Draft Digital Personal Data Protection Rules, 2025
- 05 Jan 2025
In News:
The Government of India has introduced the long-awaited draft Digital Personal Data Protection Rules, 2025 to operationalize the Digital Personal Data Protection Act, 2023. These rules contain several significant provisions, including the controversial reintroduction of data localisation requirements, provisions for children's data protection, and measures to strengthen data fiduciaries' responsibilities.
This development holds substantial implications for both Indian citizens' data privacy and global tech companies, especially with respect to compliance, security measures, and data processing.
Data Localisation Mandates
Key Provision: The draft rules propose that certain types of personal data, and the traffic data relating to its flow, must be stored within India. Specifically, "significant data fiduciaries", a category expected to cover large tech firms such as Meta, Google, Apple, Microsoft, and Amazon, will be restricted from transferring such data outside India.
- Committee Oversight: A government-appointed committee will define which types of personal data cannot be transferred abroad, based on factors like national security, sovereignty, and public order.
- Localisation Re-entry: This provision brings back data localisation, a contentious requirement that was dropped from the Digital Personal Data Protection Act, 2023 before it was passed, after heavy lobbying by tech companies.
- Impact on Big Tech: Companies like Meta and Google had previously voiced concerns that strict localisation rules could hinder their ability to offer services in India, with Google arguing for narrowly tailored data localisation norms.
Role and Responsibilities of Data Fiduciaries
Key Provision: The rules lay out a clear framework for data fiduciaries, the entities that determine the purpose and means of processing personal data.
- Significant Data Fiduciaries (SDFs): This subcategory will include entities that process large volumes of sensitive data, such as health and financial data. These companies will be held to higher standards of compliance and security.
- Data Retention: Personal data may be retained only for as long as the consent under which it was collected remains valid and the specified purpose is still being served; once consent is withdrawn or the purpose is fulfilled, the data must be erased.
- Security Measures: Data fiduciaries must implement stringent measures such as encryption, access control, unauthorized access monitoring, and data backups.
Parental Consent for Children's Data
Key Provision: The draft rules include provisions aimed at protecting children's data, including mechanisms to obtain verifiable parental consent before the personal data of a child (anyone under 18) is processed by an online platform.
- Verification Process: Platforms must verify the identity of parents or guardians using government-issued identification or digital locker services.
- Exceptions: Health and mental health institutions, educational establishments, and daycare centres will be exempt from the parental-consent requirement for specified purposes.
Data Breach Reporting and Penalties
Key Provision: In the event of a data breach, data fiduciaries are required to notify affected individuals without delay, describing the nature of the breach, its potential consequences, and the mitigation measures taken. Failure to maintain reasonable security safeguards or to report a breach can result in penalties.
- Penalties for Non-Compliance: Entities that fail to adequately protect data or prevent breaches could face fines of up to Rs 250 crore.
- Breach Notification: The rules mandate timely reporting of every breach, regardless of its scale, and emphasise transparency in the notification process.
Safeguards for Government Data Processing
Key Provision: The draft rules seek to ensure that the government and its agencies process citizen data in a lawful manner with adequate safeguards in place.
- Exemptions for National Security and Public Order: The rules respond to concerns that the government may process data without adequate checks by requiring that processing for national security, foreign relations, or public order purposes remain lawful and subject to stated protections.
Compliance Challenges for Businesses
Key Challenges: The introduction of these rules will impose several challenges for businesses, particularly tech companies:
- Consent Management: Companies will need to implement robust systems to handle consent records, allowing users to withdraw consent at any time. This will require significant infrastructure changes.
- Data Infrastructure Overhaul: Organizations will need to invest in data collection, storage, and lifecycle management systems to ensure compliance.
- Security Standards: Experts have raised concerns about the vagueness of certain security standards, which could lead to inconsistent implementation across sectors.
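The consent-management and data-retention requirements above (consent recorded per purpose, withdrawable at any time, with data erased once consent lapses) are the parts of the draft that translate most directly into engineering work. The following is an added illustration written for this page, not code from the draft Rules or from any named company: an in-memory consent ledger with an audit trail, a personal-data store that refuses writes without valid consent, and a retention sweep that erases data whose consent has been withdrawn or whose purpose has been served. The class names, the `purpose` labels, and the sample records are assumptions constructed for the example.

```python
"""Consent ledger plus consent-gated personal-data store (added illustration).

Assumptions: one consent record per (data principal, purpose); consent lapses
when withdrawn or when the purpose is marked served; in-memory storage only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None
    purpose_served_at: Optional[datetime] = None  # set once the purpose is fulfilled

    def is_valid(self, now: datetime) -> bool:
        """Consent is usable only after grant and before withdrawal or purpose completion."""
        if self.withdrawn_at is not None and self.withdrawn_at <= now:
            return False
        if self.purpose_served_at is not None and self.purpose_served_at <= now:
            return False
        return self.granted_at <= now


class ConsentLedger:
    """Tracks consent per (principal, purpose) and keeps an append-only audit trail."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}
        self.audit: list[tuple[datetime, str, str, str]] = []  # (when, event, principal, purpose)

    def grant(self, principal_id: str, purpose: str, now: datetime) -> None:
        self._records[(principal_id, purpose)] = ConsentRecord(principal_id, purpose, now)
        self.audit.append((now, "grant", principal_id, purpose))

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> None:
        rec = self._records.get((principal_id, purpose))
        if rec is None:
            raise KeyError(f"no consent on record for {principal_id}/{purpose}")
        rec.withdrawn_at = now
        self.audit.append((now, "withdraw", principal_id, purpose))

    def mark_purpose_served(self, principal_id: str, purpose: str, now: datetime) -> None:
        rec = self._records[(principal_id, purpose)]
        rec.purpose_served_at = now
        self.audit.append((now, "purpose_served", principal_id, purpose))

    def is_valid(self, principal_id: str, purpose: str, now: datetime) -> bool:
        rec = self._records.get((principal_id, purpose))
        return rec is not None and rec.is_valid(now)


class ConsentError(PermissionError):
    """Raised when personal data would be stored without valid consent."""


class PersonalDataStore:
    """Holds personal data tagged with the purpose it was collected for."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        self._items: list[tuple[str, str, dict]] = []

    def store(self, principal_id: str, purpose: str, payload: dict, now: datetime) -> None:
        # Gate every write on a currently valid consent for this exact purpose.
        if not self.ledger.is_valid(principal_id, purpose, now):
            raise ConsentError(f"no valid consent for {principal_id}/{purpose}")
        self._items.append((principal_id, purpose, payload))

    def items_for(self, principal_id: str) -> list[tuple[str, dict]]:
        return [(p, d) for pid, p, d in self._items if pid == principal_id]

    def retention_sweep(self, now: datetime) -> int:
        """Erase every item whose consent is no longer valid; returns the number erased."""
        keep, erased = [], 0
        for pid, purpose, payload in self._items:
            if self.ledger.is_valid(pid, purpose, now):
                keep.append((pid, purpose, payload))
            else:
                erased += 1
                self.ledger.audit.append((now, "erase", pid, purpose))
        self._items = keep
        return erased


def demo() -> dict:
    """Grant -> store -> withdraw one purpose -> sweep; returns figures for checking."""
    t0 = datetime(2025, 1, 5, tzinfo=timezone.utc)
    ledger, store = ConsentLedger(), PersonalDataStore(ConsentLedger())
    store.ledger = ledger
    ledger.grant("dp-001", "order_fulfilment", t0)
    ledger.grant("dp-001", "marketing", t0)
    # Constructed sample records, not real personal data.
    store.store("dp-001", "order_fulfilment", {"address": "10 Example Street"}, t0)
    store.store("dp-001", "marketing", {"email": "dp001@example.com"}, t0)
    before = len(store.items_for("dp-001"))
    t1 = t0 + timedelta(days=30)
    ledger.withdraw("dp-001", "marketing", t1)
    try:
        store.store("dp-001", "marketing", {"email": "dp001@example.com"}, t1)
        blocked = False
    except ConsentError:
        blocked = True
    erased = store.retention_sweep(t1)
    return {"before": before, "blocked": blocked, "erased": erased,
            "after": len(store.items_for("dp-001")), "last_event": ledger.audit[-1][1]}


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: consent is keyed per purpose, so withdrawing marketing consent leaves order-fulfilment data untouched, and erasure is driven by the ledger rather than by a fixed calendar, so a withdrawal takes effect on the next sweep without anyone having to find the affected rows by hand. The audit list gives the record a data fiduciary would need to show when consent was granted, withdrawn, and acted upon.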
Penalties and Enforcement
Key Provisions:
- Penalties for Non-Compliance: Entities failing to adhere to the rules may face significant financial penalties, including fines up to Rs 250 crore for serious breaches.
- Repeat Violations: Consent managers who repeatedly violate rules could have their registration suspended or cancelled.
Conclusion:
The draft Digital Personal Data Protection Rules, 2025 bring important changes to India's data privacy framework, particularly the reintroduction of data localisation and more stringent requirements for data fiduciaries. These rules aim to strengthen citizen privacy and ensure greater accountability from businesses. However, the compliance challenges, especially for global tech firms, and the potential impact on service delivery will need to be closely monitored as the final rules take shape.