COAI seeks clarity as DPDP rules 2025 come into effect

The Cellular Operators Association of India (COAI) has responded to the Ministry of Electronics and Information Technology’s (MeitY) notification of the Digital Personal Data Protection (DPDP) Rules 2025, describing the development as a significant step in operationalising India’s data protection framework.

Lt Gen Dr S P Kochhar, Director General of COAI, said the new rules represent an important moment in the evolution of India’s digital governance architecture. “The Digital Personal Data Protection Rules (DPDP) 2025… mark a significant milestone in operationalising India’s data protection framework,” he noted. He added that by adopting a purpose-limited, notice-and-consent model with clear reporting timelines and fiduciary accountability, the framework places India among countries with comprehensive data protection systems. “COAI and its members welcome this progress and remain fully committed to supporting the effective implementation of the DPDP Act,” he said.

However, COAI has reiterated the need for additional clarity in several areas previously highlighted during public consultations. These include the parameters for a security compliance framework, approaches to age verification for minors, interpretation of “purpose limitation” and “legitimate use”, multilingual consent mechanisms, breach-reporting obligations, duties of consent managers and alignment with existing sectoral laws. According to the association, most of these concerns remain unaddressed in the notified rules.

Dr Kochhar emphasised the importance of a risk-based security approach aligned with established telecom standards, given the sector’s already detailed and resource-intensive compliance requirements. COAI has recommended that the Data Protection Board adopt such an approach to ensure strong protections while maintaining operational practicality.

On breach-notification requirements, COAI advocates a proportionate reporting model similar to frameworks in Japan and several EU jurisdictions. The association argues that, with multiple overlapping reporting mandates under the IT Act, CERT-In directions, Department of Telecommunications (DoT) guidelines and now the DPDP Rules, harmonised timelines and a unified notification process would help avoid duplication. A standardised incident-reporting format accepted by all relevant authorities, COAI says, would support consistent and efficient compliance. Dr Kochhar noted that such an approach aligns with recent recommendations from the NITI Aayog panel on regulatory reform.

COAI also raised concerns about the practicalities of verifying consent for minors under the age of 18, particularly in the context of SIM card acquisition. The organisation previously suggested an exemption for minors aged 16 to 18, citing diverse household structures and the government’s own efforts to promote digital autonomy among young people.

Regarding the obligations for Significant Data Fiduciaries, COAI reiterated its view that Data Protection Impact Assessments (DPIAs) should be risk-based rather than mandatory on an annual basis. Recognising DPIAs conducted under global standards, such as the GDPR, could help prevent unnecessary duplication, the association argued.

For consent managers, COAI believes that restrictions preventing directors or key personnel from having any association with data fiduciaries may be overly restrictive. Dr Kochhar noted that established organisations across the technology, finance and telecom sectors possess the expertise to responsibly operate such systems.

COAI has therefore proposed safeguards against preferential treatment, rather than blanket prohibitions. It also suggested either permitting a common industry-led consent management layer for telecom operators or confirming that operators may continue using their internal consent-management systems if they meet DPDP standards.

COAI further recommended that the DPDP Act’s overriding clause should be applied in line with the legal principle that specific laws take precedence over general laws. Harmonising telecom-sector rules with the DPDP framework would help ensure clarity and minimise compliance uncertainty.

The association is preparing detailed submissions to MeitY on the DPDP Rules. Dr Kochhar reaffirmed the industry’s commitment to a secure and future-ready data protection framework, stating: “COAI and its members affirm their longstanding commitment to a strong, secure and future-ready data protection ecosystem. We will continue to constructively work with the Government to ensure effective, balanced and industry-aligned implementation of the DPDP framework.”