New Delhi: India’s draft rules under the Digital Personal Data Protection Act (DPDPA), released on 3 January, introduce stricter data localisation requirements, prompting businesses to reassess compliance strategies.
The Ministry of Electronics and IT (MeitY) initially invited public feedback until 18 February, but then the consultation period for the said DPDP rules was extended to 5 March.
The earlier version of the Act, passed in August 2023, proposed a whitelist-blacklist model for cross-border data transfers. However, the draft rules now introduce a layered regulatory framework. A government-appointed committee will assess and impose conditions for transferring personal data to foreign states or entities. This may increase complexity for companies operating under international data protection laws.
A key addition in the draft is the regulation of Significant Data Fiduciaries (SDFs). These entities may be barred from transferring personal and traffic data outside India, subject to the committee’s recommendations.
Overall, while this legislation is considered to be the biggest game-changing Act in the country, several experts have been highlighting the many core factors over the past few months.
According to reports, legal experts say this shift is significant as the original Act did not include such a clause. However, there is ambiguity around who qualifies as an SDF. While Rule 22 allows MeitY to request information to declare SDFs, no clear timeline has been provided, raising concerns among businesses.
Sectors expected to be most affected include IT services, healthcare, e-commerce, telecom, and media. While financial services already comply with RBI’s localisation norms, they may now face additional obligations. Experts suggest aligning with existing sectoral regulations could avoid regulatory duplication.
Despite the rules being simpler than previous iterations of the data protection bill, industry leaders believe the sudden shift in localisation policy could burden cross-border operations. Many are expected to seek clarity on classification criteria and transition timelines during the consultation phase.
The draft marks a stricter turn in India’s data governance approach, potentially reshaping how businesses handle personal data across borders.
Discussion about this post