COAI has raised concerns about the newly released DPDP Rules 2025.
The rules, notified on November 14, are said to need “additional clarity” from MeitY.
Key issues remain unaddressed, including minors’ consent, security standards, and overlapping reporting requirements.
The Cellular Operators Association of India (COAI), representing major telecom players such as Bharti Airtel, Reliance Jio and Vodafone Idea, has raised concerns about the newly released Digital Personal Data Protection (DPDP) Rules 2025.
The industry body says the rules notified on November 14 require “additional clarity”, and that the Ministry of Electronics and Information Technology (MeitY) did not address key concerns shared during consultations, particularly those relating to minors’ consent, security standards and overlapping reporting requirements.
“COAI is in the process of compiling detailed inputs for MeitY on the DPDP Rules,” said Director General Lt Gen Dr S. P. Kochhar, adding that the industry is awaiting detailed notifications, standards and parameters for compliance.
Digital Personal Data Protection (DPDP) Rules 2025
Nearly two years after Parliament passed the Digital Personal Data Protection Act in 2023, MeitY last week notified the rules to operationalise the Act. The ministry said it examined 6,915 inputs before finalising them.
The DPDP Rules aim to safeguard the digital personal data of Indian citizens and guide organisations on how to collect and process such data. The rules adopt a strict stance on privacy lapses. Companies have an 18-month compliance window, spread across three phases, beginning with the formation of the Data Protection Board of India (DPBI).
Phase 2, starting November 2026, brings consent-manager rules into effect, including their registration, obligations and DPBI’s power to investigate breaches and levy penalties.
Phase 3, from May 2027, enforces all remaining provisions—covering personal data processing, consent, fiduciary obligations, rules for children’s data, cross-border data processing, breach reporting, individual rights and exemptions—marking full implementation of the law.
Telecom companies, which collect and store massive volumes of user data, are expected to be classified as Significant Data Fiduciaries (SDFs). This requires stricter compliance, including appointing a Data Protection Officer, hiring an independent auditor, conducting regular Data Protection Impact Assessments (DPIAs) and undergoing periodic audits as required by the government.
What Telcos Are Concerned About
Dr Kochhar said COAI had sought “additional clarity” during consultations to enable smooth, industry-aligned and risk-aligned compliance.
The areas flagged include a clear security-compliance framework, age-verification methods for minors, DPIA requirements for SDFs, interpretation of ‘purpose limitation’ and ‘legitimate use’, multilingual-consent processes, breach-notification rules, obligations for consent managers and alignment with existing sectoral regulations.
“Most of these concerns remain unaddressed,” Kochhar said.
One major issue relates to security compliance. COAI argues that telecom security frameworks are already highly detailed and resource-intensive, and that the risk-based approach under the Act should enable robust protection without duplicative obligations.
A specific concern is Rule 7, which requires data fiduciaries to promptly inform affected individuals in clear language about any breach—explaining the incident, its impact, steps taken, recommended safety measures and contact details for assistance. At the same time, they must immediately notify the DPBI, provide an initial breach description and follow up with a detailed report within 72 hours.
Telecom operators also say many of these requirements already exist under the Information Technology Act, CERT-In directives and Department of Telecommunications (DoT) guidelines, making the DPDP obligations largely duplicative.
COAI says “harmonised timelines and aligned procedures” are needed to avoid multiple reports for the same incident, suggesting that India consider proportionate reporting models used in Japan and several EU jurisdictions.
The industry body also notes that under Rule 6, “reasonable security safeguards” should be assessed through a layered, risk-based approach, not limited to checks on encryption or data masking. Telecom networks already employ mature security systems that reduce the chances of unauthorised access.
They further argue that verifying consent for users under 18 is operationally difficult and does not reflect India’s diverse family structures or digital-access programmes. The industry had recommended allowing 16- to 18-year-olds to obtain SIM cards without strict parental-consent requirements.
On Rule 13, which outlines additional duties for SDFs, COAI says DPIAs should be triggered by actual risk and not mandated annually. It also suggests that DPIAs conducted under global standards such as the GDPR should be recognised to avoid unnecessary duplication.
Additionally, COAI points out that Section 38(2) of the DPDP Act gives the law overriding effect over other laws in case of conflict. The industry had recommended following the long-established principle that specific laws should prevail over general laws.
“A comprehensive review and harmonisation of sector-specific regulations with the DPDP framework, along with clear interpretative guidance, would help minimise ambiguity and ensure a smoother transition,” Kochhar added.
























