In today’s seamlessly interconnected global economy, cross-border data flows serve as the lifeblood of international business, driving operations, optimising logistics, and fortifying supply. For India, these flows are particularly vital, fuelling its digital economy and positioning the country at the forefront of the Fourth Industrial Revolution by enabling advanced technologies, automation, and innovation. According to the United Nations Conference on Trade and Development (UNCTAD), the international data bandwidth, the primary measure for cross-border data flows in terms of volume, rose by 35% in 2020, marking the largest one-year increase since 2013.

In this context, regulating cross-border data flows becomes imperative to balance economic growth, innovation, and data security. The Digital Personal Data Protection (DPDP) Act, 2023 serves as the cornerstone of India’s data governance framework. The DPDP Draft Rules, 2025 operationalise the Act’s provisions, translating its legal mandates into enforceable mechanisms.

Legislative History of Regulating Cross-Border Data Transfers

India’s approach to regulating cross-border data flows has evolved significantly over the years, shaped by global data governance trends and domestic policy considerations. The discourse gained prominence with the B.N. Srikrishna Committee Report (2018), which laid the foundation for India’s data protection framework. The Committee’s report emphasised the need for a balanced approach—one that ensures data security and privacy while fostering India’s digital economy and global trade participation. It proposed data localisation requirements, arguing that critical personal data should be stored within India to safeguard national interests. These requirements were incorporated into Section 33 of the Personal Data Protection Bill, 2019 which explicitly prohibited the processing of sensitive personal data and critical personal data outside India. However, despite claims that strict data localisation would enhance national security, law enforcement efficiency, and domestic innovation, scholars, civil society, and industry experts have questioned its tangible benefits.

Recognising these concerns, the Digital Personal Data Protection (DPDP) Act, 2023, takes a more flexible approach in Section 16. Instead of blanket localisation mandates, it empowers the Central Government to restrict cross-border transfers to specific countries via notification. Rule 14 of the Draft Rules further gives teeth to the provision by granting absolute discretion to the government in deciding permitted or restricted destinations without any predefined criteria, adequacy framework, or procedural safeguards. This marks a significant shift from earlier prescriptive localisation requirements.

While the government aims to exercise strategic oversight over data exports, the rule, in its present form, raises several concerns. It lacks a structured adequacy assessment framework, grants excessive discretionary power to the Central Government, and fails to provide necessary safeguards against potential misuse. These deficiencies could lead to arbitrary or inconsistent decision-making, misalignment with global best practices, and unintended economic repercussions. The following discussion critically examines the core issues with cross-border data transfers under these rules and explores potential solutions to ensure a robust, transparent, and fair mechanism for the same.

Issues with Rule 14 and their Implications

1. Lack of an Adequacy Assessment Framework

One of the most glaring deficiencies of Rule 14 is the absence of a well-defined framework to evaluate the adequacy of a foreign country’s data protection regime before permitting data transfers. The rule grants the government authority to determine which jurisdictions qualify for data transfers without specifying the parameters guiding such assessments.

On the other hand, other international frameworks such as the OECD Privacy Guidelines (Paragraphs 8 and 9) emphasise that data transfer restrictions must be legitimate, necessary, and narrowly tailored to their objectives. This also aligns with the Supreme Court’s observations in Justice K.S. Puttaswamy v. Union of India, which established the proportionality principle as a fundamental standard for privacy-related restrictions. Rule 14, however, lacks explicit safeguards to ensure that any restriction or approval of data transfers meets these requirements. Potentially, this situation makes it susceptible to legal challenges and international scrutiny.

2. Excessive Discretionary Power to the Central Government

Rule 14 vests disproportionate authority in the executive, allowing the Central Government to regulate cross-border data flows without sufficient legislative or procedural oversight. Beyond being a cornerstone principle established in the Puttaswamy case, the imperative for robust data and procedural safeguards has been consistently reinforced by global institutions such as the OECD and the United Nations.

However, the unchecked discretion provided by Rule 14 creates risks of inconsistent policymaking, lack of accountability, and politically motivated decisions. Businesses, particularly multinational corporations and startups dependent on global data flows, may face unpredictability in compliance requirements, thereby discouraging foreign investment and innovation in India’s digital economy.

A lack of procedural safeguards also raises concerns about potential overreach. Without independent review mechanisms, there is a risk that data flow decisions may be influenced by factors beyond privacy and security considerations, including trade and geopolitical interests. This unpredictability could reduce India’s attractiveness as a data hub and strain international partnerships in digital trade.

3. Absence of Safeguards Against Unwarranted Foreign Access

An equally pressing concern is that Rule 14 does not specify the conditions under which foreign states or organisations can access Indian citizens’ personal data once it is transferred abroad. In the absence of stringent safeguards, there remains a risk that foreign governments—particularly those with expansive surveillance programs—may exploit such transfers for mass data collection. Given India’s increasing digital footprint, protecting its citizens from undue surveillance should be a priority.

In this regard, the Digital Economy Report on Cross-Border Data Flows and Development also highlights concerns about citizens’ personal data being governed by foreign laws that do not provide the same level of protection as domestic regulations. Without explicit due process protections, foreign jurisdictions may use cross-border data access mechanisms in ways that infringe upon individual privacy. This concern is particularly relevant in light of revelations regarding mass surveillance programs by global intelligence alliances such as the Five Eyes. Rule 14 must, therefore, incorporate strong restrictions on data access by foreign governments and entities, ensuring that Indian users’ personal data is not exploited beyond the intended purposes.

Recommendations for Cross-Border Data Transfers

To address these concerns, Rule 14 should be revised to incorporate global best practices and ensure greater transparency, accountability, and predictability.

1. Establish a Clear Adequacy Assessment Framework

India should adopt an adequacy assessment model which outlines specific criteria to evaluate the adequacy of foreign data protection laws. These parameters should include:

• The existence of comprehensive privacy legislation in the recipient country.

• Enforcement mechanisms, including independent regulatory authorities.

• Commitments to international data protection agreements.

• Protection of individual rights, including access to remedies in case of data misuse.

Such a framework would ensure consistency in the decision-making process and enhance India’s credibility in global data governance circles.

2. Introduce Legislative and Independent Oversight

To mitigate the risks of executive overreach, decisions under Rule 14 should be subject to independent review. This can include:

• Requiring parliamentary or judicial oversight for data transfer approvals and restrictions.

• Establishing an independent Data Protection Authority (DPA) with the mandate to evaluate adequacy decisions.

• Providing a mechanism for affected stakeholders—such as businesses, civil society organizations, and individuals—to challenge data transfer restrictions.

Independent oversight would introduce much-needed checks and balances into the system, ensuring that decisions align with constitutional principles and global best practices.

3. Define Clear Safeguards for Foreign Data Access

Rule 14 should include explicit conditions under which foreign governments and entities can access Indian personal data. These conditions should incorporate:

• Due process requirements to ensure any access request is legally justifiable and subject to scrutiny.

• Prohibition of bulk surveillance, thereby limiting access to specified and justified requests.

• Reciprocity conditions, ensuring that Indian authorities have equivalent access to foreign data under similar safeguards.

Such measures would help prevent indiscriminate foreign surveillance while maintaining necessary international data-sharing arrangements.

Conclusion

Rule 14 of the draft DPDP Rules represents a crucial attempt to regulate cross-border data flows in India’s fast-evolving digital landscape. However, in its current form, it suffers from significant shortcomings which not only risk undermining individuals’ privacy rights but also create an unpredictable environment for businesses and international cooperation. To ensure a balanced and effective regulatory regime, the rule needs to implement robust safeguards. A well-structured and proportionate approach will not only enhance digital privacy protections but also position India as a leader in global data governance, striking the right balance between sovereignty, security, and economic growth.

Suhana, an undergraduate student at National Law University, Jodhpur, has contributed this article to the blog.