The draft Digital Personal Data Protection Rules, 2025, released by the ministry for electronics & information technology (MeitY), is being touted as a long overdue advance in the direction of enforcing the fundamental right to informational privacy. The right was unequivocally affirmed by the Supreme Court of India in the landmark Justice K.S. Puttaswamy vs Union of India (2017) case. The draft rules, consisting of 22 provisions and seven schedules, aim to operationalise the Digital Personal Data Protection Act, 2023 (DPDP Act).
The proposed rules offer direction on how online services will be required to:
• communicate the purposes of their data collection to users;
• safeguard children’s data online;
• establish the Data Protection Board of India (DPBI);
• set the standards for government agencies to follow to be exempt from the Act’s provisions, and
• spell out the procedures to be observed, if personal data is breached by a data fiduciary.
The Internet Freedom Foundation has described the draft rules to be ‘too little, too vague and too late’. While the draft rules address some gaps, many issues remain unclear and are left to the discretion of the Union government. Recently, Ashwini Vaishnaw, minister, MeitY, clarified that this approach was intentional and aimed at avoiding overly prescriptive measures due to the rapidly evolving nature of digital technology. However, these omissions raise concerns and the draft rules require further deliberation and analysis to fully understand their potential impact.
Data localisation, a bugbear for Big Tech, which was removed from the Data Protection Act, 2023, has made a comeback under the draft rules. Data localisation relates to measures that result in restricting data flow within a jurisdiction’s boundaries.
Under the data protection Bill, first introduced in 2019 and later withdrawn from Parliament in 2022, companies were required to store a copy of certain sensitive personal data – like health and financial data – within India and the export of undefined ‘critical’ personal data from the country was prohibited.
‘Narrowly tailored’
With the fresh draft rules, these localisation requirements have made a re-entry. In 2022, Rob Sherman, VP & deputy chief privacy officer, Meta, had said that India’s data localisation norms could make it ‘difficult’ for the company to offer its services in the country. Keith Enright, chief privacy officer, Google, added that data localisation norms should be as ‘narrowly tailored as possible’.
The draft rules propose that the Central government will specify the kind of personal data that can be processed by ‘significant data fiduciaries’, subject to the restriction that such personal and traffic data related to its flow are not transferred outside the territory of India. A committee, to be formed by the government, will determine such data.
While data fiduciaries are companies and entities, which collect and process personal data, ‘significant data fiduciaries’ will be determined on the basis of the volume and sensitivity of personal data they process, and the risks they might have on sovereignty and integrity of India, electoral democracy, security and public order. All major tech companies including Meta, Google and Amazon are expected to be classified as significant data fiduciaries.
The Act was passed in Parliament over a year ago. Critics say that this seven-year wait after the landmark judgment has not been without costs for the privacy of the data of Indians, as it coincided with a period that saw a rapid growth in digitisation. Besides, the concerns regarding the proposed DPBI’s institutional design have not been resolved by these proposed rules and it may not be realistic to expect such an outcome from subordinate legislation.
Critics feel it is regrettable that the government continues to cloak the rule-making process of a critical policy, such as this, in secrecy. Since the Justice B.N. Srikrishna Committee was convened to draft the first bill for data protection, the government has consistently declined to place recommendations from stakeholders in the public domain and has foreclosed such disclosure for these draft rules as well. For legislation, where the stakes are high for individual users as well as for large technology firms, an open deliberative process is essential.
Such a process, according to the freedom activists, can only be facilitated when industry associations and the general public can find equal footing by being equal participants with transparency into each other’s viewpoints during the consultation process. Thus, it is essential for any government to proceed with these principles in mind, while never departing from the key aims of any data protection law: minimising data collection, promoting disclosures, penalising neglect in protecting user data and discouraging surveillance practices, both by the private sector and the government.