In 2023, India embarked on a new era of data protection by enacting the Digital Personal Data Protection Act, 2023 (DPDP Act). Subsequently, the government released the Draft Digital Personal Data Protection Rules, 2025 (draft DPDP rules) in January 2025 for stakeholder consultation, which concluded on 5 March 2025.
The DPDP Act has received the assent of the president of India but is not yet in force. Until it is brought into force, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules) will continue to govern data protection in India. The Ministry of Electronics and Information Technology (MeitY) is considering a two-year transition period for businesses to align with the DPDP Act and the forthcoming rules.

Managing Counsel, ADP Law Offices, India. Tel: +91 99100 31747. Email: ameet@adplawoffices.com
Recent statements of the MeitY minister suggest that the government expects businesses to start aligning their policies and practices with the DPDP Act now. This is easier said than done. The details of many provisions of the DPDP Act will be clarified only through the upcoming rules, which are yet to be finalised, and the government and the Data Protection Board of India (DPB) are expected to prescribe further operational requirements after that. Until the draft DPDP rules are finalised and the DPDP Act comes into force, businesses must therefore continue complying with the SPDI rules while ensuring that their policies and practices are ready for the DPDP Act and the rules when they take effect.
Complying with one regulation while preparing for another appears feasible, particularly with a two-year transition period. The reality is different. The SPDI rules provide only a foundational framework for data protection in India, with less rigorous requirements and inconsistent enforcement, so the gap between current practice and the DPDP Act is larger than it appears. Furthermore, the DPDP Act, read with the anticipated DPDP rules, yields in certain respects to sector-specific laws and functions as a baseline framework, leaving sectoral regulators free to impose additional or more stringent requirements, especially on the cross-border transfer of personal data. The need to align with these other regulations may create substantial operational and logistical hurdles and affect the ease of doing business, particularly for startups and smaller entities that lack the infrastructure and resources to implement and maintain compliance programmes effectively.
The DPDP Act’s principles-based approach presents additional challenges at the policy and operational levels.
Potential policy uncertainty. The provisions of the DPDP Act leave room for policy uncertainty, especially when read with requirements under sectoral laws. For instance, in 2020, the government banned certain Chinese mobile apps that were “stealing and transmitting users’ data in an unauthorised manner” outside India. However, now the position is marked by an unexplained shift in the government’s stance towards Chinese technology. This is illustrated by recent comments made by the MeitY minister concerning hosting the Chinese open-source AI model, DeepSeek, on Indian servers to alleviate concerns surrounding data security and privacy.

Senior Associate, ADP Law Offices, India. Tel: +91 85114 69232. Email: jasman@adplawoffices.com
The DPDP Act authorises the central government to restrict personal data transfer to foreign countries or territories. It mandates that such cross-border data transfers adhere to stringent protections outlined in sectoral laws. The draft DPDP rules further stipulate that any data transfer, within and outside India, would have to comply with restrictions articulated in general or special orders by the central government, particularly regarding accessibility to foreigners or entities linked to foreign states.
However, the legislation’s lack of detailed safeguards and reliance on executive discretion for cross-border data transfers risk arbitrary decision making and frequent regulatory changes. This can create policy uncertainty, undermining confidence in the legal framework. The potential unpredictability of these notifications and shifting policies impose compliance challenges and elevate regulatory risks for businesses and stakeholders.
Another provision that potentially creates policy uncertainty is the clause in the draft DPDP rules on the notification of personal data breaches. Under the clause, a data fiduciary must inform each affected data principal and the DPB of any personal data breach “without delay”, and must then submit a detailed report to the DPB within 72 hours. The term “without delay” is not defined in the draft DPDP rules. The absence of a specified initial reporting timeline may conflict with the existing CERT-In directions, which require the reporting of specified cyber incidents within six hours of their being noticed, further contributing to policy uncertainty and duplicating effort in high-risk cases.
Challenges in notifying personal data breaches. While the DPDP Act and the draft DPDP rules require the reporting of all personal data breaches to the DPB and to the affected data principals, they provide no threshold or criteria for reporting, obliging data fiduciaries to report every instance of a personal data breach, however trivial. Without guidance on the nature, scale and risk of an incident, this requirement may result in excessive reporting to the DPB and hamper its ability to respond effectively to the breaches that matter. It could also lead to ordinary system failures being reported as personal data breaches, adding to confusion, overwhelming affected individuals and the DPB, and causing reputational damage to data fiduciaries.
The personal data breach reporting requirement also does not take account of other sectoral regulations such as the CERT-In Directions on Cybersecurity and the Telecommunications (Telecom Cyber Security) Rules, 2024, issued under the Telecommunications Act, 2023, which mandate the notification of similar incidents to other regulatory authorities. This oversight stems from a siloed approach by government authorities, which should have undertaken a whole-of-government exercise to establish a single-window pathway for reporting personal data breaches. Multiple “reporting nodes” are likely to exacerbate vulnerabilities rather than mitigate them.

Senior Associate, ADP Law Offices, India. Tel: +91 99588 15862. Email: rishikaa@adplawoffices.com
Vague data localisation requirements. Any data localisation mandate is likely to conflict with requirements under foreign laws regarding the disclosure or transfer of personal data to foreign government agencies. The draft DPDP rules propose a data localisation requirement for significant data fiduciaries, whereby certain personal datasets and traffic data are prohibited from being transferred outside India, based on the recommendations of a committee established by the central government. This represents a shift from the government’s previous stance of moving away from strict data localisation requirements.
Arbitrary powers for requisition of information. The power to call for information from any data fiduciary or intermediary has been conferred without procedural safeguards, and appears to contradict the Supreme Court’s decision in the landmark case of Justice KS Puttaswamy (Retd) & Anr v Union of India & Ors (2017), which recognised the fundamental right to privacy guaranteed under Article 21 of the Indian Constitution. The judgment held that any state action that interferes with the right to privacy, including a demand for the disclosure of data, must meet three requirements:
- the action must be sanctioned by law;
- the proposed action must be necessary in a democratic society for a legitimate aim; and
- the action must be proportionate, ensuring a rational nexus between the objects and the means adopted to achieve them.
The DPDP Act and the draft DPDP rules do not address these three requirements and instead endow the government with wide discretionary powers to call for any information. The power is vague and arbitrary because it lacks procedural safeguards and any stated basis on which information may be sought. The DPDP Act does not even give data fiduciaries or intermediaries a means to object to or challenge a request for information.
While the draft DPDP rules propose that information be sought only for certain identified purposes, such as the security of the state or the performance of a statutory function, these purposes are worded broadly. This gives the government excessive power to seek any information and creates an imbalance favouring the government over both individual privacy rights and the ease of doing business.
To conclude, while the DPDP Act and the draft DPDP rules are significant steps towards a dedicated data protection framework that aligns India with global privacy standards, several ambiguities and operational challenges remain. Some of these flow from the DPDP Act itself, but others can be resolved through well-thought-out execution of the DPDP rules, which will be essential to striking the right balance between individual privacy rights, security, innovation and a business-friendly system.
ADP LAW OFFICES
B 809, ATS Bouquet, Sector 132, Noida
Uttar Pradesh 201304, India
Tel: +91 99100 31747
Email: ameet@adplawoffices.com