By Manoj Chugh
India’s Digital Personal Data Protection Act (DPDP Act), enacted in August 2023, is landmark legislation that establishes a comprehensive framework for personal data protection. The draft Digital Personal Data Protection Rules, 2025, released on 3 January 2025, aim to operationalise the provisions of the Act. The Act will undoubtedly go a long way in safeguarding digital personal data. While the benefits to the common citizen are laudable, there are clearly areas that need to be urgently addressed.
Let us first begin with the positives:
- Comprehensive framework: The DPDP Act introduces a structured approach to managing digital personal data, emphasising individual privacy rights and outlining obligations for data fiduciaries.
- Rights of data principals: The Act empowers individuals (“data principals” in the Act’s terminology) with rights such as access to personal data, correction and erasure, grievance redressal, and the ability to nominate a representative to manage their data posthumously. Citizens will see this as a big positive.
- Significant data fiduciary obligations: The Act allows the Government to designate significant data fiduciaries based on criteria such as the volume and sensitivity of data processed, mandating additional responsibilities such as appointing a Data Protection Officer and conducting Data Protection Impact Assessments.
While the rules cover a wide spectrum, there are some areas that need to be addressed to position India as a leader in data privacy, given our global ambitions. These include:
- Data localisation requirements: Data is the lifeblood of a nation. The draft rules provide for data localisation, restricting the transfer of certain categories of personal data outside India. This approach has faced criticism for potentially increasing operational costs for businesses and creating barriers to global data flows. A more flexible approach could be taken with regard to data flows to friendly and trusted nations. Allowing cross-border transfers to trusted jurisdictions with robust data protection frameworks would position India as a key player in global trade; India wants to increase exports of goods and services to achieve its vision of “Viksit Bharat” by 2047. India could establish bilateral or multilateral agreements that safeguard cross-border data flows while ensuring accountability.
- Parental consent for minors: Requiring verifiable parental consent before processing the personal data of individuals under 18, including for access to social media platforms, presents practical challenges in verifying a user’s age and in obtaining consent that is genuinely verifiable. This could inadvertently limit access to online resources for minors. The Government could consider lowering the age threshold for parental consent to 16, aligning with the default threshold under the EU’s GDPR (which member states may lower further). In addition, clear, technology-driven mechanisms for age verification that are not overly intrusive need to be defined. Implementing this rule in practice will be onerous. Self-declaration may turn out to be the pragmatic way forward, given India’s massive rural population that accesses online services and platforms and the difficulty of obtaining verifiable parental consent at that scale.
- Broad exemptions for government agencies: The Act exempts government agencies from certain data protection obligations, which has raised concerns about potential misuse and the undermining of individual privacy rights. The Government should consider narrowing the scope of these exemptions and defining the specific scenarios in which they apply. In addition, an independent oversight mechanism should be introduced to monitor government access to and use of personal data.
- Ambiguity in implementation: Several provisions in the draft rules lack clarity, particularly regarding the specific obligations of significant data fiduciaries and the criteria for data processing norms. This ambiguity could lead to inconsistent enforcement and compliance.
- Enforcement mechanism: The establishment of the Data Protection Board of India as an adjudicating body is a positive step. However, details about its composition, independence and powers need to be clearly outlined to ensure its effectiveness in upholding data protection standards. The Board should operate independently, with a clear mandate and transparent processes. Penalties should not be applied on a “one size fits all” basis: minor violations must be distinguished from severe ones, and penalties applied accordingly.
- Support for SMEs: Stringent compliance requirements may disproportionately burden SMEs. While certain entities will be exempted, the thresholds for exemption have yet to be defined. In addition, simplified compliance procedures for smaller entities, such as reduced reporting requirements, should be enabled, and financial and technical support should be provided to help SMEs adopt data protection measures.
- Data breach notifications: While data breaches must be reported to the Data Protection Board within 72 hours, the same incident also has to be reported to another agency, CERT-In, under its own directions, which set a much shorter six-hour reporting window. This overlap of jurisdiction and timelines can cause confusion. Also, in the case of a sophisticated attack, the remedial measures to be undertaken could take more than 72 hours to determine. This places an additional burden on the fiduciary, which will have to seek a specific extension of the 72-hour deadline for such breaches.
- Align rules with international standards: Misalignment with global data protection frameworks may discourage foreign investment. Aligning provisions with global standards such as the EU’s GDPR will foster international collaboration. Also, India’s participation in the Quad and other partnerships can be leveraged to establish cross-border data norms.
- Develop privacy awareness campaigns: The success of the framework will depend on public awareness and understanding of rights and obligations. Nationwide campaigns to educate citizens about their data rights and responsibilities, run in partnership with industry and civil society to promote digital literacy, will go a long way.
It is important to understand that mandating storage and processing of certain personal data within India increases operational costs and fragments global data operations for foreign players investing deeply in India. Clear definitions of sensitive personal data and transparent processes for seeking transfer permissions will be required. Data localisation requirements will limit access to cost-effective global infrastructure and tools, which would hinder innovation around AI, where data is the “oil”. Compliance costs for SMEs could pose a challenge, so a simplified regime and a phased approach need to be considered. Finally, broad government exemptions are a cause for concern over privacy risks for consumer data accessed by government agencies without proper oversight.
To conclude, the DPDP Act and its accompanying draft rules signify India’s strong commitment to strengthening data protection and privacy. While the framework introduces essential safeguards and rights for individuals, addressing the concerns above will enable wholehearted acceptance by all stakeholders. Refining the rules will help balance individual privacy rights with practical compliance requirements. These changes would enhance trust among stakeholders, foster innovation, and position India as a leader in global data governance.