Pune Media

India’s data protection rules need some fine-tuning

On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the much-anticipated Draft Digital Personal Data Protection (DPDP) Rules — a key moment in India’s journey to regulate digital personal data. This step follows the passage of the DPDP Act, 2023, bringing India closer to operationalising its framework for safeguarding personal data.

The draft rules represent a departure from the earlier and controversial Personal Data Protection Bill, which many deemed overly restrictive and even hostile to industry interests. The Bill underwent extensive framing, reframing and consultations over nearly a decade, only to be rescinded when committees and government stakeholders wisely decided it was untenable.

In contrast, the positive response to the DPDP Act and its accompanying rules, reflected in conversations with businesses and in media coverage, stems from the less prescriptive, principles-based approach of the draft rules.

Unlike the earlier rush to regulate under the so-called “Brussels Effect”, where global digital rulemaking mirrored the European Union (EU)’s interventionist regulatory ethos, India has taken a more pragmatic stance. The EU’s General Data Protection Regulation (GDPR), once hailed as a gold standard by privacy experts, now faces criticism for unintended consequences — favouring well-resourced corporations, stifling smaller enterprises, and failing to significantly enhance public trust in the Internet. India’s measured approach thus far offers a refreshing alternative to Europe’s interventionist policies.

The hits: pragmatism and flexibility

One of the draft rules’ standout features is their principles-based framework for notice and consent. While the GDPR has cumbersome requirements, such as notifying users of indirect data acquisition, cross-border data transfers, and automated decision-making processes, India’s rules emphasise simplicity and clarity. This helps reduce “consent fatigue”, a significant issue in Europe, where users are inundated with unnecessary details, such as the location of data processing — information of little practical use.

In 2023, the European Commission introduced the Cookie Pledge Initiative to address growing frustration over incessant consent pop-ups. However, such course correction would have been unnecessary had the EU taken a less invasive approach to regulating user interfaces and consent mechanisms. The very existence of this pledge highlights the burdens created by prescriptive regulation.

India’s DPDP Rules sidestep these pitfalls by focusing on outcomes rather than processes, empowering users without drowning businesses and consumers in unnecessary complexities. The rules avoid dictating how entities should enable users to exercise their rights to correction, erasure, nomination, withdrawal of consent and to seek information from entities. They require only the publication of relevant information on apps and websites. In contrast, the GDPR is prescriptive about how similar information should be presented, including instances where entities may need to provide this information orally to users. Why should the state dictate every aspect of an app or website’s design or user interface? India’s approach, thankfully, respects business autonomy and innovation.

The processing of children’s personal data requires stricter protection compared to other types of data processing — which the rules provide for. However, as more children engage with digital technologies online, they increasingly benefit from certain activities, such as monitoring and tracking, which are of value in specific contexts. Take the case of educational institutions, including supplementary education and vocational training services. They rely on activities such as behavioural monitoring and tracking to deliver targeted interventions tailored to students’ academic performance. These practices leverage the benefits of learning management systems, which personalise instruction and improve educational outcomes. Recognising this, the rules thoughtfully allow exemptions for specific industries. Educational institutions, clinical and mental health establishments, allied health-care providers, and child-care centres are not required to verify parental consent for tracking and behavioural monitoring, as long as they adhere to guardrails. The exemption for such industries demonstrates a nuanced understanding of industry-specific needs, reflecting the principles of thoughtful policymaking.

The misses: data localisation, overreach

However, the draft rules are not without flaws. Their provisions for restricting cross-border data flows introduce unnecessary complexity and ambiguity. Significant Data Fiduciaries (SDFs) — large enterprises handling substantial data volumes — face potential localisation mandates that extend beyond the legislation’s original scope. While the DPDP Act allows the government to restrict personal data transfers, it limits such action to specific notified countries. Differentiating between SDFs and smaller entities, where the latter enjoy relaxed transfer rules for the same data, creates the risk of regulatory arbitrage. Smaller entities could exploit the lighter regime to gain an unfair advantage. These inconsistencies may deter investment and drive businesses out of India. The localisation provision likely stems from the challenges faced by law enforcement agencies in accessing cross-border data for investigations. While these agencies undeniably need access to such data, a narrower sectoral approach to localisation could prove more effective than a centralised one. The Reserve Bank of India’s 2018 mandate for localising payment data is a prime example of proportionate regulation. Tailored specifically to the financial sector, it effectively addressed legitimate industry concerns without causing too many business disruptions. Applying this approach to personal data could balance security and compliance with economic competitiveness.

Some areas still require greater clarity. Businesses need safeguards to verify whether users requesting information about data processing are legitimate. This necessity is acknowledged even in the GDPR. However, India’s draft rules do not address scenarios where businesses face incessant information requests or provide scope for businesses to charge a reasonable fee for requests which are excessive or even unfounded. A related ambiguity is whether the government can demand access to sensitive business data. If so, how will it ensure the protection of such information from falling into the hands of competitors? What if this information is a trade secret? These gaps highlight the need for thinking about procedural integrity.

What lies ahead

According to IBM, data breaches cost Indian businesses an average of ₹19.5 crore ($2.35 million) in 2024. Compliance with data protection laws should not be seen as a regulatory obligation, but as critical to protecting business reputation and ensuring continuity.

India must also move beyond reliance on notice-and-consent mechanisms to safeguard citizens’ privacy in future laws. Notice and consent originate from the medical profession, where they can still be deemed to work effectively in controlled settings. However, in environments such as malls, airports, or even beaches, individuals have little opportunity to provide consent. With the convergence of the Internet of Things, 5G, and artificial intelligence enabling unprecedented data collection, India must envision privacy frameworks that do not exclusively rely on the fallible principle of consent. As public consultations refine the draft rules, prioritising preservation of the framework’s flexibility and industry-specific accommodations is key. This approach will help maintain a balance between innovation, economic growth, and individual rights — something not many jurisdictions have managed to get right.

Vivan Sharan is a technology policy expert at Koan Advisory Group. Srishti Joshi is a technology policy expert at Koan Advisory Group. The views expressed are personal.

Published – January 13, 2025 12:16 am IST


