By Arjun Sinha, Partner, AP & Partners
India’s long-awaited data protection framework is taking shape with the Digital Personal Data Protection (DPDP) Act, 2023, laying the groundwork for managing personal data in one of the world’s fastest-growing digital economies. However, the draft DPDP Rules, 2025, will be the real game-changer, determining how effectively the law balances privacy protection with economic growth. If these rules are overly stringent or out of touch with business realities, they risk stifling innovation and burdening smaller firms. Done thoughtfully, they can safeguard privacy while fostering a thriving digital ecosystem.
Drawing from industry insights, here are key ways to ensure the DPDP Rules hit the mark:
- Avoid Redundant Compliance Burdens: Sectors like banking, insurance, and stockbroking already follow strict data and cybersecurity standards set by regulators like the RBI and SEBI. Forcing these businesses to duplicate efforts—through repetitive audits or reports—under the DPDP Act would be inefficient and costly. Recognising compliance with existing regulations as sufficient for DPDP is practical, and early signs suggest the government is open to this.
- Don’t Price Out Businesses: India’s economy runs on small and medium enterprises (SMEs), but one-size-fits-all data rules could raise the cost of doing business. Annual data audits or expensive age-verification technologies for children’s data will impose high costs. India needs a risk-based system: tougher requirements for companies handling sensitive data, simpler ones for low-risk businesses. If not, the DPDP Rules will create barriers for the very businesses India wants to promote. Extended timelines would also help: a longer lead time would give traditional businesses and SMEs room to build and absorb a privacy-first culture. This is particularly crucial because these businesses often have limited resources, lower privacy maturity, and may require significant operational and organisational adjustments to align with the compliance requirements under the DPDP Act. A phased implementation approach would allow them to invest in the essential technology measures, conduct necessary training, and establish robust data protection mechanisms without disrupting their core business operations.
- Don’t Turn Every Breach into a Crisis: The draft DPDP Rules require companies to notify users of every single data breach, no matter how minor. This is unnecessary and would flood people with alerts they don’t understand, much like the endless cookie-consent pop-ups that most people ignore. Instead, India should focus on breaches that actually harm people, like financial data leaks or identity theft. That is how the EU’s GDPR does it: only personal data breaches likely to result in a high risk to the rights and freedoms of individuals need to be communicated to them. Also, the 72-hour deadline for reporting breaches is too tight, especially for complex cyberattacks. Businesses need time to investigate and understand what happened before disclosing. However, this seems to be something the government may be unwilling to reconsider, giving primacy to user needs.
- Protect Kids Without Making the Internet Unusable: Children deserve special protection, but the current draft requires verifiable parental consent for all of them. A risk-based approach would be smarter. Platforms aimed at children should meet higher standards, but others should be allowed simpler checks, like self-declared age. The verification methods could also exclude first-generation learners whose parents may be unable to provide consent. The proposed exemptions do not align with how online businesses work, as they exclude platforms delivering health or education services.
- Harmonise with Global Standards: Unlike Europe’s GDPR or Singapore’s PDPA, India’s DPDP Act currently excludes “legitimate interests” and “performance of a contract” as legal bases for data processing, which are widely used by businesses globally. This omission could place Indian companies at a disadvantage, especially in scenarios involving multiple data fiduciaries, such as Online Travel Agencies (OTAs), where obtaining direct user consent is complex. In contrast, GDPR and Singapore’s PDPA permit data processing under these grounds, streamlining business operations while upholding data protection. To align with global best practices and address practical challenges, the DPDP Rules should incorporate ‘Performance of Contract’ and ‘Legitimate Interests’ alongside ‘Consent’ and ‘Certain Legitimate Uses’ as valid grounds. This is equally critical for scenarios like journalistic processing, handling user-generated content, or managing third-party data, which align with constitutional protections for free speech.
- Government Access to Data Needs Guardrails: The DPDP Act gives India’s government broad powers to demand data from companies, but the draft Rules don’t explain how those requests will work or set limits. Without clear rules, businesses could be forced to share more data than necessary, undermining user trust and possibly inviting abuse. The absence of robust security safeguards raises concerns regarding potential unauthorised access by other government departments or private entities. India needs procedures that ensure any government request is necessary, proportionate, and time-bound.
- Data Protection Board Should Guide, Not Just Punish: The DPDP Act sets up a Data Protection Board to enforce the law. But right now, the Board has no power to issue guidance or help companies comply. The Board should be empowered to issue clarifications, FAQs, and best practices, similar to what Data Protection Authorities and the EDPB do in Europe. Empowering the Board to issue such guidance is much needed in this nascent stage of data privacy law jurisprudence in the country. Such guidance could help mitigate ambiguities, reduce inadvertent violations, and foster a more transparent and accountable data protection ecosystem in India.
India stands at a crucial juncture to carve out a data protection framework that fairly blends robust privacy safeguards with dynamic economic growth, potentially setting a global standard. For the DPDP Rules to succeed, they must emphasise practicality and predictability, ensuring compliance is streamlined, non-redundant, and scaled to the risks at hand. By cultivating trust in digital ecosystems, these rules can unlock innovation and investment, driving India’s digital economy forward to accelerate the journey of becoming Viksit Bharat.