
Introduction

The Digital Personal Data Protection Rules, 2025 were published on 3rd January 2025 through gazette notification G.S.R. 02(E) of the Ministry of Electronics and Information Technology (MeitY), Government of India. The rules are made under sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023). They have been published for the information of all persons likely to be affected by them, with objections and suggestions invited until 18th February 2025, after which the draft rules will be taken into consideration. The draft rules have seen the light of day more than a year after the Digital Personal Data Protection Act, 2023 received the President's assent in August 2023, and their very purpose is to implement the provisions of that Act. In this way, ‘the publication of the draft rules marks a significant milestone, as they are necessary before the Data Protection Act can actually be implemented in a way that effectively protects the rights of Indian citizens’1. ‘Undoubtedly, the rules represent an ambitious attempt to protect the country's 800 million-plus internet users. But like the most well-intentioned regulations, they contain both promise and paradoxes.’2 According to legal, industry and technology experts, the following apprehensions can be listed:

Apprehension over Data Localisation

In this regard, Rule 14 of the said Rules has to be considered:3

“14. Processing of personal data outside India. -Transfer to any country or territory outside India of personal data processed by a Data Fiduciary-

a. within the territory of India; or

b. outside the territory of India in connection with any activity related to offering of goods or services to Data Principals within the territory of India, is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.”

Rule 12(4) in this connection specifically states the responsibility of a Significant Data Fiduciary as under:

“A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.”4

Explanatory note to Digital Personal Data Protection Rules, 2025

Clause 14 of the explanatory note prepared by MeitY explains the provision contained in the above rule:

“14. Processing of personal data outside India:

Data Fiduciaries processing data within India or in connection with offering goods or services to Data Principals from outside India must comply with any requirements the Central Government sets in respect of making such personal data available to a foreign State or its entities. This is intended to ensure that personal data remains protected under the Act.”5

Data localisation has been a bugbear for the tech industry for several years. The requirement was dropped from the Digital Personal Data Protection Act, 2023, but it has made a comeback in the Draft Rules, 2025. Data localisation refers to measures that restrict the flow of data to within a jurisdiction's boundaries. Under the above rules, the Union Government will specify the kinds of personal data which, when processed by “Significant Data Fiduciaries”, are subject to the restriction that such personal data and the traffic data pertaining to its flow are not transferred outside the territory of India. The rules state that the government will form a committee to recommend the classes of data and traffic data to be covered. This requirement has been proposed only for Significant Data Fiduciaries, which will be designated on the basis of the volume and sensitivity of personal data they process and the risk they pose to the sovereignty and integrity of India, electoral democracy, security and public order. Big Tech companies, including Meta, Google, Apple, Microsoft and Amazon, are likely to qualify as Significant Data Fiduciaries.

The central government, however, has clarified its position:

“The government-appointed committee will act as a central body, which will collate requests from all other sectoral regulators and ministries, which see the need for certain data to be localised. Based on that, the committee will first hold industry consultations and then come up with its recommendations”, said Ashwini Vaishnaw, the Minister for Information Technology.6

In this context, some of the dissenting views on data localisation from tech and legal experts may be summarised as follows:

  1. There are significant business costs to India Inc if the government insists on data localisation, since it will invite reciprocal demands from other countries with which India has significant business relationships.7
  2. Insisting on localisation could also be viewed as the imposition of a non-tariff trade barrier by the Indian government.8
  3. With a proposed committee recommending that certain personal data be restricted from transfer outside India, this would be an additional compliance burden on top of the existing regulatory landscape.9
  4. The draft leaves the door open for the government to restrict the overseas processing of Indians' data. Tech companies are likely to seek particular clarity on this front, as they usually store and process user data on servers around the world.10
  5. A contrary view has come from Charles Assisi, an author and public intellectual. From a policing perspective, India has treaties with many nations to cooperate on legal matters, yet these treaties rarely deliver results: Western countries collaborate readily with each other, but with India their enthusiasm wanes. So, whether it is extraditing a fugitive or retrieving critical information stored overseas, India often finds itself waiting and waiting. This, he argues, is why localisation is essential; if data is not stored locally, it is not accessible in any meaningful sense.11

Elaborating upon the government's view on data localisation, the IT minister, Mr. Ashwini Vaishnaw, said, “The government's intent is not to disrupt cross-border flows but for specific personal data there are sectoral requirements that require data localisation for the safety of citizens….Selective restrictions is the best practice in the world today and the committee framework is needed to avoid any disruptions in the industry.” The understanding is that if sectoral regulators and ministries wish to lay down their own requirements for local storage of certain kinds of personal data, as the Reserve Bank of India already does for financial data, the committee could function as a common forum for the government and industry. It could also prevent unpredictable data localisation mandates from government departments working in silos. Vaishnaw also said that the government is looking at giving the industry a two-year timeline to transition to the new law and get their systems in place for compliance.12

Parental Consent

The draft rules require parental consent before minors are signed up for online services, and the platform must first verify the parent's identity. The relevant rule reads:

“10. Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian.-

(1) A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to:

a. reliable details of identity and age available with the Data Fiduciary; or
b. voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the Central Government or a State Government with the maintenance of such details or a person appointed or permitted by such entity for such issuance, and includes such details or token verified and made available by a Digital Locker service provider.

(2) A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability, shall observe due diligence to verify that such guardian is appointed by a court of law, a designated authority or a local level committee, under the law applicable to guardianship.”

Explanatory note to Digital Personal Data Protection Rules, 2025

"10. Verifiable consent for processing personal data of children and persons with disabilities:

This provision outlines the requirements for obtaining verifiable consent from parents or legal guardians before processing the personal data of children or persons with disabilities. Specifically, a Data Fiduciary must implement measures to ensure that the person providing consent for a child's data processing is the child's parent or local guardian, and that the parent or guardian is identifiable. For a child, the Data Fiduciary must verify that the parent is an adult by using reliable identity details or a virtual token mapped to such details. This verification process is critical to ensure that consent is being given by a responsible adult, in compliance with relevant laws. Examples are provided to clarify how this process should work, particularly in cases where the parent is already a registered user or when the parent needs to provide identity details using a Digital Locker service.”

Thus, the rules require companies to verify the identity of children's parents or guardians by various means, including through Digital Locker service providers. The rules leave it to the Data Fiduciary to implement a mechanism for collecting “verifiable” parental consent before processing a child's personal data; the government has refrained from prescribing a mechanism of its own and has left companies free to adopt a system of their choice.

Critics have raised the following points for the government's consideration:

  1. How can a platform know whether someone is a parent or not? This could mean that "platforms will have to verify EVERYONE".13
  2. Though the government's approach might rely on self-declaration by users, allowing them to indicate whether they are minors or adults, this "could lead to broader processing of parental or guardian data, which raises interesting considerations regarding the scale and scope of such data collection.”14
  3. Children, that is, users below the age of 18, could get around the parental-consent requirement simply by not telling the platform that they are below the age threshold.15
  4. India's approach in this matter is both different and stringent. There is no blanket ban, yet the 18-year threshold is higher than the European Union's 16 years. As experts note, ‘the rule rests on the premise that children must first admit they're children’. The alternative of verifying everyone's age would create a surveillance apparatus far more concerning. Large divides in digital literacy across the country will also need careful attention to ensure that no children, or parents, are left at risk by choices they do not fully understand.16

In this regard, Mr. Ashwini Vaishnaw, the IT minister, clarified the government's stance by stating that “We will refine it (DPDP Rules) further to take the power of technology to children while saving them from many harms.” Elaborating further, he said that under the draft rules, digital platforms can process a child's data only after taking consent from a verifiable guardian or parent. The verification can be done using voluntarily provided details of identity and age, or through a virtual token issued by an entity entrusted by law or by the Central or State governments to maintain a person's details. He said that the token system has been successful in other settings, such as verification in Aadhaar-based transactions. “The tokens will be temporary and limited to one transaction after which it will be destroyed automatically.”17
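To make the token properties described above concrete, the following is an added illustration written for this page, not code from the rules, from any Digital Locker provider or from the Aadhaar system. It assumes an issuer that holds the parent's identity and age details and releases only a signed, short-lived, single-use assertion that the holder is an adult, addressed to one named Data Fiduciary; the fiduciary verifies and consumes the token and records the fact of verified consent without ever receiving the parent's identity details. The five-minute lifetime, the field names and the use of an HMAC shared key (chosen to keep the example dependency-free; a real issuer would sign with an asymmetric key so that fiduciaries can verify tokens but not mint them) are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime; the rules fix no number


class TokenIssuer:
    """Stand-in for the entity 'entrusted by law' with identity and age
    details (hypothetical). It never releases those details: the token only
    asserts whether the holder is an adult and names one intended recipient.
    """

    def __init__(self, key: bytes, clock=time.time):
        self._key = key
        self._clock = clock

    def issue(self, *, audience: str, is_adult: bool) -> str:
        payload = {
            "jti": secrets.token_hex(16),                 # unique id, enables single use
            "aud": audience,                              # the Data Fiduciary it is meant for
            "adult": is_adult,                            # the only attribute released
            "exp": int(self._clock()) + TOKEN_TTL_SECONDS,
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag


class ConsentVerifier:
    """The Data Fiduciary side: verify, consume once, record the outcome."""

    def __init__(self, key: bytes, audience: str, clock=time.time):
        self._key = key
        self._audience = audience
        self._clock = clock
        self._consumed: set[str] = set()   # token ids already redeemed
        self.consent_log: list[dict] = []  # what the fiduciary keeps: no identity data

    def redeem(self, token: str, child_account: str) -> tuple[bool, str]:
        try:
            body_hex, tag = token.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"          # check integrity before trusting any field
        payload = json.loads(body)
        if payload.get("aud") != self._audience:
            return False, "wrong audience"         # token minted for another fiduciary
        if payload.get("exp", 0) < self._clock():
            return False, "expired"                # 'temporary'
        if payload.get("adult") is not True:
            return False, "not an adult"           # rule 10(1): consent must come from an adult
        jti = payload.get("jti")
        if jti in self._consumed:
            return False, "already used"           # 'limited to one transaction'
        self._consumed.add(jti)
        self.consent_log.append({
            "child_account": child_account,
            "token_id": jti,
            "verified_at": int(self._clock()),
        })
        return True, "consent recorded"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    issuer = TokenIssuer(key)
    verifier = ConsentVerifier(key, audience="example-app")
    token = issuer.issue(audience="example-app", is_adult=True)
    print(verifier.redeem(token, "child-42"))  # first use succeeds
    print(verifier.redeem(token, "child-42"))  # replay is refused
```

Two things are worth noting. The fiduciary's record holds a token id and a timestamp, not the parent's name or identifier, which is the data-minimising answer to the critics' worry about "verifying everyone"; and the check establishes only that the consenting person is an adult, so the rule's reliance on children first declaring themselves children is untouched by it.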

Data Protection Board and the Selection Process

Rule 16 of the DPDP Rules, 2025 provides for the appointment of the Board's Chairperson and Members. It states:

“16. Appointment of Chairperson and other Members:

  1. The Central Government shall constitute a Search-cum-Selection Committee, with the Cabinet Secretary as the chairperson and the Secretaries to the Government of India in charge of the Department of Legal Affairs and the Ministry of Electronics and Information Technology and two experts of repute having special knowledge or practical experience in a field which in the opinion of the Central Government may be useful to the Board as members, to recommend individuals for appointment as Chairperson.
  2. The Central Government shall constitute a Search-cum-Selection Committee, with the Secretary to the Government of India in the Ministry of Electronics and Information Technology as the chairperson and the Secretary to the Government of India in charge of the Department of Legal Affairs, and two experts of repute having special knowledge or practical experience in a field which in the opinion of the Central Government may be useful to the Board as members, to recommend individuals for appointment as a Member other than the Chairperson.
  3. The Central Government shall, after considering the suitability of individuals recommended by the Search-cum-Selection Committee, appoint the Chairperson or other Member, as the case may be.
  4. No act or proceeding of the Search-cum-Selection Committee specified in sub-rules (1) of this rule shall be called in question on the ground merely of the existence of any vacancy or absences in such committee or defect in its constitution.”

The Data Protection Board is crucial to the functioning of the Act, as it constitutes the infrastructure through which the law will be implemented, not least in future complaints against State organs for wrongful processing of data. Against this backdrop, it is essential to equip the Board with an adequately independent Chairperson and Members; they must be independent of the government. However, a bare perusal of the above rule makes clear that the whole selection procedure is controlled by the government machinery, including top bureaucrats at the Centre. Moreover, the terms and conditions of office are also set within the rules, which can be altered at convenient moments in future by executive fiat. All this casts a shadow of doubt over the functioning of the Board, which in all likelihood cannot be expected to remain impartial. In this context, it is to be noted that many countries have “entrenched the independence of data protection authorities or boards within the law to ensure that appointments and tenures are free of partisan political influence. Such authorities work as what are commonly known as “fourth branch institutions”; that is, a wing of the State that is separate from the legislature, the executive, and the judiciary, but performs vital functions in ensuring the implementation of rights, integrity and accountability in public functions. At the moment, under a combination of the Data Protection Act and the draft rules, the Data Protection Board falls short of being a genuine “fourth branch institution”-but there is still time to rectify this.”18

Extra Leeway Given to the State for Processing of Data

Rule 5 of the draft rules provides:

“5. Processing for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities.-

  1. The State and any of its instrumentalities may process the personal data of a Data Principal under clause (b) of section 7 of the Act to provide or to issue to her any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds.
  2. Processing under this rule shall be done following the standards specified in Second Schedule.
  3. In this rule and Second Schedule, the reference to any subsidy, benefit, service, certificate, licence or permit that is provided or issued:
    a. under law shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit in exercise of any power of or the performance of any function by the State or any of its instrumentalities under any law for the time being in force;
    b. under policy shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit under any policy or instruction issued by the Central Government or a State Government in exercise of its executive power; and
    c. using public funds shall be construed as a reference to provision or issuance of such subsidy, benefit, service, certificate, licence or permit by incurring expenditure on the same from, or with accrual of receipts to,-
    (i) in case of the Central Government or a State Government, the Consolidated Fund of India or the Consolidated Fund of the State or the public account of India or the public account of the State; or
    (ii) in case of any local or other authority within the territory of India or under the control of the Government of India or of any State, the fund or funds of such authority.”

As per clause (5) of the Explanatory note to Digital Personal Data Protection Rules, 2025,

“The aim is to ensure that personal data processing is transparent, secure, and in line with legal and policy standards, safeguarding the interests of the Data Principals.”

This rule allows ‘very wide leeway to the State or its instrumentalities’ to process personal data in order to provide any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds. These are "extremely wide categories", which cut against the basic premise of the law that the citizen's consent is mandatory before their data is collected or processed. Gautam Bhatia, the noted jurist, has succinctly opined that “While in certain exceptional cases, it might be permissible to mandatorily collect data in violation of the right to privacy, the jurisprudence of the Supreme Court has made it clear that any such violation must take place strictly in compliance with the test of proportionality. The rules do not incorporate this test, and the safeguards they require (such as data minimization) fall short of constitutional standards.”19

Reasonable Security Safeguards Lack Clarity

Clause 6 of the Explanatory note to the Digital Personal Data Protection Rules, 2025 summarises the requirement of reasonable security safeguards:

“6. Reasonable security safeguards: A Data Fiduciary must implement reasonable security measures to protect data, including encryption, access control, monitoring for unauthorized access, and data backups etc. These safeguards ensure the confidentiality, integrity, and availability of data, and must include provisions for detecting and addressing breaches and maintenance of logs. Contracts with Data Processors must also ensure security measures are in place. The measures should comply with technical and organizational standards to prevent data breaches.”

Rule 6 thus stipulates the “reasonable security safeguards" that a Data Fiduciary must apply to personal data in its possession or under its control. Contrary to expectation, however, the provision is not worded clearly. Across rule 6, phrases such as “appropriate measures”, “reasonable measures”, “appropriate provision”, “appropriate technical and organisational measures” and “appropriate data security measures” are used, and they appear vague. Reasonable security safeguards should be enumerated in clear and specific terms. “When dealing with something as crucial as citizens’ right to privacy and informational self-determination in the digital age, it is of utmost importance that rules be framed in the most precise terms possible, and leave the least scope for discretion, as this lends itself to overcollection of data and potential abuse.”20

Time Period Too Short for the Erasure of Data

Rule 8 fixes the period of inactivity after which the specified purpose is deemed no longer served and the personal data must be erased, and requires that the Data Principal be informed at least 48 hours before the erasure takes place. It says:

“8. Time period for specified purpose to be deemed as no longer served.-

  1. A Data Fiduciary, who is of such class and is processing personal data for such corresponding purposes as are specified in Third Schedule, shall erase such personal data, unless its retention is necessary for compliance with any law for the time being in force, if, for the corresponding time period specified in the said Schedule, the Data Principal neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing.
  2. At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data.
  3. In this rule, “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email addresses, mobile number and other similar presences by means of which she is able to access the services of such Data Fiduciary.”

Industry sources have pointed out that a window of 48 hours for any platform to erase an inactive customer's data is too short and might need to be extended.21
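As an added illustration (not code from the rules or from any platform), here is one way a platform might schedule the rule 8 lifecycle: keep the data, send the notice at least 48 hours before the retention deadline, and erase only after both the deadline and the notice period have passed, unless another law requires retention. Any login or contact from the Data Principal resets the clock. The retention period is a parameter because the actual periods are set per class of Data Fiduciary in the Third Schedule; the 30-day value in the demo, the Account fields and the in-memory store are assumptions. The late-notice branch is the point worth seeing: if the notice was not sent 48 hours ahead, erasure slips to 48 hours after the notice actually goes out rather than proceeding on the original date.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

NOTICE_LEAD = timedelta(hours=48)  # rule 8(2): notice at least 48 hours before erasure


class Action(Enum):
    KEEP = "keep"        # nothing due yet
    NOTIFY = "notify"    # send the pre-erasure notice now
    ERASE = "erase"      # erase the personal data now
    RETAIN = "retain"    # keep: retention required by another law (rule 8(1))


@dataclass
class Account:
    user_id: str
    last_activity: datetime              # last login, contact, or exercise of rights
    notified_at: datetime | None = None  # when the rule 8(2) notice went out
    legal_hold: bool = False             # e.g. statutory record-keeping obligation


def record_activity(acct: Account, now: datetime) -> None:
    """Any approach by the Data Principal restarts the retention period."""
    acct.last_activity = now
    acct.notified_at = None


def plan(acct: Account, retention: timedelta, now: datetime) -> tuple[Action, datetime | None]:
    """Decide what is due for this account now, and when to look at it next."""
    deadline = acct.last_activity + retention
    if acct.notified_at is None:
        notify_at = deadline - NOTICE_LEAD
        # Notice is due (or overdue, if the deadline has already passed).
        return (Action.NOTIFY, now) if now >= notify_at else (Action.KEEP, notify_at)
    # Never erase before the retention deadline, nor before 48h after the
    # notice actually went out; max() covers a notice that was sent late.
    earliest_erase = max(deadline, acct.notified_at + NOTICE_LEAD)
    if now < earliest_erase:
        return Action.KEEP, earliest_erase
    if acct.legal_hold:
        return Action.RETAIN, None
    return Action.ERASE, now


def run(acct: Account, retention: timedelta, now: datetime, store: dict) -> Action:
    """Apply the planned action; `store` stands in for the personal-data store."""
    action, _ = plan(acct, retention, now)
    if action is Action.NOTIFY:
        acct.notified_at = now          # sending the message itself is out of scope
    elif action is Action.ERASE:
        store.pop(acct.user_id, None)   # the actual erasure
    return action


if __name__ == "__main__":
    utc = timezone.utc
    retention = timedelta(days=30)      # placeholder; the Third Schedule sets real values
    store = {"u1": {"email": "parent@example.invalid"}}   # constructed sample data
    acct = Account("u1", last_activity=datetime(2025, 1, 1, tzinfo=utc))
    for day in (15, 29, 30, 31):
        now = datetime(2025, 1, day, 12, tzinfo=utc)
        print(now.date(), run(acct, retention, now, store).value, "u1" in store)
```

Running the demo shows keep on the 15th, notify on the 29th, keep on the 30th (the deadline has passed but 48 hours since the notice have not) and erase on the 31st. Whatever the final notice period turns out to be, only the NOTICE_LEAD constant changes.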

Conclusion

The Digital Personal Data Protection Rules, 2025 mark a new beginning, as they will pave the way for the proper implementation of the DPDP Act, 2023. The very purpose of the Act and the rules made under it is to secure the valuable right to privacy of every Indian citizen, all the more so because this right has now assumed the status of a fundamental right under the Constitution of India. They are also directed towards the proper management of data, including its cross-border transfer, subject to certain restrictions directly related to the country's security and sovereignty. The rules touch sensitive issues such as the Data Principal's consent before their data is processed, and the verification of parents' identity when obtaining consent on behalf of children below 18 years of age and of persons with disabilities. Data localisation is another major issue, and one the tech industry has contested. In this regard, one has to keep in mind that India is surrounded by a host of countries which are not quite friendly. Moreover, terrorists from across the border are also flourishing in the country with outside support. Hence, in the interests of the safety and security of the country, data localisation is necessary to some extent. The rules are now in the public domain to elicit views from all corners of society so that changes can be made where necessary; suggestions may be given to the government before 18th February 2025. Room therefore remains for further amendment of the rules, and it is hoped that the government will consider the stakeholders' concerns with full attention. Despite the contradictions and concerns raised by experts and industry, the rules represent a significant step forward towards digital dignity, poised to spur innovation and guard privacy at the same time. When this process is complete, India can boast of a robust Digital Personal Data Protection Act and Rules to protect the data and privacy of Indian citizens.

.    .    .

Reference:

  1. Gautam Bhatia, Draft data protection rules can be improved, Hindustan Times, Jan 9, 2025.
  2. Editorial, Hindustan Times, Jan 7, 2025.
  3. G.S.R. 02(E), New Delhi, the 3rd January, 2025, available at mygov-999999999568142946_250116_115208.pdf, accessed on Jan 18, 2025.
  4. Ibid.
  5. Explanatory Note to the Digital Personal Data Protection Rules, 2025, available at Explanatory-Note-DPDP-Rules-2025_250116_114954.pdf, accessed on Jan 17, 2025.
  6. Soumyarendra Barik, Data localisation, parental verification weigh most on tech industry's minds, The Indian Express, Jan 15, 2025.
  7. Suraksha P & Himanshi Lohchab, Experts Wary of Data Panel Curveball on Big Tech, Social Firms, The Economic Times, Jan 6, 2025.
  8. Ibid.
  9. Ibid.
  10. The Hindu Bureau, Data localisation plan, parental nod ‘sore points’ in draft rules, The Hindu, Jan 5, 2025.
  11. Charles Assisi, Bill to take charge of India's digital destiny, Hindustan Times, Jan 16, 2025.
  12. Soumyarendra Barik, Panel for local data storage envisioned to prevent sectoral disruptions: IT Minister, The Indian Express, Jan 5, 2025.
  13. The Hindu Bureau, Data localisation plan, parental nod ‘sore points’ in draft rules, The Hindu, Jan 5, 2025.
  14. Ibid.
  15. Soumyarendra Barik, Draft rules released, Govt brings back localisation of personal data, The Indian Express, Jan 4, 2025.
  16. Editorial, Hindustan Times, Jan 7, 2025.
  17. Data protection rules may be refined further to protect children: Vaishnaw, The Indian Express, Jan 8, 2025.
  18. Gautam Bhatia, Draft data protection rules can be improved, Hindustan Times, Jan 9, 2025.
  19. Gautam Bhatia, Draft data protection rules can be improved, Hindustan Times, Jan 9, 2025.
  20. Ibid.
  21. Pratik Bhakta, Fintechs See a Minefield of Costs, Regulatory Issues as DPDP Looms, The Economic Times, Jan 15, 2025.
