Draft Data Protection Rules Allow Authorities To Restrict Data Transfer To Foreign Countries

The revisions suggested in the Digital Personal Data Protection (DPDP) Act draft state that authorities will have the right to restrict data transfer to foreign countries. The draft, made public on January 3, 2025, stated that the government will be permitted to place restrictions on cross-border data transfer to countries, entities, or persons in case of national security or privacy concerns.

The draft document will remain open for public feedback till February 18, 2025, reported Moneycontrol. These rules suggested in the draft shall be applicable to both Indian and global firms.

Rule 14 of the draft document specifically mentions that that the data transfer to any region outside India shall be subjected to general or special orders of the Central government, ‘in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State’.

This also means that the rules place power in the hands of the Central government to keep a tab or curb the transfer of personal data. While the rules don’t specify the criteria or basis of the concerns on which the government may give such orders, however, Sec 17(2) of the DPDP Act allows the authorities to put in place restrictions citing concerns about security of State, sovereignty, etc.

Also Read : New Data Privacy Rules Suggest E-Commerce Players, Social Media Platforms Should Delete User’s Info After 3 Years

Therefore, the rule provides flexibility for the government to impose conditions or restrict the transfers to nations via notifications, without predefining a list of blacklisted countries.

The DPDP Act draft said, “The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.”

Further, the draft rules also categorise the different types of data fiduciaries and stated that these entities including e-commerce platforms and online gaming services should delete user data in a three-year period after it is not required for its intended purposes anymore.

Also Read : N Chandrasekaran Says Slowdown In Indian Economy Temporary, India To ‘Remain Fastest-Growing In The World’