Chennai: While data is a critical economic asset, the Digital Personal Data Protection (DPDP) Act, 2023, allows free transfer of data outside India except to “blacklisted countries”. However, the law does not specify the names of these countries. In order to maintain data sovereignty, India should mandate multinational big tech companies and hyperscalers to create localized data centres in India and ask them to store data within the country.
“The DPDP law says that data can be freely transferred outside India. However, data cannot be transferred to blacklisted countries. So ultimately, who these blacklisted countries are, that is a question which the government has not answered yet,” said Dhruv Kaushal, Partner, Data Privacy, King Stubb & Kasiva, in an interaction with Financial Chronicle.
If sectoral regulators such as the RBI or IRDAI require localisation, the companies must comply and store data within India. “Whether India will eventually mandate localisation more broadly remains an open question,” he said.
Data is the new oil and if India cannot monetise its data, support startups or create value from this resource, it risks significant economic losses. Cross-border data transfers should ideally be limited to jurisdictions that provide protections equivalent to those available in India.
While trade agreements can be beneficial because they can establish mutual recognition of trusted data protection frameworks and facilitate economic growth, one of the biggest concerns with regard to trade deals is data security. “We need clarity on what security standards apply and under what circumstances foreign governments can access Indian citizens’ data.
“If data simply flows from India to another country without reciprocity, India loses both revenue opportunities and control over how that data is protected. That is why any data-related trade arrangement must be bilateral and mutually beneficial,” he added.
While the DPDP Act provides a legal framework to protect personal data and establish accountability among companies handling it, concerns remain over government exemptions, cross-border data flows, the preparedness of businesses for compliance, and the country’s ability to safeguard its collective data interests.
The law empowers the Data Protection Board of India to investigate violations and impose penalties of up to Rs 250 crore on entities that fail to comply with data protection obligations.
However, concerns remain over the exemptions available to government agencies under the DPDP framework. While there are no blanket exemptions, government bodies can process data without consent in specific circumstances related to national security, public interest and crime prevention. Certain obligations, such as complying with requests for data erasure, may also not apply in all cases. Kaushal said judicial oversight and independent regulators would play a crucial role in ensuring these powers are not misused.
The law will become effective in May 2027. Businesses have been given time to prepare, but many organisations are still unaware of the scale of compliance required.
Disclaimer : This story is auto aggregated by a computer programme and has not been created or edited by DOWNTHENEWS. Publisher: deccanchronicle.com
