

The Cellular Operators Association of India (COAI) has welcomed the Digital Personal Data Protection Rules 2025 notified by the Ministry of Electronics and Information Technology (MeitY), calling them a major milestone in strengthening India’s data protection framework.
In a detailed statement, Lt. Gen. Dr. S.P. Kochhar, Director General of COAI, said, “The Digital Personal Data Protection Rules (DPDP) 2025, recently notified by the Ministry of Electronics and Information Technology (MeitY), mark a significant milestone in operationalising India’s data protection framework. The Rules adopt a purpose-limited, notice-and-consent–based model with defined reporting timelines, broad fiduciary accountability and limited exemptions. With this, India now joins other nations having a comprehensive data protection framework that would not only ensure data protection of the citizens but also equip the citizens with certain rights with respect to their data. COAI and its members welcome this progress and remain fully committed to supporting the effective implementation of the DPDP Act.”
At the same time, COAI reiterated that several key concerns raised during public consultations remain unresolved. As Dr. Kochhar noted, “COAI, in its submissions at the time of public consultations, had highlighted areas where additional clarity was required to further enable smooth, industry-aligned and risk-aligned compliance of the said rules.
“These areas included, for example, parameters for a security compliance framework, age verification methodology for verifiable consent in case of minors, DPIA obligations for Significant Data Fiduciary (SDF), interpretation of ‘purpose limitation’ and ‘legitimate use’, operational aspects of multilingual consent, breach-notification requirements, consent-manager obligations and harmonization or alignment with sectoral laws. Most of these concerns remain unaddressed.”
Need for a Risk-Based Security Compliance Framework
Highlighting the complexity of telecom-sector security protocols, COAI stressed the need for alignment between DPDP requirements and existing frameworks. Dr. Kochhar explained, “The current framework in the telecom sector is highly detailed and resource-intensive. Going forward, under the DPDP Act, a calibrated, risk-based approach consistent with global best practices and standards, aligned with established telecom-security norms should be adopted by the Data Protection Board to ensure robust protection and efficient compliance mechanism.”
Proportionate Breach-Reporting and Harmonised Timelines
On the mandatory breach notification requirement under Rule 7, COAI called for a proportionate reporting model along the lines of those used in other jurisdictions. Dr. Kochhar stated, “COAI recommends adopting a proportionate reporting model, as followed in Japan and several EU jurisdictions. Further, given the multiplicity of incident-reporting obligations under the IT Act, CERT-In directions, DoT guidelines and now the DPDP framework, harmonised timelines and aligned procedures are required to help avoid unnecessary duplication to ensure cohesive compliance across regulatory regimes.”
He further added, “CERT-In and the Data Protection Board may consider adopting a unified breach-reporting timeline, with a single trigger and a harmonised reporting window applicable across all digital and telecom entities.”
COAI also emphasised operational efficiency through a universal reporting template, with Dr. Kochhar noting that “a standardised incident-notification format, accepted by all competent authorities, would ensure that regulators receive timely, consistent and decision-useful information, without necessitating multiple parallel reports under differing timelines.”
Sector-Specific View on ‘Reasonable Security Safeguards’
From a telecom perspective, COAI reinforced the need for a layered, risk-based interpretation of Rule 6. Dr. Kochhar said, “The adequacy of ‘reasonable security safeguards’ should be assessed in a layered, risk-based manner, rather than through encryption and masking alone. Mature network and system security controls already deployed by telecom service providers reduce the risk of unauthorised access, exfiltration or misuse of personal data.”
Practical Challenges in Verifiable Consent for Minors
COAI has also urged revisiting the consent mechanism for minors aged 16–18. Dr. Kochhar noted, “Establishing verifiable consent for users below 18 years of age presents practical challenges and does not adequately reflect India’s diverse household structures or the digital autonomy encouraged under various government initiatives. COAI had, therefore, suggested a practical exemption for minors aged 16–18 for SIM acquisition.”
Risk-Based DPIA for Significant Data Fiduciaries
On the additional obligations under Rule 13, Dr. Kochhar stated, “COAI had proposed that DPIA requirements be risk-based rather than annual and prescriptive. Rather, DPIAs conducted under recognized global frameworks, such as the GDPR, should be duly recognised to avoid redundancy.”
Consent Manager Restrictions Require Reconsideration
Addressing Rule 4 on consent managers, COAI cautioned against overly restrictive mandates. Dr. Kochhar observed, “The current restrictions disallowing directors and key personnel from having any association with Data Fiduciaries may be overly stringent. Several established organisations in technology, financial and telecom services possess the experience required to operate responsible consent management systems.”
He added, “COAI had suggested replacing the blanket prohibition with safeguards against preferential treatment, such as declarations at the time of registration rather than mandating changes to corporate constitutions.”
COAI further proposed structural flexibility for the telecom sector, stating that “either a single, interoperable consent-management layer be permitted for the telecom sector or that it be clarified that telecom operators are not mandatorily required to use external consent managers where a robust, auditable internal consent-management system is in place.”
Need for Harmonisation Between DPDP Act and Sectoral Laws
Addressing Section 38(2) of the DPDP Act, Dr. Kochhar remarked, “COAI had recommended adherence to the well-established legal principle that specific laws prevail over general laws. A review and harmonisation of sector-specific regulations with the DPDP framework, along with clear interpretative guidance, would help minimise ambiguity and facilitate a smooth transition for all stakeholders.”
COAI Preparing Detailed Inputs for MeitY
Dr. Kochhar concluded by reaffirming the industry’s commitment to constructive engagement. He said, “COAI is in the process of compiling detailed inputs for MeitY on the DPDP Rules. While the industry awaits detailed notifications, standards and parameters for compliance under the DPDP regime, COAI and its members affirm their longstanding commitment to a strong, secure and future-ready data protection ecosystem. We will continue to constructively work with the Government to ensure effective, balanced and industry-aligned implementation of the DPDP framework.”