The National Association of Software and Service Companies (NASSCOM) has urged the government to reconsider the proposed restrictions on cross-border data transfers under the draft Digital Personal Data Protection (DPDP) Rules, 2025.
In its submission to the Ministry of Electronics and Information Technology (MeitY) made on March 5, NASSCOM warned that restrictions on data flows could discourage investment, impact global competitiveness, and increase compliance costs for companies operating across jurisdictions.
NASSCOM’s concerns carry weight, given that India’s IT and digital industries rely heavily on seamless data transfers for global operations, including cloud computing, AI services, and multinational business processes.
Nasscom said that limiting Significant Data Fiduciaries (SDFs) from transferring personal data outside India contradicted the broader intent of the DPDP Act and could create regulatory uncertainty for businesses.
The DPDP Act was passed in the Parliament in August 2023. The rules essentially act as the operating guidelines for implementing the Act. The draft rules were released for consultation on January 3, and the deadline for submitting comments was March 5.
"The new proposal in the Draft Rules to restrict cross-border transfers for Significant Data Fiduciaries (SDF) appears inconsistent with the spirit and objectives of the Act and should be reconsidered," NASSCOM stated.
According the DPDP Act, the government can notify any data fiduciary as SDFs based on the volume of personal data that it processes and other thresholds, and such platforms will be liable to additional compliance.
It argued that since the DPDP Act already provides a mechanism for the government to regulate data flows on a case-by-case basis under Section 16, additional restrictions in Rule 12(4) could create unnecessary compliance burdens.
The industry body recommended either removing this provision entirely or ensuring that businesses can transfer data internationally with appropriate safeguards rather than a blanket restriction.
Beyond cross-border data, NASSCOM also sought greater flexibility in data breach reporting requirements under Rule 7. NASSCOM recommended a tiered approach, where only breaches requiring user action or presenting material risks should be reported.
On children’s data processing under Rule 10, NASSCOM called for clearer exemptions for certain Data Fiduciaries. It highlighted that the strict ban on tracking, behavioral monitoring, and targeted advertising for minors could unintentionally limit access to age-appropriate content and digital services.
NASSCOM also raised concerns over Rule 22, which governs government requests for data. It flagged that the requirement to keep such requests confidential could create legal uncertainty, particularly for foreign businesses processing data in India.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
