Overview of the Digital Personal Data Protection (DPDP) Rules
The Ministry of Electronics and Information Technology released draft rules for the DPDP Act, 2023, on January 3, 2025, 16 months after the law was introduced.
The government is seeking feedback on these rules, but public disclosure and counter-comments are restricted.
Critics argue the rules, combined with the DPDP Act, do not provide a comprehensive data privacy framework and suggest scrutiny by a parliamentary committee.
Data Localisation Mandate
The draft rules propose a data localisation mandate, which goes beyond the original law’s scope.
Data localisation limits data flow outside of India and would create a committee to decide what data cannot be exported.
Significant data fiduciaries (e.g., Meta, Google, Amazon) will be affected based on the volume and sensitivity of the data they process.
This mandate stems from challenges faced by law enforcement in accessing cross-border data and follows a similar move in 2018 by the Reserve Bank of India for payment data.
The government plans to give companies a two-year period to comply and establish local data storage systems.
Challenges for Businesses
Data localisation could create operational difficulties for both large tech companies and start-ups, particularly in managing and segmenting data across different data centers.
This could increase operational costs and disrupt business operations, according to experts like Aparajita Bharti.
Concerns Over Executive Overreach
Section 36 of the DPDP Act and Rule 22 give the government the power to demand any data from companies for national security reasons, raising concerns of excessive government control.
There are fears that these powers could be misused for surveillance or political purposes, potentially undermining privacy rights.
The provisions might also require companies to compromise end-to-end encryption of messages, a concern previously raised by WhatsApp.
Critics argue that the government’s broad discretion lacks adequate safeguards, making it susceptible to misuse, and may negatively impact commercial interests.
COMMENTS