The "construct of the DPDP Act" cannot be changed at this stage, though there may be some minor tweaks in the language of the Rules and formats in certain legitimate cases.
The government is unlikely to make any changes to the data storage and cross-border data transfer norms mentioned in the draft of the Digital Personal Data Protection Act (DPDP) Rules, sources told Business Standard.
In an extensive consultation process that ended earlier this month, major tech companies and their representative industry bodies expressed reservations on a clause, which proposes that based on the recommendations of a government appointed committee, some kind of data may not be allowed to be transferred out of India or stored outside the country's geographical limits.
Also, the need for liberalisation in digital services, including data localisation and cross-border data transfer norms in the DPDP Rules came up, as part of negotiations on non-tariff barriers, between India and the US while the two sides tried to hammer out a Bilateral Trade Agreement (BTA), according to sources.
A team of US officials, headed by Assistant US Trade Representative Brendan Lynch, was in India till March 29 to hold trade agreement talks with the commerce department ahead of the reciprocal tax announcement by the Trump administration.
The draft DPDP Rules, which were released in January, are expected to provide clarity on the operational guidelines for the provisions of the Act that was passed by Parliament and ratified by the President in 2023.
Though the Rules are expected to be notified in six to eight weeks, implementation of the specific provisions in its entirety could take up to two years from the date of official notification, a senior government official said.
The "construct of the DPDP Act" cannot be changed at this stage, though there may be some minor tweaks in the language of the Rules and formats in certain legitimate cases, an official at the ministry of electronics and information technology (Meity) told Business Standard.
The clause on transfer of data, which is being loosely referred to as data localisation norms mostly by international companies, is not among those shortlisted for any change, the official pointed out, adding that the DPDP Rules do not mention data localisation specifically.
Clause 14 in the draft DPDP Rules 2025 deals with processing of personal data outside India.
It states that 'transfer to any country or territory outside India of personal data processed by a data fiduciary -- (a) within the territory of India; or (b) outside the territory of India in connection with any activity related to offering of goods or services to data principals within the territory of India, is subject to the restriction that the data fiduciary shall meet such requirements as the central government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a state.'
The clause implies that companies that work on the data of Indian citizens must refrain from sharing it with foreign governments' agencies even if such data is stored in the geographical limits of that government's jurisdiction.
"Domestic data cannot be given to foreign authorities. It is our duty to protect the sovereign rights of Indian citizens and that extends to their data," another source said.
While maintaining its stance on cross-border data transfer, the IT ministry could slightly tweak clause 6 of the DPDP rules, which is focussed on companies ensuring reasonable security measures for citizens' data.
Here, the number of sub-sections could be reduced to four or five from seven currently proposed in the draft, one of the officials quoted above said.
Section 10 of the draft DPDP Act rules could also see minor changes, especially with respect to the "verifiable consent for processing of personal data of child or of person with disability who has a lawful guardian", an official said.
India has been trying to come out with a comprehensive regulation to ensure the online safety and privacy of its citizens for nearly 15 years.
In 2011, a group of experts under the chairpersonship of former Delhi high court Chief Justice A P Shah made the first attempt.
The Justice Shah committee submitted its report in 2012 but the files kept gathering dust for the next five years.
In 2017, the IT ministry formed another expert-committee under the chairpersonship of retired Supreme Court judge, Justice B N Srikrishna. The Justice Srikrishna committee also submitted its report in 2018.
In 2019, the government for the first time, introduced the Personal Data Protection (PDP) Bill for consideration and passage in the Lok Sabha.
It was almost immediately referred to a joint committee of Parliament, which introduced several amendments and new clauses over the next two years.
The final version of the bill, as presented in the Lok Sabha with amendments proposed by the joint committee of Parliament, however, was withdrawn by Union IT Minister Ashwini Vaishnaw in 2022.
The aim, Vaishnaw had then said, was to introduce a fresh version of the privacy bill that would be simpler.
A year later, the latest version of the privacy bill, now called the DPDP Act, was passed in both Houses of Parliament and ratified by the President.
The operationalisation of the Rules under the DPDP Act could ensure uniformity in digital services provided to Indian citizens, according to officials.
Feature Presentation: Ashish Narsale/Rediff.com
© 2025