The government has taken a significant step toward the implementation of the Digital Personal Data Protection Act, 2023 with the release of the draft DPDP Rules, 2025 on 3 January. These rules, open for public consultation till 18 February, introduce both expected and unexpected provisions aimed at operationalising the DPDP Act and regulating the use of personal data. Among the most surprising changes is a data localisation mandate for larger entities—a move not explicitly outlined in the parent Act.
The DPDP Act, 2023 does permit the government to restrict the transfer of personal data, but only to notified countries—presumably because we live in an uncertain and unfriendly world. It makes sense to reserve the right to deny data transfers to adversaries.
However, under the draft rules, Significant Data Fiduciaries (SDFs)—large enterprises processing substantial amounts of data—may now face a data localisation obligation for specific classes of personal and related traffic data. This provision effectively treats all countries as unfriendly for these data classes, raising questions about its implications.
The challenges
Globalisation has driven harmonisation of standards and reduced trade barriers in recent decades. Conversely, data localisation mandates an approach that inherently curtails market efficiency by obstructing free flow of data. Thus, institutions are compelled to maintain a larger workforce and technology within designated jurisdictions, increasing operational intricacy and compliance risks. In some cases, data localisation even renders markets economically unattractive, leading companies to exit and depriving them of valuable services. The European Union’s experience after implementing a compliance–heavy data protection framework serves as a cautionary tale.
Also read: 6 reasons why privacy is a lost cause in India. Don’t wait for DPDP Act to fix it
Inconsistent differentiation
The draft rules create an artificial and inconsistent differentiation among data fiduciaries—entities that determine how personal data is processed. Specifically, they restrict data transfer for SDFs based on data categories, presumably by sensitivity, while allowing smaller entities to transfer the same types of data abroad. For example, if health data is deemed non-transferable outside India by SDFs, smaller fiduciaries (non-SDFs) may still transfer this data. The rules fail to explain why this distinction exists, creating a regulatory gap and potential for regulatory arbitrage, where smaller entities could exploit the relaxed restrictions to gain an advantage.
Ironically, larger entities—often equipped with better security infrastructure due to greater resources—face stricter controls, potentially undermining data protection goals. Further, if a particular category of data is so sensitive that it must remain within India, why should the nature of the fiduciary—SDF or non-SDF—matter?
Imagine, health data is classified as so sensitive that it cannot be transferred outside India. Why should smaller entities be allowed to transfer this?
Similarly, does any category of data exist that only SDFs collect? The rules appear to ignore the non-rivalrous nature of data, where the same data (like medical records) can be used by multiple entities simultaneously. This approach undermines the Act’s goal of consistent protection for personal data, regardless of the entity handling it.
Contradictions with parent Act
The DPDP Act, 2023 also does not categorise personal data into subtypes such as ‘sensitive’ or ‘critical’; it mandates uniform protection for all digital personal data, irrespective of its nature. Yet, the draft rules introduce a new layer of categorisation, restricting the transfer of certain data categories for SDFs. This divergence sets a problematic precedent. Subordinate legislation is expected to align with the intent and framework of the parent law, not contradict or expand upon it. Such overreach risks undermining the legislative process, which is predicated on parliamentary approval and oversight. The draft rules dilute the law’s clarity and could invite legal challenges.
Also read: Data sharing policies can’t be one size fits all. Crucial to address privacy, ownership
Overgeneralisation in restrictions
The DPDP Act’s original approach allowed for restricted data flows based on a negative list of countries, barring transfers to nations deemed hostile to India’s interests. North Korea could make the cut on such a list. This would make sense, as it is a rogue state known for cyber-attacks on democracies. However, the draft rules extend this restriction indiscriminately by prohibiting SDFs from transferring entire classes of data to any country, effectively equating allies with adversaries. Such a blanket restriction risks straining relations with strategic partners and could erode trust in India’s commitment to fostering global collaboration in data-driven domains.
India’s ambitions in global services could be severely impacted by restrictive data localisation policies. For instance, the development of artificial intelligence (AI) depends on the efficient flow of data across borders, as does the success of India’s Global Capability Centres (GCCs). The government’s focus on the IndiaAI Mission and the opening up of 1,700 GCCs is a testament to the fact that both are now national priorities; and its axiomatic that both depend on data. Restricting data transfers may provoke retaliatory measures from friendly nations, limiting India’s ability to process global datasets and jeopardising its leadership in these industries.
As the world edges toward protectionism and insularity, India stands at a crossroads. Following the trend might seem easier, but the smarter path lies in leading by example—championing the kind of governance that aligns with national priorities while fostering global collaboration.
The authors work at Koan Advisory Group, a technology policy consulting firm. Views are personal.
This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector. Read all the articles here.
(Edited by Aamaan Alam Khan)