India’s Data Protection Dilemma - Balancing Innovation, Privacy, and Economic Ambition

Keeping pace with the global economic order, India has been emerging as a significant global manufacturing hub through pioneering initiatives such as “Make in India” and a trillion-dollar digital economy.

By: Guest Post
Update: 2025-07-18 18:04 GMT
Keeping pace with the global economic order, India has been emerging as a significant global manufacturing hub through pioneering initiatives such as “Make in India” and a trillion-dollar digital economy. India is also trying to ensure responsible innovation through the drafting of various key legislations, including the Digital Personal Data Protection Act 2022 and the Digital Personal Data Protection Rules 2025.

While this is a step in the right direction, as we move forward, rules and legislation require further deliberation to ensure that we have a data protection regulation that balances state interest, business development, and consumer protection.

Considering the Least Common Factor

Although the data protection legislation aims to establish uniform safeguards across data fiduciaries of all sizes, stakeholders in our ecosystem have voiced that it doesn’t account for the varying capacities of different entities, such as essential start-ups and MSMEs, because it doesn’t start from the least common denominator. Developing provisions with larger data fiduciaries in view could cause friction for smaller players, as the provisions may prove practically incompatible when applied to them.

For instance, an MSME player at The Dialogue’s conference highlighted that a lack of alternatives might leave data fiduciaries facing dropouts, as the virtual token mechanism may increase the number of clicks needed to enrol. The stakeholders emphasised that policy must not be made with large companies in focus but should account for smaller firms, so as to support smaller players rather than entrench larger ones.

Clarity on Children's Personal Data Protection

The suggested exemptions from parental consent are narrow and only include educational institutions, creches, child day care centres, mental health establishments, allied healthcare professionals, and clinical establishments. However, to enhance innovation, exemptions should be expanded to digital service providers who add value to children's cognitive development and well-being, provided that terms like “cognitive development” and “well-being” are clearly defined. Therefore, the DPDP Rules must also outline the procedure and parameters through which classes of data fiduciaries can seek exemptions when processing children's personal data for specific purposes.

Moreover, while the DPDPA 2023 prohibits targeted advertising directed at children, contextual advertising, that is, advertising based on the content of the page, is still possible and may be appropriate. Some data fiduciaries may rely on advertising to offer their products or services at no cost. However, contextual advertising is not addressed in the DPDP Rules.

Relaxation of Data Localisation

Restrictions on cross-border data transfer, as outlined in Rule 12(4), would be disproportionate, as data security is location-agnostic. Such an obligation will significantly increase costs for Significant Data Fiduciaries (SDFs). Most businesses are not prepared for data localisation. Data localisation may be perceived as a non-tariff barrier by other countries, and the associated cost implications could make India a less preferred business destination.

Stakeholders, through various sources, have expressed the view that Section 12(4) is likely to be deemed ultra vires of the Act, as it introduces significant uncertainty. Concerns were raised about the impact on the Global Capability Centre (GCC) sector, which has made substantial investments in India and is now reconsidering future commitments due to the new rules. Stakeholders at The Dialogue’s consultation emphasised the need for clear guidance from the government on what types of data fall outside the scope of existing regulations and would be subject to these new restrictions. Specifically, they questioned what categories of data justify such stringent localisation measures.

Lack of Legitimate Interest and Anonymisation Standards

One of the most fundamental concerns regarding AI innovation and data protection is the legal basis for processing personal data. Consent is the cornerstone of protection under the DPDP Act 2023. There is no room for legitimate interest as an alternative legal basis, one that exists under the EU’s GDPR and would provide a basis for processing data for AI training purposes. However, with the vast amounts of data involved in AI training, relying solely on consent presents significant challenges, such as consent fatigue and the inadequacy of traditional mechanisms to ensure informed, voluntary, and easily reversible consent. Therefore, beyond consent, the government may recognise industry-wide technical standards that ensure that data processing for AI innovation aligns with privacy norms.

The article is authored by Kazim Rizvi, the Founding Director of The Dialogue, a public policy think tank based in New Delhi.
