Five (more) issues to consider as the DPDPA heads towards implementation

In August this year, India’s data protection law, the Digital Personal Data Protection Act, 2023 (fondly, the DPDPA) completed two years around the sun.

I commemorated the anniversary with a list of 5 issues that had lingered despite the passage of time – questions without straightforward answers. There was a sense then that the draft rules, once finalised, might answer some of these (or, other) questions.

Three months on, we have a chance to verify this.

On 13 November, the DPDPA resurfaced, bringing with it the finalised Digital Personal Data Protection Rules, 2025 (now, also fondly, the DPDP Rules) and an 18-month implementation timeline.

While this should wrap things up neatly in a bow by 13 May 2027 (which is when the law is supposed to fully take effect), several questions remain. Questions that may be compounded by a shrinking – and now, likely to be compressed – implementation timeline.

In the months to come, we will do what we have done since the Srikrishna Committee published the first draft in 2018. We will dissect every inch of the law with increasing fervour. We will also, inevitably, segue into (and out of) interpretive nuances (with, hopefully, the grace of a Jackson moonwalk). 

5 more issues

In that spirit, here are 5 more issues to consider as the DPDPA heads into implementation season.

  • Small but mighty: The term “processing” lies at the heart of the DPDPA, determining which activities are covered by the law. The broadly-defined term (which, like its GDPR counterpart, covers everything from collection to erasure) appears 68 times in the DPDPA and 55 times in the DPDP Rules. As with every wide definition, usage is everything.

    • Take Rule 8(3), for instance, which introduces a positive retention obligation.

      It requires all data fiduciaries to retain personal data, associated traffic data, and other logs of the ‘processing’ for a year ‘from the date of such processing’. Such retention is for specified purposes on whose basis the Government may call for information.

      What does this, however, mean for data fiduciaries who collect, use, or otherwise ‘process’ personal data (even if it is the same data) on a rolling basis?

    • Similarly, as all processing must occur on the basis of consent or a legitimate use (unless an exemption or exclusion applies), what happens when an entity elects to anonymise personal data? Will (or, should) that processing activity trigger a consent requirement?

  • Whose personal data is it, anyway?: A data principal can withdraw their consent from the processing of their personal data at any time, triggering its erasure.

    How does this play out in multi-party data scenarios? Let us suppose that X withdraws consent from platform Y’s processing of her personal data. X’s personal data includes a music video that X collaborated on with Z, another user of Y’s platform. The music video contains X and Z’s personal data.

    Does platform Y delete the music video in response to X’s withdrawal of consent, absent a similar indication from Z? Since processing (which includes erasure) must be premised on a lawful basis – will Y have to identify an appropriate legitimate use (which will be unlikely in this scenario), or seek Z’s consent?

    The questions may feel outlandish, but multi-party personal data is far from hypothetical. (As an amateur singer who collaborates online with musicians far more talented than myself, I can attest to this.)

  • Gone, but not forgotten: Our personal data will likely outlive us, but how will the DPDPA govern it?

    The DPDPA appears to apply to such personal data, which makes sense, given it bestows on data principals a right to nomination. This means that a person can nominate someone to exercise their rights as a data principal under the DPDPA. The DPDP Rules enable such requests, leaving it to data fiduciaries to determine the mechanics of receipt and fulfilment. So far, so good.  

    Here’s, however, where things begin to get complicated.

    A nominee’s role is limited to exercising the rights of a data principal under the DPDPA: that is, the right to (1) access information about their personal data; (2) correction, completion, updating and erasure; (3) grievance redressal; and (4) (curiously) nomination.

    What does this mean for compliance with other substantive obligations under the DPDPA? For example, if this personal data is subject to fresh processing (e.g., analysed afresh) and no legitimate use or exemption applies – who will consent to such processing? On a related note, will the obligation to take reasonable security safeguards apply in respect of such personal data, too?

    Singaporean personal data protection law, by comparison, is clearer on these issues. It, for instance, provides a 10-year path for lawful disclosure, by enabling service of notices on legal representatives, and receipt of their consent, similarly extending security obligations for this period.

    Absent similar clarity under the DPDPA, this will be an important question for both businesses and data principals to ponder. 

  • What are ‘transfers’, anyway? Cross-border transfers make the world go around, and go around the world. Much ink, digital and otherwise, has been spilt on the issue of how the restrictions under the DPDPA will operate.

    To recap, a blacklist of countries or territories to which personal data cannot be transferred is expected to be notified under the DPDPA.

    The DPDP Rules add a few layers to this.

    They require:

    • such transfers to be subject to restrictions regarding disclosure to foreign States, their agencies, and persons or entities that these States may control; and

    • significant data fiduciaries (a special class of fiduciaries to be notified by the Government, including based on factors like volume of personal data handled; SDFs) to localise certain (so far, unspecified) types of personal data and related traffic data.

    While we await the blacklist, restrictions on disclosures, SDF classification, and the types of personal data to be localised, here’s a more fundamental question to consider: what is a transfer?

    Determining the scope of this term will be key to identifying what can and cannot leave the country under the DPDPA, and under what circumstances. 

  • There’s a new kid (-related exemption) in town. The DPDP Rules add to the purpose-based processing exemptions for children’s data that were proposed in the January 2025 draft rules. Any processing to track the real-time location of a child in the interests of their safety, protection, or security will be permissible under the DPDPA.

    The bigger questions, of course, are: what underlying data will the exemption cover, and what will this mean for general tracking technologies? (Parents, if you’re using tracking technology to check in on your kids’ whereabouts, you’ll want to think about this.)

Did the DPDP Rules clarify any of the issues on the August anniversary list?

Regrettably, no.

While some (like questions around age verification and the scope of ‘publicly available data’) were unlikely to be impacted by the DPDP Rules, others remain as they were, too.

  • The 3P consent conundrum is no clearer. To recap: how does the recipient of your pharmacy order/e-commerce parcel/surprise gift/grocery order, or UPI payment consent to their personal data being processed before it is collected?

  • Verifying parental consent remains tied to reliable details in hand, and in the absence of such details, most likely reliance on fledgling digital ID mechanisms that have limited adoption so far.

  • U18s may experience a brand new world come 2027 if content personalisation for children (which will, likely, depend on monitoring their behaviour online) remains off limits. The big question: will this impair U18s’ access to personalised playlists and educational podcasts – or, simply, their ability to discover something new that may be to their tastes?


Closing thoughts

The DPDP Rules are a reminder that delegated legislation cannot be a panacea for loose ends that are best addressed by the primary law.

They also provide that nudge that everyone was waiting for to begin compliance-building in earnest. With (up to) 18 months to revisit existing data handling practices, and shape new, DPDPA-compliant ones, businesses (and their advisors) are bound to be busy.

As we’ve been collectively training for this moment since 2018, though, let’s treat this like a marathon and not a sprint.
