After implementing various rules throughout the years, in 2023, the parliament passed the Digital Personal Data Protection Act 2023¹. It brought some major changes for ensuring the right of privacy of the people digitally. This Act brought some key concepts like: People now will be told that for what purpose’s their information will be used, now the companies cannot keep hoarding data for indefinite period or unexpected purposes, citizen can enquire about the information from organization and ask for corrections. A new data protection board will be formed which will protect and the ensure rights of people are not violated and if violated will enforce penalties for the same.

On January 3, 2025, the Ministry of Electronics and Information Technology (Meity) introduced the draft rules for Digital Personal Data Protection to support the implementation of the Digital Personal Data Protection Act, 2023. These rules were added to ensure the smooth functioning of the Act. These rules include :

Specific timeframes: 72-hour timeline for breach notification (rule 7), specific time frames for data deletion (rule 8), and technical methods for verifying parental consent (rule 10).

Detailed security standards: Specific security measures like encryption, access controls, logging, and backup mechanisms (Rule 6).

Procedural Specifics: Detailed procedures for Consent Manager registration (Rule 4), Specific processes for exercising user rights (Rule 13), Detailed mechanisms for the functioning of the Data Protection Board (Rules 16-20)

Implementation Details for Cross-Border Transfers: Specific conditions and approval processes for international data transfers (Rule 14)

Operational Guidelines for Exemptions: Specific standards for research, statistics, and archiving exemptions (Rule 15), Practical guidance on how these exemptions should be implemented

Localisation requirements and digital sovereignty

Among the most consequential aspects of India's approach to digital regulation is its emphasis on data localisation. This policy requires data to be stored in different data categories within India. This will reflect the growing concerns about foreign control over the information of Indian citizens.

Data storage within the national boundaries can help law enforcement agencies and the judiciary. During the investigations when digital evidence is needed, having it's access within the national boundaries simplifies the process and work of the regulatory bodies. It helps avoid agreements and complications with foreign countries regarding data. For Example: In Cybercrime cases having the access of data can help in resolving the dispute faster and fluently.

Nonetheless, global technology firms have expressed reservations about the practicality and cost implications of such requirements. A high- ranking official from an international cloud services company, who requested anonymity, explained that building separate data infrastructure solely for one country leads to increased operational costs-expenses that are likely to be passed on to consumers. According to the executive, the key challenge is to strike a balance: ensuring national data sovereignty while avoiding a fragmented internet landscape.

Localisation standards present unique obstacles for small and medium- sized businesses. Smaller businesses that lack the resources of digital giants may be disproportionately affected by compliance costs².

Cross-Border Data Flows in a Connected Economy

Policymakers increasingly recognise that overly restrictive data sovereignty measures could hamper India's competitive position in global digital services.

Recent regulatory frameworks have attempted to resolve this tension through tiered approaches to cross-border transfers. Critical personal data receives the highest protection with strict localisation requirements, while other categories can flow more freely under appropriate safeguards.

In the digital era, where evidence might be dispersed across international server networks³, traditional legal assistance accords appear burdensome.

Metadata, Authentication and Trust Frameworks

Digital privacy regulation intersects significantly with questions of authentication and verification. Establishing trusted digital identities while protecting personal information presents complex technical and legal challenges that Indian regulators continue to address.

Metadata—information that describes digital interactions and records— serves a vital function in verifying authenticity and safeguarding privacy.

Techniques based on cryptography, which can confirm identity traits without disclosing excessive personal details, are emerging as a viable solution. Initiatives like the India Stack—comprising platforms such as the Unified Payments Interface (UPI) and DigiLocker—illustrate how secure identity verification can be achieved while still respecting

The content created or modified through artificial intelligence is on the rise which raises another privacy concern in the modern era including deepfakes and AI-generated content, For Example: The recent Ghibli art trend on the social media platforms raised various privacy concerns.

Vladislav Tushkanov, Group Manager at Kaspersky AI Technology Research Centre, stated in the article published in the Hindi Newspaper⁴ That "Although some businesses do guarantee the confidentiality and safety of the information they gather and retain, this does not imply that the defences are impenetrable”, he further stated "Due to technical issues or malicious activity, data can leak, become public or appear for sale at specialised underground websites. Moreover, the account used to access the service can be breached if the credentials or user device is

compromised.”. Another view by Rohan Vaidya, Area Vice President, India & SAARC, CyberArk, said that “The widespread sharing of images for Studio Ghibli-style portraits presents growing cybersecurity risks, particularly in the areas of digital identity theft, deepfake manipulation, and unauthorised data exposure," he further added "Additionally, metadata embedded in images, such as location, timestamps, and device details, can be exploited for recce and identity theft. Moreover, the trend's popularity can lead to a surge in similar websites offering image-sharing and Ai-powered editing features, many of which may lack proper security safeguards or be outright malicious”.

Thus, while technology makes it easier to create highly realistic but fabricated content, verifying it’s authenticity and security safeguards⁵ features become more difficult.

The Path Forward

India continues to shape and develop its digital privacy landscape, and several critical factors are likely to influence the direction of future regulation:

1. To strike a balance between privacy and ideas of the people: Regulatory efforts made by the indian government must safeguard the personal rights of the people without hindering the technological progress. A framework based principles which focuses on desired outcomes rather than rigid technological mandates may offer greater flexibility in responding to the rapid innovation.
2. Regulation in relation to specific context: Privacy concerns vary significantly across various sectors such as healthcare, finance, and education. Addressing these unique challenges of different sectors while complying with the rules of the sectors while upholding privacy values of individuals, will be essential.
3. Regulations should be in Par with International Commitments: India can preserve it’s national interests and benefit from ratifying to international commitments, it will promote seamless digital trade between nations and international collaboration with other countries.
4. Empowering individuals: Strong privacy protections depend on giving users not only rights but also effective tools and mechanisms to manage how their data is collected and used.

(Authored by Shivam Bhalla, Final Year Law Student at Vivekananda Institute of Professional Studies, IPU, New Delhi, views expressed are personal.)

Citations

1 https://www.ciplawyer.com/articles/152507.html