By Rajiv Chugh and Mini Gupta

The Centre set up an expert committee under the chairmanship of Justice BN Srikrishna to prepare a white paper on a data protection framework for India. The objective was to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”

The draft Digital Personal Data Protection Rules, 2025 build on the above principles and aim to provide much-needed clarity on implementation of the Digital Personal Data Protection Act, 2023, craft privacy protections while fostering innovation in India’s digital economy, and give direction to businesses in India by spelling out the compliance to be carried out.

The draft rules are open for industry consultation and propose to introduce a framework to safeguard personal data, address implementation challenges and uphold privacy rights.

The eagerly awaited regulations aim to tackle implementation hurdles, procedural discrepancies, and areas needing greater clarity within the Act. The draft has made headway in addressing these issues, yet there remains considerable opportunity for further refinement and enhancement.

It is a dual-edged prospect for companies, considering their varied scale and cultural dynamics, offering businesses the chance to enhance their compliance strategies.

The rules protect citizens’ rights by ensuring clear consent mechanisms and mandating the issuance of notices, which will help businesses build trust with customers and unlock opportunities for growth in privacy-conscious markets. The authorities have not provided any uniform template for the dissemination of notices, thereby granting businesses the latitude to tailor their notification frameworks to the nature of the data being processed. This equilibrium between regulatory guidance and operational flexibility exemplifies the realistic approach followed in the rules.

The trend towards detailed consent requests is set to enhance privacy culture and data protection, empowering individuals and prompting businesses to integrate privacy-by-design into their core practices.

The introduction of consent managers is a novel approach, yet there are outstanding concerns around practical application and seamless integration with data fiduciaries, which need further clarification. The effective implementation of consent managers will necessitate a collaborative approach involving government entities, consent managers and business organisations.

The rules highlight the need for verifiable consent from a parent or lawful guardian when handling the data of children and persons with disabilities, subject to specific exemptions for educational institutions, healthcare providers and child welfare groups. The prohibition of tracking, profiling and targeted advertising directed at children solidifies the rules’ intent to maintain their online interactions as constructive and protected.

The regulation’s emphasis on the protection of data represents a pivotal advancement in fostering a more secure digital landscape and underscores India’s dedication to the responsible cultivation of its future digital citizenry.

In essence, the path ahead for businesses is not merely about regulatory compliance as a checkbox exercise; it demands a deeper commitment. It also provides an opportunity to gain competitive advantage. Establishing a privacy-by-design framework, investing capital in sophisticated technical infrastructure and establishing comprehensive data lifecycle management protocols are essential to building trust within a data-centric economy. To meet impending legal enforcement deadlines, businesses must take immediate, proactive steps.

Rajiv Chugh is tax partner and Mini Gupta is partner-tech consulting with EY India.

Views expressed are the authors’ own and not necessarily those of financialexpress.com.