As the government unveils the draft Digital Personal Data Protection (DPDP) Rules to operationalise the Digital Personal Data Protection Act, 2023, the Tech Entrepreneurs Association of Mumbai (TEAM) has welcomed the move as a “crucial dialogue” toward building a robust digital data privacy framework in India. However, TEAM has also highlighted key areas that require further deliberation to ensure the framework is comprehensive and effective.

Firstly, the association talks about AI safety, saying with the rise of large language models or LLMs, guidelines will be needed on the ethical use of personal data for training AI models.

The association says the user-centric data deletion processes should also be user-driven and should align with international standards like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).

TEAM suggests a tiered approach to compliance, with varying burdens for differently-sized entities – like distinguishing between large multinational corporations and start-ups. This can enhance innovation, says the body.

Additionally, the association has sought enhanced clarity on age gating, breach protocols and penalties, compliance frameworks and timelines, cross-border data transfers, and data retention/erasure policies.

“Creating a structured platform, which includes bodies such as ours, industry associations, startups and tech companies, civil society organisations, think tanks and academic institutions in the feedback process would further ensure a comprehensive and expert-driven analysis. Furthermore, ensuring the rules are circulated in multiple languages with help from media and content platforms may help in more civic society participation in this critical mission,” says TEAM.

Notably, the government released the Draft Digital Personal Data Protection Rules on January 2, 2025, with an aim to safeguard citizens’ rights for the protection of their personal data in India. These rules seek to operationalise the Digital Personal Data Protection Act, 2023 (DPDP Act), which will create a framework for protecting digital personal data in the country.

The new data protection rules are designed to protect citizens’ data rights while achieving a balance between regulation and innovation. They also address specific challenges like unauthorised commercial use of data, digital harms and personal data breaches.

The key features of the draft DPDP rules are a balance between innovation and regulation, a digital-first approach, and addressing stakeholder concerns. However, there are certain areas where, experts think, more consultations and discussions are required to fully safeguard the digital data rights of individuals in India.

The ministry has sought feedback or comments on the draft rules from the stakeholders by February 18, 2025. Feedback or comments can be submitted via the MyGov portal.