LinkedPrime
Jobs
Technology

Mixed reactions to data law with some flagging costs, gaps

India’s latest data protection law has drawn mixed reactions from legal experts and policy researchers, with some arguing the framework bolsters privacy and individual rights, while others believe high compliance costs and ambiguity over state’s use of data could weaken the legislation’s original intent.Dhruv Garg, from New Delhi-based non-profit think- tank Indian Governance and Policy Project (IGAP), described the Digital Personal Data Protection (DPDP) Rules as “a mixed picture on data minimisation.”While the rules reinforce deletion obligations, they also require tech service providers to retain traffic logs and activity records for at least one year.“This improves auditability but raises real privacy concerns over the persistence of digital footprints,” Garg said.That could strain smaller startups that must maintain large data logs and security information systems.Although the tiered consent and verification mechanisms offer strong protections, they impose a “heavy operational lift” on platforms expected to verify guardianship and implement age verification systems, he said. Garg warned that state processing remains “a big grey zone” as the framework provides only broad standards for government data use, giving discretion the maximum latitude while offering minimal oversight.Detailed, yet demandingExperts see the DPDP Rules as a detailed but operationally demanding framework. While they signal the government’s intent to harden privacy enforcement, the resulting compliance costs, definitional ambiguities, and expansive state powers may test both industry readiness and the law’s stated balance between innovation and individual protection.Meghna Bal, director at the Esya Centre, a New Delhi-based policy think tank said the rules represent a missed opportunity to simplify compliance. “Instead of being less compliance-heavy than the European Union's General Data Protection Regulation (GDPR), we have one of the most stringent consent regimes in the world,” she said.With consent required for nearly all data processing and no recognition of legitimate interest or contractual necessity, Bal said, “routine operations like marketing campaigns or parcel deliveries could become legally cumbersome.”Arun Prabhu, partner and co-head of digital, and technology, media and telecommunications at law firm Cyril Amarchand Mangaldas, said stakeholders had hoped for practical clarity on the manner of recording consent and standardised templates for data processing agreements. “That has not occurred,” he said, adding that operational uncertainty persists.Kazim Rizvi, founding director of The Dialogue, another New Delhi-based policy think tank, termed the outcome “disappointing,” given that stakeholder concerns raised during consultations were largely unaddressed. He pointed to persistent gaps in the framework for children’s data and the absence of clear thresholds for breach notifications, which could “overwhelm regulators with minor or low-impact incidents.” Rizvi also warned of unintended consequences from the localisation requirements for Significant Data Fiduciaries (SDFs), which may challenge firms relying on globally distributed infrastructure and reduce operational flexibility.There also remains uncertainty over how entities will be designated as Significant Data Fiduciaries and which categories of data will be subject to localisation. 'Opaque'“The absence of guidance on the criteria, composition of the committee, and process of determination creates regulatory opacity,” said Lagna Panda, partner at law firm AP & Partners. Supratim Chakraborty, partner at Khaitan & Co law firm, pointed out that many expected relaxations “have not materialised.” He said there was an absence of exemptions allowing child-directed services to filter or curate content for age-appropriate use, even as limited allowances have been made for location tracking to ensure child safety. “Similarly, the obligation to verify guardianship for persons with disabilities could be practically onerous where legal records are unavailable,” he said. The issue of children's data, and its collection has been heavily debated for years now. "Unlike the earlier Draft Rules, the final Rules exempt data processing for determining the "real-time location" of a child from the DPDPA's prohibitions on tracking and behavioural monitoring," Bal stressed.Lawyers pointed out the rules have not provided any uniform template for the dissemination of notices. This grants businesses the latitude to tailor their notification frameworks in alignment with the nature of the data being processed, Rajiv Chugh, partner and national leader, policy advisory and specialty services at EY India said. "The time has come to take stock and action before the moratorium of 18 months given to stakeholders runs out.” he warned.

Suraksha P
Mixed reactions to data law with some flagging costs, gaps

India’s latest data protection law has drawn mixed reactions from legal experts and policy researchers, with some arguing the framework bolsters privacy and individual rights, while others believe high compliance costs and ambiguity over state’s use of data could weaken the legislation’s original intent.Dhruv Garg, from New Delhi-based non-profit think- tank Indian Governance and Policy Project (IGAP), described the Digital Personal Data Protection (DPDP) Rules as “a mixed picture on data minimisation.”While the rules reinforce deletion obligations, they also require tech service providers to retain traffic logs and activity records for at least one year.“This improves auditability but raises real privacy concerns over the persistence of digital footprints,” Garg said.That could strain smaller startups that must maintain large data logs and security information systems.Although the tiered consent and verification mechanisms offer strong protections, they impose a “heavy operational lift” on platforms expected to verify guardianship and implement age verification systems, he said. Garg warned that state processing remains “a big grey zone” as the framework provides only broad standards for government data use, giving discretion the maximum latitude while offering minimal oversight.Detailed, yet demandingExperts see the DPDP Rules as a detailed but operationally demanding framework. While they signal the government’s intent to harden privacy enforcement, the resulting compliance costs, definitional ambiguities, and expansive state powers may test both industry readiness and the law’s stated balance between innovation and individual protection.Meghna Bal, director at the Esya Centre, a New Delhi-based policy think tank said the rules represent a missed opportunity to simplify compliance. “Instead of being less compliance-heavy than the European Union's General Data Protection Regulation (GDPR), we have one of the most stringent consent regimes in the world,” she said.With consent required for nearly all data processing and no recognition of legitimate interest or contractual necessity, Bal said, “routine operations like marketing campaigns or parcel deliveries could become legally cumbersome.”Arun Prabhu, partner and co-head of digital, and technology, media and telecommunications at law firm Cyril Amarchand Mangaldas, said stakeholders had hoped for practical clarity on the manner of recording consent and standardised templates for data processing agreements. “That has not occurred,” he said, adding that operational uncertainty persists.Kazim Rizvi, founding director of The Dialogue, another New Delhi-based policy think tank, termed the outcome “disappointing,” given that stakeholder concerns raised during consultations were largely unaddressed. He pointed to persistent gaps in the framework for children’s data and the absence of clear thresholds for breach notifications, which could “overwhelm regulators with minor or low-impact incidents.” Rizvi also warned of unintended consequences from the localisation requirements for Significant Data Fiduciaries (SDFs), which may challenge firms relying on globally distributed infrastructure and reduce operational flexibility.There also remains uncertainty over how entities will be designated as Significant Data Fiduciaries and which categories of data will be subject to localisation. 'Opaque'“The absence of guidance on the criteria, composition of the committee, and process of determination creates regulatory opacity,” said Lagna Panda, partner at law firm AP & Partners. Supratim Chakraborty, partner at Khaitan & Co law firm, pointed out that many expected relaxations “have not materialised.” He said there was an absence of exemptions allowing child-directed services to filter or curate content for age-appropriate use, even as limited allowances have been made for location tracking to ensure child safety. “Similarly, the obligation to verify guardianship for persons with disabilities could be practically onerous where legal records are unavailable,” he said. The issue of children's data, and its collection has been heavily debated for years now. "Unlike the earlier Draft Rules, the final Rules exempt data processing for determining the "real-time location" of a child from the DPDPA's prohibitions on tracking and behavioural monitoring," Bal stressed.Lawyers pointed out the rules have not provided any uniform template for the dissemination of notices. This grants businesses the latitude to tailor their notification frameworks in alignment with the nature of the data being processed, Rajiv Chugh, partner and national leader, policy advisory and specialty services at EY India said. "The time has come to take stock and action before the moratorium of 18 months given to stakeholders runs out.” he warned.

Read original article →

Related Articles