USTR Highlights Challenges in India's DPDP Act and IT Rules

Concerns raised over deemed consent mechanisms affecting credit information companies' operations in India.
Surya

Introduction

India's Digital Personal Data Protection (DPDP) Act, 2023 — the country's first comprehensive data protection law — has emerged as a flashpoint in India-US trade relations, with the USTR's 2026 National Trade Estimate Report flagging its provisions on credit data, cross-border flows, and content moderation as potential trade barriers.

"Data is the new oil, but unlike oil, its value multiplies when it flows freely across borders."

| Indicator | Figure |
| --- | --- |
| India's projected digital economy (2030) | $1 trillion |
| USTR report release date | March 31, 2026 |

Key Concepts

| Term | Meaning |
| --- | --- |
| Data Fiduciary | Entity that determines the purpose and means of processing personal data |
| Deemed Consent | Consent assumed by law for certain legitimate purposes without explicit user action |
| CIC (Credit Information Company) | Entities like CIBIL that collect and process credit data from financial institutions |
| Data Localisation | Requirement to store and process data within national borders |
| DPDP Rules | Subordinate regulations under the DPDP Act, 2023, notified by the Central Government |

Background & Context

The DPDP Act, 2023 replaced the earlier Personal Data Protection Bill framework and came into force with rules notified in 2025. While it aligns India with global data governance trends (EU's GDPR, US state-level privacy laws), its specific provisions on consent architecture, cross-border transfers, and government access to data have drawn scrutiny from US trade bodies.

The USTR's annual NTE Report is a key instrument of US trade policy — it identifies foreign practices that impede American commercial interests and often precedes formal trade consultations or WTO disputes.


Core Issues Flagged by USTR

1. Absence of Deemed Consent for Credit Information Companies (CICs)

  • Financial institutions share individual credit data with CICs (e.g., CIBIL, Experian India, Equifax India) to generate credit scores.
  • The DPDP Act lacks a deemed consent provision for this flow — meaning explicit user consent may be required at each stage.
  • This could disrupt the operational model of credit bureaus, including US-headquartered bureaus operating in India.
  • Credit scoring underpins retail lending, home loans, and MSME finance — making this operationally significant for India's financial sector as well.

2. Cross-Border Data Transfer Restrictions

  • The DPDP Act allows the Central Government to restrict data transfers to specific countries through notification — a provision the USTR views as discretionary and opaque.
  • The RBI already mandates financial data storage within India, which the USTR argues hampers fraud detection and global network security management.
  • These provisions effectively create a two-layer localisation regime: one under the DPDP Act, another under sectoral regulators like RBI and SEBI.

3. Government Access to Personal Data

  • The Rules permit disclosure of personal data to the Indian Government, raising concerns about surveillance and commercial confidentiality.
  • US stakeholders view this as inconsistent with data minimisation principles.

4. IT Rules, 2021 — Criminal Liability & Takedowns

  • The Intermediary Guidelines and Digital Media Ethics Code (IT Rules, 2021) impose personal criminal liability on individual employees for non-compliance.
  • Compliance deadlines are viewed as impractical by US firms.
  • Since 2021, there has been a rise in politically motivated content and account takedown requests directed at US platforms.

5. Internet Shutdowns

  • India leads globally in internet shutdowns — over 100 shutdowns per year in recent years.
  • USTR notes these disrupt commercial operations and undermine digital trade.

Comparative Perspective

| Parameter | India (DPDP Act) | EU (GDPR) | USA (Federal — No Single Law) |
| --- | --- | --- | --- |
| Consent Model | Explicit + deemed (limited) | Legitimate interest as basis | Sector-specific (HIPAA, FCRA) |
| Cross-border Transfer | Government-notified whitelist | Adequacy decisions | Bilateral arrangements (Privacy Shield successor) |
| Data Localisation | Sectoral (RBI, SEBI) + potential DPDP | Not mandated | Not mandated |
| Regulator | Data Protection Board (DPB) | Data Protection Authorities (DPAs) | FTC + sector regulators |
| Criminal Liability (Intermediaries) | Yes (IT Rules) | Limited | Limited |

Implications & Challenges

For India:

  • Overly restrictive data rules could deter FDI in digital services and limit India's integration into global data supply chains.
  • Friction with the US could affect broader India-US trade negotiations, including the ongoing efforts to restore GSP benefits.
  • Lack of clarity on deemed consent may slow credit penetration in semi-urban and rural India where CIC-based scoring is critical for financial inclusion.

For US Firms:

  • Compliance uncertainty increases operational costs for financial data companies, cloud service providers, and social media platforms.
  • Criminal liability exposure for local employees creates talent and governance risks.

For Global Digital Governance:

  • India's approach reflects a broader tension between data sovereignty (asserting national control) and data liberalisation (enabling free flows for economic growth).
  • This mirrors similar friction between the EU and US over GDPR's extraterritorial reach.

India's Position & Rationale

India's data governance posture is shaped by legitimate concerns:

  • National security and protection from foreign surveillance.
  • Regulatory capacity — ensuring Indian authorities can access data for law enforcement.
  • Digital colonialism concerns — preventing foreign platforms from extracting value without accountability.

The DPDP Act's framework also explicitly preserves the supremacy of sectoral regulations where they provide greater protection — giving RBI, SEBI, and TRAI continued authority in their domains.


Conclusion

The USTR's flagging of India's DPDP Act reflects a deeper structural tension: India's sovereign right to regulate data versus the expectations of an open, rules-based digital trade order. The absence of deemed consent for CICs is not merely a technical gap — it signals the broader challenge of designing data laws that serve domestic governance goals without inadvertently excluding India from global digital commerce. As India aspires to be a $10 trillion economy, the design of its data governance architecture will be as consequential as its tariff policy. Bridging this gap requires not just legislative refinement but sustained bilateral engagement — ideally through a formal India-US Digital Trade Agreement.

Quick Q&A

Everything you need to know

Overview of the DPDP Act: The Digital Personal Data Protection (DPDP) Act is India’s primary legislation governing the collection, processing, and storage of personal data. It introduces key concepts such as data fiduciaries, consent-based data processing, purpose limitation, and accountability. The law aims to balance individual privacy rights with the need for data-driven innovation in the economy.

Impact on Credit Information Companies (CICs): CICs, such as credit bureaus, rely heavily on access to financial data to generate credit scores and reports. The absence of a “deemed consent” mechanism under the DPDP framework means that CICs may need explicit consent from individuals for each data-sharing instance. This could disrupt their traditional operations, where data flows seamlessly from financial institutions to credit bureaus.

Implications: For example, if a bank cannot automatically share borrower data with a CIC, the efficiency of credit assessment may decline. This could affect loan approvals, especially for individuals without extensive credit histories. While the Act strengthens privacy protections, it also raises concerns about operational feasibility and financial inclusion, particularly in a data-driven credit ecosystem.

Concerns Over Regulatory Burden: The USTR has highlighted that certain provisions of the DPDP Act and related rules impose potentially burdensome compliance requirements on data fiduciaries, including foreign firms. These include obligations related to data storage, processing, and disclosure to government authorities, which may increase operational costs and complexity for multinational companies.

Issues of Data Localisation and Cross-Border Transfers: Another major concern is India’s approach to data localisation and restrictions on cross-border data flows. The government retains the power to restrict data transfers to specific countries. Additionally, mandates such as the Reserve Bank of India’s requirement to store financial data locally are seen as barriers to global data integration, affecting fraud detection and network security.

Broader Trade Implications: From a trade perspective, these regulations may hinder the growth of the digital economy and reduce foreign investment. For instance, US-based credit bureaus or tech firms may find it difficult to operate efficiently under such constraints. Thus, the USTR views these measures as non-tariff barriers that could impact bilateral trade and services exports.

Understanding Data Localisation: Data localisation refers to policies that require data to be stored and processed within a country’s borders. While such measures are often justified on grounds of data sovereignty, privacy, and national security, they can have significant economic implications.

Impact on Businesses and Innovation: Restricting cross-border data flows can limit the ability of firms to leverage global data networks. For example, multinational financial institutions rely on integrated systems to detect fraud patterns across jurisdictions. Localisation mandates may fragment these systems, reducing efficiency and increasing costs.

Case Illustration: Consider a global payment company that uses centralized servers to monitor transactions. If required to store and process data locally in India, it may need to duplicate infrastructure, leading to higher operational costs. While this may benefit domestic data infrastructure, it could also discourage foreign investment. Thus, the challenge lies in balancing economic efficiency with regulatory sovereignty.

Key Provisions of IT Rules, 2021: The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, impose obligations on digital platforms regarding content moderation, user data handling, and compliance mechanisms. While intended to ensure accountability, certain provisions have raised concerns among foreign stakeholders.

Specific Issues Highlighted:

  • Criminal liability: Individual employees of companies can be held personally liable for non-compliance.
  • Strict compliance timelines: Firms must adhere to tight deadlines for content takedowns.
  • Content regulation: Increased takedown requests, sometimes perceived as politically motivated.

Implications: These provisions may create a chilling effect on digital platforms, discouraging innovation and free expression. For example, a social media company may over-comply with takedown requests to avoid legal risks, potentially affecting user rights. Thus, while the rules aim to enhance accountability, they also raise concerns about regulatory overreach and ease of doing business.

Need for Data Protection: Strong data protection laws like the DPDP Act are essential for safeguarding individual privacy, preventing data misuse, and building trust in the digital economy. In an era of increasing data breaches and surveillance concerns, regulatory frameworks are necessary to ensure accountability of data handlers.

Challenges for Businesses: However, stringent regulations can impose compliance costs, operational constraints, and legal uncertainties. For instance, requirements such as explicit consent, data localisation, and government access to data may deter foreign firms and complicate business operations. This is particularly relevant for sectors like fintech and e-commerce, which rely heavily on data flows.

Balancing the Trade-off: The key challenge is to strike a balance between protecting citizens' rights and promoting economic growth. Countries like the European Union, through GDPR, have attempted such a balance, though not without criticism. India must adopt a pragmatic approach that ensures robust data protection while maintaining an enabling environment for innovation and investment. A calibrated, transparent, and consultative regulatory framework is essential for achieving this balance.

Understanding Internet Shutdowns: Internet shutdowns are often imposed by governments for reasons such as maintaining public order or national security. However, they have significant economic and social consequences, particularly in a digital-first economy.

Economic and Trade Impacts: Shutdowns disrupt business operations, e-commerce, digital payments, and communication networks. For example, during prolonged shutdowns in regions like Jammu & Kashmir, businesses faced severe losses due to the inability to conduct online transactions or access digital services. Such disruptions can undermine investor confidence and affect international trade relationships.

Broader Implications: From a global perspective, frequent shutdowns may be seen as barriers to a free and open internet, impacting cross-border digital trade. For instance, IT and outsourcing firms depend on uninterrupted connectivity to serve global clients. Repeated disruptions can damage India’s reputation as a reliable digital services hub. Therefore, while security concerns are valid, the use of shutdowns must be proportionate, transparent, and limited to minimise economic harm.
