India’s data protection rules need some fine-tuning Premium

India’s DPDP Rules focus on outcomes rather than processes, empowering users without burdening businesses and consumers with unnecessary complexities

On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released the much-anticipated Draft Digital Personal Data Protection (DPDP) Rules — a key moment in India’s journey to regulate digital personal data. This step follows the passage of the DPDP Act, 2023, bringing India closer to operationalising its framework for safeguarding personal data.

The draft rules represent a departure from the earlier and controversial Personal Data Protection Bill, which many deemed was overly restrictive and even hostile to industry interests. The Bill underwent extensive framing, reframing and consultations over nearly a decade, only to be rescinded when committees and government stakeholders wisely decided it was untenable.

In contrast, the positive response to the DPDP Act and its accompanying rules, reflected in conversations with businesses and in media coverage, stems from the less prescriptive, principles-based approach of the draft rules.

Unlike the earlier rush to regulate under the so-called “Brussels Effect”, where global digital rulemaking mirrored the European Union (EU)’s interventionist regulatory ethos, India has taken a more pragmatic stance. The EU’s General Data Protection Regulation (GDPR), once hailed as a gold standard by privacy experts, now faces criticism for unintended consequences — favouring well-resourced corporations, stifling smaller enterprises, and failing to significantly enhance public trust in the Internet. India’s measured approach thus far offers a refreshing alternative to Europe’s interventionist policies.

One of the draft rules’ standout features is their principles-based framework for notice and consent. While the GDPR has cumbersome requirements, such as notifying users of indirect data acquisition, cross-border data transfers, and automated decision-making processes, India’s rules emphasise simplicity and clarity. This helps reduce “consent fatigue”, a significant issue in Europe, where users are inundated with unnecessary details, such as the location of data processing — information of little practical use.

In 2023, the European Commission introduced the Cookie Pledge Initiative to address growing frustration over incessant consent pop-ups. However, such course correction would have been unnecessary had the EU taken a less invasive approach to regulating user interfaces and consent mechanisms. The very existence of this pledge highlights the burdens created by prescriptive regulation.

India’s DPDP Rules sidestep these pitfalls by focusing on outcomes rather than processes, empowering users without drowning businesses and consumers in unnecessary complexities. The rules avoid dictating how entities should enable users to exercise their rights to correction, erasure, nomination, withdrawal of consent and to seek information from entities. They require only the publication of relevant information on apps and websites. In contrast, the GDPR is prescriptive about how similar information should be presented, including instances where entities may need to provide this information orally to users. Why should the state dictate every aspect of an app or website’s design or user interface? India’s approach, thankfully, respects business autonomy and innovation.