📑 Part 2 of 5

Rule 14: Transfer Requirements

Deep dive into Rule 14 DPDP Rules 2025 — understanding foreign State data availability requirements and their impact on cross-border personal data transfers.

5.7 Introduction to Rule 14

While Section 16 DPDPA establishes the blacklist framework for transfer restrictions, Rule 14 DPDP Rules 2025 adds an additional compliance layer. It addresses a specific concern: what happens when transferred data becomes available to foreign States or their controlled entities?

Rule 14 reflects India's strategic concerns about data sovereignty and national security. Even if a destination country isn't blacklisted under Section 16, Rule 14 imposes conditions on how that data can be made available to foreign governments.

💡 Key Insight

Rule 14 doesn't prohibit transfers — it regulates the conditions under which transferred data can be shared with foreign State actors. This is a separate compliance layer from Section 16.

5.8 Rule 14: The Complete Text

Anatomy of Rule 14

Breaking Down the Provision

Scope
"Transfer to any country or territory outside India"

Covers ALL cross-border transfers, not just to specific countries. Rule 14 applies universally.

Coverage (a)
"personal data processed... within the territory of India"

Data originally collected and processed in India that is then transferred abroad.

Coverage (b)
"outside the territory of India in connection with... offering goods or services"

Extraterritorial scope — foreign entities serving Indian Data Principals.

Restriction
"meet such requirements as the Central Government may... specify"

Empowers Government to impose conditions via general or special orders.

Target
"making such personal data available to any foreign State, or to any person or entity under the control of... such a State"

Focuses on government access — direct or through controlled entities/agencies.

5.9 Scope & Applicability

Who Does Rule 14 Apply To?

Indian Data Fiduciaries

Any organization processing personal data in India that transfers data abroad

Foreign Entities

Companies outside India that offer goods/services to Indian Data Principals

Data Processors

Through the Data Fiduciary's obligations — processors must enable compliance

What Transfers Are Covered?

| Transfer Type | Covered? | Example |
| --- | --- | --- |
| Cloud storage abroad | ✅ Yes | Indian company using AWS Singapore for customer data |
| Intra-group transfers | ✅ Yes | Indian subsidiary sending HR data to US parent company |
| Vendor processing | ✅ Yes | Outsourcing analytics to a German data processor |
| Foreign entity serving Indians | ✅ Yes | US social media company processing Indian users' data |
| Transit through foreign servers | ⚠️ Potentially | Data routing through foreign nodes during transmission |

⚠️ Extraterritorial Reach

Rule 14(b) mirrors Section 3(b) DPDPA's extraterritorial scope. A company based entirely outside India that offers services to Indians and processes their data is subject to Rule 14 requirements regarding foreign State access.

5.10 The "Foreign State" Concept

Rule 14 targets data availability to foreign States and their controlled entities. Understanding this scope is crucial for compliance.

What Constitutes "Foreign State Access"?

  • Direct government requests: Law enforcement, intelligence, or regulatory demands for data
  • Compulsory legal processes: Subpoenas, court orders, or statutory obligations in foreign jurisdictions
  • National security orders: FISA requests (US), investigatory powers orders (UK), etc.
  • State-owned enterprises: Entities controlled by foreign governments
  • Government agencies: Tax authorities, regulatory bodies, intelligence services

"Person or Entity Under Control of... a State"

This phrase captures:

  1. State-owned enterprises (SOEs): Companies where the government holds majority ownership or effective control
  2. Government contractors: Private entities operating under government contracts with data access
  3. Regulated entities with mandatory disclosure: Banks, telecoms, and others required by foreign law to share data with authorities
  4. Intelligence agency intermediaries: Companies known to cooperate with foreign intelligence services

Practical Scenario: Cloud Provider in Country X

Situation: An Indian e-commerce company uses a cloud provider headquartered in Country X. Country X has laws requiring cloud providers to give government agencies access to stored data upon request without user notification.

Analysis: This triggers Rule 14 concerns. The cloud provider, while not "controlled" by the State, is legally obligated to make data available to the foreign State. The Indian company must ensure it meets any Central Government requirements regarding such arrangements.

5.11 General vs Special Orders

Rule 14 empowers the Central Government to specify requirements through two mechanisms:

General Orders

Broadly applicable rules affecting all or classes of Data Fiduciaries — published for universal application

Special Orders

Targeted requirements for specific Data Fiduciaries, sectors, or situations — more flexible but less predictable

What Requirements Might Be Specified?

While no orders have been issued as of January 2025, potential requirements could include:

| Potential Requirement | Description | Compliance Impact |
| --- | --- | --- |
| Prior notification | Inform Indian authorities before sharing with foreign State | Administrative process + documentation |
| Consent requirement | Obtain Data Principal consent before foreign State access | Consent flow modifications |
| Data categories | Prohibit certain data types from foreign State access | Data classification + segregation |
| Country restrictions | Specific rules for data in certain jurisdictions | Jurisdiction-specific compliance |
| Technical measures | Encryption, anonymization, or access controls | Technical implementation |
| Contractual requirements | Specific clauses in processor agreements | Contract renegotiation |

✅ Proactive Compliance

Even without specific orders, prudent organizations should: (1) map data flows to identify foreign State access risks, (2) include contractual provisions addressing government access in vendor agreements, and (3) establish processes to respond to foreign government requests consistently with Indian law.

5.12 Relationship with Section 16

Two Parallel Frameworks

Section 16 and Rule 14 operate in parallel, each addressing different concerns:

Dual Compliance Framework

Section 16: Is destination country blacklisted? → If No: Transfer permitted → Rule 14: Foreign State access requirements met? → If Yes: Transfer compliant

| Aspect | Section 16 | Rule 14 |
| --- | --- | --- |
| Focus | Destination country | Foreign State access |
| Trigger | Country on blacklist | Data availability to foreign State |
| Effect | Transfer prohibited | Transfer conditional |
| Mechanism | Gazette notification | General or special orders |
| Current status | No blacklist published | No orders issued |

🎯 Key Distinction

Section 16 asks: "Can I transfer to this country?"
Rule 14 asks: "What happens when foreign governments want access to the transferred data?"

5.13 Compliance Strategies

Immediate Actions

  1. Data Flow Audit: Map all cross-border transfers and identify where data might be accessible to foreign State actors
  2. Vendor Assessment: Evaluate cloud providers and processors for government access obligations in their jurisdictions
  3. Contractual Review: Ensure agreements address foreign government requests and require notification to you
  4. Monitoring System: Establish a process to track Rule 14 orders when issued

Contractual Provisions to Include

Sample Clause Elements
  • Government Request Notification: Processor must promptly notify Data Fiduciary of any government access request
  • Challenge Obligation: Processor agrees to challenge overbroad requests where legally permissible
  • Transparency Report: Processor provides annual report on government requests received
  • Data Minimization: Processor limits data accessible to only what's necessary for the service
  • Indian Law Compliance: Processor acknowledges Data Fiduciary's obligations under DPDPA/Rules

Technical Measures

  • Encryption with Indian-held keys: Even if data is abroad, keys remain in India
  • Data segmentation: Keep sensitive categories in India, transfer only non-sensitive data
  • Anonymization before transfer: Reduce foreign State access risk by removing identifiers
  • Access logging: Maintain audit trails of all data access including government requests
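
The segmentation, identifier-removal and access-logging measures listed above, shown together as an added example that is not part of the original course text. It assumes a hypothetical field allow-list and a pseudonymization key that never leaves India; keyed pseudonymization is weaker than anonymization, because exported attributes can still re-identify a person in combination.

```python
import hashlib
import hmac

# Assumption: this allow-list is the organisation's own classification (hypothetical names).
# Anything not listed stays in India, so a new or unclassified field fails closed.
EXPORT_ALLOWED = {"order_total", "product_category", "city_tier"}


def pseudonym(key, customer_id):
    """Keyed HMAC-SHA256 token. Re-linking it to a person needs the key, held in India."""
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def split_for_transfer(record, key, audit_log):
    """Split one record into (india_record, export_record) and log the export."""
    token = pseudonym(key, record["customer_id"])
    india = {"token": token}
    export = {"token": token}
    for field, value in record.items():
        if field in EXPORT_ALLOWED:
            export[field] = value
        else:
            india[field] = value  # identifiers, sensitive and unclassified fields
    # Access logging: record which fields left India, never their values.
    audit_log.append({"event": "export", "token": token,
                      "fields": sorted(f for f in export if f != "token")})
    return india, export


# Constructed sample input (not real data); the key is a placeholder for a secret
# that would live in an India-hosted key store.
SAMPLE_KEY = b"constructed-demo-key-held-in-india"
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "health_note": "constructed",
    "loyalty_tier": "gold",          # unclassified field: stays in India
    "order_total": 1499.0,
    "product_category": "books",
    "city_tier": "tier-2",
}

if __name__ == "__main__":
    log = []
    india_rec, export_rec = split_for_transfer(SAMPLE_RECORD, SAMPLE_KEY, log)
    print("export:", export_rec)
    print("audit :", log)
```

Because the export set is an allow-list, a field added to the schema later stays in India until someone classifies it.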

🎯 Key Takeaways

  • Rule 14 adds a foreign State access layer — separate from Section 16's country restrictions
  • Extraterritorial scope — applies to foreign entities serving Indian Data Principals
  • "Foreign State" includes controlled entities — SOEs, contractors, legally obligated companies
  • No orders issued yet — but proactive compliance is advisable
  • Contractual provisions are key — address government access in all processor agreements
  • Technical measures reduce risk โ€” encryption, segmentation, anonymization