The Digital Personal Data Protection Act (DPDP Act), enacted in August 2023, represents a landmark moment in India’s digital governance journey. It provides a comprehensive framework for personal data protection and marks a decisive step towards safeguarding citizen privacy. The release of the draft DPDP Rules, 2025 on January 3rd aims to operationalise the Act’s provisions, ensuring its vision translates into effective implementation.
While the law offers commendable safeguards for individuals, several critical issues remain that must be addressed for India to emerge as a global leader in data privacy and digital trade.
The Positives
- Comprehensive Framework – The Act establishes a structured, rights-based approach to digital personal data management, setting clear obligations for data fiduciaries.
- Empowered Citizens – Individuals gain rights such as access, correction, erasure, grievance redressal, and posthumous data management through a nominated representative.
- Stronger Fiduciary Duties – Significant Data Fiduciaries face additional responsibilities, including appointing Data Protection Officers (DPOs) and conducting impact assessments.
The Concerns
- Data Localisation
  - Mandatory localisation increases costs, fragments operations, and may hinder AI innovation.
  - A flexible approach that permits transfers to "trusted nations" with robust frameworks would align with India's global trade and Viksit Bharat 2047 ambitions.
- Parental Consent for Minors
  - Requiring parental consent for under-18s poses practical challenges in age verification.
  - Lowering the threshold to 16 years, in line with GDPR, and adopting pragmatic, tech-driven mechanisms (e.g., self-declaration) could make compliance realistic.
- Broad Exemptions for Government Agencies
  - Wide-ranging exemptions raise concerns over unchecked access to personal data.
  - Narrowing exemptions and creating an independent oversight body would strengthen trust.
- Ambiguity in Implementation
  - Provisions lack clarity on fiduciary obligations and processing norms, risking inconsistent enforcement. Clearer definitions and criteria are essential.
- Enforcement & Penalties
  - The Data Protection Board of India must operate with independence and transparency.
  - Penalties should differentiate between minor lapses and serious breaches, avoiding a one-size-fits-all approach.
- Support for SMEs
  - Stringent compliance could overburden smaller players.
  - Exemptions, phased adoption, and financial/technical support would ensure inclusive compliance.
- Data Breach Notifications
  - The 72-hour reporting mandate overlaps with CERT-In requirements, creating confusion.
  - Flexibility is needed for complex breaches that require longer investigation timelines.
- Global Alignment
  - Misalignment with frameworks such as the EU's GDPR could deter foreign investment.
  - Aligning with international standards and leveraging partnerships (e.g., the Quad) would bolster India's role in global data governance.
- Privacy Awareness Campaigns
  - Public trust hinges on awareness.
  - Nationwide digital literacy and awareness drives, in partnership with industry and civil society, are critical.