DPDP: Big Tech must not transfer personal data outside India

04 Jan 2025


The draft Digital Personal Data Protection (DPDP) rules have proposed strict measures for Big Tech companies operating in India.

The firms will have to ensure that their personal data processing algorithms are safe for users, and that certain personal data specified by the Indian government isn't transferred outside the country.

The draft rules were released for public consultation yesterday, with feedback being accepted till February 18.


DPDP Act and its implications for Big Tech
Act details


The DPDP Act was passed in Parliament in August 2023.

It empowers the government to designate any data fiduciary as a significant data fiduciary, depending on the volume of personal data processed, potential risk to users, threat to democracy, etc.

This means that major multinational corporations (MNCs) and big tech platforms could potentially be classified as significant data fiduciaries.


Additional obligations under DPDP rules
Obligations explained


Section 12 of the DPDP rules also lays out extra obligations for these platforms. These include algorithm safety and restrictions on the transfer of personal data.

Specifically, rule 12(3) reads, "A Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals."


Restrictions on data transfer outside India
Data transfer


Rule 12(4) of the DPDP rules requires that certain personal data, as defined by the Indian government, must be processed and stored within the country's borders.

The rule reads, "A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of recommendations of a committee constituted by it is processed subject to restriction that personal data and traffic data pertaining to its flow is not transferred outside territory of India."


Other obligations for Big Tech companies
Compliance requirements


Along with algorithm safety and data transfer restrictions, Big Tech companies are also mandated to conduct a data protection impact assessment and an audit.

They will also have to submit a report of the data protection impact assessment to the Data Protection Board.

These additional compliance measures are aimed at further safeguarding user data and ensuring responsible handling by significant data fiduciaries.


Regulate or limit the transfer of personal data
Data transfer restrictions


According to the draft rules, the government also has the authority to restrict cross-border data transfers to countries, entities, or individuals due to concerns related to national security, sovereignty, or privacy.

These rules will apply to both Indian and international companies.

Rule 14 specifically states that any transfer of data outside India will be subject to general or special orders from the Central government, regarding the sharing of personal data with foreign states, entities, or agencies controlled by those states.