[This article has been authored by Mihir Singh and Tia Sikka, fourth-year B.A. LL.B. students at Christ University, Bangalore. It examines critical gaps in India’s Draft Digital Personal Data Protection Rules 2025, particularly the absence of clear timelines for notice, data deletion, and grievance redressal, as well as vague procedures for consent withdrawal. The authors argue that these omissions weaken the enforceability of the DPDP Act and call for concrete reforms inspired by global standards like the GDPR to ensure meaningful protection of digital rights.]
Introduction
The Digital Personal Data Protection (DPDP) Act, 2023, was perhaps the most highly anticipated data protection law in India. However, the Draft DPDP Rules, 2025, released by the Ministry of Electronics and Information Technology (MeitY) for public comment, have been criticised for operational vagueness in several key areas. Most salient among these are the timelines for giving notice, erasing data and redressing grievances, and the procedure for withdrawing consent. These omissions compromise not only the data principal's basic rights but also the enforcement of the law in any meaningful sense. This article critically examines the gaps in the Draft Rules relating to timelines and consent management, and places them within the broader global discourse on best practice as well as India's own digital rights debate. It also underscores how the draft rules risk undermining the accountability and transparency principles enshrined in the parent legislation, threatening to reduce the Act to a symbolic framework without real enforceability.
One of the pillars of data protection under Section 5 of the DPDP Act is that a Data Fiduciary must give notice to the Data Principal about the purpose, nature and extent of data collection and processing. The Draft Rules, however, say nothing further about when such notice must be given in practice, whether at collection, before processing begins, or within a fixed period after collection. Models such as the EU's General Data Protection Regulation (GDPR) offer a clear reference point: Article 13 requires that this information be provided "at the time when personal data are obtained". Without a comparable time limit, Indian fiduciaries may delay notices, rendering the principle of informed consent hollow. This ambiguity creates an asymmetry of power: data fiduciaries could exploit the silence to process data without the immediate knowledge of the data principal, defeating the foundational notion of transparency.
Data Deletion and Retention: No End in Sight
Section 12(3) of the DPDP Act grants the Data Principal a right to erasure of personal data, and Section 8(7) obliges the Data Fiduciary to erase personal data once consent is withdrawn or the specified purpose is no longer being served, unless retention is required by law. Once again, the Draft Rules do not specify a timeline within which such deletion must be completed. This ambiguity leaves room for non-compliance, especially by large data fiduciaries handling enormous datasets spread across geographies. Under the GDPR (and the UK GDPR), Article 12(3) requires a fiduciary to act on such a request without undue delay and in any event within one month. The absence of equivalent clarity in the Indian framework invites denial of rights in the guise of operational delay.

The grievance redressal mechanism is likewise weaker than European standards. Section 8(10) of the DPDP Act requires every data fiduciary to establish an accessible grievance redressal mechanism, and Section 13 gives the Data Principal a right to redressal, yet the Draft Rules do not state within what period grievances must be decided, nor do they set out a procedural framework for the mechanism. The lack of temporal guidelines will almost always work against data principals, particularly where timely redress is urgent. The rules should create a time-bound framework along the lines of customer complaint regimes in sectors like telecom and banking, where a 30-day resolution timeline applies. In its current form, the absence of any grievance timeline risks making the entire redressal exercise futile.
Consent forms the cornerstone of the DPDP Act, and withdrawal of consent is a basic right of the data principal. Although Section 6(4) of the Act requires that withdrawing consent be as easy as giving it, the Draft Rules do not indicate the process, format or technical means by which withdrawal may be effected. It is unclear whether this must be facilitated through an online dashboard, email or some other standard mechanism. This lack of procedural uniformity may produce a fragmented implementation landscape, with different institutions adopting divergent systems that confuse and paralyse users. The GDPR, for instance, emphasises that it must be as easy to withdraw consent as to give it (Article 7(3), Recital 42). The Indian proposal leaves the mechanics to the discretion of the Data Fiduciary, which can translate into exploitative delay or outright denial of the right.
Another glaring omission is the absence of timeframes tied to the sensitivity of the information or the risk of harm. A violation involving biometric or health data arguably requires faster redressal than one involving generic identifiers, yet the Draft Rules draw no such distinction. Best practice elsewhere tiers user communication and breach notification timelines according to risk: the GDPR requires supervisory authorities to be notified of a breach without undue delay and, where feasible, within 72 hours of the controller becoming aware of it (Article 33), while affected individuals must be informed where the breach is likely to result in a high risk to them (Article 34). Tiered approaches are important for securing user trust and ensuring a swift response where it matters most.
While MeitY has invited public comments on the draft, the brief consultation period and the technical nature of the rules deter genuine civic participation. Experts have pointed out that, without versions of the draft in local languages or in simplified form, the consultation remains urban and elite-focused. This lack of participatory design risks weakening public trust in the regime from the outset. Moreover, given that setting timelines for deletion or redressal may be difficult, the government could have established sector-specific working groups to recommend practical timelines, which would have brought context-specific operational feasibility to bear while preserving user rights.
The Way Forward
India's data protection regime needs an implementation plan that recognises the nation's fragmented digital environment while remaining enforceable. A staged model of compliance would offer a practical route for different classes of enterprise. For example, in the first year, technology firms with annual revenues above ₹500 crore and existing technical infrastructure could be brought under full compliance. Mid-sized businesses could follow in the second year with targeted, government-sponsored transition initiatives, and small and medium enterprises (SMEs) could be phased in by the third year through streamlined compliance procedures and access to centralised tools. A staggered strategy ensures that smaller organisations do not bear an undue burden for requirements written largely with large organisations in mind.
One of the principal enablers of strong implementation would be shared digital infrastructure. Rather than requiring each firm to develop custom systems, the government could put in place centralised consent management platforms and standardised data erasure tooling, which would be of particular benefit to small organisations lacking substantial technical capacity. Concurrently, government-supported technical assistance programmes could offer continuing support and lower compliance costs. Standardised, low-cost compliance tools provided as public goods would further reduce the risk of uneven implementation.
Another critical pillar of good data protection governance is capacity building. Mandatory technical training and certification for Data Protection Officers, funded through levies on large fiduciaries, would create a trained corps of professionals capable of upholding compliance standards. Regional enforcement centres with local-language capacity could further improve accessibility for users and handle complaints in a more agile and context-aware manner. Adopting technology-agnostic standards based on outcomes rather than prescriptive requirements would also enable interoperability across sectors.
Additionally, concerns about the cost of enforcement and compliance cannot be ignored. The government should commission systematic economic impact studies to better understand the compliance burden across business sizes. Safe harbour could be extended to businesses that make good-faith efforts towards compliance, balancing accountability with encouragement. Public-private collaboration can also contribute by producing practical guidelines tested against real-world situations, making compliance both pragmatic and robust. Taken together, these measures would address the systemic issues that the draft rules currently miss. Through phased implementation, infrastructural support, capacity building and cost-sensitive enforcement, India has the opportunity to operationalise the DPDP Act in a way that secures digital rights without overwhelming its economically diverse stakeholders.
The DPDP Act, 2023 and the European Union's General Data Protection Regulation (GDPR) both provide robust legislative frameworks for protecting personal data. Yet a detailed comparison of their consent and retention requirements reveals significant differences in scope, structure and implementation. Under the DPDP Act, consent is the anchor of lawful processing, and it must be sought separately for each specified purpose so as to ensure granularity and clarity. Beyond the enumerated "certain legitimate uses" in Section 7, however, the DPDP regime recognises no general lawful bases such as "legitimate interests" or contractual necessity, which the GDPR provides for; the Indian regime is therefore comparatively inflexible. The GDPR takes a more permissive approach, offering six lawful bases for processing under Article 6(1): consent, contractual necessity, legal obligation, protection of vital interests, public interest and legitimate interests. GDPR consent must be freely given, specific, informed and unambiguous, and the regulation expressly rules out pre-ticked boxes and passive consent. It also requires that consent be as easy to withdraw as to give, under Article 7(3). The absence of comparable alternative lawful bases in the DPDP framework not only creates rigidity but could also encourage consent fatigue, where users click "agree" without comprehension simply to access a service.
With regard to data retention, both regimes embody the data minimisation principle. Section 8(7) of the DPDP Act requires that personal data be retained only as long as necessary for the purpose for which it was collected. Once the purpose is served or consent is withdrawn, the data must be erased unless retention is required by law. The Act also expects fiduciaries to keep their holdings under review to prevent indefinite retention. It is silent, however, on the detail of implementation, such as how frequently such reviews should be carried out and whether deletion logs should be maintained.
The GDPR addresses retention through the storage limitation principle in Article 5(1)(e), which requires personal data to be kept in a form that permits identification of data subjects for no longer than is necessary. The GDPR further grants individuals an express "right to be forgotten" in Article 17, under which they can request erasure of their data in specified circumstances. Although both frameworks provide erasure rights, the GDPR provision is broader and backed by stronger enforcement tools. On enforcement, the DPDP Act establishes the Data Protection Board of India, whereas the GDPR vests regulatory power in independent Data Protection Authorities (DPAs) in each Member State. The GDPR also provides for far larger pecuniary penalties, up to €20 million or 4% of annual global turnover, compared with the DPDP Act's ceiling of ₹250 crore. This disparity in penalties could weaken the deterrent effect of the Indian framework for large global technology companies operating in India.
Conclusion
The DPDP Act, 2023 is a well-intentioned initiative towards institutionalising data protection in a rapidly digitising economy. The Draft DPDP Rules, 2025, however, reveal essential regulatory gaps in operationalising core precepts such as timely notice, transparent withdrawal of consent, and enforceable timelines for erasure of data and grievance redressal. By contrast, the GDPR presents a more developed and sophisticated model, prioritising legal certainty, empowering users and providing procedural protections through risk-based tiering. For the effective protection of digital rights in India, the draft rules need to be redesigned with concrete timelines, uniform consent processes and differentiated treatment based on data sensitivity. These gaps reflect the common challenge of translating legislation into operational regulation rather than fundamental flaws that would render the entire framework ineffective. As draft regulations designed to evolve through public consultation and stakeholder feedback, the rules offer an opportunity to address implementation questions before they become systemic problems. Without such reforms, the potential of the DPDP Act could be undermined by implementation structures and discretionary latitude that favour fiduciaries over data principals.