The proposed Digital Personal Data Protection (DPDP) Rules will have significant implementation challenges around verifiable parental consent mechanisms and data localisation, with the potential to stifle innovation, overburden MSMEs, and create operational uncertainty for digital-first businesses. The policy frameworks need to be balanced, mitigating risks, and promoting innovation to foster growth and lead the emerging tech.
The United States’ protectionist tariff regime is a reminder for India to be forward-looking and create a business-friendly environment to surge ahead of other countries. To fully leverage these geopolitical shifts, India must improve its ease of doing business — a goal that is intricately linked to how the Draft DPDP Rules are framed and implemented.
If compliance frameworks are overly complex or disproportionate, they risk discouraging investment and innovation. By contrast, a balanced, risk-based approach to data protection could enable India to simultaneously protect user rights and unlock its potential as a global manufacturing and export powerhouse.
IndusLaw, a leading full-service Indian law firm, hosted a virtual panel discussion on the DPDP Rules, 2025, which brought together senior legal experts, industry representatives, and policy thinkers to explore the implications of the draft rules on India’s digital ecosystem.
Moderating the session, Shreya Suri, Partner (TMT) at IndusLaw and a leading data privacy expert, noted, “As the draft rules are still under consultation, it’s crucial that industry challenges are discussed openly and constructively. Today’s conversation aims to do just that — to bring forth key concerns around compliance and reflect on the representations made to the Ministry, ensuring that the final framework is both effective and equitable.”
One of the panellists, Nirupama Soundararajan, Co-founder & CEO, Policy Consensus Centre, speaking about the impact on small businesses stated, “The DPDP rules in their current form can become a significant impediment to scale for small and mid-sized businesses. A one-size-fits-all approach imposes a disproportionate compliance burden on SMBs, stifling innovation and growth. Instead, risk-based regulations would be a better approach.”
Another panellist, Meghna Bal, Director, The Esya Centre said, “According to a study by the Esya Centre, 76 percent of children prefer personalised content. And 73 percent said that they would feel uncomfortable/unsafe if content was depersonalised. For targeted ads – 75 percent of children indicated that they would not be able to discover educational and non-educational products (toys, movies etc) meant for them if targeted ads went away. 81 percent of children said they’d be unhappy if strict privacy rules led them to lose access to age-appropriate products. And 75 percent said that this loss of access would negatively affect their routine.”
Kamesh Shekar, Senior Programme Manager – Privacy, Data Governance and Co-lead – AI, The Dialogue, concluded, “Data localisation requirements could further complicate the development and training of AI models, which often depend on cross-border data flows. Additionally, without mechanisms like ‘legitimate interest’ or alternate legal bases — which are available in frameworks like the GDPR — India risks limiting innovation by making it difficult for businesses to access diverse, global datasets essential for model accuracy and fairness.”
Panellists raised concerns on the current binary age-verification model in Rule 10, which restricts verification to only two methods, potentially excluding a wide array of digital platforms from compliance. The blanket restriction on behavioural advertising and tracking for minors was also marked as overly broad and misaligned with actual online behaviour patterns among children.
Experts called for the adoption of privacy-enhancing technologies that embed protection by design. They also emphasised that with the rise of emerging technologies like AI, traditional notions of consent and notice will need re-evaluation, calling for the need to explore consent alternatives that can support responsible innovation while still ensuring data protection.
Additionally, panellists highlighted that a vertical-specific regulatory framework, as seen in the U.S., would be more effective in addressing the unique risks and needs of different sectors. An omnibus approach, while well-intentioned, risks being too broad to offer the nuanced guidance that diverse industries truly require.
The discussion concluded with speakers highlighting how data protection must be balanced with the broader national ambition to become a leader in AI and tech innovation and calling for a middle ground that enables innovation without compromising user rights.
The panel discussion was titled “Digital Personal Data Act”. The Ministry of Electronics and Information Technology floated the draft rules on January 3, 2025, and sought comments till February 18, 2025. The deadline was further extended till March 5, 2025.
The Digital Personal Data Protection Act, 2023, was enacted on August 11, 2023.
