India’s Draft Digital Personal Data Protection (DPDP) Rules, 2025
Background
- On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection (DPDP) Rules.
- This step follows the passage of the DPDP Act, 2023, bringing India closer to operationalising its framework for safeguarding personal data.
- Unlike the earlier rush to regulate under the so-called “Brussels Effect”, where global digital rulemaking copied the European Union (EU)’s interventionist regulation, India has taken a more pragmatic stance.
- The EU’s General Data Protection Regulation (GDPR), once hailed as a gold standard by privacy experts, now faces criticism for unintended consequences such as favouring well-resourced corporations, stifling smaller enterprises, and failing to significantly enhance public trust in the Internet.
- India’s measured approach thus far offers a refreshing alternative to Europe’s interventionist policies.
Positive Aspects of the Rules
- Principles-Based Framework: The rules give importance to simplicity and clarity in notice and consent mechanisms, reducing unnecessary regulatory burdens on businesses.
- Avoiding Consent Fatigue: Unlike the GDPR, which burdens users with excessive notifications, India’s approach streamlines consent requirements to enhance user experience.
- Flexibility in Compliance: The rules focus on outcomes rather than rigid processes, allowing businesses to implement compliance measures in a way that suits their operations.
- Respect for Business Autonomy: Unlike the prescriptive nature of GDPR, India’s framework does not dictate specific user interface designs, preserving innovation and adaptability.
- Sector-Specific Exemptions: Recognizing industry needs, exemptions are provided for educational institutions, healthcare providers, and child-care centers, allowing behavioral monitoring and tracking without parental consent under certain conditions.
- Balanced Approach to Regulation: Instead of blindly following the EU’s GDPR model, India’s approach is pragmatic, avoiding overreach while safeguarding digital privacy.
Possible Problems in the Rules
- Cross-Border Data Flow Restrictions: The rules introduce unclear and complex restrictions on transferring data outside India, particularly for Significant Data Fiduciaries (SDFs). This could lead to regulatory arbitrage, where smaller entities exploit lighter regulations for competitive advantage.
- Data Localisation Mandates: Potential data localisation requirements for large enterprises may deter foreign investment and increase operational costs, making India a less attractive business destination.
- Executive Overreach: The government holds excessive power in determining compliance obligations, and public consultations on the draft rules have been restricted, undermining democratic participation.
- Limited Independence of the Regulatory Body: The Data Protection Board (DPB) lacks autonomy since its chairperson is selected by a government-led committee, raising concerns about political influence and lack of impartial enforcement.
- Unclear Data Breach Notification Timelines: There are no specific deadlines for notifying users about data breaches, increasing risks for individuals affected by security incidents.
- Concerns Over Government Access to Sensitive Data: Rule 22 allows the government to requisition information without clear limitations, raising fears about potential misuse and compromising trade secrets of businesses.
- Broad Exemptions for Government Data Processing: Rule 5 exempts government agencies from consent requirements when processing personal data for subsidies and benefits, weakening accountability and oversight.
Way Forward
- According to IBM, data breaches cost Indian businesses an average of ₹19.5 crore ($2.35 million) in 2024.
- Compliance with data protection laws should be seen not as a regulatory obligation, but as critical to protecting business reputation and ensuring continuity.
- With the convergence of the Internet of Things, 5G, and artificial intelligence enabling unprecedented data collection, India must envision privacy frameworks that do not exclusively rely on the fallible principle of consent.
- As public consultations refine the draft rules, prioritising preservation of the framework’s flexibility and industry-specific accommodations is key. The consultation process should also work to address the possible problems that may arise from the implementation of the Rules.
- This approach will help maintain a balance between innovation, economic growth, and individual rights — something not many jurisdictions have managed to get right.