Global Data Protection Dialogues: Key Takeaways for India’s Industry and Policymakers

Terms of use

Terms of Use

The use of this site and the content contained therein is governed by the Terms of Use. When you use this site you acknowledge that you have read the Terms of Use and that you accept and will be bound by the terms hereof and such terms as may be modified from time to time.

All text, graphics, audio, design and other works on the site are the copyrighted works of nasscom unless otherwise indicated. All rights reserved.
Content on the site is for personal use only and may be downloaded provided the material is kept intact and there is no violation of the copyrights, trademarks, and other proprietary rights. Any alteration of the material or use of the material contained in the site for any other purpose is a violation of the copyright of nasscom and / or its affiliates or associates or of its third-party information providers. This material cannot be copied, reproduced, republished, uploaded, posted, transmitted or distributed in any way for non-personal use without obtaining the prior permission from nasscom.
The nasscom Members login is for the reference of only registered nasscom Member Companies.
nasscom reserves the right to modify the terms of use of any service without any liability. nasscom reserves the right to take all measures necessary to prevent access to any service or termination of service if the terms of use are not complied with or are contravened or there is any violation of copyright, trademark or other proprietary right.
From time to time nasscom may supplement these terms of use with additional terms pertaining to specific content (additional terms). Such additional terms are hereby incorporated by reference into these Terms of Use.

Disclaimer

The Company information provided on the nasscom web site is as per data collected by companies. nasscom is not liable on the authenticity of such data.
nasscom has exercised due diligence in checking the correctness and authenticity of the information contained in the site, but nasscom or any of its affiliates or associates or employees shall not be in any way responsible for any loss or damage that may arise to any person from any inadvertent error in the information contained in this site. The information from or through this site is provided "as is" and all warranties express or implied of any kind, regarding any matter pertaining to any service or channel, including without limitation the implied warranties of merchantability, fitness for a particular purpose, and non-infringement are disclaimed. nasscom and its affiliates and associates shall not be liable, at any time, for any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communications line failure, theft or destruction or unauthorised access to, alteration of, or use of information contained on the site. No representations, warranties or guarantees whatsoever are made as to the accuracy, adequacy, reliability, completeness, suitability or applicability of the information to a particular situation.
nasscom or its affiliates or associates or its employees do not provide any judgments or warranty in respect of the authenticity or correctness of the content of other services or sites to which links are provided. A link to another service or site is not an endorsement of any products or services on such site or the site.
The content provided is for information purposes alone and does not substitute for specific advice whether investment, legal, taxation or otherwise. nasscom disclaims all liability for damages caused by use of content on the site.
All responsibility and liability for any damages caused by downloading of any data is disclaimed.
nasscom reserves the right to modify, suspend / cancel, or discontinue any or all sections, or service at any time without notice.

For any grievances under the Information Technology Act 2000, please get in touch with Grievance Officer, Mr. Anirban Mandal at data-query@nasscom.in.

New

See all

No notification found.

Global Data Protection Dialogues: Key Takeaways for India’s Industry and Policymakers

Ashish Aggarwal

@ashish.aggarwal

June 2, 2025

Public Policy Data Privacy

162

In April and May 2025, I participated in two pivotal global events on personal data protection—the IAPP Global Privacy Summit in Washington DC (23–24 April) and the Global CBPR Workshop in Singapore (26–28 May).

Below is a summary of insights for Indian industry and government, as we implement the Digital Personal Data Protection Act (DPDPA) and step up on digital trade. My presentation at the CBPR Workshop is attached.

IAPP Global Privacy Summit 2025 (Washington DC, 23–24 April)

The Summit brought together data‐protection practitioners, regulators, policymakers, trade bodies and think-tanks. Outside of the summit, I had useful meetings with US government officials, industry associations and global think tanks.

Top Insights on India’s DPDPA

Balanced Approach Recognised:
– Many delegates view the DPDPA as reasonably well balanced between individual rights and business needs.
– However, they await final Rules hope for a two-year transition timeline.
Key Areas of Concern (due to current scope in the Act/Rules):
1. “Legitimate Use” vs. GDPR’s “Legitimate Interest”
  – DPDPA permits processing only for the purpose explicitly stated in the consent notice and the scope of legitimate use as an alternative basis for processing is very narrow. Unlike GDPR, there is no broadly defined “legitimate interest” basis. Everyone understands that this is an issue with the Act, and the Draft Rules cannot address the same.
2. Cross-Border Processing Restrictions
  – A new method to restrict cross border personal data transfers Significant Data Fiduciaries through a Committee process, something that was not envisaged in the Act came up as a point of concern. This was highlighted in combination with the fact that “Significant Data Fiduciaries” can be designated by Rules in an overly broad manner, potentially lumping many entities into a stricter regime. The threshold for “significant” is unclear, making compliance implications uncertain.
3. Breach Reporting Requirements
  – The Act’s definition of “personal data breach” is quite broad; there is no explicit materiality threshold (e.g., number of records affected).
  – Companies anticipate the requirement for reporting every minor incident as being impractical, and fear this may dilute focus on genuinely severe breaches.
4. Processing of Children’s Data
  – Under the DPDPA, anyone processing data of individuals under 18 requires verifiable parental consent for all purposes. Industry understands that under the draft Rules, the scope of the verification is envisaged to focus on establishing that the person consenting is an adult.
  – Industry is figuring out how to deal with the blanket ban on targeted advertising and behavioural monitoring of minors, regardless of parental opt-in. Exceptions are narrow (healthcare, education, safety).
  – By contrast, EU frameworks allow certain forms of adolescent profiling or marketing under strict conditions (age-appropriate design, transparency).

My Speaking Session: “Operational Implications of India’s DPDPA”

Panellists:
– Monika Tomczak-Górlikowska, Chief Privacy Officer, Prosus N.V.
– Rahul Mathan, Co-founding Partner, Trilegal (specialising in tech, media & telecom law).
Audience Profile:
– Roughly 100 participants, most with substantial operations or global capability centres in India (spanning enterprise software, consumer internet, financial services).

Other Noteworthy Conversations

Sam Altman (OpenAI) & Alex Blania (Tools for Humanity):
– Pitched the “World Network”—an iris-based, open-source orbital scanner for fool-proof human authentication online.
– Underpinned by cryptography and multi-party computation (MPC), data could remain anonymised and not stored in a single database.
– In India, Aadhaar already provides biometric verification at scale. Too early to comment on the “World Network” model - adoption hinges largely on public confidence in privacy safeguards and regulators’ comfort.

2. Global CBPR Workshop 2025 (Singapore, 26–28 May)

Global CBPR (Cross-Border Privacy Rules):
– A voluntary, multilateral framework for interoperable data-protection certification.
– Built upon the APEC CBPR and PRP systems, now administered by the Global CBPR Forum.
– Includes CAPE (Cross-Border Privacy Enforcement) for law-enforcement cooperation.

Organiser and Participants

Hosted by: Infocomm Media Development Authority (IMDA) of Singapore (which includes the Personal Data Protection Commission, PDPC).
Attendees: Senior regulators, industry leaders and representatives from CBPR-member economies and India. A senior representative from MEITY, government of India, participated.

Background: CBPR in India

Previous Delhi Workshop (September 2024): Co-hosted by Nasscom, DSCI, MEITY and MEA to introduce Global CBPR to Indian stakeholders. (Blog here)
Objective: Evaluate whether CBPR (Cross-Border Privacy Rules) and PRP (Privacy Recognition for Processors) would complement India’s DPDPA and facilitate secure international data flows.

Key Updates and Insights

CBPR Framework Evolution:
– Built on the APEC CBPR system, the Global CBPR forum launched in 2022.
– New “Global CBPR” and “PRP” certifications are now live—companies can apply via recognised Accountability Agents.
Growing Global Interest:
– Thailand and Nigeria have expressed intent in joining.
– Sri Lanka and Bangladesh are actively evaluating the framework.
– US, Japan, Australia, Singapore, Canada, S. Korea, Mexico, Philippines, Taiwan are full members and UK, Dubai IFC, Mauritius and Bermuda are associate members.
Progress Report:
1. Operationalisation: Certification pathways clarified; many leading multinationals have applied.
2. Regulatory Cooperation (CAPE): Global CAPE (Cooperation Arrangement for Privacy Enforcement) is gaining momentum. CAPE enables cross-border enforcement collaboration among Privacy Enforcement Authorities (PEAs).
3. Complementarity with DPDPA:
  – CBPR’s baseline obligations align well with many DPDPA principles (accountability, notice, data security).
  – Participation could strengthen safeguards for cross border data processing, facilitate limited interoperability, and smoothen international data flows with our key digital trade partner nations.
Nasscom’s Ongoing Work:
– An in-depth White Paper (under finalisation) will guide government, regulators and industry on CBPR/PRP/CAPE merits, examining:
• Compatibility with DPDPA’s requirements.
• Cost-benefit for Indian entities.
• Law enforcement cooperation benefits (via CAPE).
– Call to Action: As the DPDPA is rolled out, Indian stakeholders should proactively evaluate CBPR/PRP/ CAPE to accelerate global interoperability.

Conclusion
The IAPP Summit and CBPR Workshop underscored the rapid evolution of global data-protection norms and reinforced the need for India to prioritise its DPDPA implementation, examine interoperability with data protection regimes with key trading partners, provide certainty on compliance obligations, all without compromising personal data protection.

DPDP Act DPDPA Global CBPR privacy data protection personal data CBPR

Disclaimer

That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.

Download Attachment