NLR BLOG

BY NLIU LAW REVIEW

Protecting Privacy in the Digital Age: A Critical Look at India’s Data Protection Framework

Diksha Singh

February 7, 2025

Introduction

In a world increasingly driven by data and technology, India’s Digital Personal Data Protection (“DPDP”) Act, 2023, published in the Official Gazette on August 11, 2023, represents a crucial step toward safeguarding digital rights and ensuring accountability in data usage. The Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Data Protection Rules, 2025, along with an explanatory note, for public consultation on January 3, 2025, to operationalise the provisions of the Act.

Building upon this legislative foundation, the Draft Digital Data Protection Rules, 2025, outline the implementation framework for its enforcement. As India’s first data protection legislation, the Act seeks to regulate the processing of digital personal data while balancing individuals’ right to privacy with the lawful use of such data. It lays down operational obligations for data processors, special protection for children, and rights for all users. It also introduces a body for grievance redressal, the Data Protection Board of India, marking a significant step forward in India’s digital governance framework.

Shortcomings

Lack of Safeguards

The rules do not specify the safeguards the government must adopt to prevent unauthorised access and breaches when handling data obtained from Data Fiduciaries. Nor do they clarify how the government will use the collected information or for how long it will be retained. This lack of clarity raises concerns, particularly regarding government surveillance, potential data leaks, and the risk of sensitive business information being compromised in cross-agency data sharing.

Ambiguities in Operational Guidelines

The rules require data processors to give 48 hours’ notice before data erasure but do not clarify how this notice should be communicated, whether by email, SMS, or in-app notification. While users are directed to follow the steps published by businesses to exercise their rights, the absence of standardised mechanisms could lead to inconsistent practices across organisations.

Similarly, vague terms such as “reasonable security measures” are left undefined. Undefined terms have led to inconsistent interpretations of past regulations, as seen in the IT Rules, 2021, where Rule 3(1)(b)(v) mandated that platforms remove content that is “false or misleading in nature”. Without a precise definition, platforms struggled to distinguish between misinformation, satire, and opinion-based content, and the vagueness led to concerns about arbitrary enforcement and suppression of free speech.

High Compliance Cost for Small Players

The net worth threshold of INR 2 Crores and the operational capacity requirements could disproportionately impact smaller firms, restricting market diversity and hindering innovation in Consent Management services. Further, the mandate for annual Data Protection Impact Assessments (“DPIAs”) and audits imposes significant financial and operational burdens on smaller entities, potentially stifling innovation and participation.

Cross-Border Data Flow

The rules lack clarity on the mechanisms that ensure personal data sent abroad complies with local laws. They do not address practical issues, such as transfers to jurisdictions with weaker regulatory frameworks, which could expose personal data to additional risks.

Parental Consent and Verification Gaps

The provision for parental consent and verification is insufficiently detailed. While the DPDP Act obligates parental consent for children under 18, the draft rules provide no specific mechanisms for obtaining this consent. Data processors are required to ensure that parental consent is obtained and that parents are identifiable adults, but the lack of concrete guidelines leaves this obligation open to interpretation.

Additionally, there is no clear guidance on what happens if a child fails to identify as a minor, and whether the organisation would be held liable in such cases. It remains unclear whether liability for misrepresentation falls on the service provider or the parent. This is particularly concerning given that businesses may face penalties of up to INR 200 crores for non-compliance with obligations relating to the processing of children’s data.

Concentration of Authority and Lack of Oversight Mechanisms

The Data Protection Board Chairperson is empowered to take urgent actions without clearly defined oversight mechanisms, raising concerns about unchecked authority. This centralisation undermines the principles of accountability and transparency, which form the foundation of effective data protection governance.

Unrealistic Expectations for Breach Reporting Timelines

The breach reporting timelines outlined in the draft rules are also unrealistic. Organisations are expected to report breaches immediately after becoming aware of them, but modern cybersecurity incidents are often complex and require thorough investigation to determine the extent of the breach, its root cause, the entry points, and the number of affected individuals. This process can take days or even weeks, making it impractical to meet the prescribed timelines. Moreover, the absence of mandatory audit reports or remedial measures following a breach leaves users vulnerable and uninformed about the steps taken to prevent future incidents.

Language Constraints Marginalizing Non-English/Hindi Stakeholders

The rules present a significant challenge in terms of accessibility and inclusivity. Public feedback on the draft is accepted only in Hindi and English, excluding numerous non-English/Hindi stakeholders from participating in the consultation process. Furthermore, explanatory notes have not been provided in regional languages, limiting participation to experts and corporations while marginalizing a significant portion of India’s diverse population.

What Can Be Done

Incorporating International Best Practices

India can draw valuable lessons from global data protection frameworks such as the California Consumer Privacy Act (“CCPA”) and Singapore’s Personal Data Protection Act (“PDPA”). For instance, CCPA’s approach to tiered security measures based on data sensitivity allows businesses to adopt safeguards proportional to the risk associated with the data they process. Similarly, Singapore’s PDPA provides simplified compliance obligations for small and medium enterprises (SMEs) through initiatives like the Data Protection Essentials (DPE) framework. By adopting similar measures, India can enable SMEs to uphold robust data protection standards without imposing excessive compliance costs, thereby fostering innovation.

Establishing a Technical Advisory Body

A dedicated advisory body within the Data Protection Board, akin to Brazil’s National Data Protection Authority (“ANPD”) under the General Data Protection Law (“LGPD”), could provide the much-needed technical expertise and guidance for implementing the DPDP Rules effectively. This body could issue detailed operational standards, offer industry-specific recommendations, and regularly update best practices to keep pace with evolving digital ecosystems. Its role would also include bridging gaps in compliance and ensuring consistent interpretation of the rules across diverse sectors, enhancing both clarity and effectiveness in enforcement.

Introducing Certification Programs

Introducing government-backed certification programs, like Singapore’s Data Protection Trustmark (“DPTM”), would incentivise voluntary compliance and encourage organizations to adopt best practices in data protection. Such programs could serve as a mark of trust and reliability for consumers, while also helping businesses stand out in the competitive market. Certification programs could include a tiered structure to cater to the varied needs and capacities of businesses, ensuring broader participation while promoting higher standards of accountability.

Strengthening Oversight Mechanisms

To ensure transparency and accountability, the authority granted to the Chairperson of the Data Protection Board must be subject to robust checks and balances. Establishing mechanisms for independent review of urgent actions taken by the Chairperson would prevent potential misuse of power. This would strengthen public confidence in the governance framework and align the DPDP Rules with the principles of fairness and accountability that are essential for effective data protection.

Defining Realistic Timelines for Breach Reporting

Given the complexities of modern cybersecurity incidents, requiring immediate breach reporting is impractical. The rules should allow organisations sufficient time to investigate and assess the full scope of a breach before reporting. This would ensure accurate and meaningful disclosures, enhancing the effectiveness of remedial actions. Additionally, mandating post-breach audit reports and action plans could help organizations identify vulnerabilities and implement measures to prevent future incidents, thereby building user trust.

Clarifying Ambiguous Terms and Processes

To address inconsistencies in implementation, the DPDP Rules must clearly define terms like “reasonable security measures” and establish standardized processes for data retention, breach notification, and parental consent collection. Clear operational guidelines would minimize discrepancies in compliance and enforcement, ensuring that organizations, regardless of their size, can meet the requirements effectively. Standardization would also improve transparency, making it easier for businesses to plan and align their operations with regulatory expectations.

Promoting Inclusivity and Accessibility

India’s diverse linguistic landscape necessitates greater inclusivity in the implementation of the DPDP Rules. Public consultations should accommodate feedback in regional languages, while explanatory notes and draft rules should be provided in multiple languages to ensure widespread understanding and participation. Such measures would ensure that stakeholders across the country, including non-English and non-Hindi speakers, are not excluded from contributing to the development of this critical legislation.

Conclusion

While the Draft Digital Personal Data Protection (DPDP) Rules, 2025, represent a significant step towards fostering a regulated and secure digital ecosystem in India, their current form reveals several gaps and ambiguities that must be addressed. Drawing lessons from global frameworks such as the CCPA, PDPA, LGPD, and Singapore’s DPTM, India can create a robust, transparent, and inclusive data protection regime. Clear safeguards, scalable compliance mechanisms, cross-border data management strategies, and equitable oversight are essential to building trust among users and stakeholders. Stakeholders can work together to develop a data protection regime that meets the needs of India’s diverse population and its evolving digital landscape. By emphasising both innovation and accountability, the DPDP Rules can balance the twin goals of protecting individual rights and driving India’s digital economy toward sustainable growth.

This blog is written by Diksha Singh, BALLB student, NLIU Bhopal
