Proposed Data Protection Rules May Increase Compliance Burden On Indian Businesses

Vikas Bansal - Partner - IT Risk Advisory and Assurance

The draft rules under Digital Personal Data Protection Act, 2023 deal with provisions for personal data breach, protecting children's data, and the consent manager framework, among other things.

The new draft rules under the Digital Personal Data Protection Act, 2023 could pose a challenge over data breach reporting timelines and data transfer, while increasing the compliance burden for local Indian businesses.

The much-anticipated draft rules were released on Friday, opening the policy to public comments till Feb. 18.

The draft rules deal with the provisions for personal data breach, protecting children's data, the consent manager framework, and the setting up of a data protection board.

Concern #1: Unclear Data Breach Reporting Timeline

"The draft DPDPA Rules, 2025, do not provide complete clarity on certain aspects, like timelines for reporting personal data breaches," according to Kalindhi Bhatia, partner at BTG Advaya.

"The formulation in the draft rules is that this reporting should be done 'without delay'. In practice, it would be difficult to determine if a notification was made with such delay, or not," she said.

Bhatia added that the earlier six-hour reporting timeline, which was mandated by the CERT-In in 2022, is unworkable, but the 72-hour upper limit is reasonable, and is identical to the European Union's General Data Protection Regulation provision.

Concern #2: Clarity On International Data Transfer

The Act indicated that the government may publish a list of countries or regions to which personal data cannot be transferred.

While Bhatia of BTG Advaya said the draft rules do not restrict the cross-border transfer of data, Suresh of JSA said they seem to provide a broader restriction on transfer of data outside India.

"The Government has reserved the right to make rules where Indian personal data is made available to a foreign state or its instrumentality. This is not an unreasonable restriction, if imposed; the concerns around data of Indian nationals being used by foreign governments are not misplaced. For the moment, the takeaway remains that cross-border transfer of data is not restricted," Bhatia said.

Suresh of JSA, however, argued that these restrictions will now affect transfer not only for commercial purposes, but sharing data with foreign state actors for other purposes like surveillance or law enforcement.

Vikas Bansal, partner at BDO India, agreed that this required more clarity.

"The data transfer, similar to what GDPR states, wherein companies engaging in international data transfers must implement standard contractual clauses or Data Transfer Agreements to comply—for them Section 14 mandates that cross-border data transfers comply with Central Government-specified requirements, ensuring data protection equivalence in recipient countries. This requires more clarity," he said.

Concern #3: Compliance Burden On Social Media Firms, Indian Companies

Bhatia added that platforms will need to spend time and resources to comply with the DPDPA and its rules.

"In reality, if an organisation is already compliant with GDPR, this is not a very big ask...At the same time, the ‘wild-west’ days of cross-selling and unhindered targeted advertising will come to a close, in particular when it comes to targeting underage users," she said.

She added that the burden of changing a culture of privacy (non-)compliance will fall more on local Indian business houses than on MNCs and global platforms.

"Without the benefit and experience of GDPR compliance, Indian companies will need to take a ‘day zero’ approach to privacy and build systems and processes from scratch," she said.

As per the rules, social media platforms with more than 2 crore registered users fall under the category of Significant Data Fiduciaries, and will now be required to have a mandatory data protection officer, annual data audit, data impact assessment and data localisation requirements.

"These compliances are over and above the normal requirements of consent, user access, data retention, security safeguards, child consent and much more. All these come with an additional layer of privacy protocols and social media platforms should certainly start working on a data privacy office," according to Bansal.