NLR BLOG

BY NLIU LAW REVIEW

Tall Walls, Long Shadows: Data Localisation in the Draft DPDP Rules 2025

Kashika Jain

February 17, 2025

The draft Digital Personal Data Protection Rules (“DPDP Rules”) notified earlier this month seek to balance regulation and innovation in the implementation of the Digital Personal Data Protection Act, 2023 (“the Act”) by delineating rights of data principals and obligations of data fiduciaries. Key provisions relating to the role of consent manager, intimation of data breach, constitution of the Board among others have been introduced. Processing of personal data outside India has been dealt with in Rule 14, stating that such transfer in relation to offering goods and services will be subject to conditions notified by the Central Government in this respect.

This mandate of ‘data sovereignty’ is a departure from the principles of the Act in more ways than one. While the Act prescribes a negative list by restricting transfer of personal data to specified countries, the draft rules restrict the transfer overseas of all classes of data processed by all data fiduciaries. The rules thus seem to expand the scope of restriction, rather than expanding the criteria on the basis of which restrictions will be imposed. This article examines this deviation’s economic outcomes to highlight the avoidability of trade-offs being made in the path to robust data protection framework.

Tilting The Playing Field in Favour of Home Industry

The economic outcomes of restriction on transfer of data for the purpose of provision of goods and services are not difficult to foresee. There may be a hike in compliance costs for foreign players, particularly technology giants, who will need to invest in the construction of regional infrastructure to process and store data, in lieu of leveraging their existing cloud computing technology. An OECD report suggests that these types of restrictions can lead to increases in data management costs for these companies by around 55%. Further, depending on the nature of conditions imposed by the Centre, the possibility of absolute bar on access to certain classes of data by foreign entities cannot be overruled. The challenges flagged in other provisions can help us gauge its impact: difficulty in obtaining verifiable parental consent for processing children’s data as per the draft rules is feared to cause reduction in quality of services, particularly ones that rely on consumer preferences like content creation. It may also lead to reduction in marketing efficiency due to limitations on targeted advertisement. Further, bigger companies might be awarded a competitive advantage over smaller companies in operationalising this provision, owing to larger data sets and greater flexibility in data infrastructure.

Similar challenges are likely to be faced not just by foreign players when dealing with provisions of data localisation, but also by small domestic players reliant on foreign-based cloud computing services. Such an increase in operational and compliance costs, in addition to likely unequal access to consumer data, thus confers a significant competitive edge to domestic players. The desirability of this outcome depends ultimately on its costs.

China’s Experience with Protectionism’s Trade Offs

‘Data is the new oil’ is a phrase that captures the zeitgeist like no other. Further, much like other kingpins of the zeitgeist, it is no exception to the rhyme of history. The rise of high trade barriers around the new digital economy may be succeeded by the fate of protectionist measures not unknown to public policy discourse. Although a boost to the domestic industry is advantageous, it will be at the risk of securing long-term interests of the consumers, given that with little competition, players lose the incentive to improve economic efficiency and innovate.

The experience of China, a country that regards data as a national basic strategic resource, can lend us some key insights in this sphere. China introduced the Cybersecurity Law in 2016, and subsequently the Personal Information Protection Law in 2021, with provisions protecting data sovereignty and promoting its local data industry. Chapter III dealing with cross border transfer of data mandates processing of certain classes of data within its territory. Chinese technological companies Alibaba, Huawei, and Tencent Cloud dominate the local market, driving foreign players like Amazon Web Services and Microsoft Azure to the sidelines. However, the technology sector is grappling with ‘involution’, a state characterised by ‘intense domestic competition in a maturing market’, leading to diminished returns despite high investment. Various studies show ways in which the monopoly status of these companies has stifled innovation in different sectors such as financial services and mobile data services. Restrictive policies further threaten China’s leadership in the digital economy, following the shift of supply chains to countries like Vietnam, and recognition of Singapore as the global fintech hub. For China however, the quick transmutation of data sovereignty into internet sovereignty and consequent censorship seems to be a much more pressing concern.

The Way Forward

The preamble of the DPDP Act, 2023 prioritises processing of data in a manner that “recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes”. Legitimate business interests are therefore part of the equation. The author does not seek to diminish the mandate of data localisation itself, and is in complete recognition of its advantages that move beyond simple enhancement of privacy and security of national interests to include strengthening of India’s bargaining power as a large generator of consumer data. It is only the inadvertent deficiencies marking the rules that operationalise this mandate which are sought to be brought to light.

Concerns surrounding transfer of data arise because it becomes more challenging to exercise adequate control over data once it leaves the borders of its origin. Alternative ways to assuage these concerns have been conceived by the Justice B.N. Srikrishna Committee constituted by the Ministry of Electronics and Information Technology (“MeitY”) in 2017 to recommend a data protection framework for India. Their 2018 Report for a ‘Free and Fair Digital Economy’ recommended entity-led transfers governed by mandatory model clauses that confer key obligations on them. Model clauses allow businesses to process data more freely outside the originating jurisdiction, without exempting them from the requirement of security and privacy of data. The committee further gave due weight to a ‘positive list’ of countries where data can be transferred freely. Both these recommendations bear resemblance to EU’s GDPR provisions of standard contract clauses and the adequate level of protection exemption to non-EU countries. 

The DPDP Act undoubtedly marks a significant milestone in India’s journey towards robust data governance. Nevertheless, ensuring that data localization strengthens both sovereignty and economic growth demands carefully calibrated rules. A pragmatic approach can minimise unnecessary trade-offs and assure sustainable welfare of all stakeholders.

This blog is written by Kashika Jain, 2nd Year B.A.LL.B student at RGNUL.

More Blogs