Should India adopt threshold-based data breach reporting?

MediaNama reports:

India needs a threshold-based system for data breach reporting, speakers argued at MediaNama’s discussion on the draft Digital Personal Data Protection Rules (DPDP Rules, 2025) on February 7. This came as a comment during the session on the draft rules around data breaches. MediaNama conducted this discussion under the Chatham House Rule. (Chatham House Rule in a meeting allows the participants to freely use the information received, but the identity of the speakers or of any other participant must not be revealed.)

The DPDP Act and the subsequent rules require companies to inform both affected individuals and the Data Protection Board in the event of a breach without delay. Companies also have a period of 72 hours to inform the data protection board and the affected users about the mitigation measures they have implemented to tackle the breach.

One of the key concerns that participants expressed was that a personal data breach could be something as small as someone clicking on a malicious link and compromising their account. Given the broad definition of a data breach, a participant wondered, would even such a compromised account classify as a breach? “Everybody agrees there should be a threshold. It’s kind of like the privacy impact assessment, right? Let there be a trigger. But what is that trigger? If you take competing geographies, if you take Japan and you take Singapore, they take a number between 500 to 1,000. Now that may make sense for a city-state like Singapore,” another participant said. They added that India cannot copy-paste what the breach threshold should be from another jurisdiction (like Singapore or Japan).

Read more at MediaNama.