The Digital Personal Data Protection Act (DPDPA), enacted by the Parliament and assented by the President of India on 11th August 2023, is by no means an ordinary legislation. It is an Act that provides a much-needed legal framework to ensure the right of every Indian citizen to protection and fair processing of their digital personal data.
In essence, this Act lays down unequivocally the legal bases on which and on which alone personal data of Indian citizens can be processed anywhere inside or outside India. It goes on to affix obligations and accountability to persons, companies and organisations who process or intend to process personal data, makes it mandatory on them to comply end-to-end with the provisions of the Act and imposes hefty pecuniary penalties for each incidence of breach.
The inherent disruptive nature of the Act is expected to cast a profound impact on the existing digital business ecosystem helping India garner trust and credibility in the global markets which are largely governed under similar personal data protection standards. It will certainly go a long way in catapulting India into the elite league of digitally empowered nations – a status necessary to play an instrumental role in realising her economic potential to the fullest.
With all its promising grandeur, DPDPA will be fortified as Central Government formulates the necessary operational rules, constitutes statutory governing bodies and establishes necessary digital infrastructure, by virtue of the power vested in them as per Section 40 of the Act. Every stakeholder stands in earnest anticipation eagerly waiting for that to happen.
The Draft Rules 2025 containing twenty-two rules and seven schedules, is intended to complete various sections of the DPDP Act 2023 which itself runs into forty-four Articles and one Schedule. With the publication of the much-awaited Draft Rules proposed by the Central Government, the DPDP Act enters a decisive second stage before it finally becomes operational in full force across the country, the exact date of which is just around the corner though not visible yet.
While we anxiously wait and observe the course of development of the DPDP Act, let’s consider some food for thought that the current draft of Digital Personal Data Protection Rules, 2025 has to offer on the intellectual platter of a common citizen of India.
The Double-Edged Sword of Regulatory Flexibility
The DPDP Rules' deliberate use of permissive language creates a regulatory framework that acknowledges technological dynamism. This flexibility enables organisations to adapt their compliance strategies to rapidly evolving technological landscapes. However, this adaptability comes at a potential cost to standardisation.
Organisations interpreting these regulations may develop divergent compliance approaches, creating incoherently fragmented implementations. This variation could complicate enforcement efforts and potentially undermine the Act's effectiveness in establishing consistent data protection standards across India's digital ecosystem.
Navigating Complex Privacy Notice Requirements
The stringent privacy notice requirements contained in Rule 3, represent a significant step toward transparency and accountability. The mandate for clear, independent and itemised descriptions of personal data usage demonstrates a commitment to user empowerment. However, these requirements pose substantial operational challenges.
Large organisations managing complex data operations would face particularly daunting documentation requirements. The need for comprehensive, accessible privacy notices may further necessitate significant investments in legal expertise and documentation systems. While these requirements advance user privacy rights, they may disproportionately burden smaller organisations with limited resources.
Data Fiduciary Obligations: Finding Clarity Amid Ambiguity
The pliability in interpretation of the Act can often lead to incongruities. For instance, Section 8(7) of the DPDP Act creates a mandate for data fiduciaries to erase personal data unless retention of the same is required under any other law in force for the time being. The obligation stated herein is by and large clear.
However, the situation turns ambiguous when we refer to Schedule 3 of the Draft Rules which provides a comprehensive framework on data retention periods, giving ample room for interpretational manoeuvring to data fiduciaries in comprehending the purpose and duration of data retention as per their convenience – which stands in vehement opposition to the fundamental intent of the Act.
Implications for India's Digital Future
The DPDPA 2025 represents a crucial step in India's digital evolution, but its success depends on striking the right balance between flexibility and standardisation. As organisations prepare for implementation of their compliance strategies, several key considerations emerge including the following:
· The need for sector-specific guidance to help organisations interpret and apply the rules consistently.
· Development of clear compliance metrics to evaluate adherence to privacy notice requirements.
· Establishment of mechanisms for regular review and updates to accommodate technological advances.
Moving Forward
As India positions itself to nudge its way to become a global digital powerhouse, the DPDP Act 2023 and the Rules formed thereunder must evolve through continuous engagement and practical implementation experience of the various stakeholders at least in early formative stages.
Effective implementation of the Act will require collaborative efforts between regulators, industry participants and privacy advocates to ensure that the Act achieves its intended objectives while fostering innovation and growth in India's digital economy.
The Central Government has not disappointed the stakeholders in this regard. The Draft Rules 2025 has been customarily thrown open to the public providing them the opportunity to make their comments and suggestions to be submitted by March 5, 2025, whereupon after due deliberations and possible modifications, the Draft Rules will finally take the shape of enforceable piece of legislation augmenting the primary DPDP Act.
All that we require at this moment of time is to take this opportunity to make our contributions heard and counted.
Kumar Priyank is the CEO at DPDP Consultants. Views are personal.
