The Draft Digital Personal Data Protection Rules (“Draft DPDP Rules”) provide the implementation framework for the exercise of Data Principal rights accorded in Sections 11 to 14 of the Digital Personal Data Protection Act 2023 (“DPDPA”).
Under Rule 13 of the Draft DPDP Rules, the Data Fiduciary or Consent Manager is mandated to publish, on its website and/or app, clear and accessible procedures by which a Data Principal can make a request to exercise any of their rights. The Data Fiduciary/Consent Manager shall also provide the Data Principal with any identifying details, such as a username or other identification details (customer identification file number, customer acquisition form number, application reference number, enrolment ID or licence number), that the Data Principal may need in order to make a request.[1] However, without clear enforcement timelines and mechanisms, do these rights truly protect users, or are they merely an illusion?
This post critically examines the effectiveness of the rights provided by the DPDPA and the Draft DPDP Rules, compares them with similar provisions in other jurisdictions, i.e. the GDPR (General Data Protection Regulation) in the EU, the CCPA (California Consumer Privacy Act) in the USA, the LGPD (Lei Geral de Proteção de Dados) in Brazil, and the PDPA (Personal Data Protection Act) in Singapore, and discusses the gaps present in the current Indian framework.
1. Right to Access
Section 11 of the DPDPA provides the Data Principal the right to access personal information. The Data Principal can obtain from the Data Fiduciary (i) a summary of the personal data being processed and the processing activities undertaken by the Data Fiduciary and (ii) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, together with a description of such shared data.
However, the Draft DPDP Rules lack a clear timeline for fulfilling data access requests, in contrast to data protection frameworks in other jurisdictions such as the GDPR [2] (30 days, extendable by 2 months), the LGPD (15 days) [3], the PDPA (30 days) [4], and even the CCPA [5] (45 days, extendable to 90 days). Even in India, under the Right to Information Act, 2005, public authorities must respond to information requests within 30 days, or within 48 hours if the request concerns life and liberty.[6] Failure to comply can result in a penalty of ₹250 per day, up to ₹25,000.[7] These legal frameworks establish crucial accountability mechanisms, in stark contrast to the Draft DPDP Rules, which leave the timeline undefined, merely stating that requests should be fulfilled within a “reasonable time.”
This lack of specific timelines not only creates uncertainty for individuals seeking access to their data but also grants Data Fiduciaries/Consent Managers broad discretion to delay or deny requests without clear accountability.
2. Right to Correction and Erasure
Section 12 of the DPDPA provides the Data Principal the right to correction and erasure of personal data. The right to correction extends to (i) correction of inaccurate or misleading personal data, (ii) completion of incomplete personal data and (iii) updating of personal data that has changed. Further, the Data Principal also has the right to request erasure of personal data; upon such a request the Data Fiduciary shall erase the personal data unless its retention is necessary for the specified purpose or for compliance with any law. The Draft DPDP Rules again fail to specify a clear timeline for Data Fiduciaries to process these requests, in contrast to data protection laws in other jurisdictions. The Reserve Bank of India [8], by contrast, has already set a precedent for consumer rights in data correction through a circular which mandates all Credit Information Companies and Credit Institutions to update/rectify any credit information as requested by the consumer within 30 days of the initial filing of the complaint by the complainant. Further, in order to address delays in updation/rectification of credit information and to improve the efficiency of grievance redressal, complainants are eligible to receive ₹100 per calendar day if their complaint remains unresolved for more than 30 days.
Further, the right to erasure is more detailed in the GDPR [9]: it not only allows individuals to request deletion of their personal data but also mandates a data controller who has made the data public to take reasonable steps, considering available technology and cost, to ensure that other controllers erase copies, links or replications of that data. The DPDPA and the Draft DPDP Rules do not mandate informing third parties of correction/erasure requests. Without such obligations, even if a Data Principal requests erasure, their personal data may continue to be present across platforms, in effect limiting user control over their digital footprint.
Rule 8 of the Draft DPDP Rules also provides for Data Fiduciaries to auto-erase personal data if the Data Principal does not engage with the Fiduciary for a specified time, provided that there is no legal obligation requiring the Fiduciary to retain the data. However, at least 48 hours before the scheduled erasure, the Data Fiduciary must inform the Data Principal that their data will be erased unless they log into their account or otherwise contact the Data Fiduciary to request continued processing or to exercise their rights. E-commerce entities having not less than two crore registered users in India, online gaming intermediaries having not less than fifty lakh registered users in India, and social media intermediaries having not less than two crore registered users in India may retain personal data for three years from the date of the Data Principal’s last interaction or from the commencement of the Digital Personal Data Protection Rules, whichever is later. The Draft DPDP Rules do not clarify retention periods for entities with higher thresholds or for other regulated sectors such as finance, healthcare, education and telecom.
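As an added illustration (not from the original post, the Rules or any regulator), the following Python models the Rule 8 auto-erasure schedule as described above: the registered-user thresholds, the three-year period counted from the later of the last interaction and the Rules’ commencement, the 48-hour pre-erasure notice, and the override where a legal retention obligation exists. The commencement date and the 14-day notice lead time are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Figures as described in Rule 8 of the Draft DPDP Rules (crore = 10**7, lakh = 10**5).
RULE_8_THRESHOLDS = {"e-commerce": 2 * 10**7, "online-gaming": 5 * 10**6, "social-media": 2 * 10**7}
RETENTION_YEARS = 3
MIN_NOTICE = timedelta(hours=48)   # notice must reach the Data Principal at least 48 hours before erasure
NOTICE_LEAD = timedelta(days=14)   # assumed operational choice: how early the job starts sending notices
RULES_COMMENCEMENT = datetime(2025, 1, 1, tzinfo=timezone.utc)  # assumed placeholder, not a real date


def utc(year, month, day, hour=0):
    """Small constructor for timezone-aware timestamps used in the examples."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def rule_8_applies(entity_class, registered_users):
    """True when the entity is in a covered class and meets its registered-user threshold."""
    threshold = RULE_8_THRESHOLDS.get(entity_class)
    return threshold is not None and registered_users >= threshold


def add_years(dt, years):
    """Calendar-year addition; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


def scheduled_erasure(last_interaction):
    """Three years from the later of the last interaction and the Rules' commencement."""
    return add_years(max(last_interaction, RULES_COMMENCEMENT), RETENTION_YEARS)


def retention_action(last_interaction, now, notified_at=None, legal_hold=False):
    """What the retention job should do for one Data Principal at 'now':
    'retain', 'notify' (send the pre-erasure notice) or 'erase'.
    A login or other contact resets the clock: the caller updates last_interaction
    and clears notified_at, so the next run falls back to 'retain'."""
    if legal_hold:
        return "retain"  # a legal obligation to retain overrides auto-erasure
    erase_at = scheduled_erasure(last_interaction)
    if notified_at is None:
        return "notify" if now >= erase_at - NOTICE_LEAD else "retain"
    # Never erase inside the 48-hour notice period; a late notice pushes erasure back.
    earliest = max(erase_at, notified_at + MIN_NOTICE)
    return "erase" if now >= earliest else "retain"
```

The late-notice branch is the check auditors look for: if the notice went out less than 48 hours before the scheduled date, erasure is deferred rather than carried out on schedule.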
The fixed retention period is, however, a unique feature of India’s data protection law; such a timeline is absent from the GDPR (which focuses on purpose-driven retention without fixed timelines) and from Brazil’s LGPD (which emphasizes “minimum necessary” retention). [10] In contrast, Singapore’s PDPA [11] grants a right to correction but has no explicit right to erasure; retention therefore ends only when personal data is no longer necessary for the stated purpose or for legal/business obligations.
3. Right to Grievance Redressal
Section 13 of the DPDPA provides that a right to grievance redressal shall be made available by the Data Fiduciary and/or Consent Manager in respect of any act or omission by them. The Data Principal shall approach the Data Protection Board only after exhausting the opportunity of redressing the grievance with the Data Fiduciary/Consent Manager. Rule 13 of the Draft DPDP Rules requires entities to publish the response time period for addressing grievances on their websites or apps and to implement appropriate technical and organizational measures to ensure timely responses. The lack of specific timelines under the framework for addressing grievances continues in this right as well.
In comparison, the EU GDPR requires complaints to be addressed without undue delay and within one month, with an extension of up to three months for complex cases [12], after which data subjects can lodge complaints with the supervisory authority, specifically in the member state of their residence, if their rights have been violated. [13] Under the GDPR, data subjects also have a right to compensation from the controller or processor for the damage suffered. [14] Unlike the DPDPA and the GDPR, the CCPA [15], the PDPA [16] and the LGPD [17] do not explicitly require businesses to resolve individual complaints directly, but they empower regulators and courts to enforce compliance.
Indian laws also provide a robust framework for grievance redressal. For instance, the Consumer Protection Act, 2019 empowers consumers to file complaints against deficient services, requiring District Commissions to resolve cases within 3-5 months [18] and State and National Commissions to adjudicate appeals within 90 days [19]. Under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules, 2021), intermediaries are mandated to acknowledge grievances within 24 hours and resolve them within 15 days, setting a precedent for timely redressal.[20]
Further, in case of unresolved grievances, the Data Principal shall escalate the matter to the Data Protection Board (DPB). However, concerns also arise regarding the DPB’s capacity to manage a high volume of complaints effectively. [21] By comparison, the Consumer Protection Act, 2019 model, which establishes a three-tier system comprising District, State and National Commissions, seems to be a more efficient approach.
The lack of a legally mandated response time creates uncertainty and may allow Data Fiduciaries and Consent Managers to delay addressing grievances, thereby undermining the effectiveness of the redressal system. Further, Data Principals do not have a specific right of private action under the DPDPA or the Draft DPDP Rules to claim compensation for any breach of their rights, as is available in certain jurisdictions. To enhance accountability and efficiency, the Draft DPDP Rules must specify a concrete and adequate timeframe for responding to and resolving grievances; only then will the rights of Data Principals be upheld in a timely manner.
4. Right to Nominate
Section 14 of the DPDPA provides a Data Principal the right to nominate one or more individuals who shall, in the event of the death or incapacity of the Data Principal, exercise the rights of the Data Principal. The right to nominate is a progressive and unique provision compared to the data protection legislation of other jurisdictions; however, operational clarity and safeguards against misuse will determine its effectiveness. The Rules give no guidance on how this will be operationalised in the event of the death or incapacity of a Data Principal.
Conclusion
The Draft DPDP Rules are intended to provide a crucial implementation framework for the rights of Data Principals under the DPDPA 2023. However, without clear enforcement mechanisms and defined timelines, the rights granted under the data protection framework risk becoming illusory, as key issues such as undefined timelines for data access, correction, erasure and grievance redressal could hinder practical enforcement and accountability for both the Data Principal and the Data Fiduciary. While innovative features like the right to nominate and fixed retention periods for certain platforms distinguish India’s approach, their real-world implementation remains uncertain.[22] To enhance data protection and user empowerment, the final version of the DPDP Rules must address these gaps, introduce concrete implementation timelines, and establish stronger enforcement safeguards.
References:
- [1] Rule 13(1) of the Draft DPDP Rules
- [2] Article 12 of the GDPR
- [3] Article 19 of the LGPD
- [4] Advisory Guidelines on Key Concepts, PDPA, 2021
- [5] Sections 1798.130 and 1798.145 of the CCPA
- [6] Section 7 of the Right to Information Act, 2005
- [7] Section 20 of the Right to Information Act, 2005
- [8] Framework for compensation to customers for delayed updation/rectification of credit information, RBI/2023-24/72
- [9] Article 17 of the GDPR
- [10] Articles 6, 16 and 18 of the LGPD
- [11] Section 25 of the PDPA
- [12] Article 12 of the GDPR
- [13] Article 77 of the GDPR
- [14] Article 82 of the GDPR
- [15] Section 1798.150 of the CCPA
- [16] Section 48O of the PDPA
- [17] Article 18 of the LGPD
- [18] Section 38(7) of the Consumer Protection Act, 2019
- [19] Section 52 of the Consumer Protection Act, 2019
- [20] Rule 3(2)(i) of the IT Rules, 2021
- [21] Sarasvati Nt, How Will The Data Protection Board Play A Key Role In Enforcing Privacy Rights Of Individuals? #PrivacyNama2023, Medianama, November 3, 2023, https://www.medianama.com/2023/11/223-data-protection-board-grievance-redressal-privacynama/
- [22] Ishika Gupta, How do the Draft DPDP Rules 2025 Affect Personalised Shopping Experiences on E-Commerce Platforms?, Medianama, January 30, 2025, https://www.medianama.com/2025/01/223-draft-dpdp-rules-2025-effects-personalised-shopping-experiences-ecommerce-platforms/