Dear Reader,
The 31st edition of Spotlight provides a snapshot of gaps in the Draft DPDP Rules, 2025. It highlights concerns around breach intimation, security, and data localisation, offering suggestions to strengthen India’s data protection framework.
We look forward to hearing your comments and suggestions!
Draft DPDP Rules, 2025: Bridging the Gaps in Transparency, Security, and Data Localisation
TL;DR - Issues at a Glance
Lack of Breach Transparency: There is no clarity on breach disclosure details, timelines, or user notification requirements. Additionally, there is no framework for determining liability or providing compensation.
Disproportionate Security Measures: One-size-fits-all security rules place an undue burden on smaller firms. A risk-based, scalable approach with regular public audits can enhance protection, reduce costs, and build trust.
Sudden Shift in Data Localisation Rules: The abrupt introduction of data localisation measures may increase compliance costs for businesses, potentially passing these costs on to consumers and affecting the affordability and availability of services.
Recommendations: Ensure detailed breach disclosures, fair allocation of liability, and timely compensation for data principals. Tailor security and localisation requirements based on risk and scale. Promote transparency through audits and flexible, impact-driven compliance.
Gaps in the Draft Rules
Breach Intimation and Transparency: Missing Safeguard
- The draft Rules do not specify the level of detail required in breach disclosures, such as which categories of data were affected, how many individuals were impacted, or how much data was compromised. Without this, data principals and regulators cannot gauge a breach's severity.
- In the absence of a mandate to disclose when a breach occurred and when it was detected, affected individuals cannot take timely protective measures.
- The draft Rules currently offer no guidance on how affected individuals should be compensated or how liability should be assessed in case of a data breach.
- Data Fiduciaries are not held to different standards of accountability depending on whether the breach resulted from a lapse or occurred despite the implementation of robust safeguards.
Recommendations:
- Mandate that Data Fiduciaries disclose the categories of affected data, number of impacted individuals, and volume of data exposed. This helps in assessing the seriousness of the breach.
- Require breach reports to include a timeline running from the occurrence of the breach to its detection and notification, to promote transparency and enable a swift user response.
- Ensure that Data Principals receive the same follow-up communication sent to the Board, keeping them informed of remedial actions.
- Hold Data Fiduciaries fully accountable for breaches caused by negligence or poor security measures.
- In cases where breaches occur despite reasonable precautions, assess liability fairly based on context.
- Encourage insurance or risk-pooling to ensure timely compensation, and mandate the Board to set clear, consistent compensation guidelines.
Rethinking Security Measures: Ensuring Proportionate Regulation
- Requiring the same level of security measures from all Data Fiduciaries, regardless of their size or risk exposure, places a disproportionate compliance burden on smaller platforms, startups, and low-risk entities.
- High compliance costs may deter new entrants, stifle innovation, and reduce market competitiveness.
- The draft Rules do not account for whether a security incident causes material harm, treating all incidents as equally significant in regulatory terms.
- In the absence of regular, public-facing audit disclosures, it is difficult to assess how seriously Data Fiduciaries take their security obligations.
Recommendations:
- Calibrate security obligations based on the size, data sensitivity, and operational capacity of the Data Fiduciary, using a risk-based or materiality-based approach to ensure proportionality and fairness.
- Trigger security obligations only when incidents meet defined thresholds, taking into account data sensitivity, scale, and potential harm to Data Principals.
- Mandate security assessments every six months and require public disclosure of reports to promote transparency, build public trust, and encourage continuous compliance.
Data Localisation and Cross-Border Transfers: A Sudden Shift
Conclusion
The draft DPDP Rules, 2025, provide a much-needed framework for implementing India's data protection law. However, several critical gaps remain. Transparent and well-structured regulation will not only build public trust but also support the sustainable growth of India's digital economy.