Wait, Are the Rules Out Yet?
India’s long-awaited Digital Personal Data Protection (DPDP) Rules 2025 aren’t here just yet, but the drafts already tell a story. On the surface, they promise GDPR-style protections: informed consent, user rights, stiff penalties. But tucked between the legal jargon are red flags that could turn privacy law into a tool of state surveillance.
The government has announced that the final DPDP Rules will be published on September 28, 2025, giving companies, experts, and civil society time to prepare. Until then, all we have are drafts that hint at both progress and potential pitfalls.
So before the official rules drop, let’s decode what’s promised, what’s dangerous, and what it all means for you.
What the Drafts Promise on Paper
Informed consent and withdrawal right
Consent managers as intermediaries
Obligations for data fiduciaries like breach notifications and audits
Cross-border data rules for what can leave India
User rights (access, correction, erasure)
Fines up to ₹250 crore for violations
Sounds like India is catching up to Europe’s GDPR, right? Not so fast.
The Red Flags Nobody Should Ignore
The drafts highlight several areas that could seriously undermine privacy protections if left unchecked. Here are the key concerns that have experts, businesses, and privacy advocates talking.
Consent Fatigue → More Clicks, Less Privacy
The framework leans hard on consent. Every little action could require your “yes.” In practice, that’s checkbox theater. With only 16% of Indians even aware of the DPDP Act, most will just click “accept” to move on. That’s not privacy, that’s paperwork.
Rule 22 → The Secret Back Door for Surveillance
The most alarming draft clause, Rule 22, allows the government to demand data from any company (banks, ISPs, even news organizations) on vague grounds such as “sovereignty” or “security of the state.” Companies are legally prohibited from disclosing these requests, meaning users, the public, and even auditors cannot be informed. Translation: the government can access your personal data in secret, without judicial oversight, creating a hidden surveillance pathway.
Data Localization → Protection or Paradox?
The government claims that keeping data within India protects citizens from foreign surveillance. But research shows it mainly makes domestic surveillance easier. Once sensitive data is forced onto Indian servers, it’s far more accessible to local authorities. Think China’s model, not Europe’s.
Vague Standards, Real Penalties
Drafts talk about “reasonable security safeguards,” but don’t define what that means. That gives regulators unlimited discretion after a breach happens. For startups, this is compliance roulette: spend millions and still risk a ₹250 crore fine.
What Businesses Are Saying
Fintech & payments (NPCI, PhonePe, Amazon Pay, Google Pay) → worry about unworkable explicit consent for every transaction.
Foreign companies → fear cross-border restrictions and localization headaches.
Industry associations (Nasscom, etc.) → warn that overregulation could choke startups and deter global investment.
What It Means for You
Everyday users: More consent pop-ups, but not necessarily more privacy.
Journalists & activists: Confidential sources may be at risk. Rule 22 creates a hidden back door into sensitive communications.
Businesses: Compliance costs will rise, often trickling down to users via pricier services or fewer free perks.
The Bigger Picture → GDPR vs. China’s PIPL
Globally, two models dominate:
Europe’s GDPR → rights-first, heavy on user empowerment.
China’s PIPL → state-first, using privacy law as a framework for surveillance.
India’s DPDP seems caught in the middle. The language sounds European (consent, rights, safeguards), but the powers look distinctly Chinese (government back doors, localization, broad surveillance).
The Enforcement Gap Nobody Talks About
India’s Data Protection Board doesn’t yet have resources or staff for nationwide enforcement.
Only 38% of households are digitally literate, yet consent assumes a level of understanding that many simply don’t have.
Regulators worldwide struggle with enforcement, even the EU with 25 years of experience. Expect India’s rollout to be messy at best, toothless at worst.
September 28 Checklist: What to Watch
Does Rule 22 survive intact, or get watered down?
How strict are localization requirements?
Are “reasonable safeguards” finally defined?
Do user rights come with practical enforcement mechanisms?
👉 Subscribe now to get the no-spin breakdown when the final DPDP Rules 2025 land. Don’t let surveillance slip in under the name of privacy.