A day after the draft data protection rules proposed setting up a committee which would recommend the types of personal data that would have to be localised in India, IT Minister Ashwini Vaishnaw said that the move is to create a central body which works with other ministries and sectoral regulators to effectively implement local storage of data without causing any disruptions to the industry.
“The government-appointed committee will act as a central body, which will collate requests from all other sectoral regulators and ministries, which see the need for certain data to be localised. Based on that, the committee will first hold industry consultations and then come up with its recommendations,” Vaishnaw told The Indian Express during an interaction Saturday.
The draft rules propose that the Central Government will specify the kind of personal data which can be processed by “significant data fiduciaries” subject to the restriction that such personal data and traffic data related to its flow is not transferred outside the territory of India. A committee, to be formed by the government, will determine such data.
While data fiduciaries are companies and entities which collect and process personal data, “significant data fiduciaries” will be determined on the basis of the volume and sensitivity of personal data they process, and the risks they might pose to the sovereignty and integrity of India, electoral democracy, security, and public order. All major tech companies including Meta, Google, Apple, Microsoft, and Amazon are expected to be classified as significant data fiduciaries.
Under the Data Protection Act cleared in August 2023, the government had said it would simply notify the territories to which personal data of Indians cannot be taken. This was seen as a big win following immaculate lobbying efforts by the tech companies against a provision in an older version of the draft law which imposed strict localisation mandates.
“The government’s intent is not to disrupt cross-border data flows but for specific personal data there are sectoral requirements that require data localisation for the safety of citizens… Selective restrictions are the best practice in the world today and the committee framework is needed to avoid any disruptions in the industry,” Vaishnaw told this paper when asked about the need for a specific committee that would take decisions on what data to mandatorily localise.
The understanding is that if sectoral regulators and ministries wish to come up with their own requirements for local storage of certain kinds of personal data – as the Reserve Bank does for financial data – the committee could function as a common forum for discussion between the government and industry. It could also prevent unpredictable data localisation mandates issued by government departments working in silos. Vaishnaw also said that the government is looking at giving the industry a two-year timeline to transition to the new law and get their systems in place for compliance.
The draft rules are crucial for operationalising the Digital Personal Data Protection Act, 2023, which is yet to be implemented despite receiving the President’s assent more than 16 months ago.
The draft rules also allow tech companies to implement a mechanism for collecting “verifiable” parental consent before processing personal data of children. Effectively, the government has refrained from proposing a mechanism from its side, and has left it to the companies to adopt a system of their choice, after social media companies complained that it could be a difficult provision to implement. The rules require that companies verify the identity of parents/guardians of children by various means including through digital locker service providers.
In the event of a data breach, data fiduciaries will have to notify impacted individuals “without delay” with a description of the breach, including its nature, extent and the timing and location of its occurrence; the consequences relevant to the impacted user that are likely to arise from the breach; and the measures implemented and being implemented to mitigate risk, among other things. The penalty for failing to take adequate safeguards to prevent a data breach could go as high as Rs 250 crore.
The draft rules also require that data fiduciaries – companies and entities which collect and process personal data – provide a clear, standalone, and understandable notice to data principals before processing their data. Specifically, the notice should include an itemised list of the personal data being collected and a clear description of the purpose for processing, along with an itemised explanation of the goods, services, or uses enabled by such processing.