
RECODING URBAN GOVERNANCE: THE DPDP RULES 2025 AND THEIR IMPLICATIONS FOR INDIAN CITIES

Introduction


The Ministry of Electronics and Information Technology, vide notification dated 14 November 2025, formally notified the Digital Personal Data Protection (DPDP) Rules, 2025, thereby completing the operationalization of the DPDP Act 2023. As part of the implementation that stretches to May 2027, cities must take several steps. They have to reconcile decades of data collection practices, including those that are ad hoc and/or undocumented, with new obligations around consent, purpose limitation, and accountability. The task for urban local bodies operating fragmented legacy systems without dedicated privacy officers or data governance frameworks is substantial.

The framework establishes consent-based, rights-driven protections for personal data. That much is clear from the text. But what is less immediately obvious, and arguably more consequential, is what this means for Indian cities. Not the private sector compliance story that dominates headlines, but the urban governance story. Smart city infrastructure, expanding surveillance networks, and digitised municipal services. These are the spaces where DPDP will be tested most severely. This article examines how the framework intersects with urban governance and where the critical pressure points lie.


The Surveillance Paradox


India’s Smart Cities Mission has been ambitious. According to a 2023 Press Information Bureau release, Integrated Command and Control Centres (ICCCs) have been operationalised in all 100 smart cities. More than 84,000 CCTV surveillance cameras have been installed across these cities. These systems generate vast quantities of data, much of which qualifies as personal data under DPDP, including CCTV footage capturing facial images, vehicle registration numbers recorded by traffic cameras, mobile device identifiers collected through public Wi-Fi networks, and location traces from transit systems.

Here is a problem that gets to the heart of urban data governance: how exactly does one obtain individual consent from thousands of people walking down a monitored street? You cannot. It is logistically impossible.


The Act addresses this through “deemed consent” provisions under Section 7. Processing without explicit consent is permitted when necessary for state functions, public order, safety, or health. However, the exemption comes with certain constraints. Transparency obligations require public notice about surveillance operations. Data minimisation principles limit collection to what is strictly necessary. Accountability mechanisms ensure footage is secured and not kept indefinitely. One key constraint is that deemed consent does not override the purpose specification requirements under Section 5 of the Act, i.e. data collected for one purpose cannot simply be repurposed for another without a separate legal basis.


The Rules operationalise the Act’s requirement that high-risk processing, particularly large-scale surveillance systems, be preceded by Data Protection Impact Assessments. A smart city deploying citywide CCTV cannot just install cameras and call it a day. Privacy risks must be assessed, anonymisation measures implemented where feasible, and access restrictions put in place before systems become operational. The CERT-In Guidelines for Smart City Infrastructure already emphasise “privacy-by-design” as critical, though these were previously advisory. DPDP makes that principle effectively enforceable.


Why do these safeguards matter in practice? Consider a recent incident in Gujarat. CCTV footage from a hospital, showing patients in deeply sensitive situations, was leaked and offered for sale online. Under DPDP, such incidents trigger mandatory breach notifications within 72 hours. The incident is illustrative of why “security” cannot operate as a blank cheque for surveillance. Things like encryption for footage, granular access controls, comprehensive audit logs, and retention limits have now become legal requirements.


Certain practical challenges and limitations, however, still remain. A sign declaring “this area is under CCTV surveillance” gives notice but does not actually provide consent. Deemed consent may save the state from seeking individual consent, but it does not exempt the state from purpose limitation or data minimisation. A traffic camera network justified for congestion management cannot use the same footage for commercial analytics. This is where things are going to get really interesting for public-private partnerships, where private operators have traditionally viewed city data as an asset to be monetised. That assumption is now legally questionable.


The RTI Conundrum


Perhaps the most contentious part of DPDP, vis-à-vis urban governance, is the amendment to the Right to Information Act, 2005. Section 44(3) of the DPDP Act amends Section 8(1)(j) of the RTI Act to delete the “larger public interest” override, which hitherto allowed disclosure of personal information when transparency concerns outweighed privacy concerns.


The Supreme Court’s decision in Girish Ramchandra Deshpande v. Central Information Commissioner (2012) had already interpreted Section 8(1)(j) expansively. It held that details like memos, show cause notices, and asset declarations of public servants amounted to “personal information” exempt from disclosure. DPDP institutionalizes and expands this restrictive approach further into what might even be seen as a blanket exemption.


In practical terms, an RTI request for the list of beneficiaries under a housing scheme, previously available to expose favouritism or corruption, can now be rejected by invoking “personal data.” Asset declarations of public officials, disciplinary records, and other information that earlier facilitated accountability become structurally more difficult to access.


The Internet Freedom Foundation has warned that the rules “enable extensive data collection by state agencies with scant oversight, thereby entrenching state control over personal data.” Strong words, but not unfounded.


The practical effect is predictable. Public Information Officers are now structurally incentivised to deny requests. DPDP imposes penalties up to Rs. 250 crores for unlawful processing. The RTI Act provides no equivalent sanction for excessive secrecy. When in doubt, denial becomes the safe default. The government argues that Section 8(2) of the RTI Act, permitting disclosure where public interest outweighs harm, remains available. However, courts have historically treated Section 8(2) as an exceptional provision, not a routine override. The burden has shifted. What was once a presumption favouring transparency has become a discretionary exception requiring affirmative justification. That shift matters.


The Consent Architecture


Urban local bodies are the primary interface for citizens accessing essential services: property tax payments, utility billing, building permits, grievance redressal, welfare scheme enrolment. Under DPDP, municipalities must now issue itemised, independently understandable consent notices.


This represents an unprecedented approach, in stark contrast to what legacy e-governance platforms have considered relevant. Most of the existing systems seldom tracked consent changes. Transparent privacy notices were an exception, not the rule. The introduction of Consent Managers (registered intermediaries helping individuals manage permissions across multiple services) may provide a solution for citizens overwhelmed by having to manage consent across dozens of municipal touchpoints. However, while full compliance deadlines extend to May 2027, the state can already deny RTI requests citing DPDP. This means that citizens must wait eighteen months for meaningful data protection. This asymmetry is not easy to ignore.


According to the reference guide of the Ministry of Housing and Urban Affairs on City Data Policies, only 45 of India’s more than 100 smart cities had formulated City Data Policies. That leaves more than half without even a basic framework, and now they must articulate clear purposes for data collection, limit inter-agency sharing to consented uses, and ensure robust security protocols. Failure carries penalties up to Rs. 250 crore per breach.


The compliance burden falls disproportionately on resource-constrained municipalities. Most urban local bodies operate fragmented legacy systems built over decades, without consideration for privacy. They lack expertise in data protection and have no dedicated privacy officers. Further, their limited IT budgets face competing demands. Consider a concrete example: the property tax database maintained by most municipal corporations contains sensitive financial information, yet few have conducted data mapping exercises to understand what personal data they actually hold, where it is stored, and who can access it.


The Enforcement Deficit


Two structural issues deserve scrutiny. First, the Data Protection Board of India (the sole regulatory authority under DPDP) is housed under MeitY. This raises structural concerns regarding independence. When a citizen complains about data practices by a government agency, who adjudicates? An entity within the same executive branch.


Under Rule 17 of the DPDP Rules, the Board’s Chairperson is selected by a Search-cum-Selection Committee chaired by the Cabinet Secretary, with the Secretaries of Legal Affairs and MeitY as members, along with two experts. For other Members, the committee is chaired by the MeitY Secretary. Unlike independent regulators under the EU’s GDPR framework, or India’s own Competition Commission, this Board lacks structural insulation from the executive branch that controls much of the data processing it must oversee.


Second, the two-year appointment term for Board members, renewable at executive discretion, creates dependency that may compromise adjudicatory independence. The Supreme Court has repeatedly cautioned against such arrangements. In Madras Bar Association v. Union of India (2025), the Court struck down provisions of the Tribunal Reforms Act, 2021, holding that short tenure with reappointment provisions increases executive influence over regulatory bodies and violates constitutional principles of separation of powers. The Court emphasised that only a term of five years or more would ensure the independence required by the Constitution. Whether a citizen complaint against a state government’s surveillance practices will receive genuinely independent adjudication from a two-year appointee remains, at best, an open question.


Conclusion


The DPDP Rules 2025 usher in a new era of digital urban development, which has to go hand in hand with data protection. Cities that adapt quickly and invest in data governance, appoint protection officers, and embed privacy-by-design principles into smart architecture stand to benefit substantially in the areas of citizen trust and institutional credibility. The framework allows genuine tools to address legitimate concerns about over-surveillance, data security, and accountability deficits that have marked most digital governance so far.


But the immediate dilution of RTI within this framework, deferral of citizen rights, and doubts over regulatory independence call for vigilance. This asymmetry is very real: state powers take effect immediately while citizen protections await implementation.

The next eighteen months will be decisive. They will determine whether cities move towards becoming smarter and more privacy-respecting, or whether the promise of data protection remains unfulfilled in those very spaces where citizens will live, work, and navigate their daily lives. The outcome is not preordained. It depends upon choices made now.

 
 
 
