Close

Recent Posts

Consumer Tech News

DPDP Rules 2025 Mark Major Step in India’s Data Protection Regime; Industry Seeks Clarity on Key Compliance Areas: COAI

DPDP Rules 2025 Mark Major Step in India’s Data Protection Regime; Industry Seeks Clarity on Key Compliance Areas: COAI
Byadmin
  • PublishedNovember 27, 2025

The Digital Personal Data Protection (DPDP) Rules 2025, recently notified by the Ministry of Electronics and Information Technology (MeitY), mark a major milestone in operationalising India’s data protection ecosystem. According to the Cellular Operators Association of India (COAI), the new Rules place India among the countries with a comprehensive and rights-based personal data protection framework, built on purpose limitation, notice-and-consent, defined reporting timelines and broad fiduciary accountability.

Lt. Gen. Dr. S.P. Kochhar, Director General, COAI
Lt. Gen. Dr. S.P. Kochhar, Director General, COAI

Welcoming the notification, Lt. Gen. Dr. S.P. Kochhar, Director General, COAI, said the industry remains committed to supporting the smooth implementation of the DPDP Act. “The Rules… not only ensure data protection of the citizens but also equip the citizens with certain rights with respect to their data. COAI and its members welcome this progress and remain fully committed to supporting the effective implementation of the DPDP Act,” he noted.

However, COAI also emphasised that several industry concerns raised during public consultations remain unaddressed. The Association reiterated the need for additional clarity in areas such as parameters for a security compliance framework, age-verification methodology for minors, DPIA obligations for Significant Data Fiduciaries (SDFs), interpretation of ‘purpose limitation’ and ‘legitimate use’, multilingual consent operations, breach-notification requirements, consent-manager obligations, and harmonisation with existing sectoral laws.

Risk-based security and harmonised reporting needed

COAI highlighted that the telecom sector already operates under an extensive and resource-intensive security framework. It recommended that the Data Protection Board adopt a calibrated, risk-based approach aligned with global best practices and existing telecom-security norms to avoid duplicative burdens.

On breach notifications under Rule 7, the Association has advocated a proportionate reporting model similar to Japan and several EU jurisdictions. Given the multiple and often overlapping incident-reporting requirements under the IT Act, CERT-In directions, DoT guidelines and now the DPDP framework, COAI has suggested a unified breach-reporting timeline and a standardised notification format accepted across all competent authorities. Such harmonisation, it said, would reduce duplication and is in line with recent NITI Aayog recommendations on streamlining regulatory frameworks to enhance ease of doing business.

Clarifications on safeguards, minors’ consent and SDF obligations

Regarding Rule 6 on reasonable security safeguards, COAI stated that security should be assessed through a layered, risk-based approach rather than by emphasising encryption or masking alone. Telecom networks already deploy mature defence-in-depth systems that mitigate risks of unauthorised data access or misuse, it added.

On minors’ data (Rule 10), the Association pointed out the practical challenges of verifying parental consent for all individuals under 18, particularly given India’s diverse household structures. It reiterated its earlier recommendation for a practical exemption for minors aged 16–18 for SIM acquisition.

For Significant Data Fiduciaries under Rule 13, COAI reiterated that Data Protection Impact Assessments (DPIAs) should be risk-based—not annual or prescriptive—and that DPIAs conducted under globally recognised frameworks such as the GDPR should be accepted to avoid redundancy.

Consent managers and harmonisation with sectoral laws

COAI also raised concerns about the stringent eligibility restrictions for consent managers under Rule 4, which prohibit directors and key personnel from being associated with any Data Fiduciary. The Association suggested replacing blanket prohibitions with safeguards against preferential treatment, and urged the government to allow a common industry-level consent-management layer or permit operators to continue using robust internal consent-management systems that meet DPDP standards.

Further, the Association underscored the need to clarify the DPDP Act’s overriding effect under Section 38(2). It recommended adherence to the established legal principle that specific sectoral laws should prevail over general laws in case of conflict. Clear mechanisms for harmonising telecom-specific regulations with the DPDP framework would minimise ambiguity and support a smoother transition for all stakeholders, COAI said.

COAI preparing detailed submissions to MeitY

COAI is compiling detailed inputs for MeitY on the DPDP Rules and awaits further notifications and standards that will guide compliance under the new regime. The Association affirmed that the telecom industry remains committed to building a secure, future-ready, and citizen-centric data protection ecosystem.

“We will continue to constructively work with the Government to ensure effective, balanced and industry-aligned implementation of the DPDP framework,” Lt. Gen. Dr. S.P. Kochhar said.

Tags:

Written By
admin

Prev Post

Next Post

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

5 Takeaways From The First Round Of France’s Election
News
June 7, 2022

5 Takeaways From The First Round Of France’s Election

Corporations Are People, Too
News
June 7, 2022

Corporations Are People, Too

Is Australian democracy in good health?
News
June 7, 2022

Is Australian democracy in good health?