The United States Trade Representative (USTR) has voiced significant concerns regarding India’s Digital Personal Data Protection (DPDP) Act, the Information Technology (IT) Rules of 2021, and frequent internet shutdowns, highlighting their potential to create trade barriers and negatively impact US companies operating in the Indian market.

Illustration: Uttam Ghosh

The lack of a deemed consent mechanism for credit information companies (CIC) in the Digital Personal Data Protection (DPDP) Act and the subsequent administrative rules under the law could impact the ability of such companies, including those from the United States (US), to operate in India, the United States Trade Representative (USTR) has said.

“Financial institutions provide data on individuals to CICs for their credit information services so that financial and other institutions from various segments of the economy can use credit reports to make decisions based on the creditworthiness, or credit score, of an individual. Not providing deemed consent could impact CICs’ ability to operate in India, including US credit bureaus,” the USTR said.

Concerns Over DPDP Act Provisions

Some of the other provisions of the DPDP Act and subsequent administrative rules “impose potentially burdensome requirements on data fiduciaries, and require disclosures of personal data to the Indian Government”, the USTR said.

“Those rules also permit the Central Government to restrict cross-border data transfers to a specific country if the Government of India provides appropriate notification of such restrictions.

“The DPDPA and the DPDP Rules may also allow for sectoral regulations or laws to supersede the DPDPA and DPDP Rules if said regulations or laws are found to provide a greater degree of data protection,” the USTR said.

Data Localisation and IT Rules

Apart from the data localisation norms mentioned in the DPDP Act, the USTR has also flagged the Reserve Bank of India’s mandate to store financial data in India and said that such “data storage requirements hamper the ability of service suppliers to detect fraud and ensure the security of global networks”.

In its 2026 National Trade Estimate Report on Foreign Trade Barriers, the USTR has further said that some of the provisions of the Intermediary Guidelines and Digital Media Ethics Code of 2021, also known as the Information Technology (IT) Rules of 2021, have been flagged by US stakeholders as “concerning”.

“For example, the IT Rules impose personal criminal liability on individual employees in cases where a firm is not in compliance with the rules.

“The IT Rules also include imposition of impractical compliance deadlines and take-down protocols.

“Since 2021, US firms have been subject to an increasing number of takedown requests for content and user accounts related to issues that appear politically motivated,” the USTR said.

Impact of Internet Shutdowns

In addition, the USTR has also noted that the internet shutdowns ordered by the central and state governments across India “restrict access to information and services, disrupting commercial operations, and thereby undermining a free and open Internet and impeding trade in the digital economy”.

The US continues to monitor the impact of these events on US trade and investment, including services exports, the USTR said in the report released on March 31.