Provisions on data localisation in the draft rules released Friday could intensify tensions with the US and disrupt the operations of global tech giants.
The draft of Digital Personal Data Protection Rules, 2025 requires companies such as Meta, Google, Apple and Amazon to seek explicit government approval before transferring personal data abroad.
The measures, which significantly tighten earlier provisions, could complicate the sharing of Indian citizens’ data with foreign governments, particularly the US.
The regulations add to growing friction between the two countries over data governance. The US law, including the Reforming Intelligence and Securing America Act (RISAA), mandates that American companies share foreign citizens’ data with US intelligence agencies.
This conflict could leave companies caught between the legal obligations of two major markets.
The situation mirrors longstanding legal clashes between the US and the European Union over cross-border data transfers.
The EU has challenged US surveillance practices as violations of privacy rights, leading to the collapse of frameworks such as the EU-US Privacy Shield.
Industry analysts say India’s regulations could follow a similar trajectory, potentially sparking legal challenges and diplomatic standoffs.
Legal experts and tech firms have expressed concerns about the implementation of the rules.
Jidesh Kumar, managing partner at King Stubb & Kasiva, Advocates & Attorneys, said the rules lack specificity. “There are no detailed enforcement mechanisms or clear guidelines on cross-border data transfers beyond compliance with government regulations.”
Rahul Sundaram, partner at IndiaLaw LLP, called for stronger provisions. “The government should mandate simplified privacy notices and require companies to notify individuals of data breaches within 72 hours, aligning with global standards like the GDPR,” Sundaram said.
The new rules underscore India’s assertiveness in safeguarding its digital sovereignty. The government’s emphasis on controlling the flow of its citizens’ data reflects a broader global trend of prioritising national interests over global connectivity.
Karnnika Seth, a Supreme Court advocate specialising in cyber law, noted that the regulations propose a “blacklist” system for cross-border data flows.
A government-appointed committee will decide which countries are restricted from receiving sensitive data such as health and financial records.
Sector-specific laws, including those from regulators such as the Reserve Bank of India and the Securities and Exchange Board of India, may impose stricter requirements than the DPDP Act, further complicating compliance.
Child privacy
Separate draft rules under the DPDP Act, which require parental consent for minors under 18 to access online services, have ignited a heated debate.
Critics, including the Internet Freedom Foundation, warn that such measures could lead to mass surveillance by linking government-issued IDs to users’ online activities.
“The provisions risk violating principles of data minimisation and retention limitations,” the foundation said in a statement, adding that they could result in the over-collection and prolonged storage of personal data.
N.S. Nappinai, a leading cyber law expert, expressed disappointment in areas such as child data protection. “The emphasis on protection and exemptions with respect to child data is welcome, but more was expected, particularly on standards for parental consent. That’s now left to the platforms to formulate,” she said.
Probir Roy Chowdhary, partner at JSA Advocates & Solicitors, raised concerns about age-gating for child data and verifying parental consent. “The rules are ambiguous about the ability of a data fiduciary to confirm that the consenting adult is the actual parent or guardian of the child,” he noted.
Akshaya Suresh, also a JSA partner, welcomed some aspects of the rules. “They provide clarity on the role of consent managers, minimum security safeguards and responsibilities of significant data fiduciaries,” she said.
