TechTicker Issue 62: January 2025

New Year, New Rules! No prizes for guessing what we’re talking about. If you've been following us, you already know we’ve been sprinkling memes here and there in earlier editions, about how eagerly we have been waiting for drumrolls the draft Digital Personal Data Protection Rules, 2025 (Rules). And just like that, with the New Year (and, a slightly late Xmas gift) from the IT Ministry, we’re now setting sail towards the world of data protection compliance.?

It’s been a rollercoaster, and with our tech policy friends and fam, we’re all on this ride together. So, after quickly exchanging a flurry of ‘sad-happy weekend to us!’ messages, followed by a collective sigh (yep, we’ve all been there), we put on our analysis hats and got to work. You can read our preliminary analysis here. Our partners Nehaa and Sreenidhi also spent some time unpacking and talking about the rules – specifically how they impact B2C businesses – and that recording is here.

Amidst the flood of information that has been doing the rounds, we’ve got your back by adding another one to the pile. And so, this edition is laser-focused on the Rules.

We start by going back in time and refreshing the story surrounding the origins of the Rules — from the passing of the Act and the numerous events that delayed their launch in the past year. Then, we get into the weeds: spotlighting hot-cake issues, capturing some of the reaction and ‘wait, what’ moments. We round up with a share of some in-house expert takes on some of questions that we and the broader ecosystem have been grappling with. In case you have any specific queries for our team, shoot away! You can reach out to us at [email protected].?

Even though this newsletter is all. about. data. — we will indulge ourselves a minor deviance to discuss a couple of important updates on AI and content moderation.

Let’s rewind it a bit

Back in 2012, visionary Justice A.P. Shah presented a report calling for better protection of individual’s privacy in India. But it took over a decade — after a Supreme Court ruling recognizing the right to privacy; the Srikrishna committee report exploring potential regulatory approaches; and not one, but several draft bills — for the Digital Personal Data Protection Act, 2023 (DPDP Act) to come to life in August 2023.

And we were told, the rules to operationalize this Act would be rolled out immediately after. But then, something hit the brakes. The hold up? Reportedly, there were industry concerns regarding how to technically operationalize verifiable parental consent. Oh, and the Ministry of Home Affairs had to give their stamp of approval as well. The result? Businesses found themselves stuck and restless — in a waiting game worse than Bengaluru’s traffic.

Finally, after what seemed like an eternity (at least to us), the IT Ministry doing its best rendition of ‘thank god its Friday’, released the Draft Rules for public consultation on January 3, 2025. Deadline to submit comments to this draft is February 18, 2025; so, if you want to get in your two cents, now's the time! (Psst: some have sought extension on this deadline, which reportedly might just be granted.)

Hot-cake issues ?

• The phased roll-out: The DPDP Rules will be enforced in phases. Upon coming into force, rules relating to the details of the Data Protection Board (Rules 16-20), will immediately come into effect. However, the rest of the rules (Rules 3-15 and 21-22), will see a more staggered timeline. Basically, there’s room to breathe — but only for a little while. Minister Vaishnaw has already shared that there will be a two-year transition period to help everyone shift to the new regime. Translation? You’ve got time, but you need to start working now. He shared that the goal is to have the final rules in-place by mid-2025 (in time for the monsoon session), so mark your calendars.
• ?Notice and consent: The Act and rules pretty much go hand-in-hand when it comes to these provisions. It says that privacy notices and consent requests must not only be in English, but also in all 22 scheduled languages of India. The notice must also include: what personal data you’re collecting, why you’re collecting it, how consumers can flex their rights, how to revoke consent, and how to file complaints with the Data Protection Board. On top of this, the data fiduciaries (DFs), i.e. those who determine how and why personal data is being processed, must ensure that it meets other requirements of being crystal clear, easy to digest, and, of course, totally unambiguous. And in 22 languages. Good luck y’all.
• ?Extra love and care for children’s data?: The DPDPA requires organizations to collect parents’ consent before processing a child’s data. Here’s where it gets interesting: instead of forcing everyone into a one-size-fits-all box, the Rules seemingly take a more flexible approach, clarifying that DFs can adopt ‘appropriate technical and organisational standards’ to take this consent (Rule 10). While generally this may rely on the nature of business and content accessible on a website or an application, there are questions over what counts as 'appropriate’? The IT Minister said that the Rules will evolve based on learnings from their implementation, and accordingly these provisions may be refined even after implementation. Others have raised concerns that this potentially means age-gating the entire internet. There are also exemptions offered to healthcare and educational institutions, and purposes like opening a user account, among others.

• Act fast if there’s a breach!: Been breached? The new Rules specify the who, what and when of data breach reporting. There is a two-step process: DFs must notify affected users and the Data Protection Board immediately. Then after 72 hours, share a more detailed ?report with the Board. Regarding the what, the Rules provides an exhaustive list of components like breach description, circumstances, consequences and safety / mitigation measures that need to be disclosed. It seems like all breaches must be reported, and not only the ones that cause harm or risk of harm, contrasting with the approach followed in other nations. ?
• ?Locking down on security measures: This came out of the left-field, but the Rules specify the base-line security measures that companies must adopt to keep data safe. Think encryption, access controls, and continuous breach monitoring — a comprehensive approach to ensure data isn’t left vulnerable. At first glance, this seems fairly routine — but a reading of the fine print suggests certain measures (such as retaining logs for 1 year) are a bit prescriptive, and may be infeasible to implement for certain kinds of businesses — based on technological or resource limitations.
• ?The night consent manager: Seems like everyone wants to become a doctor consent manager these days. But this is no walk in the park. The Rules have strict registration criteria, and only those who meet the high bar will get the coveted CM badge. What’s included? Well, things like having a net worth of INR 2 crores, 7-year record-keeping, no subcontracting, independence from DFs, etc etc — it is a long list. Want to know more? Check out the First Schedule of the Rules.?
• ?Ghost of data localization past: The return of the prodigal son. In contrast to the Act’s forward-looking approach towards cross-border data transfers, the Draft Rules bring back — in a slightly convoluted way — data localization and transfer restrictions. The Rules empower the government to restrict data transfers based on conditions related to foreign government access — conflict of laws much? — and if you're classified as a Significant Data Fiduciary (SDF), you might even need to localize certain data categories. Obviously, how all this will play out is anyone’s guess. The uncertainty has left everyone worried and experts are re-iterating the challenges this can create for business operations.

?

• Calling for information by the government — almost as easy as a phone call?: ?The Central Government now has the power to knock on your door (figuratively, of course) and ask companies for specific info, as per the Seventh Schedule. But hold your horses—this isn’t a free-for-all. If spilling the beans could mess with India’s sovereignty, integrity, or security, the government’s got the right to put a hold on disclosure unless they get the green light first. Whether it's for national security, legal compliance, or just checking in on the status of certain DFs, the government’s empowered to make those requests. In short, when the government asks, you must answer, so to speak.

?Review, reaction, and commentary

Immediately after the DPDP Rules were released, the media was flooded with Twitter rants and government clarifications.

Government clarifies: Union Minister Ashwini Vaishnaw gave a series of interviews? (here, here and here) explaining and clarifying different provisions of the DPDP Rules. These included providing a timeline for the implementation of the rules, noting that sector-specific restrictions may be implemented for cross-border data flows and highlighting the use of tokens for verifiable parental consent. The IT Ministry also emphasized that data localization will be limited in its application and clarified that sectoral regulators will retain their authority over cross-border data flows. The IT Ministry is likely to extend the consultation period for the Rules, with specific focus groups to be formed on specific aspects of the draft.

Industry reacts:? Different sectors have had varied reactions to the DPDP Rules. While the Rules have caused concern in sectors like fintech — which is grappling with the potential increase in operational costs to comply with different requirements; some are waiting to get-set-go on innovating and building new products. Meanwhile, marketers brace for change in engagement strategies — basically, the increased emphasis on data minimization and user consent may change the existing model of hyper-specific targeted advertisements and move the industry to develop marketing practices beyond sharp targeting.

Civil society views: Some civil society organizations have criticized the rules for being ‘too vague’, citing how terms like “reasonable safeguards”, “appropriate measures”, or “necessary purposes” are used without any clear explanations. A commentator highlighted that there is a lack of operative guidance in the Rules, and they are “incomplete and rushed”. However, other experts have praised the Rules for establishing a forward-looking framework to protect the rights of individuals by granting them greater control over information.

What we are reading

• This guide by Medianama? contains coverage on all the different provisions of the DPDP Rules as well as the DPDP Act.
• Rahul Matthan’s first impressions on the DPDP Rules.
• IGAP’s two part report on cyber security incident reporting and data breaches under the DPDP Act.
• The initial analysis of the Rules by the Internet Freedom Foundation, which points out how the Rules remain vague in several areas and leave room for discretionary interpretation by the government.??
• This opinion in The Hindu articulating some of the challenges of implementing the Rules.
• A report from November 2023 by The Quantum Hub on the global practices around age assurance and age verification used to protect children’s data and privacy.

?Experts’ corner – Ikigai voices on the DPDP

“Who needs to verify and age-gate. How do you go about doing that? This is a concern that has been raised in earlier iterations as well. Are you moving towards a scenario where you age-gate the entire internet? I don’t think that is the intent of the government. It might be an inadvertent effect. In other parts of the world, we have seen language which says that organisations should have age verification or age-gate mechanisms based on the kind of content that is being accessed and the level of risks involved in the online activity. So, if you are a website for adult content, having a checkbox that says ‘I confirm I am above 18’ might not quite cut it. But if you are a news website, should you really be worried about verifying the age and identity of every single individual who is coming on your platform to consume your content. At least in the letter of the law, we currently don’t see this kind of nuance come through. You do have to do a little bit more so that children below the age of 18 cannot easily access, or the converse that only those above the age of 18 may have access.

-???Nehaa Chaudhari, Partner (in her podcast with the The Economic Times)

?SDFs will also be subject to data localisation requirements based on the recommendations of an executive committee,” said Pallavi Sondhi, senior associate at Ikigai Law.

Experts believe this rule is likely to encounter strong pushback from industry giants such as Meta, Amazon, Google, and other organisations which handle sensitive health and financial data.

Rule 14, on the other hand, restricts the flow of Indians’ data with foreign countries. This rule, however, unlike rule 12, applies to all data fiduciaries. It says that if a company processes personal data in India or processes it outside of India for goods or services offered in India, it must follow certain requirements when it comes to sharing that data with foreign governments.

"In case of cross border data transfer, data fiduciaries will have to comply with certain conditions that the Central Government may prescribe through a separate executive order," said Sondhi. "The conditions will relate to providing data access to foreign governments or persons/entities under its control."

-?? Pallavi Sondhi, Senior Associate (quoted in the Secretariat)

While DPDP Rules definitely stole the spotlight, there have been other exciting and relevant tech policy updates. Moving on to other news…

Connecting the Dots

• Meta’s Fact Checking Upheaval: Mark Zuckerberg announced sweeping changes to Meta’s content moderation policies that govern Facebook, Threads, and Instagram in the US. The company is eliminating its third-party fact checking programme (started in 2016) and replacing it with a crowdsourced fact-checking model like X’s community notes, where users add facts and context below a specific post. It will be ‘simplifying’ its content policies by removing restrictions on topics like immigration and gender. The updated policy will change its enforcement approach and prioritize automated filters only on illegal and high-severity violations, and only user reports will be required for lower-severity violations. These changes are aimed at addressing concerns and complaints raised that Meta over-censors “harmless content” and is slow to respond to its users who have their accounts restricted as a result. While the policy changes are restricted to only the US for now, some suggest that this decision may slowly roll out in other countries too.

?In India, fact-checking organizations are uncertain about their future. Eleven organizations in the country, currently partner with Meta through its fact-checking network, with some relying on Meta for half their revenue. Interestingly, Union Minister Ashwini Vaishnaw commented on the decision stating that Meta’s shift in policy validated the government’s approach of setting up fact-check units (FCUs) to deal with misinformation pertaining to the government. These FCUs were conceptualized under the amended Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. They were empowered to identify any content concerning any ‘business of the Central Government’ and flag it as fake or false or misleading. However, the Bombay High Court declared FCUs to be unconstitutional. You can read more about FCUs and the case in our previous edition here.

• Directorate Generate of GST Intelligence (DGGI) gets direct takedown power over online gaming platforms: Online gaming has been on the DGGI’s radar for a while now. In its 2024 annual report, it flagged online gaming as a ‘high-risk’ sector for tax evasion. In December 2024, Parliament was informed that 642 entities are under investigation for GST violations. Now, in a significant move, the finance ministry has given DGGI the go-ahead to directly issue takedown orders to intermediaries—no need to route them through the IT ministry. This means online real money gaming apps and websites flagged for evading taxes can be blocked much faster.
• ?Draft AI Governance Guidelines are out: The IT Ministry had set up a high-level committee back in November 2023, led by the Principal Scientific Advisor (PSA), to identify gaps and propose a framework for AI governance. This committee, which includes key ministry representatives, formed a special sub-committee focused on drafting AI governance guidelines. Their report—completed last year—was officially released on January 6, 2025, and is open for public consultation until January 27, 2025. The guidelines call for a balanced approach: fostering AI innovation, while ensuring accountability and safeguarding stakeholder interests.

?That’s all for now!

We’d love to hear your feedback, concerns or issues you’d like us to cover. Or, you could just drop in to say hi. We are available at [email protected] .

Follow us on LinkedIn, Facebook and X to catch up on updates.

Signing off, the Ticker team for this edition: Isha Vidushi Nirmal Vijayant

?