On 3 January 2025, the Ministry of Electronics and Information Technology unveiled the draft rules for the Digital Personal Data Protection Act (DPDPA), 2023. These eagerly awaited rules, following the Act’s passage in Parliament in August 2023, are now open for public feedback on the MyGov portal until 18 February 2025. The draft rules address critical areas such as personal data breaches, safeguarding children's data, and the consent manager framework.
Experts Kalindhi Bhatia, Partner at BTG Advaya, and Vikas Bansal, Partner in IT Risk Advisory and Assurance at BDO India, have shared their insights into open-ended issues like timelines for data-breach intimation and the compliance burden on social media platforms.
Open-Ended Issues
Kalindhi Bhatia noted that the draft DPDPA Rules, 2025, leave certain aspects unclear, particularly regarding timelines for reporting personal data breaches. While the draft rules require breaches to be reported “without delay,” this lack of specificity could complicate enforcement. Bhatia suggested that the 72-hour ‘outer limit’ proposed in draft Rule 7(2) aligns with the General Data Protection Regulation (GDPR) and is reasonable compared to unworkable timelines like the six-hour reporting mandate under the CERT-In Direction, 2022.
Regarding cross-border data transfers, Bhatia highlighted the absence of immediate restrictions in the draft rules, though the government reserves the right to regulate such transfers where data may be accessed by foreign states. She argued that this potential restriction is not unreasonable, given concerns about Indian nationals' data being exploited by foreign entities.
Vikas Bansal emphasised the necessity for robust data breach notification procedures integrated with security operations and data loss prevention systems to meet the stipulated timelines. He also pointed out the requirement for Standard Contractual Clauses (SCCs) or Data Transfer Agreements for international data transfers, in line with global standards like GDPR. Bansal noted that more clarity is needed regarding Section 14’s mandate for cross-border data transfer compliance with central government requirements.
Compliance Burden on Social Media Platforms
Social media platforms with over 20 million registered users are classified as Significant Data Fiduciaries under the draft rules’ Third Schedule. This designation imposes stringent compliance requirements, including the appointment of a mandatory Data Protection Officer, annual data audits, data impact assessments, and data localisation. These obligations add to standard requirements like consent management, user access protocols, data retention policies, and child data protection.
Bhatia noted that global platforms already compliant with the GDPR would find the DPDPA's requirements manageable, as they are less stringent than the GDPR's. However, she warned that the era of unchecked cross-selling and targeted advertising, especially to minors, is nearing its end. For Indian companies lacking GDPR compliance experience, the transition will demand significant investment in privacy systems and processes.
Bansal added that the additional compliance layers require social media platforms to prioritise establishing dedicated data privacy offices and implementing enhanced privacy protocols.