Background
The Government of India passed the Digital Personal Data Protection Act, 2023 (“DPDP Act, 2023”) on 11th August 2023. This followed seven years of policy making, starting when the central government constituted the BN Srikrishna committee (2017), which drafted the first Draft Personal Data Protection Bill, 2018. Taking note of the fact that ‘Tech is global but policy is local,’ it is pertinent to analyse the Draft Digital Personal Data Protection Rules, 2025 (hereinafter “Draft Rules”) against the backdrop of global standards.
Under the DPDP Act, 2023, Significant Data Fiduciaries are defined under Section 2(z) as Data Fiduciaries or a class of Data Fiduciaries notified by the Central Government under Section 10. They are defined on the basis of the following criteria:
(a) the volume and sensitivity of personal data processed;
(b) risk to the rights of Data Principals;
(c) potential impact on the sovereignty and integrity of India;
(d) risk to electoral democracy;
(e) security of the State; and
(f) public order.
Significant Data Fiduciaries are subject to additional obligations as compared to Data Fiduciaries: they must appoint Data Protection Officers and independent data auditors, and must undertake periodic Data Protection Impact Assessments (DPIAs) and periodic audits, amongst other measures as may be prescribed.
Rule 12 elaborates upon these obligations and prescribes the following:
DPIAs once every twelve months, along with an audit to ensure effective observance of the provisions of the Act and Rules. The person carrying out the DPIA and audit needs to furnish a report containing significant observations from them to the Data Protection Board. Significant Data Fiduciaries need to observe due diligence to verify that algorithmic software deployed by them for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of the personal data they process is not likely to pose a risk to the rights of Data Principals.
Significant Data Fiduciaries need to undertake measures to ensure that personal data specified by the Central Government is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.
Analysis
Comparison with Previous Iterations of Data Protection Legislations in India and Other Jurisdictions:
While it is laudable that India finally has a system to operationalise the ideal of privacy envisaged by the Supreme Court in Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors., there still exist some areas that would require more clarity. Impetus in this regard can be drawn from previous versions of the Data Protection Bills drafted, as well as from data protection legislations in foreign countries.
One such gap is the vague definition of what a Data Protection Impact Assessment will cover. While such an assessment is vital to ensure transparency, the Rules fall short of prescribing what is to be covered during such an assessment. Article 35 of the General Data Protection Regulation lists out comprehensive guidelines for what is to be covered, including a systematic description of the envisaged processing operations and the purposes of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data. Including clarity on such fronts will help ensure that any DPIA conducted comprehensively covers all obligations of Significant Data Fiduciaries, and further helps to protect the rights of users as well.
This is particularly relevant because, in comparison with the Digital Personal Data Protection Bill of 2022, management of harms has not been included in the meaning of DPIA under either the DPDP Act, 2023 or the Draft Rules. The inclusion of this language in the Rules would help guide DPIAs to preserve and protect user rights.
Further, previous iterations of the Data Protection Bills required Significant Data Fiduciaries to conduct an impact assessment before undertaking any processing involving:
- new technologies or large-scale profiling;
- use of sensitive personal data such as genetic data or biometric data; or
- any other processing which carries a risk of significant harm to Data Principals.
This language, too, is absent under the current regime.
Lastly, all the previous Bills required these Fiduciaries to maintain records with respect to important operations in the data life-cycle, including collection, transfers, periodic review of security measures, etc. These obligations have now been removed and find no mention in the Rules.
Rule 12 introduces a new obligation hitherto unseen, mandating Significant Data Fiduciaries to observe due diligence to verify that algorithmic software deployed by them for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of the personal data they process is not likely to pose a risk to the rights of Data Principals. This is a vital requirement, considering the pace at which AI has proliferated. However, considering the vast scope of harm, it might be necessary to supplement this clause with separate legislation to regulate AI as well. While the legislation does not need to be overly prescriptive, even light-touch regulation would serve to ensure that rights and development go hand in hand.
Data Localization
Under Section 16 of the DPDP Act, 2023, transfer of personal data outside India is allowed, contingent on certain factors. The Section is couched in negative wording and states that the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be notified. A caveat has been carved out in the Section: nothing shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for, or restriction on, transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.
Rule 14, titled Processing of Personal Data outside India, adds further to this. The Rule states that the transfer of personal data to any country or territory outside India is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State. This Rule creates a separate obligation on Data Fiduciaries in terms of transfer to foreign states and entities under their control, adding a further layer of regulation to personal data transferred outside India. This obligation is worded to apply to all jurisdictions, even ones that have not been identified by Section 16. The blacklisting approach is further accompanied by restrictions.
The Section and Rule both delegate the process of regulation further. There is still little clarity about which countries and jurisdictions are to be blacklisted, and what the requirements for transferring personal data to foreign governments are. Such clarity is imperative, as data transfer across borders has become a new form of currency in itself.
Further, Rule 12 imposes an additional layer of complexity, as it mandates that a Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.
An issue that arises is that a reading of the Section and Rules shows that the distinction between sensitive, critical, and personal data has been entirely done away with. This means that requirements for localization, or the lack thereof, can be read to apply uniformly to all data that the Act covers. Inter-regulatory disputes can crop up due to the lack of suitable definitions.
The lack of clarity raises questions of compliance and shrouds the intent of the legislation in mystery. While the Act does allow free data flows, the restrictions imposed under the Rules require further elaboration.
Clarity in this regard can be sought from foreign legislations, which are similarly worded.
Taking a look at international legislations, it can be seen that Article 34 of the Brazilian data protection legislation, the Lei Geral de Proteção de Dados (General Data Protection Law in English, or LGPD), as well as Article 9(2) of the Turkish data protection legislation, explicitly set out the factors for transfer within the provision itself. This allows for more clarity and transparency.
Recommendations:
While the brevity of language is appreciated, it must not result in the substance of the legislation getting adversely impacted. These obligations on Significant Data Fiduciaries are essential for protecting Data Principals from harms. They also enhance transparency and, consequently, the accountability and fairness in processing of the data of Data Principals. Therefore, it is recommended that:
- The obligation of conducting an impact assessment before using new technologies, or large-scale profiling, or use of sensitive personal data, etc., be reintroduced in the text of the Rules.
- The gradation of classifying data as sensitive and critical personal data be reintroduced into the provisions of the Act and Rules.
- The obligation of record keeping, which is essential for transparency and accountability, also be mandated.
The Rule on transferring personal data outside India (data localization) should have the conditions and factors for transfer clearly set out within the text of the Rule itself. It must be made clear what sort of data can and cannot be transferred out of the country. The previous versions of the Bill made mention of ‘Sensitive’ and ‘Critical’ personal data that needed to be mirrored and not transferred out of the country. If similar requirements are to be mandated, the same must be clarified in the Rules and not delegated further.