From Legislative Promise to Regulatory Paradox: Why India’s Digital Personal Data Protection Rules, 2025 Need Urgent Reform

On 14 November 2025, India took a definitive step in its digital governance journey with the notification of the Digital Personal Data Protection Rules, 2025 under the Digital Personal Data Protection Act, 2023 (DPDPA). These Rules were intended to give practical meaning to the Act, fleshing out how personal data should be processed, protected, retained, and shared in India’s rapidly digitalising economy.

However, a closer examination reveals structural gaps and legal inconsistencies where the subordinate Rules appear to diverge from the parent Act. These inconsistencies risk weakening core privacy protections and introducing new compliance burdens that neither Parliament nor citizens clearly debated. This blog explains these issues and outlines why reform is necessary to preserve both legal coherence and individual privacy rights.

To understand the gravity of these gaps, we must first look at the legislative intent behind the original Act.

A Quick Legal Background

The DPDPA, 2023 was enacted by the Indian Parliament to protect digital personal data and specify how it should be processed lawfully. It sets out foundational principles tailored to the Indian context: Consent (which must be free, specific, informed, unconditional, and unambiguous), Purpose Limitation (processing only for the purpose specified or for ‘certain legitimate uses’), Data Minimisation (limiting collection to what is necessary for that purpose), and crucially, the Obligation to Erase (mandating deletion when consent is withdrawn or the specified purpose is no longer served). To enforce these rights, the Act envisages an independent adjudicatory body, the Data Protection Board of India, to resolve disputes.

The Act was designed to be broad and principle-based, relying on subordinate rules to define operational details. This delegation to the executive is standard in modern administrative law, but it relies on a delicate balance: the Rules must strictly adhere to the boundaries set by the parent statute. Unfortunately, as we examine specific provisions, it becomes clear that this balance has been disrupted, starting with the fundamental issue of data retention.

The First Structural Problem: Retention vs Erasure

The most glaring contradiction arises when comparing how the Act and the Rules treat the lifecycle of data, specifically when it must be destroyed.

What the Act Says About Data Retention

Under Section 8 (7) of the DPDPA, the default stance is erasure. Personal data must be deleted:

  • When the purpose for which it was collected is fulfilled, or
  • When the individual withdraws consent.

The Act allows retention only where it is necessary to comply with another law in force, or where retention is necessary for the specified purpose. This exception is narrowly framed and typically refers to primary legislation such as tax codes or criminal procedure statutes that explicitly require record-keeping.

What the Rules Say Instead

In contrast to the Act’s ‘erasure-first’ approach, Rule 8(3) of the 2025 Rules[i] introduces a broad retention mandate. It states that data fiduciaries must retain:

  1. Personal data,
  2. Associated traffic data (metadata), and
  3. Logs of processing for a minimum period of one year.

Why This is a Paradox

This creates a regulatory paradox. While Section 8(7) of the Act establishes ‘erasure’ as the default statutory duty, Rule 8(3) effectively overrides this by mandating a minimum one-year retention period. Legally, this risks exceeding delegated powers (ultra vires): subordinate rules cannot expand retention beyond the Act’s narrow exceptions under Section 8(7), converting an ‘erasure-first’ default into a ‘mandated one-year hoarding’ policy. This inversion undermines the storage limitation principle, the fundamental mandate under Section 8(7) that requires Data Fiduciaries to permanently erase personal data as soon as the specified purpose is no longer being served or consent is withdrawn, thereby preventing indefinite data hoarding, a pillar of modern privacy frameworks. Without clear legislative authority, subordinate rules should not create new retention obligations that conflict with the statute that delegated the rule-making power.

Practical Impact

The retention of metadata and logs has real-world security implications. Mandating the retention of ‘traffic data’ is akin to forcing a post office to photocopy the envelope of every letter you ever send. While the content (personal data) might be deleted, the ‘digital exhaust’ (who you spoke to, when, and from where) remains. Security experts argue that this metadata often reveals more behavioural patterns than the message itself, turning Rule 8(3)’s log repositories into high-value targets for cybercriminals.

While the retention issue affects how data is held domestically, a second structural flaw complicates how data is allowed to move globally.

The Second Structural Problem: Cross-Border Restrictions and Oversight

The friction between the Act and Rules extends to international data flows, specifically regarding who has the power to restrict them.

What the Act Requires

The Act permits the Central Government to restrict cross-border transfers of data by issuing a formal notification. Critically, any such notification must be laid before Parliament, enabling legislative review. This mechanism is essential for democratic oversight, given the economic and diplomatic weight of data localisation.

What the Rules Do Instead

Rule 13(4) dilutes this oversight. It introduces a mechanism where the Government can restrict transfers of both personal data and traffic data based merely on the recommendations of a committee.

Why This Matters

By shifting the power to a committee recommendation rather than the formal notification process envisioned in the Act, the Rules risk bypassing Parliament entirely. Furthermore, the inclusion of traffic data (a term borrowed from the IT Act but undefined in the DPDPA) expands the scope of regulation beyond what the Act authorised. Since metadata is critical for global cloud performance, restricting its flow could inadvertently fragment infrastructure and impede digital trade.

Why These Structural Gaps Matter

These legal inconsistencies are not merely academic debates; they generate tangible risks for every stakeholder in the ecosystem.

  • For Individuals: While citizens gain rights on paper, broad retention mandates and opaque localisation rules may paradoxically compromise their privacy. Metadata retention risks revealing behavioural patterns individuals never intended to share, a concern echoed in global privacy critiques.
  • For Businesses: Companies, particularly Significant Data Fiduciaries (SDFs), face a confusing compliance landscape. This legal confusion creates a Growth Trap for India’s startup ecosystem. A scaling startup that passes the size threshold set by the Data Protection Board (such as hitting a certain number of active users) is instantly hit with the heavy responsibilities of a Significant Data Fiduciary (SDF). They move overnight from a simple, ‘light-touch’ set of rules to facing the same rigid audit and storage requirements as a global tech giant. However, unlike Big Tech, these startups lack the massive legal budgets needed to navigate the friction between the DPDP Act’s command to erase data and the CERT-In (Indian Computer Emergency Response Team) directives, which often require keeping detailed logs and user data for years for security purposes.
  • For Democratic Governance: The shift from the parent Act to the 2025 Rules represents a concerning migration of power from Parliament to the Executive. Under Section 41 of the DPDPA, 2023, the legislative intent was clear: any notification restricting cross-border data flows must be “laid before Parliament”. This ensures that decisions impacting India’s digital sovereignty and international trade are subject to public debate and representative scrutiny. However, Rule 13(4) bypasses this by delegating the power to restrict data transfers to a committee recommendation process. By moving these decisions into “regulatory silos,” the government avoids the “laying procedure,” effectively shielding high-stakes digital policy from the floor of the House.

This lack of transparency creates a ‘black box’ for the digital economy. When data restrictions are decided by administrative committees rather than through transparent legislative notifications, it erodes public accountability. Foreign policy and global trade are now inextricably linked to data flows; a unilateral decision to block data to a specific jurisdiction can trigger diplomatic friction or retaliatory trade measures. Without parliamentary oversight, these decisions lack the multi-stakeholder vetting required to balance national security with economic growth. Furthermore, by including “traffic data” (a term neither defined nor empowered by the original Act) in these restricted silos, the Rules overstep their legal mandate, creating a regime where the executive branch acts as both the architect and the enforcer of digital borders without a democratic check.

Conclusion and Recommendations

To resolve the structural contradictions currently threatening the efficacy of India’s privacy framework, three targeted reforms are essential to restore the balance between regulatory oversight and legislative intent. First, the government must explicitly clarify that the retention mandates under Rule 8(3) are intended strictly for limited security and accountability purposes, ensuring they do not override the fundamental statutory right to erasure or the principle of storage limitation. Simultaneously, the regulatory approach to cross-border data flows requires immediate realignment with democratic oversight mechanisms; specifically, Rule 13(4) must be amended to ensure that any restrictions on data transfers are formalized through a Section 16 notification and laid before Parliament as mandated by Section 41 of the Act, rather than relying on committee recommendations. Furthermore, the legal framework must evolve to distinguish between personal data and metadata, adopting a nuanced approach that reflects technical realities rather than subjecting critical traffic data to the same broad restrictions as personal identifiers.

While the DPDPA, 2023, operationalised by the 2025 Rules, stands as a landmark achievement in India’s quest for digital trust, the current internal inconsistencies risk hollowing out its legislative intent. The divergence between the Act’s promise of privacy and the Rules’ inclination toward retention creates a paradox that elevates compliance risks for businesses and privacy concerns for citizens. Addressing these structural gaps is therefore not merely a matter of legal housekeeping, but a critical necessity to ensure the regime remains effective and transparent. Without these corrections, the framework risks becoming a regulatory burden rather than a protective shield, making immediate reform vital to fulfilling the true promise of data protection for India’s digital future.


[i] The Digital Personal Data Protection Rules 2025, r 8(3).

Authors

  • Bhavesh Basod

    Bhavesh Basod is a 4th-year B.Sc.LL.B (Hons.) [Cyber Security] student at the National Law Institute University, Bhopal. He has authored or co-authored 7 research papers and 2 blogs in the domains of Cyber Law and Arbitration, including one in Thomson Reuters in the domain of Environmental Law.
  • Shivansh Sahu

    Shivansh Sahu is a 4th year student at National Law Institute University, Bhopal.
  • Anany Singh

    Anany Singh is a 4th year student at National Law Institute University, Bhopal.
  • Avani Agrawal

    Avani Agrawal is a 2nd-year B.Sc.LL.B (Hons.) [Cyber Security] student at the National Law Institute University, Bhopal. She has co-authored 2 research papers in the domains of IPR and Company Law.