Data protection rules: India Inc says challenges remain

While the industry has broadly welcomed the draft, experts suggest that there is still substantial work to be done to address implementation hurdles, procedural gaps, and areas of ambiguity in the Act.
Image used for representational purposes only.
Image used for representational purposes only.FILE | Special Arrangement
Updated on
2 min read

NEW DELHI: The Ministry of Electronics and Information Technology has released the much-awaited draft rules for the Digital Personal Data Protection Act, 2025.

While the industry has broadly welcomed the draft, experts suggest that there is still substantial work to be done to address implementation hurdles, procedural gaps, and areas of ambiguity in the Act.

“These rules were highly anticipated as there was an expectation that they would clarify the Act’s implementation challenges,” said Sherya Suri, Partner at Indus Law.

“While the draft covers several critical aspects, there’s still significant ground to cover. I anticipate a rigorous consultation process that will ensure the final version reflects the needs of all stakeholders. Continued engagement from the government will be key to ensuring effective implementation.”

Goldie Dhama, Partner at Deloitte India, said the draft offers important clarifications, mainly regarding verifiable consent for children’s data. This includes scenarios where data fiduciaries may not need to obtain consent for processing children’s data in certain circumstances.

After a gap of over 16 months, the Ministry of Electronics and Information Technology on Friday introduced regulations under the Digital Personal Data Protection Act 2025.

The Act, which outlines how companies and government agencies should handle digital personal data, is open for consultation until February 18, 2024. These rules, known as the Digital Personal Data Protection Rules, 2025, come into effect upon publication, except for Rules 3 to 15, 21, and 22, which will take effect at a later date.

The draft rules introduce provisions for online platforms to verify the age and identity of parents when obtaining consent to process the data of users under 18. To verify parental consent, the rules propose two methods. When the parent is a platform user and child wishes to create an account on a platform that the parent already uses, the platform can rely on the identity and age details the parent has previously provided.

For example, if a child wants a YouTube account and the parent has already verified their identity with YouTube, the platform can use that information to confirm the parent is an adult. When the parent is not a platform user, in this case, platforms may verify the parent’s age and identity through a legally authorized entity or government body.

The draft also includes provisions specific to healthcare such as clinical and mental health establishments can process a child’s data without parental consent, but only to provide essential health services. The same exemption is there for using the data for educational purpose.

Additionally, the DPDP Act mandates that platforms obtain verifiable consent from guardians when processing the data of individuals with disabilities. To safeguard personal data, companies will be required to implement stringent security measures, such as encryption, obfuscation, and the use of virtual tokens.

In the event of a data breach, companies must notify both the Data Protection Board (the privacy regulator) and affected individuals. Failure to report a breach could result in fines of up to Rs 200 crore, while companies failing to implement adequate security measures could face penalties of up to Rs 250 crore.

Image used for representational purposes only.
DPDP Act will balance innovation and regulation, safeguard citizens' rights: IT Minister Vaishnaw

Related Stories

No stories found.

X
The New Indian Express
www.newindianexpress.com