The Indian government has decided not to make any major changes to the rules related to data storage and cross-border data transfers in the draft of the Digital Personal Data Protection (DPDP) Rules or act according to government sources. This decision comes even after several major global tech companies and industry groups raised concerns during recent consultations.
Under the proposed rules, the government may stop certain types of personal data from being transferred or stored outside India. This restriction will depend on recommendations from a government-appointed committee. Global companies argue that such limits will hurt their ability to operate across borders. However, the government believes these rules are necessary to protect India’s data sovereignty.
The data transfer rules became a major issue during trade talks between India and the United States. The US has asked India to relax these rules as part of negotiations for a future bilateral trade agreement. Recently, a team of US officials visited India to discuss these and other trade-related matters. However, Indian officials made it clear that they are unlikely to change the restrictions.
One of the most debated parts of the draft is Clause 14. This clause says companies handling Indian citizens’ data must meet conditions before sharing it with foreign countries or their agencies. Even if data is stored outside India, companies cannot share it with foreign governments without Indian government approval.
Officials said this rule aims to protect Indian citizens’ personal data from foreign authorities. “It is our responsibility to protect the rights of Indian citizens, including their data,” a senior official stated.
While the government will stick to its stance on data transfers, officials may adjust other parts of the draft. For example, Clause 6 may be simplified by reducing the number of sub-sections. This clause lists security measures companies must follow to protect personal data. Clause 10 may also see changes, especially regarding consent for processing children’s data or data of persons with disabilities.
Officials confirmed that the government will retain the basic structure of the DPDP Act. They may make small changes to wording or formatting, but they will not weaken key principles like data protection, citizens’ rights, and data sovereignty.
The Indian government has worked for over a decade to build a strong data protection law. In 2012, the Justice Shah Committee made the first attempt. Later, the Justice Srikrishna Committee submitted another report in 2018. Since then, the government has drafted several versions and held many consultations. In 2019, it introduced the Personal Data Protection (PDP) Bill. However, it withdrew the bill in 2022 to bring a simpler and updated version.
In 2023, the government passed the DPDP Act and began drafting detailed rules. Officials expect to notify these rules within two months. However, full implementation may take up to two years.
Meanwhile, India has linked its data transfer rules to its broader trade and digital policy strategy. As part of trade talks with the US, India is considering removing the 6% equalization levy, also known as the Google tax. This tax applies to foreign digital companies providing online advertisement services.
Officials believe the DPDP Act and its rules, once fully enforced, will provide consistency and protection in India’s digital space.trong framework for protecting Indian citizens’ data and regulating digital services in the country.
ALSO READ: APAAR ID: Simplifying Education, Raising Privacy Concerns
