Participants at MediaNama’s open house discussion “Understanding the Draft Digital Personal Data Protection Rules” discussed data localisation mandates and the obligations of significant data fiduciaries under the Act. MediaNama held the discussion under Chatham House Rules, which mandates keeping the identities of speakers and other participants confidential.
The draft version of the rules stated that data fiduciaries must meet currently unspecified government restrictions when transferring Indian personal data to other countries, especially when they want to make it available to foreign governments. This implied a possible conflict with the American Reforming Intelligence and Securing America Act (RISAA), which compels US-based enterprises to share the data of foreign citizens with American agencies.
Key Points From The Discussion:
The Rules Could Lead To A Conflict Between American and Indian Laws:
“So then there’s going to be a conflict of laws because RISAA was passed in Jan last year and is applicable till April 2026, when it comes up for renewal,” said a speaker. “It’s the new version of the FISA Act, which again allowed the US government access to data. So for example, US companies will be in conflict because at the same the Indian law will prevent them from giving access, US law will allow the US government access,” they added.
“That’s where the conflict will come – the company will be able to use the data, process the data outside Indian jurisdiction, but will not be allowed to share data with the foreign authorities,” said another participant.
Data Localisation Requirements Increase The Government’s Bargaining Power:
“Exactly, so this is where some sort of bargaining can be done—that you allow this data under section 22 and we don’t put that restriction there under 14, so indirectly it is empowering government here,” said a speaker. Section 22 of the Rules allows the government to acquire specific data from data fiduciaries or intermediaries, while Section 14 places the aforementioned restrictions on transferring personal data outside of India.
A participant stated that the Ministry of Electronics and Information Technology (MeitY) had finalised the Rules quite some time ago, but that the Ministry of Home Affairs had held them up. They pointed out that the Rules actually came out after the Trump victory in the US and suggested that they may play the role of a bargaining lever in negotiations. “My guess is once that is bilaterally sorted out, this will dilute a little bit because the industry had made peace with MeitY on data localization in consultation,” they claimed.
Can Data Localisation Requirements Stop Cross-Border Data Transfers?
A speaker pointed out that the Rules state that Data Fiduciaries can continue making cross-border transfers as long as they meet the specific requirements set out by the government. The speaker pointed out that the requirements could be as low as requiring companies to sign an undertaking before continuing data transfers or restricting them entirely.
Almost Every Country Has Laws Allowing The Government To Access Data:
“I know that you are taking the example of the US as one country, but every country will have some level of access to data that you take into their borders,” they added, giving the example of Australia and Singapore. “Rule 14 brings back restrictions on data transfers as not envisaged in the act. In the act it’s about selecting countries which you can take out.”
Are the Rules Compatible with the Law?
“Are the rules going beyond the law?” asked a speaker.
“They are not in resonance is what I would say. Because what is beyond the law is based on how vaguely things have been worded and how much power the government has. I don’t know whether you can completely say that,” said another speaker.
The Rules Add New Restrictions:
“Right, but here it is a new way to restrict. So the challenge for companies is – already with the first iteration of the rules coming up, we’ve had two new additional ways to restrict data transfer, in addition to the list that has been identified,” said a speaker.
DPDP Data Localisation Norms Setting Up The Notion Of ‘Trusted Geographies’ In India?
Another speaker affirmed their belief that the Rules did in fact go beyond the law, but in the sense that they were trying to set up the idea of “trusted geographies,” in an Indian context, an idea that was already taking root in other jurisdictions. They suggested that these trusted geographies could be based on groupings like QUAD or other national security or economic imperatives for India. “A lot of this is very fluid at the moment, not set in stone, but goes back to giving the Indian government a lot of negotiating power in these other negotiations,” said the speaker.
How Would the European Data Protection Authorities Look At This?
Another speaker pointed out that under the Schrems II judgement of the European Court of Justice, European Data Controllers had the authority to assess whether the personal data of Europeans was going to jurisdictions with adequate data protection norms. “So you’re getting into a very interesting inquiry when you do that, and it’s theoretical right now,” they said, which would depend on the potential revision of the rules and the act itself. “If the objective of the act was to discipline state behaviour, which was in some sense the expectation from Puttaswamy, there are questions on whether that itself has happened with the act, whether it’s adequate or do you get separate legislation for things like surveillance reform,” said the speaker.
Whether the EU Authorities would review the DPDP Act and Rules was still a hypothetical question, depending on if someone filed a case or if the data protection board in Europe would evaluate the law. “But it’s definitely not beyond the pale of that inquiry. So I think the issues, in some sense, still sit on the table,” they said.
Key Recommendations:
Make The Data Localisation Requirements As Detailed As Possible:
A speaker stated that stakeholders had expected greater clarity on how the so-called blacklist of countries would come about. They pointed out that a lot of companies still used mechanisms to transfer data like contractual clauses and asked if they were under consideration. “Because that’s the global norm. We have deviated from some of the global norms, so then we have to put a lot of detail into that deviation,” they said.
Also Read:
Support our journalism: