Date: 2025-01-15

Imagine this. You wake up, pour yourself a coffee, and scroll through your phone. All seems well. But what if every app and website you’ve ever used — Instagram, Amazon, or even that odd e-store — was quietly rifling through your personal data without asking you? India’s proposed Digital Personal Data Protection (DPDP) Rules, 2025 aim to ensure this nightmare doesn’t become your daily reality.

Under these rules, companies (referred to as data fiduciaries) must explain, in plain language, how they’re using your data. They must also make it just as easy for you to withdraw consent as it was to give it. Add to that mandatory encryption, breach notifications, and even a Consent Manager platform where you can control all your permissions in one place. These rules, drafted under the 2023 Data Protection Act, are an attempt to return power to the individual—data principals, as the law calls us.

But conversations with people involved in drafting these rules reveal some thorny issues. While the intent is noble, some practical and structural challenges need ironing out.

Flexibility for fiduciaries: The draft rules treat all companies — startups, multinationals, and Big Tech — as though they’re equally capable of complying. They’re not.

To place that in perspective, small companies, for instance, can easily assign data responsibility to someone like a chief security officer (CSO). Their chains of command are short and direct. But for larger entities and Big Tech such as Google, Apple, Meta and X? At these sprawling behemoths, a CSO might report to a chief technology officer (CTO), who then reports to a vice president, who may answer to someone even higher.

Adding to the complexity of reporting structures, at larger entities it’s not the tech folks who make the final call — it’s the lawyers. They will inevitably look for ways to reinterpret rules in their favour.

A senior bureaucrat who has seen it all over the decades points out that by insisting on rigid accountability, the current draft rules risk creating unnecessary hurdles for smaller companies. It is inevitable, he says, that larger players and Big Tech will work to exploit legal loopholes. To him, it appears that the current draft has placed small entities without a battery of expensive lawyers and large entities in the same bucket. While the heart is in the right place, flexibility is needed to level the playing field.

The kids’ dilemma: One of the more ambitious goals of the rules is to safeguard children’s data. Platforms are required to verify users’ ages and ensure parental consent for minors. Sounds good. But here’s what reality looks like: Kids are tech-savvy and can easily fake their age. Worse still, there’s no clear way to verify that the person claiming to be a parent is actually the child’s parent or legal guardian. Without practical solutions, this rule risks becoming a noble idea with little real-world impact.

Localisation for accessibility: Let’s come to data localisation — the requirement for companies to store certain data within India. Some argue that this is unnecessary and that what India really needs is data access. But India’s own experience says otherwise.

From a policing perspective, India has treaties with many nations to cooperate on legal matters. Yet these treaties rarely deliver results. When was the last time a criminal was extradited? Those in government have seen first-hand that western countries collaborate readily with each other. But their enthusiasm wanes when dealing with India (and pretty much every other country except Australia). So, whether it’s extraditing a fugitive or retrieving critical information stored overseas, India often finds itself waiting — and waiting. This reality is shaped by geopolitics, not promises on paper.

This is why localisation is essential. If data isn’t stored locally, it’s not accessible in any meaningful sense. Accessibility depends on proximity. Localisation ensures that India’s legal and law enforcement systems can actually enforce the rules. Without it, the ideals of data access will remain just that — ideals.

Data attainability: While localisation ensures data is within reach, the ability to retrieve and use it — data attainability — is just as important. Consider the Boston Marathon bombings in 2013. The United States (US) Federal Bureau of Investigation (FBI) recovered Apple devices belonging to the suspects and asked Apple to decrypt them. Apple refused, citing the user privacy norms it subscribes to. So, the FBI turned to Briefcam, an Israeli company based out of Jerusalem that cracked open the devices. Interestingly, many of that company’s engineers were former Apple employees. Was this a coincidence? Perhaps. Or maybe not, people in the Indian security establishment say.

The incident, they say, underscores why physical access to infrastructure matters. It’s not enough to have laws requiring cooperation; without the infrastructure to enforce those laws, whether through localisation or other means, data remains out of reach when it’s needed most. Localisation and attainability are two sides of the same coin.

In a world where data is currency, control over it is power. India’s draft rules are a declaration of intent — that power must rest with its people, not corporations. But here’s the thing about intent: It means nothing without teeth. Flexibility without accountability is surrender. Localisation without enforcement is empty. And a child’s safety, wrapped in fine print, is no safety at all.

This ought not to be looked at as just a set of rules; it’s a moment of reckoning. Outside China and the western world, India is the first country that is making a move to take charge of its digital destiny. Will long-drawn-out deliberations let it slip into the hands of those who see our lives as nothing more than data points to be mined and monetised? Make no mistake: The world is watching how this Bill is implemented. If India gets it wrong, the next time you sip your coffee and pick up your phone, you might wonder — not if someone’s watching you but why did no one stop them?

Charles Assisi is co-founder at Founding Fuel Publishing and co-author of The Aadhaar Effect. The views expressed are personal.