The National Association of Software and Service Companies (NASSCOM) has urged the government to reconsider the proposed restrictions on cross-border data transfers under the draft Digital Personal Data Protection (DPDP) Rules, 2025.
In its submission to the Ministry of Electronics and Information Technology (MeitY), the trade body asserted that the proposal risks causing unintended uncertainty about international data transfers. Additionally, the proposal could impact global competitiveness, and increase compliance costs for companies operating across jurisdictions.
NASSCOM warned that limiting Significant Data Fiduciaries (SDFs) from transferring personal data outside India contradicted the broader intent of the DPDP Act and the move could create regulatory uncertainty for businesses.
“Moreover, the ability of such a restriction to afford meaningful additional safeguards to the processing of personal data remains, at best, questionable,” it said.
In its letter to MeitY, the Internet and Mobile Association of India (IAMAI) has also pushed back against potential restrictions on cross-border data transfers, stating that such measures could isolate Indian companies from the global data economy and raise compliance costs. IAMAI also called for a 24-month implementation period to allow companies to adapt to the regulatory changes.
NASSCOM said, “The new proposal in the Draft Rules to restrict cross-border transfers for Significant Data Fiduciaries (SDF) appears inconsistent with the spirit and objectives of the Act and should be reconsidered.”
Under DPDPA Rules, MeitY proposed certain additional obligations on SDFs including requiring them to take measures to ensure that personal data, as specified by the central government, can only be processed if such personal data and its associated traffic data “are not transferred outside the territory of India.”
The industry body recommended either removing this provision entirely or ensuring that businesses can transfer data internationally with appropriate safeguards rather than a blanket restriction.
NASSCOM recommended greater flexibility in data breach reporting requirements under Rule 7 and urged for a tiered approach. Additionally, on children’s data processing under Rule 10, it called for clearer exemptions for certain DFs.