The introduction of the Digital Personal Data Protection (DPDP) Rules, 2025 represents a crucial milestone in India’s journey toward creating a privacy-compliant environment in the digital age. As new technologies continue to evolve, so do new risks and privacy challenges. Consequently, the protection of citizens’ data has become one of the state’s most pressing duties.
The Digital Personal Data Protection (DPDP) Act, 2023, focuses on safeguarding digital personal data, setting forth regulations for how organizations collect, process, store, and transfer personal data while ensuring individuals’ privacy rights. As data becomes increasingly valuable, the need for robust privacy protections has never been clearer.
Understanding Personal Data Under the DPDP Rules
The DPDP Act applies to “Digital Personal Data,” defined as any information about an individual that can identify them, directly or indirectly, and any data that is collected, processed, or stored in a digital format—even if originally collected offline and later digitized.
Personal data can be classified into:
- Personal Data: This includes identifiable information like name, contact details (phone numbers, emails), address, identification numbers (e.g., Aadhaar, PAN, Passport), financial details (bank accounts, UPI IDs), biometric data (fingerprints, iris scans), and more.
- Sensitive Personal Data: While the DPDP Act, unlike the GDPR, does not explicitly classify sensitive data, certain types of personal data require heightened protection. Examples include health data, financial details, genetic data, and even sensitive categories like sexual orientation, religion, and caste (when used for identification purposes).
- Children’s Personal Data and Data of Individuals with Disabilities: These categories are also given special protection under the DPDP Act.
The saying “Personal data is the new currency” emphasizes the growing value of personal information in today’s digital economy. Thus, safeguarding privacy is essential, not only for individual rights but also for national security and economic stability.
Cross-Border Data Transfers: The Shift Toward Global Compliance
One of the most significant aspects of the DPDP Act is its focus on cross-border data transfers. Initially, it promoted data localization, requiring all personal data to be stored in India. However, due to concerns raised by businesses and industry players, this provision was excluded from the final version of the Act.
Instead, Section 16 of the DPDP Act, read alongside Rule 14 of the Draft Rules (2025), stipulates that the Central Government will maintain a list of restricted countries—those to which personal data cannot be transferred. While the specifics of this list are yet to be finalized, it indicates that data can only be transferred to countries that meet the required standards for data protection, ensuring that Indian citizens’ privacy rights are not compromised.
Implications of the DPDP Act on Businesses
The DPDP Act has significant implications for businesses, especially in the context of cross-border data transfers:
- Geopolitical Restrictions: Data transfer restrictions are not bound by territoriality but are primarily focused on preventing unauthorized access by certain foreign governments or agencies. The Central Government retains the authority to modify the list of restricted countries at any time, which could affect the global data flow for businesses operating in or with India.
- Uncertainty for Cloud-Based Services: As organizations increasingly rely on cloud infrastructure, which inherently spans multiple jurisdictions, the uncertainty around cross-border data transfers becomes even more critical. Businesses must navigate these ambiguities to ensure compliance with India’s data protection requirements.
- Significant Data Fiduciaries (SDFs): The DPDP Act introduces the concept of Significant Data Fiduciaries (SDFs)—entities that handle large amounts of personal data or handle sensitive categories of data. SDFs may face additional compliance requirements, particularly regarding cross-border data transfers. These obligations are still evolving but are expected to be more stringent.
- Sector-Specific Laws and Regulations: The DPDP Act is not the only law governing data privacy and transfers in India. Other sector-specific regulations, such as those issued by the Reserve Bank of India (RBI), mandate that certain types of financial and payment data be stored within India. Similarly, there are restrictions in the telecommunications and insurance sectors regarding cross-border data transfers. These sector-specific rules will remain intact even after the DPDP Act is fully enforced, requiring businesses to comply with both sets of regulations.
Exemptions to Cross-Border Data Transfer Restrictions
While the DPDP Act imposes restrictions on cross-border data transfers, Section 17 clarifies certain exemptions where such restrictions may not apply. These include:
- Prevention, Detection, Investigation, or Prosecution of Offences: Data transfers are permitted if they are necessary for law enforcement activities.
- Enforcement of Legal Rights or Claims: Transfers related to legal rights, such as contracts or litigation, are exempt.
- Processing according to a Contract with a Foreign Entity: If data processing is part of an international business contract, such transfers are allowed.
- Mergers, Demergers, and Acquisitions: Data can be transferred to facilitate corporate restructuring or financial activities.
- Performance of Regulatory or Supervisory Functions: Regulatory bodies and supervisors may have the authority to transfer data across borders when required for compliance.
Conclusion: A Step Towards Robust Data Protection
India, as one of the largest internet markets globally, is at the forefront of establishing comprehensive data protection regulations. With the enactment of the DPDP Act, 2023, and the forthcoming DPDP Rules, 2025, India is taking significant strides toward safeguarding personal data and privacy, aligning with international standards such as the GDPR.
The DPDP Act not only addresses the evolving challenges of the digital age but also sets a precedent for other countries in the region. It protects the right to privacy and allows businesses to operate in a secure and data-compliant environment.
As India continues to shape its data protection framework, businesses must adapt to the changing legal landscape, especially regarding cross-border data transfers. The evolving rules and regulations present both challenges and opportunities for those who are proactive in ensuring compliance.
Advocate Ankit Prasad
(The writer is a practicing lawyer at the Hon’ble High Court of Delhi)
ankitprasad965@gmail.com