Photo used for representation purpose only.
| Photo Credit: Getty Images/iStock
Experts working with the tech industry tentatively welcomed the draft Digital Personal Data Protection Rules, 2025, issued on Friday (January 3, 2025). The draft Rules document “gives broad direction to the industry to start preparing for compliance,” Aparajita Bharti, a founding partner at TQH Consulting, which works with tech companies in complying with Indian laws, said in a statement. “It is encouraging to finally witness progress on this front,” Shreya Suri, senior partner at IndusLaw said in a statement.
They highlighted gaps, however, that they hope that the ensuing consultation process will resolve. Industry associations have so far not directly commented on the draft. “The draft rules provide some clarity on framing and displaying notices [to users, or “data principals”] under the Digital Personal Data Protection Act, but they fall short in offering guidance on the mode of delivery or issuance—something well-defined under GDPR,” Ms. Suri said, referring to Europe’s General Data Protection Regulation.
“One key concern in the rules is potential room for bringing data localisation requirements for significant data fiduciaries as they mention that a committee may do so in the future,” Ms. Bharti said, referring to the draft leaving the door open for the government to restrict the overseas processing of Indians’ data. Tech companies are likely to seek particular clarity on this front, as they usually store and process user data in servers around the world.
Parental consent
The draft’s rules around minors having to get parental consent to sign up for online services raised some eyebrows, as the rules mandate that platforms verify parents’ identity first. “How do you know if someone is a parent or not,” Nikhil Pahwa, editor of the tech policy website MediaNama asked. This could mean that “platforms will have to verify EVERYONE,” he speculated on X, formerly Twitter.
Ms. Suri opined that the government’s “approach might rely on self-declaration by users, allowing them to indicate whether they are minors or adults,” but hinted at a broad data collection; depending on the implementation, this “could potentially lead to broader processing of parental or guardian data, which raises interesting considerations regarding the scale and scope of such data collection,” she said.
Exemption concerns
The DPDP Act, 2023 already exempts government organisations from the law, and the Rules set out the “standards” for such exemptions. However, Ms. Bharti said, “The draft rules also do not explicitly address exemptions, processing grounds, or other frameworks specifically tailored for AI model training purposes.”
“Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could necessitate changes at the design and architecture level of applications and platforms,” Mayuran Palanisamy, Partner at Deloitte India said in a statement.
Published – January 04, 2025 03:59 pm IST
