Data localisation – a long-standing bugbear for Big Tech, that was removed from the data protection Act last year – has made a comeback under draft data protection rules, which were released late Friday evening. The rules come more than a year after the Digital Personal Data Protection Act, 2023 received President’s assent in August 2023.
Under the draft Digital Personal Data Protection Rules, 2025, the Central Government will specify the personal data – following the recommendations of a committee it is envisioned to form – which can be processed by significant data fiduciaries, subject to the restriction that such personal data and traffic data related to its flow is not transferred outside the territory of India.
“A significant data fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India,” the draft rules said.
Under the Digital Personal Data Protection Act, 2023, a significant data fiduciary will be determined basis the volume and sensitivity of personal data they process, the impact they might have on the sovereignty and integrity of India and its electoral processes, among other things. All major tech companies including Meta, Google, Apple, Microsoft, and Amazon are expected to be classified as significant data fiduciaries.
The long awaited rules are crucial for the operationalisation of the data protection Act.
Previous avatar
Under the data protection Act which was cleared last year, the government had said it would simply notify the territories where personal data of Indians can not be taken to. This was seen a big win following immaculate lobbying efforts by the tech companies against a provision in an older version of the draft law which mandated strict localisation mandates. Under the data protection Bill, which was withdrawn from Parliament in 2022, companies were required to store a copy of certain sensitive personal data – like health and financial data – within India and the export of undefined “critical” personal data from the country was prohibited.
With the fresh draft rules, these localisation requirements have made a reentry.
The government has invited comments to the draft rules until February 18.
Discover the Benefits of Our Subscription!
Stay informed with access to our award-winning journalism.
Avoid misinformation with trusted, accurate reporting.
Make smarter decisions with insights that matter.
Choose your subscription package