This article is part of a six-part series on the operational impacts of India's DPDPA. The full series can be accessed here.
Published: October 2023
Navigate by topic
India's Digital Personal Data Protection Act is a simple, principle-based law that leaves the details, procedures and specifics of compliance to delegated legislation that will be issued before it comes into effect as law. It introduces various obligations on data fiduciaries, the equivalent of data controllers under the EU General Data Protection Regulation, and provides data principals, the equivalent of data subjects under the GDPR, with several rights and duties. It establishes a new authority — the Data Protection Board — to enforce the law and articulates a set of principles to define the nature of data protection regulation in the country.
Looking at provisions related specifically to the cross-border transfer of personal data, the Indian government's approach to data localization has evolved over the course of deliberations and consultations around the law. India's approach offers similarities and differences to those in other jurisdictions — most notably Europe's GDPR.
In Section 40 of the first draft of India's data protection legislation, the Personal Data Protection Bill, 2018 required a copy of all personal data to be stored within the territory of India at all times. A wide cross-section of stakeholders stridently objected to this data localization approach, as it fundamentally disrupts the way business is conducted online.
As a result, subsequent versions of the law, namely Section 17 of the Digital Personal Data Protection Bill, 2021, progressively diluted this stance. The first step in this direction was permitting transfers of personal data to certain "whitelisted" countries that the government would separately provide.
This was further diluted in the version that was finally enacted into law. DPDPA Section 16 permits personal data to be freely transferred to all countries or territories outside India, except those the central government specifically identifies.
With that, a law that initially looked like it would impose an absolute prohibition on the cross-border transfer of data ended up taking a "blacklist" approach to cross-border data transfers, limiting them to specifically enumerated countries or territories.
Basis for permitted data transfers
Under the GDPR, data transfers are permitted where the jurisdiction or entity receiving the data offers a level of protection that is sufficient to safeguard the personal data of the European residents whose data is being transferred. Thus, data transfers are permitted to countries the European Commission determined ensure an adequate level of protection in Article 45, or between entities in jurisdictions that are subject to binding corporate rules in Article 47 or appropriate safeguards in Article 46. These provisions set out the principles according to which the permissibility of cross-border data transfers can be evaluated.
The DPDPA, on the other hand, offers no such basis for determination of countries to which data transfers will be prohibited. It only states countries to which data transfers will be restricted will be listed. There is no obligation to provide justifications of adequacy or offer any other mechanism, equivalent to standard contractual clauses or binding corporate rules by which data transfers may be permitted to entities in such prohibited jurisdictions.
Significant data fiduciaries
The act also introduced the concept of a significant data fiduciary — an entity that is subject to a higher threshold of compliance on account of it processing high volumes of data, processing high-risk data or operating in a politically sensitive industry.
It reserved the right to subject significant data fiduciaries to additional compliance requirements determined by the central government.
That being the case, it is conceivable that the central government could use this power to restrict significant data fiduciaries from transferring personal data outside the country or to specified jurisdictions.
Even as the act lays the groundwork for country-specific restrictions on data transfers, Section 17 clarifies that these restrictions may not apply in relation to certain processing activities. Examples of such exempted processing activities, along with indicative use cases where such exemptions may be utilized by both the government and private entities, include:
- Prevention, detection, investigation or prosecution of offences under Indian law.
Even if restrictions on the cross-border transfer of personal data to specified jurisdictions exist, Indian police and law enforcement agencies will not be subject to them in relation to international criminal investigations or extradition mandates. Arguably, private companies could also avail this exemption when data needs to be transferred in relation to ongoing internal investigations or fraud.
- Enforcement of a legal right or claim.
Restrictions on the cross-border transfer of personal data to a specified jurisdiction will not come in the way of transfers that are necessary to enforce legal rights, such as property disputes, matrimonial disputes, immigration cases, financial claims, etc.
- Processing pursuant to a contract with a foreign entity.
Restrictions on the cross-border transfer of personal data will not apply to any processing pursuant to a contract with a foreign entity. This is particularly relevant to the portion of the Indian outsourcing industry that deals primarily with non-Indian personal data, which they process for their foreign clients.
- Processing pursuant to legally approved mergers, demergers, acquisitions and other such arrangements between companies.
Any Indian entity that enters any such arrangement with a foreign company will be able to avail of this exemption to transfer employee information and other personal data to such foreign company, even if it is located in a jurisdiction to which data transfers are prohibited.
- Processing to ascertain the financial position of a defaulter to a financial institution.
The fact that the cross-border transfer of personal data has been prohibited to a specified jurisdiction will not operate to prevent such transfers when financial institutions need to ascertain financial assets and liabilities of defaulting customers.
- The performance of regulatory, supervisory, or judicial functions.
Regulatory authorities will not be prohibited from transferring personal data as needed for cross-border enforcement, regulation, or supervision, even if the jurisdictions in question are listed as those to which data transfers are prohibited.
Continued application of sectoral laws
Section 16(1) of the DPDPA explicitly states restrictions providing additional requirements or higher degrees of protection under existing laws will also continue to apply. This suggests any restrictions set by the central government under Section 16(1) will serve as the baseline protection across all categories of personal data, but sectoral regulators could, if they so choose, prescribe additional restrictions or protections, as required depending on the nature of data or the needs of the industry.
At present, India has cross-border data transfer restrictions in multiple sectors. For instance, the country's banking regulator — the Reserve Bank of India — stipulated certain categories of payment data, such as transaction information and customer credentials, can only be stored within India.
Similarly, certain categories of telecommunications data, including accounting information related to subscribers, cannot be transferred outside India. There are equivalent localization requirements in the insurance sector. All these restrictions will continue to operate, notwithstanding the lack of data localization obligations set out under the act.
Indian data protection law has come a long way from the early draft that introduced the concept of data localization into the lexicon. In contrast, the current framework offers a far more open and permissive cross-border data transfer regime.
While some level of uncertainty regarding which countries will be blacklisted remains, the central government is not likely to impose strict localization norms, given the pivotal role India plays in the global market. Instead, it is far more likely to carefully balance sovereign interests with business stability.
The IAPP Resource Center additionally hosts an "India" topic page, which updates regularly with the IAPP's latest news and resources.