Saturday, December 13, 2025

The rules are a flickery lighthouse and following them won’t be easy

Such precision, in theory, should assure individuals of meaningful notice and control. But the Act also recognizes “Legitimate Use,” a carve-out allowing data fiduciaries to process personal data without consent, unless the individual explicitly objects. Here lies an interpretative fork: if every usage must be individually specified and notified, when does ‘legitimate use’ ever truly apply? In effect, organizations are left with a puzzle: how to exhaustively abide by the rules while relying on loosely defined ‘legitimate use’ exceptions.

Unlike Europe’s General Data Protection Regulation (GDPR), which offers a flexible “legitimate interest” basis for processing, provided individuals’ rights are not overridden, India’s model keeps the compliance screws tight. Indian businesses may find it challenging to draft consent forms that are both granular and operationally viable. The absence of exceptions found in other jurisdictions, such as those for fraud prevention or service improvement, adds yet another burden, particularly as the digital landscape evolves with AI, IoT and data-driven services.

Minors and consent—An untested frontier: Nowhere are DPDPA implementation challenges clearer than in the law’s treatment of minors’ data. The Rules require “verifiable consent” from parents or guardians against a backdrop of far-from-settled age verification standards. Data fiduciaries must verify ages as well as the authenticity of the adult providing consent, a logistical feat in any nation but profoundly so in one as diverse and as uneven in digital literacy as India.

Global data flows—Innovation at cross-purposes: For India’s digital economy to continue its global march, seamless cross-border data flows are essential. Yet, the DPDP Rules empower the government to put the brakes on transfers by “significant data fiduciaries,” with all others left to navigate potential future restrictions as central policy evolves.

This ambiguity is a double-edged sword: while it gives legislators room to respond to new threats, it deprives enterprises of certainty, undermining business confidence, investments and the growing ambitions of India Inc’s Global Capability Centres.

To bridge this gap, many have called for standardized contractual transfer clauses, akin to those in the EU. These would let organizations comply through tested frameworks rather than risk sudden policy shifts, striking a balance between regulatory oversight and commercial reality.

Breach notification and the risk of noise: India is no stranger to headline-grabbing data breaches, with large-scale exposures rattling consumer trust. Accordingly, the DPDP Rules demand breach notification to consumers and the regulator within 72 hours. CERT-In, the government’s cyber security agency, also requires incident disclosure within six hours. This overlap breeds a kind of regulatory déjà vu: companies must now notify two authorities (and sometimes the public) for even minor incidents, risking notification fatigue and administrative paralysis.

Industry stakeholders argue for a Singapore-style threshold, where mandatory notification is reserved for incidents causing significant harm or affecting more than a set number of individuals. Without such refinement, India’s breach regime may generate so much noise that the genuine signals are lost.

Liability—where the buck stops: Major data breaches, including one at the Indian Council of Medical Research, have prompted lawmakers to affix liability for any data breach solely on the data fiduciary, irrespective of whether a vendor or sub-processor was responsible. While this may foster accountability, it hits at the heart of practical risk management.

In contrast, the GDPR apportions liability based on contractual controls, adherence to instructions and oversight, thus allowing organizations to manage exposure and incentivize secure partnerships.

For India’s C-suite, this means re-examining vendor contracts with newfound urgency. Legacy arrangements will need wholesale renovations to clarify liability, indemnities and escalation procedures. The coming 18 months, the Rules’ compliance window, will be a scramble as businesses fortify supply-chain obligations.

The path to effective privacy: Despite operational headaches, India’s new personal data protection framework lays a foundation for a digital economy aligned with privacy rights and international best practices. Our privacy law has been years in the making and it already lags technological advancements such as artificial intelligence (AI).

All eyes will be on the Data Protection Authority, which is expected to update existing definitions. Moreover, as Indian society is largely unaware of privacy as a right, a grassroots government campaign that alerts citizens to it should help the Rules take effect and help organizations serve people better.

Lastly, countries such as the Philippines provide ‘certifications’ to organizations that have demonstrated compliance with privacy regulations and this could fruitfully be emulated by Indian authorities.

India has finally adopted a path of privacy enforcement. Smooth sailing will depend on organizational ingenuity as much as on the legislated provisions. The privacy of a billion plus individuals is at stake here.

The author is an independent privacy lawyer.
