Data localisation, a bugbear for Big Tech that was removed from the Data Protection Act, 2023, made a comeback on Friday under the draft rules released the same day. The draft rules come more than a year after the Digital Personal Data Protection Act received the President’s assent in August 2023.
Data localisation relates to measures that result in restricting data flow within a jurisdiction’s boundaries.
The draft Digital Personal Data Protection Rules, 2025, propose that the Central Government will specify the kind of personal data which can be processed by “significant data fiduciaries” subject to the restriction that such personal data and traffic data related to its flow is not transferred outside the territory of India. A committee, to be formed by the government, will determine such data.
While data fiduciaries are companies and entities which collect and process personal data, “significant data fiduciaries” will be determined on the basis of the volume and sensitivity of personal data they process, and the risks they might have on sovereignty and integrity of India, electoral democracy, security, and public order. All major tech companies including Meta, Google, Apple, Microsoft, and Amazon are expected to be classified as significant data fiduciaries.
The government has invited comments to the draft rules until February 18.
The draft rules have also proposed certain safeguards for citizens when their data is being processed by the Central government and its agencies, suggesting that such processing should happen in a “lawful” manner.
The Data Protection Act had come under scrutiny for granting wide-ranging exemptions to the government or its agencies while processing citizens’ personal data on grounds of ‘national security’, ‘friendly relations with other states’, and ‘public order’, among other things. At the time, IT Minister Ashwini Vaishnaw had told The Indian Express that the government would issue safeguards in such cases under the rules.
Under the Data Protection Act cleared in August 2023, the government had said it would simply notify the territories to which personal data of Indians cannot be taken. This was seen as a big win following immaculate lobbying efforts by the tech companies against a provision in an older version of the draft law which mandated strict localisation. Under the data protection Bill, first introduced in 2019 and later withdrawn from Parliament in 2022, companies were required to store a copy of certain sensitive personal data – like health and financial data – within India, and the export of undefined “critical” personal data from the country was prohibited.
With the fresh draft rules, these localisation requirements have made a re-entry. In 2022, Meta’s VP and deputy chief privacy officer, Rob Sherman, had said that India’s data localisation norms could make it “difficult” for the company to offer its services in the country. Google’s chief privacy officer Keith Enright said that data localisation norms should be as “narrowly tailored as possible.”
The draft rules also allow tech companies to implement a mechanism for collecting “verifiable” parental consent before processing personal data of children. Effectively, the government has refrained from proposing a mechanism from its side, and has left it to the companies to adopt a system of their choice, after social media companies complained that it could be a difficult provision to implement.
The Indian Express had first reported that the government was considering this. The rules require that companies verify the identity of parents/guardians of children by various means including through digital locker service providers.
However, children – users of online services below the age of 18 – could get around the platform needing parental consent by not intimating the platform that they are below the age threshold.
The government has also proposed to exempt health and mental health establishments and professionals, education institutions, and creche and daycare centres, from needing parental consent before processing personal data of children.
In the event of a data breach, data fiduciaries will have to intimate to impacted individuals, “without delay”, a description of the breach, including its nature, extent and the timing and location of its occurrence; the consequences relevant to the impacted user that are likely to arise from the breach; and the measures implemented and being implemented to mitigate risk, among other things. The penalty for failing to take sufficient safeguards to prevent a data breach could go as high as Rs 250 crore.
A data fiduciary will also have to implement reasonable security measures to protect personal data, including encryption, access control, monitoring for unauthorised access, and data backups, the rules propose.
The draft rules also require that data fiduciaries – companies and entities which collect and process personal data – provide a clear, standalone, and understandable notice to data principals before processing their data. Specifically, the notice should include an itemised list of the personal data being collected and a clear description of the purpose for processing, along with an itemised explanation of the goods, services, or uses enabled by such processing.