DPDP and the criticality of data: A turning point for India's gigital future
At its core, the DPDPA is a principles-based legislation. The draft rules currently under consultation provide a closer view of what real-world compliance will demand—particularly in areas such as consent, retention, data erasure, and breach notification. This is where the criticality of data governance truly comes into focus—not just as a question of digital infrastructure, but as a matter of strategic economic and legal consequence.
Data compliance vs practicality
The draft rules under should adopt a more risk-based and proportionate approach to age verification and parental consent. As it stands, the requirement for verifiable consent—regardless of a data principal's self-declared age—could impose disproportionate burdens on data fiduciaries, often compelling them to collect excessive data and implement rigid mechanisms that may violate principles of data minimisation. International standards like the EU-GDPR and COPPA offer a more balanced path by allowing entities to take 'reasonable efforts' to verify age and parental consent, depending on the nature of the service and risk involved. The DPDPR should follow suit by clarifying that stricter age assurance measures be applied only where high-risk processing of children's data is involved, while permitting flexibility for low-risk use cases. This not only prevents unnecessary operational hurdles for businesses but also aligns better with both child protection goals and practical feasibility.
What's more, the DPDP Act also does not currently allow for 'legitimate interest' as a legal basis to process data—something that other jurisdictions like the EU recognize. This could make basic business activities like internal audits, AI training, and even due diligence for M&A transactions unnecessarily difficult.
Breach reporting framework
One of the more stringent aspects of the draft rules is the breach notification framework. Data fiduciaries are required to notify both the Data Protection Board and the affected data principals of every data breach, irrespective of the perceived level of risk or harm. While a more extended window of 72 hours (or longer, subject to the Board's discretion) has been proposed for submitting a detailed report to the Board, the timeline for notifying affected data principals is notably tighter—requiring disclosure 'without delay.' In addition, a preliminary breach report must also be submitted to the Board without delay, containing essential initial details. Given the varying levels of detail and specificity expected in these 'without delay' notifications to the Board and data principals, there may be differing interpretations of the timeline and its practical implications.
This structure, though well-intentioned, raises concerns about the resulting desensitization of both users and regulators. In practice, most breaches require internal triage: identifying the breach, scoping its impact, initiating remediation. Reporting too early without adequate clarity could expose companies to unnecessary reputational and legal risks. Worse, it could distract from mitigating actual harm.
A more pragmatic approach would involve the introduction of a severity threshold, distinguishing minor from major breaches, and re-calibrating reporting timelines, to ensure meaningful compliance rather than mechanical disclosure.
MSMEs and the risk of overregulation
Another critical concern is the asymmetry of impact. While large corporations may struggle with scale, it is smaller businesses that will feel the heat of non-compliance most acutely. The framework as it stands does not adequately differentiate obligations by the size, scale, or risk profile of the fiduciary.
As seen in other sectors, overly burdensome compliance can stifle MSME growth. Risk-based regulation—where the extent of compliance is proportionate to the sensitivity and volume of data—needs to be institutionalised.
Governance beyond compliance
What the DPDP regime ultimately signals is the institutionalization of data governance in India. The legislation is not just about data protection. it is about shaping the way organizations think about trust, risk, and accountability. This is not merely a legal challenge—it is an organizational transformation. Policymakers must continue to listen—to industry, to civil society, and to consumers—so that implementation is guided by dialogue rather than dictate.
India has a unique opportunity to set the gold standard in digital governance—not just by protecting personal data, but by enabling the responsible unlocking of its economic value. But to achieve this, the DPDP Rules must evolve: from ambiguity to clarity, and from theory to real-world feasibility.
Five key areas to make the DPDP law more effective:
Adopt a risk-based approach to age verification and parental consent —aligned with global best practices and avoid one-size-fits-all mandates that may lead to over-collection of data and create compliance burdens.
Add 'legitimate interest' as a basis for data processing —especially for due diligence in M&A and Investment activities and internal operations.
Introduce a severity-based breach reporting system and reconcile reporting timelines to avoid false alarms and regulatory fatigue.
Clarify the language requirements for user notices—especially for backend or automated services.
Differentiate compliance for MSMEs to ensure ease of doing business isn't compromised.
Encourage industry-led self-regulation
under the oversight of the Data Protection Board.
Facebook Twitter Linkedin Email Disclaimer
Views expressed above are the author's own.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Time of India
an hour ago
- Time of India
A step closer to gig workers' safety, onus on aggregators
Bengaluru: The legislative assembly Tuesday passed the Karnataka Platform-Based Gig Workers (Social Security and Welfare) Bill, 2025, placing obligations on aggregators to provide social security benefits, including occupational health and safety, to gig workers. Tired of too many ads? go ad free now Proposing to establish the gig welfare fund on the lines of the fund for construction workers, the govt had earlier promulgated an ordinance on April 11, with governor Thaawar Chand Gehlot giving assent on May 27. The Bill now replaces the ordinance and envisages the creation of a Gig Workers Welfare Board to manage the fund and extend welfare measures. Opposition members, including CN Ashwath Narayan, suggested the govt also contribute to the fund along with aggregators. In response, labour minister Santosh Lad, who tabled the bill, said such suggestions would be considered while framing rules for legislation. However, to a proposal from BJP's Suresh Kumar to bring outsourced employees under the bill, Lad said: "They can't be included as they do not fit the definition of gig workers. " Lad explained that the contribution of aggregators to the fund would be determined by the Board. The bill allows aggregators to collect 1% to 5% of a gig workers' welfare fee from customers, which must be deposited into the fund at the end of each quarter. "The legislation ensures social security for gig workers. It is the need of the hour considering the rapid emergence of the gig economy," Lad said. "A NITI Aayog report says by 2029-30, about 23.5 million people will be employed as gig workers, creating many opportunities in this sector. There are about 4 lakh gig workers in Karnataka." Key provisions of the bill include a dispute resolution mechanism, registration of gig workers and aggregators with the Board, and measures to provide reasonable job security and health safety. Tired of too many ads? go ad free now The Board will comprise four representatives from gig workers' associations, representatives of aggregators, and two from civil society. It will also have powers to enter into agreements between gig workers and aggregators to prevent indiscriminate termination. Gig workers may also file complaints against aggregators before the Board, and in case of injustice, appeal before an Internal Dispute Committee even against the Board itself. Highlighting challenges workers face, Lad said: "Gig workers, especially two-wheeler riders, are constantly exposed to noise and environmental pollution. Some work 18 hours to earn Rs 1,800, taking on 25 to 30 delivery tasks a day. They face severe health hazards which is why this bill has been introduced." Who is a gig worker? The bill defines gig workers as those engaged through online platforms for services such as food and grocery delivery, logistics, e-market operations, health services, travel and hospitality besides others. It states that a gig worker is a person who performs or participates in a work arrangement, is paid a fee as per terms of a contract, and whose work is sourced through a platform in the services specified in the schedule.
The Hindu
3 hours ago
- The Hindu
Centre to introduce law to prohibit real money gaming firms, official says
The Union Cabinet on Tuesday (August 19, 2025) approved a Bill to effectively prohibit real money games (RMGs) online, a multi-billion dollar industry that counts fantasy sports platforms such as Dream11 and card game apps, including PokerBaazi. The Promotion and Regulation of Online Gaming Bill, 2025 is now headed to Parliament and is likely to be tabled on Wednesday. The move was not telegraphed in any public way by the government before the Cabinet approved it, with no draft Bill circulated by the Ministry of Electronics and Information Technology, as has been done for a number of notifications and the Digital Personal Data Protection Act, 2023. A copy of the Bill viewed by The Hindu lays out a broad definition for 'online money gaming,' targeting a vast swath of RMGs in one fell swoop. Under this definition, 'depositing money or other stakes in expectation of winning which entails monetary and other enrichment in return of money or other stakes' comes under online money gaming, and is prohibited. Industry associations representing RMG firms did not have a comment to offer on the proposal and indicated that they would respond formally when the Bill is released upon its tabling in Parliament. The firms maintain extensive contacts with government officials and have resisted the government's previous attempts to regulate them. For instance, in the months leading up to the GST Council's decision to increase the tax applicable on RMG deposits, the industry registered its opposition on multiple fronts. At the State level, industry bodies and individual firms have successfully obtained stays on bans on their operation, such as in Karnataka. Those legal victories rested on a critical distinction between games of skill and games of chance, with only the latter being recognised by courts as gambling, which is a State subject in the Constitution. Now, that distinction may present an existential threat instead of a lifeline to the industry, as online gaming has been brought under the administrative authority of the IT Ministry, which will enforce this prohibition. Under a 2023 amendment to the IT Rules, 2021, the government sought to bring the industry under self-regulation, with oversight by an independent committee to address complaints. However, no self-regulatory bodies (SRBs) were approved by the government under that amendment, with officials questioning proposed SRBs' independence from the firms they were supposed to be overseeing. The Bill creates a carve-out for the e-sports industry, essentially allowing video game tournaments that collect entry fees to continue doing so without falling afoul of the RMG prohibition.
NDTV
3 hours ago
- NDTV
Want To Live In Portugal? Indians Can Apply For A Golden Visa But There's A Catch
Known for its beautiful coastline and rich history, Portugal has emerged as one of Europe's most attractive destinations for Indians seeking permanent residency (PR). With its unique culture and high quality of life, Portugal offers a Golden Visa that allows you to stay and live there. What Is Portugal's Golden Visa? The Portugal Golden Visa is a residency by investment program that allows you to live, work, and study in the country. It also gives visa-free access to the Schengen Area. It also opens up an oppotunity for Indian citizens a chance to secure residency in Portugal and eventually EU citizenship through qualifying investments. Who Is Eligible? You can apply for a Portugal Golden Visa if you meet the following requirements: Should be 18 years or older. Open to all non-EU/EEA/Swiss nationals, including Indians. A clean criminal record from Indian or any other country where they have lived recently. Someone who can either purchase a property, transfer capital, or invest in businesses or funds. Applicant must stay in the country for 7-14 days per year to maintain residency. The catch? You need to invest a hefty amount of funds to obtain Portugal's Golden Visa. There are different types of investments that you can do, including: A fund subscription, which basically includes a minimum of €500,000 subscription in a qualifying Portuguese fund, such as Venture Capital funds and Private Equity. Start a new business wherein you create 10 new full-time jobs in Portugal. Invest a minimum of €500,000 in an existing Portuguese business and create five full-time jobs for at least 3 years. Make a donation of €500,000 for a research and development activity in Portugal. You can also invest €250,000 in preserving national heritage in Portugal. Note: As per the latest update, the real estate investment is no longer an option after October 2023 for new applicants. Documents Required Completed the Golden Visa application form A valid passport issued within the last 10 years and with a validity of 3 months Passport-sized photographs Police clearance certificate Proof of investments Portuguese bank statement confirming the investment transfer A statement stating investment for 5 years A valid health insurance covering at least €30,000 in the Schengen states Tax and social security clearance from Portugal, issued within 45 days Proof of fee payment for the application and processing How To Apply Step 1: Get a Portugese Tax Number and a bank account for completing an investment. Step 2: Make the investment by transferring funds from outside Portugal and complete the qualifying investment. The investment must be maintained for at least 5 years. Step 3: All documents must be notarized, apostilled, and translated into Portuguese if necessary. Step 4: Submit the application online, which is filed through Potugal's official immigration portal (AIMA or Agencia para a Integracao, Migracoes e Asilo). Step 5: Once the application is approved, you must travel to Portugal to provide fingerprints and photos. Step 6: The initial residence permit is valid for 2 years, renewable for another 3 years, leading to permanent residency and citizenship after 5 years. As per the latest update, the Portuguese government proposed some changes to the nationality law that may change Golden Visa rules. However, the proposal is currently under review. It is recommended to keep following the official website for the latest updates.
