US-based technology and financial services firms, including OpenAI, Microsoft, Mastercard, Visa, Netflix, Adobe, Zoom, and IBM, have urged the government to reconsider its stance on the possibility of data localisation in some cases in the draft rules for implementing the Digital Personal Data Protection (DPDP) Act.
These firms, through their industry associations, the Business Software Alliance (BSA) and the Global Data Alliance (GDA), have called for clearer guidelines on data transfers, specifically urging the government to specify which countries are restricted for data transfers rather than imposing broad-based localisation measures.
The deadline for submitting comments on the draft DPDP rules ended on Wednesday. In their submissions to the ministry of electronics and information technology (MeitY), these firms highlighted that the proposed localisation mandates could disrupt global data flows, hinder innovation, and add unnecessary compliance costs, contradicting the DPDP Act’s goal of facilitating cross-border collaboration.
The companies have said that the rules empower the government to classify certain categories of personal data that significant data fiduciaries (SDFs) cannot transfer outside India. This, they said, would lead to fragmented global data flows, higher costs, and regulatory uncertainty without necessarily enhancing data protection.
“The rules empower the government to specify categories of personal data that SDFs must not transfer outside India. Such selective data localisation measures fragment global data transfers, stifle innovation, and impose unnecessary costs on businesses, without enhancing data protection or security goals,” Venkatesh Krishnamoorthy, country manager, India, Business Software Alliance, said in the feedback submitted to MeitY as part of the consultative process initiated by the government to seek industry views.
Joseph P Whitlock, executive director, Global Data Alliance, pointed out that the criteria for identifying such personal data categories remain unclear.
Under Rule 14 of the draft rules, firms must comply with any requirements set by the Central government regarding making personal data available to a foreign state or its entities. The companies have strongly recommended that Rule 14 be deleted or at least modified to introduce a ‘blacklist approach’ — where data transfers are presumed permissible unless explicitly restricted to specific countries posing security risks.
“We strongly recommend deleting Rule 14. This rule appears inconsistent with the DPDP Act, which presumes that personal data can be transferred outside India unless the government restricts transfers to specific countries or territories,” the companies said. They added that if the rule remains, it should be revised to allow transfers under well-defined contractual and legal data protection requirements.
The Indian Governance and Policy Project (IGAP), a policy consultancy, also said that Rule 14 should clearly differentiate between ‘conditions on transfer’ and ‘restricting transfer’ to ensure enforceability without creating undue burdens.
The firms have also urged the government to provide clarity on the criteria and process for classifying an entity as a significant data fiduciary (SDF). The absence of clear guidelines could lead to arbitrary classifications and compliance challenges, they said.
Further, they have called for a threshold for reporting data breaches. Currently, the draft rules require firms to notify the Data Protection Board immediately and submit a detailed report within 72 hours. The companies have proposed revising this to ensure only breaches that pose a significant risk to individuals need to be reported.
“We recommend setting a threshold that only requires notice for breaches that are reasonably likely to cause significant harm to data principals. No notice should be required when the personal data is unusable, unreadable, or indecipherable due to encryption or other security measures,” said BSA.
The companies have also opposed the parental consent requirement for individuals under 18 years of age, arguing that it clashes with other international data protection frameworks. They suggest limiting parental consent to children under 13 and applying stricter consent rules only for data fiduciaries handling higher-risk data for teenagers.
Additionally, they have sought a two-year timeline for compliance with the DPDP Act, allowing businesses adequate time to implement the necessary measures.
Another contentious provision is Rule 22, which grants the government authority to access information about users from data fiduciaries or intermediaries under certain circumstances, such as national security. The companies have urged the government to delete this rule or at least amend it to clarify that such data requests should be directed to the data fiduciary rather than an intermediary or processor handling data on its behalf.
The government has maintained that its approach to data localisation will be sector-specific, imposing restrictions only where necessary. Electronics and IT minister Ashwini Vaishnaw had told Fe in an earlier interaction that the intent is not to disrupt cross-border data flows but to ensure localisation where required for citizen safety.