Draft Digital Personal Data Protection (DPDP) Rules, 2025

On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection (DPDP) Rules, marking a significant step in India’s efforts to regulate digital personal data. This follows the passing of the DPDP Act, 2023, and represents a shift from the previously criticized Personal Data Protection Bill.

Principles-Based Framework

• India's approach departs from the EU’s GDPR, favoring a less prescriptive, principles-based framework.
• Emphasis on simplicity and clarity is intended to reduce "consent fatigue" among users.
• The framework focuses on outcomes rather than prescribing processes, thereby empowering users without overwhelming businesses.

Protection for Children's Data

• Stricter protections are established for processing children's data.
• Exemptions are provided for educational institutions and health services for activities like behavioral monitoring, which benefit children’s educational outcomes.

Flaws and Challenges

• The rules introduce complexities concerning cross-border data flows.
• Potential data localisation mandates for Significant Data Fiduciaries (SDFs) could lead to regulatory arbitrage.
• Ambiguities remain regarding how businesses can authenticate data requesters or charge for excessive requests.
• Concerns exist about whether the government can access sensitive business data.

Need for Procedural Integrity

• Procedural integrity is crucial to ensure sensitive data remains secure.
• Businesses need safeguards to manage information requests effectively.
• The rules should address data protection as a critical aspect of business reputation and continuity, not just a regulatory obligation.

Future Considerations

• India needs to move beyond notice-and-consent mechanisms to protect privacy, especially as technologies like IoT, 5G, and AI evolve.
• Public consultations are essential to refine the draft rules, balancing innovation, economic growth, and individual rights.

The article emphasizes that while the DPDP rules offer a more flexible approach compared to the EU’s GDPR, certain areas require further clarity and refinement. This includes addressing procedural integrity and ensuring the rules accommodate industry-specific needs without stifling innovation.