COAI welcomes DPDP rules; urges clarity, compliance measures

New Delhi, Nov 27 The Cellular Operators Association of India (COAI) on Thursday called the Digital Personal Data Protection Rules, 2025, a milestone in operationalising the country’s data protection framework, but sought clarity in several rules and sector‑aligned compliance measures.

“The Rules adopt a purpose-limited, notice-and-consent-based–based model with defined reporting timelines, broad fiduciary accountability and limited exemptions. India now joins other nations having a comprehensive data protection framework that ensures citizens' data protection and data rights," said Dr S.P. Kochhar, Director General, COAI.

The industry body also flagged unresolved issues from public consultations, including parameters for a security compliance framework, age verification methodology for verifiable consent in case of minors and DPIA obligations for Significant Data Fiduciary (SDF).

Further, the association called for clarity in the interpretation of “purpose limitation” and “legitimate use,” operational aspects of multilingual consent, breach‑notification requirements, consent‑manager obligations and harmonisation with sectoral laws.

On security compliance, COAI said that the current framework in the telecom sector is highly detailed and resource-intensive.

It urged that the Data Protection Board should adopt a calibrated, risk‑based approach consistent with global best practices aligned with established telecom-security norms.

On the requirement of mandatory notification for data breaches, COAI recommends adopting a proportionate reporting model similar to models in Japan and some European Union jurisdictions.

From a sectoral standpoint, mature network and system security controls already deployed by telecom service providers reduce the risk of unauthorised access, exfiltration or misuse of personal data, the release said.

COAI suggested a practical exemption for minors aged 16-18 for SIM acquisition, adding that establishing verifiable consent for users aged below 18 years is difficult and does not reflect India’s diverse household structures or the digital autonomy encouraged by the government.

Disclaimer: This post has been auto-published from an agency feed without any modifications to the text and has not been reviewed by an editor