A risk-based approach to data protection could enable India to simultaneously protect user rights and unlock its potential as a global manufacturing and export powerhouse
| Photo Credit:
kraisorn waipongsri
India’s proposed data protection rules will overburden MSMEs and hinder the country’s export ambitions in the current global political environment, said IndusLaw firm while hosting a virtual panel discussion on the proposed Digital Personal Data Protection (DPDP) Rules.
Speaking about the impact on small businesses, c, said, “The DPDP rules in their current form can become a significant impediment to scale for small and mid-sized businesses. A one-size-fits-all approach imposes a disproportionate compliance burden on SMBs, stifling innovation and growth. Instead, risk-based regulations would be a better approach.”
Data localisation could complicate trade
To fully leverage the current geopolitical shifts around tariffs, panelists asked that India improve its ease of doing business by ensuring simpler and more proportionate compliance frameworks in the rules. A risk-based approach to data protection could enable India to simultaneously protect user rights and unlock its potential as a global manufacturing and export powerhouse, while not doing so risks discouraging investment and innovation, said the firm.
Kamesh Shekar, Senior Programme Manager – Privacy, Data Governance and Co-lead – AI, The Dialogue, said, “Data localisation requirements could further complicate the development and training of AI models, which often depend on cross-border data flows. Additionally, without mechanisms like ‘legitimate interest’ or alternate legal bases — which are available in frameworks like the GDPR — India risks limiting innovation by making it difficult for businesses to access diverse, global datasets essential for model accuracy and fairness.”
On children’s data
Speakers argued that the rules will lead to significant implementation challenges around verifiable parental consent mechanisms.
Meghna Bal, Director at The Esya Centresaid, “According to a study by the Esya Centre, 76 per cent of children prefer personalised content. And 73 per cent said that they would feel uncomfortable/ unsafe if content was depersonalised. For targeted ads – 75 per cent of children indicated that they would not be able to discover educational and non-educational products (toys, movies etc) meant for them if targeted ads went away. 81 per cent of children said they’d be unhappy if strict privacy rules led them to lose access to age-appropriate products. And 75 per cent said this loss of access would negatively affect their routine.”
Meanwhile, other panellists raised concerns on the current binary age-verification model, which restricts verification to only two methods. The blanket restriction on behavioural advertising and tracking for minors was also marked as overly broad and misaligned with actual online behaviour patterns among children.
Privacy by design
Experts called for the adoption of privacy-enhancing technologies that embed protection by design. They asked to re-evaluate traditional notions of consent and notice, calling instead for consent alternatives that can support responsible innovation. Additionally, panellists highlighted that a vertical-specific regulatory framework, as seen in the US, would be more effective in addressing the unique risks and needs of different sectors.
Published on April 16, 2025
