The Centre is preparing a "negative list" of countries to which data pertaining to Indian users cannot be transferred, according to a report by The Economic Times.
The change, which is being mooted in the upcoming draft of the Digital Personal Data Protection Bill (DPDPB), 2022, would allow the transfer of data across border to all countries "by default" unless a nation is on the negative list, the Minister of State for Electronics and IT, Rajeev Chandrasekhar said.
"The government will have the right to restrict certain geographies and will decide the criteria for restriction," Chandrasekhar said.
Once the government notifies the list of "blacklisted" countries, transfer of data of Indian users will not to allowed.
Chapter 4 of special provisions in the current draft of the DPDPB under "Transfer of personal data outside India" states: "The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified".
Initially, the Centre was mulling a list of trusted geographies where the data could be transfered. However, after consultation, the government decided to have a "default mode" for cross border data flow and restrict the transfer to "blacklisted" countries.
DH could not independently verify the report.
Experts told the publication that notifying a list of "restricted" countries is a more practical approach.
"There is no immediate disruption. Existing data flows are happening based on several contractual (agreements) with both parties (aware) that their customer data is safe. There are also obligations built into this,” Ashish Aggarwal, head of Public Policy at Nasscom, told the publication.