Digital regulation, once treated as a domestic matter, is now trade policy.
On the last day of March 2026, the Office of the United States Trade Representative released its annual inventory of foreign practices that disadvantage American businesses abroad. India earned a notable section of that document — not for tariffs or quotas, but for something newer and harder to quantify: the rules it has built around digital platforms, personal data, and online content.
The report arrives at a moment when India is no longer a peripheral market for U.S. technology companies. Its digital economy is expanding fast, its middle class is growing, and American firms have made substantial bets on its future. That makes the regulatory friction the USTR is now cataloguing more than a bureaucratic concern. It is a strategic one.
At the center of the USTR's concerns are two Indian regulatory frameworks. The first is the Information Technology Intermediary Guidelines and Digital Media Ethics Code — known as the IT Rules — which govern how online platforms handle content. Under these rules, platforms must remove or block access to specified content within tight deadlines after receiving government or court orders, maintain formal grievance channels for users, designate local compliance officers, and in some circumstances help authorities trace the origin of particular messages. The second framework is India's Digital Personal Data Protection law, which sets requirements around data security, breach notification, and the movement of personal data across borders.
For a company running global infrastructure, these requirements are not trivial. The IT Rules compress the time available to make content decisions that might otherwise involve careful legal review, and they require those decisions to be made by locally designated personnel with clear lines of authority. The data protection framework raises harder architectural questions: whether to store Indian users' data inside India rather than on shared global servers, whether cloud deployments need India-specific configurations, and whether AI systems that depend on cross-border data flows can operate as designed.
The USTR report does not treat these rules as neutral administrative requirements. It flags what it calls impractical compliance deadlines and notes that U.S. companies have received takedown requests that appear to be politically motivated rather than legally grounded. It raises concern about measures that could restrict the movement of data out of India or require companies to hand data over to government authorities. And it points to a gap that has long troubled American businesses: India has no civil or criminal statute specifically protecting trade secrets.
The framing matters. The USTR's annual report is not simply a list of complaints — it is a policy instrument. Its stated purpose is to identify barriers and support efforts to reduce or eliminate them through direct engagement with trading partners. By including India's digital rules in that document, the U.S. government is signaling that these regulatory choices will be part of the conversation when the two countries sit down to negotiate trade terms. Digital regulation, once treated as a domestic matter, is now trade policy.
For legal and compliance teams inside American companies, the practical consequences run in several directions at once. Compliance with India's platform and data rules is not optional and is becoming more operationally demanding — it requires coordination across legal, engineering, and policy functions in ways that global teams may not be structured to handle. At the same time, those requirements need to be understood in a broader context: the rules themselves may shift as bilateral trade discussions evolve, and what looks like a fixed compliance obligation today could look different after a negotiated agreement tomorrow.
Companies evaluating investments or acquisitions in India face a related set of questions. Due diligence now needs to account for how a target company stores and transfers data, how it handles government content requests, and whether its compliance infrastructure meets local requirements. These are not afterthoughts — they go to the core of how a digital business operates.
The USTR's 2026 report does not resolve any of this. It is, as the lawyers at Sidley Austin who analyzed it note, part of an evolving dialogue rather than a settled policy position. But the direction of travel is clear. India's digital rules are now on the table in Washington, and companies that treat compliance and trade strategy as separate conversations are likely to find themselves caught between the two.
Notable Quotes
The administration is focused on addressing the unfair trade practices detailed in this report and advancing the best interests of American workers and their families.— USTR, on releasing the 2026 National Trade Estimate Report
The Hearth Conversation Another angle on the story
Why does it matter that the USTR put India's digital rules in a trade report? Countries regulate the internet all the time.
Because the USTR report isn't just descriptive — it's a policy lever. Naming something as a trade barrier is the first step toward demanding it be changed in negotiations.
What's the most operationally disruptive requirement India is imposing right now?
Probably the combination of tight content takedown deadlines and the traceability obligation. Together they force near-real-time decisions that most global platforms aren't structured to make locally.
The report mentions politically motivated takedown requests. How does a company respond to that without getting into trouble with the Indian government?
Very carefully. You comply with lawful orders, but you document everything. The USTR flagging this publicly gives companies some diplomatic cover to push back through proper channels.
What's the trade secret gap about? That seems like a separate issue.
It is, but it's connected. If you're sharing proprietary technology or processes with Indian partners and something goes wrong, there's no specific legal mechanism to pursue it. That's a real exposure for technology companies.
Is data localization actually happening, or is it still theoretical?
It's real and getting more concrete. Companies are already evaluating whether their cloud architecture needs India-specific configurations. The DPDP framework hasn't fully spelled out transfer restrictions yet, but the direction is clear enough that engineering decisions are being made now.
What does it mean for a company doing M&A in India?
It means the compliance infrastructure of a target company is now a material diligence item — not just whether they filed the right forms, but how their data flows are structured and whether they can actually meet the IT Rules' response timelines.
Could U.S.-India trade talks actually change these rules?
Possibly, at the margins. Trade negotiations rarely dismantle domestic regulatory frameworks entirely, but they can shape implementation — timelines, exemptions, mutual recognition. That's why watching the bilateral dialogue matters.