The government’s approach to data localisation will be guided by sectoral requirements, ensuring restrictions are imposed only where necessary, electronics and IT minister Ashwini Vaishnaw told FE on Saturday. Vaishnaw said a balanced framework is being put in place to safeguard critical personal data while avoiding disruption to industries.
A government-appointed committee will act as a central body to evaluate any localisation needs raised by sectoral ministries. This committee will consult industry stakeholders before making any recommendations. “The intent is not to disrupt cross-border data flows but to address specific sectoral requirements where localisation is necessary for citizen safety,” Vaishnaw said.
“Selective restrictions is the best practice in the world today, and the committee framework is needed to avoid any disruptions to the industry,” Vaishnaw underlined.
For instance, if the health ministry identifies certain health records that should not leave India, the committee will review the requirement, hold consultations, and then issue final recommendations. This process will prevent disruptions that could arise if ministries issue localisation notifications without following due process.
The draft rules under the Digital Personal Data Protection (DPDP) Act, released Friday, include a clause requiring significant data fiduciaries to comply with localisation mandates for specific personal data. These mandates will be determined based on recommendations from the committee and approved by the Central government.
“The rules are designed to balance regulation and innovation while safeguarding citizens’ rights,” Vaishnaw said, adding that India’s approach to personal data protection could set a global benchmark.
To ensure a smooth transition, the government is proposing a two-year timeframe for businesses to comply with the new law. This will allow industries to adapt their systems and avoid operational disruptions.
Following a 45-day public consultation period, the final rules are expected to be presented in Parliament during the second half of the Budget session or the monsoon session.
On parental consent for minors to use social media and verification of parents’ identity, Vaishnaw said the rules have carefully addressed the large harm the digital world poses to the privacy of people, especially children. “Virtual tokens for verification can be an effective way, given that we have a reasonably large digital architecture in place in India,” Vaishnaw said. Virtual tokens ensure data privacy as they eliminate the need to share sensitive identity documents, besides aligning with global standards.
The Act empowers the Data Protection Board to impose penalties of up to Rs 250 crore on data fiduciaries on non-compliance. However, it also includes a provision for voluntary disclosure, allowing organisations to proactively report breaches.
“This voluntary undertaking provision incentivises transparency and aligns with the overarching goal of fostering trust in the data protection ecosystem,” Vaishnaw explained.
The minister reiterated the government’s commitment to a phased, consultative approach that fosters innovation, protects citizens, and addresses sector-specific localisation requirements.
