
Tech industry apex body Nasscom on Thursday said the new proposal in the draft Rules under the Digital Personal Data Protection Act to restrict transfer of personal data outside India "appears to be inconsistent with the spirit and the objectives of the Act and should be reconsidered."
In its feedback on the draft Rules under the DPDP Act, which were published by the Ministry of Electronics and Information Technology (MEITY) in January 2025, Nasscom said the proposal, as it stands, risks causing unintended uncertainty on international data transfers. "Moreover, the ability of such a restriction to afford meaningful additional safeguards to the processing of personal data, remains at best questionable... even with a careful reading of the Act, the industry could not envisage that the proposal to restrict transfer of personal data by Significant Data Fiduciaries was possible in this manner," it said.
It stressed that since the need for appropriate safeguards when data is transferred outside India is already provided for under S.16 of the Act, there is no need for the proposed Rule 12(4).
Nasscom's primary recommendation is to delete the proposed Rule 12(4) (which says a 'Significant Data Fiduciary' must take measures to ensure that personal data specified by the Central Government is not transferred outside India). Tech and financial services companies based in the US have asked the government to reconsider selective data localisation as it will incur unnecessary costs and also fragment global data transfers.
The US administration has been viewing data localisation policies of India as a barrier to digital trade.
As an alternative, Nasscom recommended that the government examine the merit of imposing additional measures to ensure that Significant Data Fiduciaries can effectively demonstrate a more meaningful ability to ensure protection, as envisaged in the Act, when data is transferred outside India.
Nasscom has also requested that the Rules provide that, where the Data Fiduciary has determined that a breach does not require any action from the Data Principal to mitigate its effects, the intimation to that Data Principal may be provided after the breach has been intimated to the Board.
The industry has noted that the Act does not distinguish between elevated risk and negligible risk resulting from personal data breaches.