The government’s release of the draft Digital Personal Data Protection Rules, 2025, (Draft Rules) on January 3, 2025, has set the stage for rolling out the Digital Personal Data Protection Act, 2023. These rules aim to address everything from how organisations should notify users about data practices to measures for preventing and responding to breaches. While the Draft Rules promise to establish a stronger framework for safeguarding personal data, their fragmented and complex approach risks placing an undue burden on smaller businesses, often overlooking the practical challenges of compliance. This article unpacks some of the key issues with the Draft Rules and explores their implications for businesses in India.
Under the Draft Rules, organisations are expected to adopt a host of data security measures such as encryption, obfuscation, masking, use of virtual tokens, implementation of access control measures, retention of appropriate logs, and data recovery and backup mechanisms. They must also ensure that their data processors are contractually obliged to comply with these requirements.
While the emphasis on reasonable security safeguards could help foster a robust data protection culture nationwide, it may impose an undue burden on smaller businesses with limited resources, particularly those handling minimal personal data. For example, a neighbourhood Kirana store that collects basic details like name and address for home delivery may find it challenging to implement the prescribed safeguards. In such cases, the measures seem less reasonable and more disproportionate, as they fail to consider the scale and nature of the business. A risk-based framework, encouraging the adoption of industry best practices, would have been more practical than the current one-size-fits-all model.
The Draft Rules mandate that all personal data breaches, regardless of severity, must be reported to both affected users and the Data Protection Board of India (DPBI). Upon becoming aware of a breach, organisations are required to immediately notify affected individuals with comprehensive details including the breach's description, nature, extent, timing, location, potential consequences, risk mitigation and recommended safety measures and contact information for inquiries. Similar information must be concurrently reported to the DPBI.
These breach measures are flawed for two main reasons. First, the expectation that businesses will have immediate access to all the necessary details as soon as they become aware of a breach is unrealistic and unreasonable. It is widely recognised that identifying the specifics of a personal data breach—like when it happened, how much data was affected, the potential consequences, and how to mitigate risks—takes time. These details cannot be known right away, so it's puzzling that the Draft Rules mandate something so clearly unfeasible.
Second, without any reporting thresholds, customers would be inundated with notifications for even the smallest breaches. This could lead to "breach fatigue," where individuals stop paying attention to notifications, even for those breaches that may pose a serious risk.
That said, the Draft Rules allow some flexibility when it comes to notifying the DPBI about the facts and circumstances surrounding a breach, findings on who caused it, and the measures taken to prevent recurrence. These details don't need to be provided immediately but must be shared within 72 hours of becoming aware of the breach, or even longer if allowed by the DPBI.
However, these strict notification requirements can be burdensome, especially for smaller organisations with limited resources. A more practical approach could involve setting materiality thresholds for breach reporting and giving businesses a reasonable amount of time to gather the necessary information before making a notification.
A particularly controversial aspect of the Draft Rules involves the processing of children’s data. Parental consent, a prerequisite for processing, can be verified through one of two ways: (a) confirming the reliable details of identity and age of the parent if the same is already available with the organisation or (b) using the identity and age details voluntarily provided by the parent, or by way of a virtual token linked to those details.
The challenge with this approach under the Draft Rules is that it assumes children will accurately disclose their age. There is no clear guidance on what happens if a child fails to identify as a minor, and whether the organisation would be held liable in such cases. This is particularly concerning given that businesses may face penalties of up to ₹200 crore for non-compliance with obligations related to children’s data processing. Moreover, the mechanism outlined in the Draft Rules can only verify that the person granting consent on behalf of the child is an adult. However, there is no system in place to confirm that the adult giving consent is actually the child's parent.
Similar issues apply to the processing of data for individuals with disabilities. For such persons, consent must come from a lawful guardian. The Draft Rules expect businesses to verify that the guardian has been appointed by a court or an official authority, but they provide no guidance on how this verification should be carried out. Without clarification, it’s unclear how this guardian verification process would function in practice.
The Draft Rules require entities designated as significant data fiduciaries by the government, based on factors such as the volume and sensitivity of personal data, to conduct Data Protection Impact Assessments (DPIA) annually and submit their findings to the DPBI. The annual requirement for DPIAs seems misplaced. Typically, DPIAs are triggered by the introduction of new technologies or processing activities that could significantly impact privacy. Requiring them every year, regardless of changes to data practices, doesn't align with established best practices, like those under the GDPR, where a DPIA is conducted mainly when new risks arise, not on a set calendar schedule. Mandating annual DPIAs, irrespective of circumstances, could place an undue administrative burden on organisations.
The Draft Rules offer minimal clarity on cross-border data transfers, merely granting the central government the authority to impose restrictions or conditions on transferring personal data to other countries. This has reignited concerns about data localisation, fuelling fears that the government might mandate data storage within India—a move that could significantly disrupt industries reliant on global data flows.
The Draft Rules are open for consultation until February 18, 2025, offering stakeholders a chance to share their views. It is hoped that the government carefully considers these inputs to craft rules that are both practical and impactful.
(The writer is a technology lawyer specialising in data privacy, fintech, and cybersecurity. A Certified Information Privacy Professional (CIPP/E), she advises clients on data protection laws, cybersecurity compliance, and cross-border data transfers. She helps fintech companies develop innovative solutions aligned with regulatory frameworks and is a published author with a keen interest in the intersection of technology and policy)