Monday, November 24, 2025

Youth Express

Youth Express is a Young Thinking News Website.

Shadow

An Insight into Cross Border Data Transfers: Subsequent to DPDP Rules, 2025

youthexpress March 7, 2025 in Editors Choice, Featured, Opinion Tagged , - 5 Minutes
DPDP Rules

An Insight into Cross Border Data Transfers:

Subsequent to DPDP Rules, 2025

The introduction of the Digital Personal Data Protection (DPDP) Rules, 2025 marks an important step towards creating a privacy-compliant environment for our society. Change is inevitable, and so is the reluctance to embrace it. With the advent of new technologies, new forms of data privacy breaches emerge, hence protection of citizen’s data becomes paramount duty of State.

The Digital Personal Data Protection (DPDP) Act, 2023 in India primarily focuses on the protection of digital personal data of individuals. It establishes rules for how organizations collect, process, store, and transfer personal data while ensuring privacy rights.

The DPDP Act covers only “Digital Personal Data,” which meansPersonal Data e.g Any data about an individual (Data Principal) that can identify them directly or indirectly. And Digitally Processed Data i.e. the data collected, stored, or processed in digital form (even if originally collected offline but later digitized).

The Data Under DPDP Act can be classified as:

  • Personal Data, such as (Name, Contact details (phone number, email), Address, Date of birth, Identification numbers (Aadhaar, PAN, Passport, etc.), Financial details (bank accounts, UPI IDs), Biometric data (fingerprints, iris scans, facial recognition), Location data, IP addresses, cookies, and device identifiers (if linked to a person); and
  • Sensitive Personal Data (Though the DPDP Act does not explicitly classify “sensitive” data separately like GDPR, certain types of personal data may require higher protection), such as (Health data (medical records, prescriptions), Financial data (bank details, credit/debit card information), Genetic data, Sexual orientation, Caste, religion (if used for identification)
  • Children’s Personal Data and Data of Individuals with Disabilities.

The adage, “Personal data is the new currency,” underscores the critical importance of safeguarding individual privacy. As personal data becomes increasingly valuable in the digital age, the preservation of privacy rights is more crucial than ever. The Government initially adopted a stringent approach by making Data Localization as the ultimate rule, however, following a regressive response from society, this provision was not incorporated into the DPDP Act, 2023. According to Section 16 of the Digital Personal Data Protection Act, 2023, read in conjunction with Rule 14 of the Draft Rules, 2025, the Central Government shall publish a list of restricted countries to which data cannot be transferred which are still impending. Furthermore, the Central Government shall, by general or special order, specify the requirements that data fiduciaries must follow when data is transferred to foreign countries in respect of certain goods and services.

The implications of the Digital Personal Data Protection Act, 2023, along with the associated Rules, 2025 for cross-border data transfers, shall have significant impacts on businesses as enumerated hereunder:

  • The restriction is not limited to any specific territory but is based on ensuring that a particular state and its agencies do not have access to personal data, irrespective of its location.
  • The Government retains the authority to determine and update, at any time, the list of countries (or their agencies) to which access should be restricted, by means of an order.
  • The extent of measures that a data fiduciary is expected to take to prevent access remains ambiguous, especially with the increasing reliance on cloud-based services that enable access from various geographies via the internet. The drafting indicates that the Government will have significant discretion in determining the countries that should be prohibited from accessing personal data, even at short notice. This adds a layer of uncertainty for businesses in determining appropriate data storage and processing solutions.
  • The Government has introduced the concept of Significant Data Fiduciaries (SDFs). Upon interpreting the Rules, it appears that the Government may impose additional compliance responsibilities on these SDFs, particularly in the context of cross-border data transfers in respect of certain goods and services, alongside other compliance obligations.
  • Continued application based on Sector Laws. This Act is not in derogation but in addition to other laws. Currently, India has cross-border data transfer restrictions across multiple sectors. The Reserve Bank of India mandates that certain categories of payment data, such as transaction information and customer credentials, must be stored within India. Similarly, specific categories of telecommunications data, including subscriber accounting information, cannot be transferred outside India. The insurance sector also has equivalent localization requirements. These restrictions will remain in effect, despite the absence of data localization obligations in the new Act. This practise will continue its existence even after enforcement of the Privacy law as these laws exist in consonance with each other.

While the Act establishes country-specific restrictions on data transfers, Section 17 clarifies that these restrictions may not apply to certain processing activities. The exempted processing activities where such exemptions may be utilized by both the government and private entities, include:

  • Prevention, Detection, Investigation, or Prosecution of Offences under Indian Law
  • Enforcement of a Legal Right or Claim
  • Processing Pursuant to a Contract with a Foreign Entity
  • Processing Pursuant to Legally Approved Mergers, Demergers, Acquisitions, and Other Arrangements between Companies
  • Processing to Ascertain the Financial Position of a Defaulter to a Financial Institution
  • Performance of Regulatory, Supervisory, or Judicial Functions.

In conclusion, as one of the largest internet markets in the world, India has embarked on a revolutionary journey to establish robust data privacy laws with the enactment of the Digital Personal Data Protection (DPDP) Act. This landmark legislation marks a significant step towards safeguarding personal data, fostering a secure digital environment, and aligning with global data protection standards. By implementing the DPDP Act, India is not only addressing the evolving challenges of the digital age but also setting a precedent for comprehensive data privacy regulations in the region.

 

Advocate Ankit Prasad

(Writer is a practicing lawyer at Hon’ble High Court of Delhi)

ankitprasad965@gmail.com

 

Related Posts

ऐसे साफ करें मिक्चर ग्राइंडर, नहीं रहेगी कोई महक
September 9, 2025
ऐसे बनाएं साबूदाना का काठी रोल, बस जानियें आसान सी विधि
September 9, 2025
September 2, 2025

youthexpress

I am a passionate writer. I draw my imagination with words. I can write on any given topic. Currently, I am working as a freelancer and author. A creative mind that wants to explore the whole world with the power of words, heart full of emotions, mind full of creative essence.

Learn More →

Leave a Reply

Your email address will not be published. Required fields are marked *

IND vs SA Head To Head in T20’S IPL 2022: STAT TRACKER