India has finalised and notified the DPDP Rules, which will operationalise the Digital Personal Data Protection Act, 2023. While the Act and its rules enable the central government to control cross-border personal data transfers, including blocking transfers to specific countries, they also raise questions about how these powers will interact with existing agreements, such as the Mutual Legal Assistance Treaty (MLAT), and laws like the US’s RISA Act.
For context, Section 16(1) allows the government to restrict data transfers to certain countries, Rule 15 requires data fiduciaries to follow government-imposed conditions before sending data abroad, and Section 17(2)(a) exempts certain state agencies from most compliance obligations when they process data for “national security” or for “maintaining friendly relations with foreign states.”
What Has Changed in the Final Rules?
While there aren’t major changes, the Rules have been modified slightly, simplifying the framework for cross-border transfers of personal data by removing earlier conditions that detailed where and why data was processed.
The previous draft applied to data processed in India and to data processed abroad when companies offered goods or services to individuals in India. Both jurisdictional clauses have now been removed. The final text states that a data fiduciary may transfer personal data outside India if it meets the requirements specified by the Central Government. The heading now reads: “Transfer of personal data outside the territory of India.”
These changes streamline interpretation and place the burden of compliance with future government conditions on the process, rather than on determining processing locations or service boundaries. The government retains the power to decide which foreign states, entities, or agencies may receive personal data from India. The updated provision offers a clearer path: if data falls under the Act, its transfer abroad depends on government-specified requirements. This makes the rule more flexible, less ambiguous, and easier for domestic and foreign data fiduciaries to implement.
What if Rule 15 Conflicts with Other Indian Laws?
Because the Indian government decides which countries may receive citizens’ data, a key question is how authorities will handle conflicts among different laws. India rarely has statutes mandating the sending of personal data abroad. Most cross-border transfers operate through multilateral agreements, extradition treaties, and cooperation arrangements that rely more on diplomatic relationships than on legally enforceable mandates.
Referring to such potential conflicts, Shruti Kanodia, Managing Partner at Sagus Legal, said, “Sub-section (2) of Section 16 of the Act stipulates that where any other law in force in India prescribes a higher level of protection or additional restrictions on the transfer of personal data by a Data Fiduciary, such law shall continue to…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
