3 Asian Legal Business | January-February 2025 Cover Story thresholds, this all-encompassing approach to breach notification could overwhelm both businesses and users. “This will prove onerous for both businesses and data principals who must give consent for each action,” Christopher adds. Another contentious aspect is the approach to data breach notifications. Unlike global frameworks such as GDPR, which apply materiality thresholds, India’s draft rules mandate reporting all breaches to affected individuals and the Data Protection Board, regardless of severity. This could lead to what some lawyers term ‘notification fatigue.’ The absence of a harm-assessment threshold for data breaches could ultimately prove detrimental to business operations and counterproductive in the longer run, experts say. “Such frequent reporting could make it difficult for data principals to distinguish between minor incidents and significant threats, thereby reducing the effectiveness of the breach notification mechanism,” explains Jitendra Soni, a partner at Argus Partners. “Moreover, the lack of prioritisation could place an undue burden on organisations, diverting resources away from managing more critical breaches,” Soni adds. For children’s data protection, practical implementation questions remain unresolved. “It is still unclear how a data fiduciary should identify a minor at the outset,” Christopher As India advances to implementing its first comprehensive data protection framework, the recently released Draft Digital Personal Data Protection Rules, 2025 have sparked intense discussion about their practical implications. These rules represent a significant shift in how companies must handle personal data, granting unprecedented discretionary powers to the government while imposing stringent compliance requirements on businesses. At the heart of these new regulations lie serious concerns about the extensive government discretion embedded within the framework, which creates an uncertain environment for businesses. The rules, while attempting to establish India’s first comprehensive data protection regime, grant sweeping powers to the government across multiple critical areas, from cross-border data transfers to compliance requirements. The framework marks a departure from current practices by introducing data fiduciaries - entities that determine the purpose and means of processing personal data. These organisations face a complex balancing act between government oversight and operational feasibility, particularly in India’s diverse digital landscape, where high mobile penetration coexists with varying levels of digital literacy. Further complicating matters, the rules establish a consentbased regime that exceeds the stringency of global standards such as the General Data Protection Regulation (GDPR), while simultaneously giving the government extensive authority to demand information from data fiduciaries. This dual challenge creates a complex compliance environment for businesses operating in India. Consent and breach notifications “The most significant challenge in compliance would be adhering to the primarily consent-based regime and the requirement to ask for specific consent for each kind of processing,” explains Deepa Christopher, partner at Talwar Thakore & Associates. This marks a dramatic shift from current practices, where companies typically provide broad notices covering multiple data uses. The rules also mandate notices in 22 languages and require reporting of all data breaches, regardless of severity, creating substantial operational challenges. Unlike GDPR’s materiality India’s privacy puzzle India’s draft data protection rules aim to safeguard privacy rights, but also grant extensive governmental discretion and impose stringent compliance requirements, creating uncertainty for businesses across consent management, breach reporting, and cross-border data transfers. Experts highlight the need for clearer implementation guidelines. By Nimitt Dixit
RkJQdWJsaXNoZXIy MjA0NzE4Mw==