By Shreya Suri
The aim of supplementary policy rules is to support and strengthen the core principles of overarching legislation while ensuring flexibility for future policy implementation. This is particularly important for technology policies in India, given the fast-evolving nature of the digital ecosystem. The policies must not only serve as guiding principles but also ensure operational efficiency in implementation and enforcement.
The Draft Digital Personal Data Protection (DPDP) Rules, 2025 are designed with this objective in mind for India's landmark legislation on digital privacy – the DPDP Act, passed in August 2023. This Act, India’s first attempt to safeguard citizens' personal digital data, marks a critical step towards protecting individual privacy, a long-overdue commitment.
Pragmatic Policymaking and Balancing Interests
From a pragmatic policymaking perspective, the Draft Rules clearly reflect a well-intentioned vision: to protect digital personal data while offering data fiduciaries opportunities to deliver quality customer experiences with efficiency and accountability. However, the regulatory approach must strike a balance – one that upholds privacy, enables cross-border interoperability, and ensures business continuity.
As we near the DPDP Act's notification date, it’s essential to address key concerns from various stakeholders – including data principals and fiduciaries. In particular, issues surrounding data localisation and age verification introduce operational complexities that must be resolved before the provisions are enforced.
Data Localisation: A Departure from DPDP Act’s Flexibility
The current draft of the DPDP Rules introduces stringent data localisation requirements, a topic of debate since the formation of the Srikrishna Committee. While the DPDP Act doesn’t explicitly mandate localisation, it provides a framework for cross-border data transfers to specified jurisdictions. However, the Draft Rules impose additional localisation obligations on significant data fiduciaries, which, while within the scope of rulemaking, diverge from the overall approach of the DPDP Act.
Globally, several jurisdictions have successfully implemented strong data protection frameworks without rigid localisation mandates. The General Data Protection Regulation (GDPR), for example, allows well-regulated cross-border data flows while safeguarding privacy. Enforcing strict data residency requirements could stress domestic data infrastructure, escalate compliance costs, and offer little additional security. Moreover, these localisation mandates could conflict with other sectoral regulations in India.
Instead, a more pragmatic approach would be for the government to implement a cross-border transfer mechanism designating trusted jurisdictions. This would ensure that compliance burdens are not arbitrarily imposed. Structured mechanisms, such as standard contractual clauses, could provide enforceable safeguards without unduly restricting data flows.
Empowering Customers with Greater Control Over Their Data
Another significant aspect of the Draft Rules is the mandate for data destruction upon user inactivity or after a prescribed three-year retention period. While aimed at enhancing privacy protections, the interplay between this requirement and exemptions raises questions about clarity and consistency. Data deletion is mandated, but exemptions, such as archiving provisions, suggest that data can be retained indefinitely in some cases.
It remains unclear whether this is an expectation or merely an option for data fiduciaries. While archived data can be retrieved and re-associated with a user upon reactivation, the lack of clarity on retention boundaries could create operational ambiguity. In cases involving legal disputes, warranty claims, or regulatory compliance, Section 17 of the DPDP Act permits data retention. However, a more structured framework outlining when and how long fiduciaries can retain data under exemptions would ensure a balance between user agency, business continuity, and compliance obligations.
A more judicious approach could empower users with greater control over their data retention preferences. Rather than enforcing blanket deletion policies, the framework could introduce opt-in mechanisms allowing customers to specify retention periods based on their needs.
Age Verification: A Nuanced Approach to Protecting Children
The Draft Rules also address concerns around ensuring a safe and secure online environment for children. Several data fiduciaries globally have been implicated in failing to protect children’s online safety. While the Draft Rules emphasise protecting children’s personal data, mandating age verification for every user—even on platforms not designed for children—could introduce operational inefficiencies without effectively solving the core issue.
A more nuanced approach would prioritise child safety through responsible platform design, parental controls, and digital literacy initiatives. Children often serve as the primary users of technology within families, sometimes guiding parents and relatives. Therefore, safeguards should focus on real-world user behaviours rather than imposing sweeping verification mandates.
Mandating age verification on all platforms could create usability friction, escalate compliance costs, and introduce privacy trade-offs. For child-directed services, creating a child’s profile should be an affirmative act, reflecting a parent's decision to grant access to a platform. This approach would align better with real-world usage patterns.
A more effective framework would ensure a safe online environment for children without relying solely on parental consent. Many parents may not fully understand what they are consenting to, making such measures more of a checkbox exercise than a genuine safeguard. Instead, prioritising robust platform-level protections—such as content moderation, default privacy settings, and age-appropriate experiences—can create a safer digital ecosystem.
A Vision for India’s Digital Future
The ultimate goal of India’s DPDP Rules is to create a regulatory framework that not only protects personal data but also fosters business growth and digital innovation. The government’s approach, which involves consultations with businesses of varying sizes, seeks to balance regulation and flexibility, ensuring a win-win for all stakeholders.
The Draft Rules represent an important step in India’s digital future. As India continues to expand its digital infrastructure, these regulations must evolve to address new challenges and opportunities while ensuring that privacy, security, and fairness remain at the forefront of the nation’s digital agenda.
(Shreya Suri, Partner, IndusLaw.)
Views are personal, and do not represent the stance of this publication.