DPDP Act rules in final stages: Govt addresses data leaks and AI risks

The Ministry of Electronics and IT (MeitY) anticipates finalizing the rules for the Digital Personal Data Protection (DPDP) Act within six to eight weeks. Secretary S Krishnan stated on April 7, 2025 that these regulations are designed to significantly reduce personal data leaks. To further mitigate risks, particularly concerning AI, the government is exploring local storage solutions for AI models, aiming to prevent data from leaving the country.

MeitY is currently analyzing the detailed feedback received on the draft DPDP rules, which were available for public consultation from January 3 to March 5. An additional round of internal consultation might be necessary after this review. Krishnan emphasized that the DPDP Act’s enforcement will be crucial in curbing personal data leaks.

Regarding the use of Chinese AI platforms and associated risks, the government is closely observing the usage and impact of large language models (LLMs). Krishnan highlighted that data sharing via portals or mobile apps poses a significant risk of data outflow, potentially influencing the training of these models. Hosting models locally in India is seen as a way to minimize this risk.

Furthermore, Krishnan noted a positive trend in increased reporting of cyber security breaches. He stated that these increased reports help the government to understand the scale and source of the cyber security problems.