Thursday, July 17, 2025

At Delhi roundtable, experts weigh in on India’s Draft DPDP rules, caution: ‘Internet never forgets’

Safeguarding citizen rights, data security, & operational challenges of India's DPDP rules were among critical issues discussed at a roundtable discussion hosted by INALP.


New Delhi: Safeguarding citizen rights, global perspectives on data security, and operational challenges posed by the draft Digital Personal Data Protection (DPDP) Rules were some of the critical issues discussed at a roundtable discussion held this week in New Delhi’s Bharat Mandapam.

On 15 January, the Indian National Association of Legal Professionals (INALP) hosted the discussion in partnership with the Embassy of Israel in India, focusing on the recently released draft DPDP rules, 2025, by the Ministry of Electronics and Information Technology (MeitY).

With the DPDP Rules open for public consultation, this roundtable served as a platform to bring together policymakers, legal experts, data privacy specialists, private sector leaders, and international stakeholders. The discussions aimed to delve into key aspects of the draft rules and their implications for India’s digital ecosystem.

The event saw the participation of 70 companies, including Sony, Wipro, Hitachi, KTM, Suzuki, Mahindra and Apollo, among others.

As part of the discussion, Rishav Ranjan, a practising advocate in Delhi, provided an overview of India’s journey toward data protection. He traced the evolution from the landmark 2017 K.S. Puttaswamy judgment, which recognised privacy as a fundamental right, to the passage of the DPDP Act in August 2023.

In 2019, when the law was tabled as the Personal Data Protection Bill in Parliament, it drew concerns and led to public consultation. On 17 December 2019, it was sent to the Joint Parliamentary Committee headed by MP and Supreme Court lawyer Meenakshi Lekhi.

“This is how we are at this juncture. The newly drafted DPDP rules of 2025 aim to operationalise this Act. While this rule provides much-needed clarity on critical aspects like consent management, data breach notification, cross-border data transfer, they also pose significant compliance concerns for stakeholders,” he said.




‘Internet never forgets’ 

Shani Rapaport, first secretary and the head of public diplomacy at the Embassy of Israel in India, emphasised the need for robust data protection frameworks in her keynote address.

“In today’s digital age, the exponential growth in data flows across sectors requires robust and comprehensive data protection frameworks. Nations are increasingly recognising the necessity to safeguard personal data, build trust in the digital ecosystem, and ensure the responsibility of information,” she said.

Highlighting the collaborative potential between India and Israel, Rapaport added that Israel and India are well-positioned to collaborate on advancing data protection and cybersecurity. “Aligning regulatory approaches would foster trust in emerging technologies, ensuring that innovation thrives while citizens’ rights are protected,” she noted.

The event also featured a diverse array of stakeholders from the private and public sectors, who discussed the challenges and opportunities presented by the DPDP Rules.

Suhail Nathani, managing partner at Economic Laws Practice, emphasised the importance of India’s comprehensive data protection law while acknowledging its challenges. He praised the government for allowing “a long consultation period” but noted the inevitable “initial hiccups” in implementation.

He also highlighted the dichotomy between users enjoying a free internet by trading data and later opposing excessive data collection, saying, “The internet never forgets.”

Nathani outlined key principles for robust data laws, including purpose limitation, proportionality, transparency, and storage constraints. He criticised practices like excessive Aadhaar data collection. “There needs to be fairness and transparency because if I’m giving you my data, you shouldn’t sell it the next day,” he said, adding that oftentimes, the biggest breaches occur “by the state”.

Suggestions by panel

The panel discussion centred on defining Significant Data Fiduciaries (SDFs), organisations that process large amounts of sensitive personal data, under evolving data protection regulations. Panellists emphasised that SDF status isn’t determined solely by the volume of data but also by the type of data and the organisation’s influence, citing cases like that of Cambridge Analytica. The British political consulting firm was accused in 2018 of collecting personal user information from Facebook for political advertising.

Key obligations for SDFs include data inventory audits, Data Protection Impact Assessments (DPIAs), and ensuring compliance with rules that hinge on government-defined sensitive data.

Concerns were also raised about ambiguities in the law, particularly around the criteria for SDF designation and the scope of DPIAs. Questions were posed about whether DPIAs should cover all processes or only high-risk ones.

Further challenges include government demands for data localisation and the capacity of the Data Protection Board to handle audits and breaches effectively.

Panellists called for clearer guidelines and proportionality in regulation to balance legal, operational, and constitutional concerns while fostering trust and compliance across organisations. They also discussed the intricacies of criminal jurisprudence, public order, and the classification of entities under regulatory frameworks. They highlighted the ambiguity in defining public order and its implications for governance and data regulation.

Among the suggestions, the panellists said there was a need for volume-based criteria for SDFs, activity-based classification, and mechanisms for advance rulings to provide clarity and reduce litigation.

Kapil Chaudhary, executive vice president and general counsel at Info-Edge India, expressed optimism about the draft data protection rules, calling them “a unique opportunity for digital innovation”. He discussed compliance with legacy data provisions, emphasising simplicity in processes like email or in-app notifications.

On child verification, he noted global trends including Australia’s recent stringent regulations controlling social media access for children below 16. He proposed leveraging existing systems like unique APAAR IDs (a lifelong academic passport consolidating all achievements and credentials of a student in one place) but stressed the need for clarity on how the rules would apply to children without parental support to ensure equal access to the internet.

(Edited by Sanya Mathur)

