The much-awaited draft regulations for the Digital Personal Data Protection (DPDP) Act, 2023, were made public by the Ministry of Electronics and Information Technology (MeitY) on 3rd January 2025. Since then, they have sparked widespread discussion across the industry.
The draft rules establish requirements for cross-border data transfers, mandate express consent for data processing, and enforce strict protocols for managing data breaches.
Industry experts view the draft regulations as a significant step towards aligning India’s data protection framework with international standards. Many have shared their views on key provisions outlined in the draft, including user rights, data protection procedures, and the creation of a regulatory framework. Here’s a look at their insights:
Jaspreet Singh, Partner, Grant Thornton Bharat, said, "The Digital Personal Data Protection Act (DPDPA) Rules 2025 represent a pivotal advancement in safeguarding digital fundamental rights. This robust legislation prioritizes the protection of personal data, granting individuals greater control over their information in an increasingly digitalized world. By introducing stringent regulations for data collection, processing, and storage, the DPDPA Rules 2025 aim to strike a balance between technological progress and the right to privacy.
The act mandates transparency from data handlers, enforces consent-driven data usage, and imposes substantial penalties for data breaches and non-compliance. With its emphasis on accountability and user empowerment, the DPDPA Rules 2025 reaffirm the importance of data privacy as a fundamental right. This forward-looking framework is set to establish new benchmarks for digital trust and security, fostering a safer and more equitable digital ecosystem."
Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co, said, "The DPDP Rules were meant to provide operational clarity to guide compliance and industry practice. To a large extent they do this with respect to how notice has to be provided, how the DPB (Data Protection Board) will be set up, and how personal data breach reporting must take place. Flexibility has been provided for how a data fiduciary must maintain reasonable security safeguards.
That said, the Rules on how to obtain verifiable parental consent are bound to create significant compliance challenges. This is because data fiduciaries will have to maintain different consent processes for adults, minors and persons with disabilities who have lawful guardians. Also concerning are the additional conditions that the Rules are likely to impose on cross-border data flows; this was certainly not contemplated in the principal legislation. Finally, the Rules suggest that SDFs may be subject to data localization requirements; this is very concerning. This is an overreach by the Rules and is inconsistent with the provisions of the Act. The consultation process till Feb 18 will therefore be an important process."
Akshayy S. Nanda from Saraf and Partners also shared his views on various provisions of the draft rules. He stated, "The Digital Personal Data Protection (DPDP) Act was passed by Parliament in August last year. It has already been almost 16 months, and with 18th February being the deadline, the government is behind schedule in implementing the Act. The positive aspect of the draft is that it provides basic criteria rather than a rigid template. The requirements for data fiduciaries to maintain appropriate security measures have been made flexible. In line with global standards, the draft stipulates a 72-hour timeline for reporting data breaches, which is commonly followed by most countries."
On the topic of children’s data, he highlighted, "Exemptions for educational and child welfare organisations under specific conditions are acceptable, but more clarity is needed regarding the verification process for obtaining parental consent to process children’s data."
Regarding data breaches and notifications, he noted that data fiduciaries must have mitigation plans in place and notify impacted users of breaches. "While the rights of data principals have been clarified, there is no specific timeline for organisations to respond. This could result in delayed responses, with some organisations potentially stretching their responses for up to months."
He further added that while the draft rules represent a good approach by the government in setting minimum criteria, organisations will still need to assess their own practices. The approach to handling data breaches at an organisational level must be more flexible and efficient. The process is time-consuming, and it will take time to be operational at the ground level. Therefore, the government must prioritise the application of the Act as soon as possible.