Between Protection and Paternalism: Rethinking Disability Safeguards in the DPDP Rules
- Shubhranshu, Ananyashree Jaiswal
[Shubhranshu and Ananyashree are students at NALSAR University of Law and Gujarat National Law University, respectively.]
Recently, the Digital Personal Data Protection Rules 2025 (Rules) were notified, arriving almost two years after the passage of the Digital Personal Data Protection Act 2023 (Act). Together, the DPDP Act and DPDP Rules aim to create a comprehensive framework for personal data governance in India. As essential services increasingly shift online, the need for a robust personal data protection regime becomes more urgent than ever. Notably, the Rules introduce specific provisions for persons with disabilities (PwDs), particularly with respect to obtaining consent and processing data through lawful guardians. This recognition of the unique requirements of PwDs is a welcome step. The Rules, however, warrant closer scrutiny to assess whether they sufficiently operationalise autonomy, accessibility and protection. Safeguarding the digital rights of PwDs is not only about privacy: it’s about independence, dignity and equitable participation in the digital economy.
The global foundation for disability-inclusive digital governance is set by Article 9 of the UN Convention on the Rights of Persons with Disabilities (UNCRPD), which obligates States to ensure accessibility across information and communication technologies by identifying and eliminating barriers. India has incorporated these commitments domestically through the Rights of Persons with Disabilities Act 2016 (RPwD Act) and its rules, which embed reasonable accommodation obligations. Recently, the apex court in Pragya Prasun v. Union of India affirmed that digital services and KYC must be made accessible, reinforcing a legal duty to build an inclusive, disability-friendly digital ecosystem urgently.
Flaws in the Framework
While the Rules introduce disability-specific protections with a view to protecting vulnerable groups, certain aspects of them risk undermining autonomy and creating additional barriers. A major critique of the framework is that it overemphasises formal guardianship wherever it exists. Under Rule 11, data fiduciaries are required to obtain “verifiable consent” only from guardians who have been formally appointed by a court, designated authority, or local-level committee. In reality, however, most caregiving arrangements for PwDs in India are informal and based on family support, especially in small towns and rural regions. Most caregivers, until confronted with the mandate under the Rules, may not know how to obtain the requisite certifications or even see a need for them. This creates an immediate access barrier. On the other hand, service providers faced with the possibility of penalties for any mistake in verification may decline to offer services to disabled users whose guardians do not possess the required documentation. Thus, what was meant as protection could result in exclusion.
These hurdles are worsened by the legal lacuna left by the framework. The Act and the Rules fail to clarify whether guardians ought to be appointed under the National Trust Act 1999 or the RPwD Act. They do not elaborate on what specific documentary proof can be treated as acceptable across differing guardianship regimes. Without clarity, data fiduciaries can struggle to determine which documents to accept, and families will be left uncertain regarding what qualifies as legitimate proof. This ambiguity directly affects who can access digital services, along with how smoothly they can participate in the digital ecosystem.
Another issue lies in the manner in which the Rules equate disability with incapacity. Though it is appreciable that Rule 11(2)(b)(i) limits guardian-based consent only to persons who are unable to make legally binding decisions, a similar safeguard is absent in the second category under Rule 11(2)(b)(ii). This approach allows guardians to consent for certain disabilities without first asking a crucial question: whether the person is capable of making that decision themselves. Autism is one such example, where the abilities and needs of autistic persons vary widely and evolve. Some autistic adults can live independently, requiring no guardian. Yet the Rules lead their agency to be curtailed without any mandatory inquiry into their functional ability. This approach ignores an individual’s actual capacity and relies on diagnostic labels. It also remains unclear how to determine when a person “is unable to take legally binding decisions” in the absence of objective criteria. The absence of such safeguards opens the door for arbitrary curtailment of agency.
The Rules also miss proportionality among various types of data processing. An individual might need some help in high-risk, sensitive situations such as decisions related to finances or health, but can easily give consent for low-risk uses, like entertainment apps or basic communication platforms. The Rules do not recognise this spectrum and treat all processing as requiring the same level of guardian involvement. This one-size-fits-all approach reduces autonomy and makes common digital interactions more cumbersome than they should be.
Another major omission concerns accessibility, which is essential for any meaningful exercise of consent. The Rules focus almost entirely on verifying guardian status but are silent on the need to make privacy notices, consent forms and interfaces accessible, thus neglecting the fact that many PwDs could provide informed consent independently if the digital environment accommodated their needs. Without mandatory requirements for tools like text-to-speech, screen readers or simplified explanations, the framework reinforces dependence on guardians and fails to uphold UNCRPD accessibility obligations. Accessibility should be the first step, not an afterthought.
Article 12 of the UNCRPD is based on the premise that PwDs have the same legal capacity as everyone else, and that any support they need should help them exercise that capacity rather than replace it. It directs states to institute a supported decision-making system rather than a substitute decision-making system. The DPDP framework, however, relies on guardians as the default gateway for data processing, effectively treating their consent as a “substitute” for the person’s own will instead of a last-resort option when support has failed. Consequently, the framework moves away from treating PwDs as primary rights holders in the digital space and towards a space where digital consent is filtered through someone else’s authority.
The compliance burden created by the Rules may also produce unintended discriminatory effects. Data fiduciaries, especially small and medium organisations, may fear the administrative costs and the risk of penalties for inadequate verification. Experience in other jurisdictions suggests that stringent accommodation requirements can lead employers or service providers to avoid engaging with PwDs entirely. A similar avoidance pattern could arise here, leading to quieter digital segregation with fewer service options, reduced participation and higher barriers to entry.
The framework also sidesteps the heightened privacy risks that accompany disability-related information. The Act removes any distinction between ordinary personal data and the sensitive categories that received stronger protection under the SPDI Rules. At the same time, the Rules require data fiduciaries to verify guardianship, a process which effectively signals that the user is a PwD. This creates a de facto registry of disability information without giving the data any enhanced protection. There exists a probability that such information could be misused by third parties, including insurance companies or advertisers, who might profile a person in discriminatory ways. Ironically, a law designed to bolster privacy could make disability status more traceable and more vulnerable.
The Rules also offer scarce protection against the potential misuse of authority by guardians themselves. They don’t require guardians to show that the purpose and consequences of data processing have been explained to the PwD in a form they understand. Nor is there a mechanism to check undue influence or prevent guardians from exercising data rights for personal benefit. In situations where a person is temporarily disabled due to injury or illness, the Rules do not create a flexible pathway for temporary or time-bound assistance. Instead, the approach risks putting all forms of disability, whether permanent or short-term, into a single rigid guardianship model.
Way Forward
A more inclusive direction for the DPDP framework should strike a better balance between restoring agency and keeping practical safeguards. It should require objective, case-by-case capacity assessments for all types of disability before resorting to a guardian to give consent. Such an approach would recognise that many PwDs can independently consent to low-risk activities while reserving stricter protections for high-risk activities such as online banking.
Furthermore, a meaningful data protection regime must offer remedies to the victim. Section 43A confines compensation to actual financial loss, leaving harms such as distress, loss of dignity, or loss of control over personal data largely unaddressed. This burden is especially heavy for PwDs, for whom the impact of misuse may be real yet difficult to quantify. In contrast, EU GDPR Article 82 and UK courts recognise compensation for non-material harm like distress. A similar approach under the DPDP framework would better align remedies with its commitment to dignity and autonomy.
The consent framework must also reflect social realities. Many PwDs rely on informal family or community carers. Requiring only formal guardianship documents risks excluding them from routine digital services. To avoid this, the Rules could permit alternative verification mechanisms for low-risk digital activities, such as attestation by recognised local NGOs or village panchayats. Also, to ease the compliance burden faced by data fiduciaries, the framework should include a clear checklist of acceptable proofs that data fiduciaries can rely on when verifying consent.
Moreover, accessibility must become mandatory, not an aspiration. Significant data fiduciaries should be required to ensure that consent approvals, dashboards and grievance channels comply with WCAG 2.1 Level AA, with reader compatibility, keyboard navigation, and captions with language options in major languages.
Finally, the Rules should treat disability data as high-risk, similar to Australia’s framework, where health data is considered sensitive. Other measures include strict purpose limitation, minimal retention, and a ban on its use for profiling or targeted ads. There should be a periodic review of long-term consent, and an accessible route for PwDs to report misuse to the Data Protection Board, along with a disability-data advisory group of experts to oversee templates, guidelines, and amendments in line with the participation model encouraged by the UNCRPD.