India's New Data Protection Rules: What COAI's Support—and Concerns—Mean

“The Rules adopt a purpose-limited, notice-and-consent-based–based model with defined reporting timelines, broad fiduciary accountability and limited exemptions. India now joins other nations having a comprehensive data protection framework that ensures citizens' data protection and data rights," said Dr S.P. Kochhar, Director General, COAI.

The industry body also flagged unresolved issues from public consultations, including parameters for a security compliance framework, age verification methodology for verifiable consent in case of minors and DPIA obligations for Significant Data Fiduciary (SDF).

Further, the association called for clarity in the interpretation of “purpose limitation” and “legitimate use,” operational aspects of multilingual consent, breach‑notification requirements, consent‑manager obligations and harmonisation with sectoral laws.

On security compliance, COAI said that the current framework in the telecom sector is highly detailed and resource-intensive.

It urged that the Data Protection Board should adopt a calibrated, risk‑based approach consistent with global best practices aligned with established telecom-security norms.

On the requirement of mandatory notification for data breaches, COAI recommends adopting a proportionate reporting model similar to models in Japan and some European Union jurisdictions.

From a sectoral standpoint, mature network and system security controls already deployed by telecom service providers reduce the risk of unauthorised access, exfiltration or misuse of personal data, the release said.

COAI suggested a practical exemption for minors aged 16-18 for SIM acquisition, adding that establishing verifiable consent for users aged below 18 years is difficult and does not reflect India’s diverse household structures or the digital autonomy encouraged by the government.

- IANS