Fri, May 02, 2025
After the Digital Personal Data Protection (DPDP) Act was passed by both houses of Parliament in August 2023, the Ministry of Electronics and Information Technology (MeitY) has now released the much-awaited draft rules that will guide the Act's implementation.
The draft ‘Digital Personal Data Protection Rules, 2025’ have been released for public feedback, with a 45-day window until February 18, 2025, for stakeholders, including big tech companies, small companies, non-profits, think tanks, and the general public, to submit their suggestions on the MyGov website.
The Secretariat had reported earlier that the delay in releasing the draft rules was due to a deadlock between the government and stakeholders over finding a reliable method of obtaining parental consent for individuals below 18 years of age to access online platforms.
Parental Consent
This debate is reflected in Rule 10 of the document released by MeitY, which spans two pages. The government has put the onus on the data fiduciary (the company or individual that stores and processes user data) to verify both that an individual claiming to be a child's parent is indeed the parent and that the parent is an adult.
For clarity, data fiduciaries include e-commerce, social media and gaming platforms.
In case the parent is a registered user of the platform/service, their identity and age are already verified. But if the parent is not a registered user, the parent must prove their identity and age using government-issued identity details or services from the Digital Locker system.
When consent is to be obtained from the guardian of a person with a disability, the data fiduciary must ensure the guardian has been legally appointed, for example by a court or a designated authority.
The Secretariat spoke to Dhruv Garg, Partner at Indian Governance & Policy Project (IGAP), who said that the wording of the parental consent rule is open but vague.
“The provision is following a principle-based approach and is reasonably flexible. Any technological measures can be applied and there is no single method or measure which is forced for identifying and verifying the parent. But there will be a lot of debate as to what it means when it is implemented,” said Garg. “The government is trying to give the companies enough leeway to implement the rule in a manner which is comfortable to them.”
That the Act is principle-based rather than prescriptive has been one of the earlier critiques of it. Many have drawn parallels with the European Union's General Data Protection Regulation (GDPR), which also follows a principle-based framework.
While this approach offers flexibility and room for innovation, a stance the government has reiterated, it also creates considerable confusion. Because the Act is principle-based, companies are left responsible for working out how to meet its broad requirements. They may find it hard to interpret and apply the rules consistently, leading to gaps in compliance or uneven enforcement across industries.
National Security
Another rule that has piqued interest is Rule 22, which states that the central government can require a data fiduciary or intermediary (such as a company managing data) to provide personal information when national security is at risk. The central government can also specify how much time the data fiduciary has to hand over the information.
However, what constitutes ‘national security’ has not been explained.
Rule 22 contains a provision that has drawn significant criticism as a "governmental overreach of power". It allows the government, citing national security concerns, to compel a company to disclose an individual's personal information without notifying the individual whose information is being disclosed.
“This is an interesting rule. It’s not just the central government, but any entity recognised as State (through Central Government and authorised person) can ask data fiduciaries to disclose personal data on the grounds of national security or purposes of schedule 7 of the rules,” said Garg. “The government can also force data fiduciaries not to disclose said data in the interest of national security and other specified purposes.”
The said information cannot be shared unless the responsible official gives written approval beforehand.
Localisation & Cross-Border Sharing
The rules also add localisation requirements for certain types of personal data, which could have wide-ranging ramifications for big tech, companies handling sensitive data and foreign governments.
First is Rule 12, which deals with significant data fiduciaries (SDFs), data fiduciaries that handle large volumes of personal data or sensitive information.
Sub-rule (4) of Rule 12 introduces a localisation requirement for SDFs: they must store and process certain categories of personal data within India's borders only.
“SDFs will also be subject to data localisation requirements based on the recommendations of an executive committee,” said Pallavi Sondhi, senior associate at Ikigai Law.
Experts believe this rule is likely to encounter strong pushback from industry giants such as Meta, Amazon and Google, and from organisations that handle sensitive health and financial data.
Rule 14, on the other hand, restricts the flow of Indians' data to foreign states. Unlike Rule 12, it applies to all data fiduciaries. It says that a company which processes personal data in India, or processes it outside India in connection with goods or services offered in India, must meet certain requirements before sharing that data with foreign governments.
"In case of cross border data transfer, data fiduciaries will have to comply with certain conditions that the Central Government may prescribe through a separate executive order," said Sondhi. "The conditions will relate to providing data access to foreign governments or persons/entities under its control."
MeitY is yet to explain what these conditions are.
The DPDP Act itself takes a much broader approach to cross-border data transfer: data fiduciaries may transfer data outside India, except to countries explicitly barred by the government.
Under Rule 14, for instance, if Facebook stores Indian users' data in India but receives an access request from the US government, it may face obligations under Indian law. Whether Facebook is required to share that data with a foreign government would depend on the legal frameworks and agreements in place.
“The rule doesn’t apply when Indian Tech entity shares the data with its parent company in US assuming no other restrictions exist. The rule would apply when a foreign state agency asks for Indians’ data from such Indian tech entity,” explained Garg.
What Happens After February 18
The President of India gave assent to the DPDP Bill on August 11, 2023, making it the DPDP Act. The Act has taken 17 months to reach the consultation stage, but industry experts tell The Secretariat that there is still a long way to go.
After February 18, 2025, the government is expected to review the comments and suggestions it has received from stakeholders and the public. Based on this feedback, it will decide whether to revise the draft or to proceed with finalising the rules. If further input is needed, the government may seek additional comments.
Once the government finalises the rules, companies will begin a compliance process, starting with a gap analysis. This involves reviewing what data is collected, how it is collected, who has access to it and who uses it. Companies will then align their practices and structures with the obligations set out in the DPDP Act and its rules. This process generally takes six to eight months.