Draft DPDP Rules Diverge From Act’s Position On Data Flows: Trade Bodies

Nine trade bodies, including the Information Technology Industry Council and US-India Business Council, have raised concerns over the draft Digital Personal Data Protection (DPDP) Rules, stating they contradict the Act’s support for cross-border data flows.

In a letter dated May 21 to the Ministry of Electronics and Information Technology (MeitY), the signatories flagged potential new data localisation provisions under Rules 12 and 14. They urged clarity on scope, process, and implementation timelines. The bodies also requested a two-year window before the enforcement of Rules 3–15, 21, and 22. Rule 22, they noted, may allow broad government access to private data without safeguards. The associations support global frameworks like the CBPR and advocate for exclusions around credit data to aid financial inclusion and fraud prevention. They also stressed the need for clear, risk-based thresholds for personal data breach reporting.