India's draft data protection rules aim to safeguard privacy rights, but also grant extensive governmental discretion and impose stringent compliance requirements, creating uncertainty for businesses across consent management, breach reporting, and cross-border data transfers. Experts highlight the need for clearer implementation guidelines.
As India advances toward implementing its first comprehensive data protection framework, the recently released Draft Digital Personal Data Protection Rules, 2025 have sparked intense discussion about their practical implications. These rules represent a significant shift in how companies must handle personal data, granting unprecedented discretionary powers to the government while imposing stringent compliance requirements on businesses.
At the heart of these new regulations lie serious concerns about the extensive government discretion embedded within the framework, which creates an uncertain environment for businesses. The rules, while attempting to establish India's first comprehensive data protection regime, grant sweeping powers to the government across multiple critical areas, from cross-border data transfers to compliance requirements.
The framework marks a departure from current practices by introducing data fiduciaries - entities that determine the purpose and means of processing personal data. These organisations face a complex balancing act between government oversight and operational feasibility, particularly in India's diverse digital landscape, where high mobile penetration coexists with varying levels of digital literacy.
Further complicating matters, the rules establish a consent-based regime that exceeds the stringency of global standards such as the General Data Protection Regulation (GDPR), while simultaneously giving the government extensive authority to demand information from data fiduciaries. This dual challenge creates a complex compliance environment for businesses operating in India.
CONSENT AND BREACH NOTIFICATIONS
"The most significant challenge in compliance would be adhering to the primarily consent-based regime and the requirement to ask for specific consent for each kind of processing," explains Deepa Christopher, partner at Talwar Thakore & Associates. This marks a dramatic shift from current practices, where companies typically provide broad notices covering multiple data uses.
The rules also mandate notices in 22 languages and require reporting of all data breaches, regardless of severity, creating substantial operational challenges. Unlike GDPR's materiality thresholds, this all-encompassing approach to breach notification could overwhelm both businesses and users.
"This will prove onerous for both businesses and data principals who must give consent for each action," Christopher adds.
Another contentious aspect is the approach to data breach notifications. Unlike global frameworks such as GDPR, which apply materiality thresholds, India's draft rules mandate reporting all breaches to affected individuals and the Data Protection Board, regardless of severity. This could lead to what some lawyers term ‘notification fatigue.’
The absence of a harm-assessment threshold for data breaches could ultimately prove detrimental to business operations and counterproductive in the longer run, experts say.
“Such frequent reporting could make it difficult for data principals to distinguish between minor incidents and significant threats, thereby reducing the effectiveness of the breach notification mechanism,” explains Jitendra Soni, a partner at Argus Partners. “Moreover, the lack of prioritisation could place an undue burden on organisations, diverting resources away from managing more critical breaches,” Soni adds.
For children's data protection, practical implementation questions remain unresolved. "It is still unclear how a data fiduciary should identify a minor at the outset," Christopher points out. "The rules only suggest two instances – where a child self-identifies or is identified by their parent, both of which will not be viable if services are used anonymously or are on shared devices."
CROSS-BORDER DATA TRANSFER
Cross-border data transfers emerge as a major concern, particularly for international businesses. The rules grant the government broad powers to restrict data transfers to any country or foreign entity, potentially creating uncertainty for companies operating globally. This could significantly impact sectors reliant on cloud infrastructure and international data flows.
“For businesses reliant on global cloud infrastructure, these restrictions may lead to higher costs, fragmented data architectures, and cybersecurity challenges,” Soni explains.
The government's ability to impose restrictions with limited notice creates additional operational uncertainty, especially for sectors heavily reliant on real-time international data flows, such as financial services, healthcare, and e-commerce platforms.
For multinational corporations, these restrictions could necessitate a complete overhaul of existing data-sharing practices between Indian operations and global offices. The rules' reach extends to data processed outside India if it relates to goods and services provided within India, effectively creating extraterritorial obligations. "This lack of clarity will prove especially harmful for importers, exporters and multinational companies," Christopher notes.
IMPACT ON DIFFERENT BUSINESSES
The framework introduces the concept of "significant data fiduciaries" (SDFs), imposing additional obligations on organisations processing substantial volumes of data. While this tiered approach aims to balance regulation with business needs, the criteria for SDF classification remain unclear, creating anxiety among mid-sized companies about their potential obligations.
Christopher notes that these requirements could prove especially burdensome if the SDF classification extends beyond initially anticipated scope: "Based on current guidance, the assumption is that only very large organisations who process significant volume or very sensitive categories of data will qualify as significant data fiduciaries. If this assumption is proven wrong, and a larger number of organisations have to comply with the more stringent requirements, it will be quite challenging."
SDFs face stringent requirements, including annual data audits, impact assessments, and potential data localisation mandates. They must also ensure their algorithmic software doesn't harm data principal rights – a vague obligation that technology companies may find particularly challenging to implement.
For India's burgeoning startup ecosystem, these requirements could pose significant challenges. While the rules attempt to differentiate obligations based on business scale, the baseline compliance requirements remain substantial. Smaller companies may struggle with the technical and financial resources needed to implement comprehensive consent management systems, multiple language support, and breach notification mechanisms.
WAY FORWARD
As organisations prepare to navigate this new regulatory landscape, several critical priorities demand immediate attention. They need to audit their current data processing activities, implement more granular consent mechanisms, and prepare for potential data localisation requirements. International companies must reassess their data transfer mechanisms and potentially restructure their data architectures to accommodate future restrictions.
The consent manager framework, while innovative, remains untested. These entities are meant to serve as intermediaries, helping individuals manage their privacy preferences across services. However, the practical implementation of this system, including technical standards and interoperability requirements, needs further clarity.
The government’s extensive powers to call for information from data fiduciaries under the DPDP Act and draft rules may also need to be reviewed. “It is likely that data fiduciaries will find this challenging to adhere to, especially in the context of the Schrems-II judgement. The surveillance powers of the government will also impact any end-to-end encryption undertaken by social media companies, such as Meta,” Christopher notes.
“Data fiduciaries will now have to be careful of their data sharing practices and will need to undertake an exercise to continuously map where their data is transferred and who is given access to it,” she adds.
The rules are currently open for public feedback until Feb. 18, 2025, offering a crucial window for industry input. Many hope this consultation process will lead to clarifications on key aspects, particularly around breach notification thresholds, SDF criteria, and cross-border transfer restrictions.
"While companies should begin to comply with this new regime, it is likely that such compliance will be an ongoing process as further clarity is given through developing market practice and government notifications," Christopher concludes.