The Digital Personal Data Protection (DPDP) Rules, 2025, were introduced with the promise of strengthening data privacy for all individuals, including persons with disabilities. However, a closer look reveals that these regulations fall short of truly empowering disabled persons, instead adopting a paternalistic approach that limits their autonomy. By mandating guardian consent for data processing, the rules fail to recognize the diverse capacities of disabled individuals, effectively sidelining their right to personal decision-making. Furthermore, the DPDP framework lacks specific safeguards against discrimination and accessibility barriers in digital data governance.
Scriberes Diya and Samyukta under the guidance of Anupam Sanghi critically examine how the DPDP Rules, 2025, undermine rather than uphold the rights of disabled persons in the digital space.
What Does the DPDPR Say About Disabled Persons?
The Digital Personal Data Protection Rules, 2025 (DPDPR) establish the framework for handling personal data in India. Rule 10 of the DPDPR, which governs verifiable consent, has specific provisions concerning disabled persons. Rule 10(2) specifically states:
“A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability, shall observe due diligence to verify that such guardian is appointed by a court of law, a designated authority, or a local level committee, under the law applicable to guardianship.”
The DPDPR defines “persons with disabilities” by referring to the Rights of Persons with Disabilities Act, 2016, but with additional specifications. According to the Rules:
“A person with disability shall mean and include: (i) an individual who has a long-term physical, mental, intellectual, or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and (ii) an individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation, or a combination of such conditions and includes a person suffering from severe multiple disability.”
While the intent behind this provision is to protect disabled persons from potential misuse of their data, its construction raises serious concerns.
What Is Problematic With the DPDPR’s Construction of Disabled Persons?
One of the primary concerns with the DPDPR’s approach to disabled persons is its assumption that they may be inherently incapable of providing verifiable consent. By requiring a legal guardian’s consent for individuals deemed “unable to take legally binding decisions,” the law risks undermining the agency of disabled individuals who may be perfectly capable of understanding and consenting to the use of their data.
Along the same lines, by clubbing and constructing it along with a provision for the protection of children, it infantilizes disabled persons by assuming they are incapable of making decisions about their own personal data, regardless of their actual abilities.
Second, this approach lacks nuance as it fails to acknowledge the diversity within the disabled community — many disabilities do not impact cognitive function or decision-making ability, yet the law treats all disabled persons as a homogeneous group needing external oversight. The inability to “effectively participate in society” may not and usually does not directly correlate to the ability to effectively navigate the Internet.
These flaws ultimately undermine autonomy and reinforce outdated, discriminatory perceptions of disability.
Tech can be used for good in multiple ways pertaining to differently abled persons — AI technologies are being used as a tool of inclusivity in corporate spaces, read our post about it here — interestingly (or quite sadly) however, Rule 10 makes us think of how the false rhetoric of disabled persons has been revamped in the digital space.
How Can Legislative Language Be Harmful to Disabled Persons?
A study conducted on the challenges to online disability rights advocacy in India revealed that disabled advocates online face a host of challenges while navigating social media platforms and the digital space in general. They are subject to patronizing comments, hypersexualised, invalidated and minimized, trolled and harassed, and outright ignored. The engagement-centred algorithms of social media platforms offer only one of the two extremes to disabled persons – a complete lack of visibility or virality at the cost of incessant trolling and harassment.
In a scenario like this, it is extremely important to understand that legislative language plays a crucial role in shaping societal attitudes and practices. The way the DPDPR constructs the rights of disabled persons ignores the concept of supported decision-making and defaults to substituted decision-making, sending a dangerous message that disabled individuals are inherently unable to advocate for themselves. This reinforces outdated paternalistic structures, where even those who can make informed choices are sidelined by vague legal wording.
Seeing that social media routinely and inevitably prioritizes ableist content, it is imperative that more authentic disabled voices are heard in the conversation. As it stands, Rule 10 does little to favour this endeavour.
What Can Be Done to Remedy the Shortcomings of the DPDPR in This Regard?
To address the shortcomings of the DPDPR concerning disabled persons, the following measures should be considered:
- Clarifying the Definition of “Incapable” – The rules should specify that only individuals who, due to specific and severe cognitive impairments, are genuinely unable to provide informed consent should fall under the provision for guardian consent.
- Incorporating the Principle of Supported Decision-Making – Instead of outrightly allowing legal guardians to make decisions, the DPDPR should emphasize that disabled persons should be assisted in making their own decisions wherever possible. Several jurisdictions have successfully implemented supported decision-making frameworks. For instance, Canada’s Personal Directives Act in Alberta allows individuals to designate supporters who help them make decisions rather than replacing their agency. The positive about this provision is that this support is available to all individuals, not just the disabled population. Similarly, Australia’s National Disability Insurance Scheme (NDIS) recognizes supported decision-making as a core principle, ensuring that individuals with disabilities have assistance without losing their decision-making rights. These examples illustrate how India could develop a more inclusive model that empowers disabled persons rather than stripping them of their autonomy.
- Ensuring Accessibility in the Consent Process – The process for obtaining verifiable consent must be made accessible to people with disabilities, including the provision of assistive technologies, easy-to-read formats, and alternative communication methods.
- Regular Review and Oversight – There should be a mechanism to review instances where consent is given by a guardian, ensuring that such decisions are made in the best interest of the disabled individual and not as a blanket policy.
How Do the Right to Live with Dignity and the Right to Privacy Tie into the DPDPR?
The right to live with dignity and the right to privacy are constitutionally guaranteed under Article 21 of the Indian Constitution. The Supreme Court has consistently interpreted Article 21 to encompass the right to make autonomous decisions and safeguard personal integrity. In the landmark case of K.S. Puttaswamy v. Union of India (2017), the Court reaffirmed that the right to privacy is intrinsic to the right to life and liberty. For disabled persons, this right is especially critical, as the ability to make independent decisions is directly linked to their autonomy, self-determination, and full participation in society. Decision-making empowers individuals to assert control over their personal and digital lives, ensuring they are not subjected to paternalistic structures that diminish their agency. In the digital sphere, where data privacy and online interactions are integral to modern life, the capacity to make informed choices is not just a matter of convenience but a fundamental right that upholds dignity and equality.
The DPDPR’s framework, however, risks infringing upon these rights by presuming incapacity in disabled individuals without adequate differentiation. The infantilization of disabled persons through legal provisions that mandate decision-making by guardians rather than by the individuals themselves contravenes the dignity principle under Article 21. Moreover, allowing third parties, such as legal guardians, to exercise control over a disabled person’s personal data without strict oversight undermines the fundamental right to privacy. The lack of procedural safeguards may lead to undue exploitation, violating the principles of autonomy and self-determination upheld by Indian constitutional jurisprudence.
A more balanced approach that prioritizes supported decision-making and ensures that disabled persons retain as much control as possible over their own data would better align with constitutional guarantees of dignity and privacy.
Conclusion
The DPDPR, while aiming to safeguard personal data, inadvertently risks curtailing the rights of disabled individuals by reinforcing outdated notions of incapacity. The lack of recognition for supported decision-making and the failure to consider the diverse needs of disabled persons contribute to a framework that undermines autonomy. However, by drawing from international best practices and aligning with constitutional principles such as the right to privacy and dignity under Article 21, India can foster a more inclusive and equitable digital landscape. The implementation of supported decision-making mechanisms, robust oversight, and accessible consent processes are necessary steps to ensure that digital privacy laws protect, rather than restrict, the rights of disabled individuals. Reforming the DPDPR with these considerations in mind would be a significant move toward achieving true digital inclusion and empowerment for all.
