## Full Text

**Nikhil Pahwa** @nixxin [2025-01-04](https://x.com/nixxin/status/1875415805363421278/history)

India released its draft Data Protection Rules yesterday, and my initial thoughts are that it appears to be disconnected from reality. I'm still reading and will add more, but first the positive change, then the rest.

Btw, expect a complete overview of the Rules on @medianama today, & more next week. It's what we do best.

My comments:

1. User notification on data breaches: The DPDP Act said that users should be informed about data breaches after the Data Protection Board allows. However, the Rules fix this by saying that users and the board need to be informed immediately. This is +ve

2. Data Breach notification timelines are problematic: the Data Protection Board needs to be given a fairly comprehensive overview of the data breach within 72 hrs of discovery, along with remedial measures. This seems to be impossible to comply with. Understanding the breach sometimes takes longer. What if it's a ransomware attack? -ve

3. Everyone will have to be verified: The rules mandate that children will only be allowed to access the Internet with parental consent. This was a flaw in the law (which I had pointed out repeatedly over the past few yrs, but MEITY didn't listen). Parental consent is via parents a/c, Digilocker or govt auth (aadhaar?). How do you know if someone is a parent or not? Means platforms will have to verify EVERYONE. madness. Very -ve

4. Data localisation is back? Not quite... The Data Protection Act allowed for global data transfers (pls note all global SAAS customers & Indian SAAS co's), except to blacklisted countries. The rules now say that companies must comply with "any requirements the Central Government sets in respect of making such personal data available to a foreign State or its entities." Now this is interesting, in terms of the US RISA Act which allows the US government to snoop on data stored in datacenters and cloud services.

   This means the Indian law will conflict with the US law. I think this is a good move. Why should we allow US companies collecting data from India allow the US govt to snoop on us? +ve move for Indian citizens. Terribly -ve for US companies because of the conflict between US and India law.

## Colophon

title:: Thread by @nixxin
type:: [[full-text]]
url:: https://x.com/nixxin/status/1875415805363421278
date:: [[2025-01-04]]
published:: 2025-01-04T05:35:46.000Z