The Cellular Operators’ Association of India (COAI) has released a statement on the Digital Personal Data Protection (DPDP) Rules 2025 notified by the Ministry of Electronics and IT (MeitY). According to the director general, COAI, “The DPDP 2025, recently notified by the MeitY, mark a significant milestone in operationalising India’s data protection framework. The rules adopt a purpose-limited, notice-and-consent–based model with defined reporting timelines, broad fiduciary accountability and limited exemptions. With this, India now joins other nations having a comprehensive data protection framework that would not only ensure data protection of the citizens but also equip the citizens with certain rights with respect to their data. COAI and its members welcome this progress and remain fully committed to supporting the effective implementation of the DPDP Act.
At the same time, COAI, in its submissions at the time of public consultations, had highlighted areas where additional clarity was required to further enable smooth, industry-aligned and risk-aligned compliance of the said rules. These areas included, for example, parameters for a security compliance framework, age verification methodology for verifiable consent in case of minors, DPIA obligations for significant data fiduciary (SDF), interpretation of ‘purpose limitation’ and ‘legitimate use’, operational aspects of multilingual consent, breach-notification requirements, consent-manager obligations and harmonization/alignment with sectoral laws. Most of these concerns remain unaddressed.
Notably, on security compliance, the current framework in the telecom sector is highly detailed and resource-intensive. Going forward, under the DPDP Act, a calibrated, risk-based approach consistent with global best practices and standards, aligned with established telecom-security norms, should be adopted by the Data Protection Board to ensure robust protection and an efficient compliance mechanism.
Similarly, on the requirement of mandatory notification for data breaches (Rule 7), COAI recommends adopting a proportionate reporting model, as followed in Japan and several EU jurisdictions. Further, given the multiplicity of incident-reporting obligations under the IT Act, CERT-In directions, DoT guidelines and now the DPDP framework, harmonised timelines and aligned procedures are required to help avoid unnecessary duplication to ensure cohesive compliance across regulatory regimes. CERT-In and the Data Protection Board may consider adopting a unified breach-reporting timeline, with a single trigger and a harmonised reporting window applicable across all digital and telecom entities. A standardised incident-notification format, accepted by all competent authorities, would ensure that regulators receive timely, consistent and decision-useful information, without necessitating multiple parallel reports under differing timelines. This approach would be in line with the recent recommendations by the NITI Aayog panel, wherein they have proposed overhauling the nation’s regulatory framework to promote ease of living and ease of doing business.
On reasonable security safeguard mandates (Rule 6), in the telecom context, the adequacy of “reasonable security safeguards” should be assessed in a layered, risk-based manner, rather than through encryption and masking alone. From a sectoral standpoint, mature network and system security controls already deployed by telecom service providers reduce the risk of unauthorised access, exfiltration or misuse of personal data. These measures provide a robust defense-in-depth architecture for protecting digital personal data processed over telecom networks.
With respect to minors (Rule 10), establishing verifiable consent for users below 18 years of age presents practical challenges and does not adequately reflect India’s diverse household structures or the digital autonomy encouraged under various government initiatives. COAI had, therefore, suggested a practical exemption for minors aged 16–18 for SIM acquisition.
Under the additional obligations mandated for Significant Data Fiduciary (Rule 13), COAI had proposed that DPIA requirements be risk-based rather than annual and prescriptive. Rather, DPIAs conducted under recognised global frameworks, such as the GDPR, should be duly recognised to avoid redundancy.
Regarding consent managers (Rule 4), the current restrictions disallowing directors and key personnel from having any association with Data Fiduciaries may be overly stringent. Several established organisations in technology, financial and telecom services possess the experience required to operate responsible consent management systems. COAI had suggested replacing the blanket prohibition with safeguards against preferential treatment, such as declarations at the time of registration rather than mandating changes to corporate constitutions. COAI is of the view that either a single, interoperable consent‑management layer be permitted for the telecom sector (for example, through a common industry consent manager or interoperable arrangements), or that it be clarified that telecom operators are not mandatorily required to use external consent managers where a robust, auditable internal consent‑management system is in place, provided that such systems fully meet the DPDP standards on consent.
Furthermore, Section 38(2) of the DPDP Act, 2023 accords the Act overriding effect over other laws in case of conflict. COAI had recommended adherence to the well-established legal principle that specific laws prevail over general laws. A review and harmonisation of sector-specific regulations with the DPDP framework, along with clear interpretative guidance, would help minimise ambiguity and facilitate a smooth transition for all stakeholders.
COAI is in the process of compiling detailed inputs for MeitY on the DPDP Rules. While the industry awaits detailed notifications, standards and parameters for compliance under the DPDP regime, COAI and its members affirm their longstanding commitment to a strong, secure and future-ready data protection ecosystem. We will continue to constructively work with the Government to ensure effective, balanced and industry-aligned implementation of the DPDP framework.”