Experts working with the tech industry tentatively welcomed the draft Digital Personal Data Protection Rules, 2025, issued on Friday (January 3, 2025). The draft Rules document “gives broad direction to the industry to start preparing for compliance,” Aparajita Bharti, a founding partner at TQH Consulting, which works with tech companies in complying with Indian laws, said in a statement. “It is encouraging to finally witness progress on this front,” Shreya Suri, senior partner at IndusLaw said in a statement.
They highlighted gaps, however, that they hope that the ensuing consultation process will resolve. Industry associations have so far not directly commented on the draft. “The draft rules provide some clarity on framing and displaying notices [to users, or “data principals”] under the Digital Personal Data Protection Act, but they fall short in offering guidance on the mode of delivery or issuance—something well-defined under GDPR,” Ms. Suri said, referring to Europe’s General Data Protection Regulation.
“One key concern in the rules is potential room for bringing data localisation requirements for significant data fiduciaries as they mention that a committee may do so in the future,” Ms. Bharti said, referring to the draft leaving the door open for the government to restrict the overseas processing of Indians’ data. Tech companies are likely to seek particular clarity on this front, as they usually store and process user data in servers around the world.
The draft’s rules around minors having to get parental consent to sign up for online services raised some eyebrows, as the rules mandate that platforms verify parents’ identity first. “How do you know if someone is a parent or not,” Nikhil Pahwa, editor of the tech policy website MediaNama asked. This could mean that “platforms will have to verify EVERYONE,” he speculated on X, formerly Twitter.
Ms. Suri opined that the government’s “approach might rely on self-declaration by users, allowing them to indicate whether they are minors or adults,” but hinted at a broad data collection; depending on the implementation, this “could potentially lead to broader processing of parental or guardian data, which raises interesting considerations regarding the scale and scope of such data collection,” she said.
The DPDP Act, 2023 already exempts government organisations from the law, and the Rules set out the “standards” for such exemptions. However, Ms. Bharti said, “The draft rules also do not explicitly address exemptions, processing grounds, or other frameworks specifically tailored for AI model training purposes.”
“Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could necessitate changes at the design and architecture level of applications and platforms,” Mayuran Palanisamy, Partner at Deloitte India said in a statement.
The Internet Freedom Foundation flagged a lack of specificity in the draft, saying in a statement that “terms like “reasonable safeguards”, “appropriate measures”, or “necessary purposes” are used without adequate elaboration” in the text. Since the Data Protection Board will not be a fully independent entity, IFF added, “large parts of the implementation and enforcement will be administered by the Ministry of Electronics and Information Technology raising apprehension.”
“We want to ensure that in their finality, the age verification process, complaints and enforcement are easier for people and not yet another burdensome run-around with no recourse where their data is illegal collected, used, shared and breached,” Mishi Choudhary, founder of the New Delhi-based Software Freedom Law Centre, India said.
Published - January 04, 2025 03:59 pm IST