India's privacy law must remain pragmatic to avoid chilling innovation: Jules Polonetsky
Polonetsky, a former New York state legislator and the ex-chief privacy officer at AOL, said that overly rigid notification rules and an over-reliance on consent as the sole ground for processing data could create “serious challenges” for companies.

“On the other hand, if a safe and pragmatic approach is taken, that’s different. If the law effectively makes companies feel that nothing can be done unless everything is perfectly clear, people will hesitate. That’s not good for consumers and not good for business. Much depends on enforcement timelines and on how MeitY and the Data Protection Board interpret the law,” he said.
In November last year, the central government notified the Digital Personal Data Protection (DPDP) Rules, 2025, paving the way for the enforcement of the Digital Personal Data Protection Act, 2023. The law governs how firms collect, use, store and share personal digital data.
MeitY had also earlier sought views on shortening the originally proposed 18-month transition window, which was announced when the DPDP Rules were notified in November, and replacing it with a staggered rollout. This meant that some provisions of the law would take effect immediately, others within three months and the rest within 12 months.
The law also proposes setting up a Data Protection Board to oversee its enforcement, and Polonetsky underscored that India should prioritise appointing independent technical experts who understand data flows and modern systems.
“We’ve seen in Europe what happens when regulators don’t fully grasp how cross-border data works. For years, it was technically illegal to transfer certain data from Europe to the US, yet businesses continued operating. That creates a situation where companies either ignore the law, take risks, or invest heavily in compliance just to show effort,” he said.
On AI regulations, he said that new rules in jurisdictions such as the European Union (EU), which has brought in the comprehensive AI Act, are overlapping with existing frameworks such as the General Data Protection Regulation (GDPR).
“If you layer new obligations on top of old ones without coordination, you create confusion. Smart regulation requires understanding court decisions, existing laws and technical realities before adding new rules,” he said. “In the US, many AI and privacy rules are emerging at the state level rather than federally. That creates fragmentation. Political messaging varies—protect children, protect workers, protect data—but the underlying policies can diverge significantly,” he added.