The Indian government's release of the draft Digital Personal Data Protection Rules, 2025, under the Digital Personal Data Protection Act, 2023, marks a significant step toward enhancing data privacy and security. As an Adtech company, we recognize the importance of these regulations and believe that with thoughtful implementation, they can strike an optimal balance between safeguarding user privacy and fostering industry innovation.
Key Provisions of the DPDP Act:
Applicability: The Act governs the processing of digital personal data within India, including data collected offline but digitized later. It also applies to entities outside India if they offer goods or services to individuals within the country.
Data Fiduciary Obligations: Entities processing personal data (Data Fiduciaries) are required to:
- Ensure data is processed for specified, explicit, and lawful purposes.
- Obtain clear and informed consent from individuals (Data Principals).
- Implement reasonable security safeguards to prevent data breaches.
- Report data breaches promptly to the Data Protection Board and affected individuals.
- Avoid processing children's data in ways that could harm them.
Data Principal Rights: Individuals have the right to:
- Access their personal data.
- Correct inaccuracies in their data.
- Erase their data under certain conditions.
- Withdraw consent at any time.
- Seek grievance redressal for data processing issues.
Penalties: Non-compliance can result in significant financial penalties, with fines up to ₹250 crore for certain violations.
Here are some insights and suggestions that we hope will be helpful in refining the framework:
- Clarify Data Localization Requirements: The draft rules suggest that the Union Government can define the types of data that Significant Data Fiduciaries must localize within India. However, the specifics remain ambiguous. If these requirements included clear guidelines on data localization, companies could better understand compliance expectations and evaluate the implications for cross-border data flows. Such clarity would foster confidence among businesses while ensuring data sovereignty.
- Define 'Significant Data Fiduciary' Criteria: The term 'Significant Data Fiduciary' plays a pivotal role in determining the scope of compliance obligations. If objective criteria—such as the volume of data processed, its sensitivity, and the potential impact on data principals—were established, it would ensure that obligations are appropriately tailored and proportionate to the role of the fiduciary. This would enhance fairness and predictability for businesses.
- Streamline Consent Management Processes: Explicit user consent is a cornerstone of the draft rules. By standardizing consent management requirements, interoperable solutions could be developed that enhance user experience and simplify compliance for businesses. This approach could make consent management more transparent and effective across platforms.
- Provide Guidance on Data Anonymization: Data analytics is central to programmatic advertising. If the draft rules included clear guidelines on acceptable data anonymization techniques, companies could continue leveraging valuable insights while ensuring personal data remains protected. This would align innovation with privacy protection, fostering a responsible data ecosystem.
- Establish Realistic Compliance Timelines: Implementing changes to meet the new rules will require time and resources. Realistic timelines for compliance would help organizations transition smoothly without disrupting operations. Phased implementation plans could also support smaller entities in meeting their obligations effectively.
- Encourage Industry Collaboration: Collaboration between regulators and industry stakeholders can yield practical and effective regulations. Establishing advisory committees or industry forums to provide ongoing feedback could ensure the rules remain adaptive and relevant in a rapidly evolving digital landscape. Such initiatives would underline the government's commitment to participatory policymaking.
- Ensure Proportional Penalties: While penalties are necessary to enforce compliance, a proportional approach would take into account factors such as intent, the extent of harm caused, and remedial actions taken. A tiered penalty structure could encourage compliance while fostering trust and cooperation between businesses and regulators.
By incorporating these measures, the draft rules could lay the foundation for a robust data protection framework that champions user rights while enabling the ad tech industry to innovate and thrive. We look forward to seeing how these regulations evolve and hope they will serve as a model for balanced and forward-thinking governance in the digital age.
Junior Associate - Marketing | Published Author | B2B Marketing & Research
This Act is a monumental step toward strengthening user privacy and paving the way for a secure and innovative internet future. Looking forward to its impact!