Draft DPDP rules: Are we ready for the new data law yet?

A significant departure from the Act is that the Central government may limit the nature of data that may be accessible by a foreign state, even if data transfer is permissible to the state.

The new year has started on a positive note with the Ministry of Electronics and Information Technology publishing a draft of the Digital Personal Data Protection Rules, 2025 for public consultation. The much-awaited draft rules were meant to clarify several open questions under the Digital Personal Data Protection Act, 2023 and bring us closer to India’s very first comprehensive and dedicated data protection legislation being brought into effect.

The reality, though, is slightly different. While the new law on personal data will play a transformative role in India’s data privacy landscape and will hopefully boost cross-border deals with India faring better on the adequacy standards, in several aspects, the Indian framework is even more regimented than some of its global counterparts and fails to adequately address all open issues.

For instance, the provisions on data breach intimation require prompt reporting to the Data Protection Board as well as the data subject, with specific details on the breach consequences and risk mitigation measures forming part of such disclosure. This, coupled with the existing CERT-In reporting obligations, imposes an unreasonable burden on data fiduciaries, along with the concern that premature disclosure to data subjects might cause more harm than benefit.

Similarly, the age-gating provisions put the onus on data fiduciaries to obtain verifiable consent, which will require revamping business processes and legal compliance and may hinder the use of AI tools by companies catering to a population under the age of 18, including edu-tech companies, gaming platforms and companies offering financial services to teens, among others.

The manner and extent of compliance by entities that collect personal data offline but subsequently digitise the same is also unclear. The privacy notice assumes digital data collection and a digital interface available to data subjects to provide consent to the notice and exercise their rights. There is still no clarity on who is a significant data fiduciary. A significant departure from the Act is that the Central government may limit the nature of data that may be accessible by a foreign state, even if data transfer is permissible to the state.

Data fiduciaries regulated by sectoral regulators will need to ensure dual compliance with the DPDP Act and Rules along with sector-specific regulations governing data processing, localisation, cybersecurity, and breach response.

The DPDP Rules are definitely a step forward in the long journey towards India having its own data privacy regulation, but without some of these issues being resolved, data fiduciaries will have to grapple with uncertainties and a compliance burden, in addition to the risk of non-compliance.

Namita Viswanath, Partner, IndusLaw

The New Indian Express
www.newindianexpress.com