The Future of Cross-Border Data Transfers Under the DPDP Act

July 10, 2024

Anahad Narain

Founder's Office

Summary

  • The Digital Personal Data Protection Act 2023 empowers the government to put restrictions on cross-border data transfers.
  • The DPDP Act adopts a blacklist approach, allowing data transfers to all countries except those explicitly forbidden by the government.
  • Additional compliance requirements may include adequacy assessments, legal measures, and obtaining specific consent for data transfers.
  • Sector-specific laws impose stricter data localization rules, overriding DPDP Act provisions if they offer more protection.
  • Businesses must stay updated on regulatory changes, monitor for blacklisted countries, and prepare for new data transfer rules.

The Digital Personal Data Protection (DPDP) Act 2023 introduces a sophisticated framework for data protection in India, mandating strict rules around the collection, processing and sharing of personal data. For a comprehensive understanding of India's first data protection law, consult our detailed primer on the DPDP Act.

The DPDP Act applies to personal data processed within India, and to personal data processed outside India if the data is of Indian customers. Further, the DPDP Act has provisions restricting the cross-border transfer of data, i.e., the transfer of personal data from within to outside Indian territory.

As such, businesses engaged in data-intensive operations must understand and integrate these requirements into their data governance strategies to avoid compliance pitfalls and hefty penalties of up to Rs 250 crore.

DPDP Law on Data Localization

The Digital Personal Data Protection Act 2023 empowers the government to notify ‘restrictions’ on the cross-border transfer of data under Section 16. So far there has been no notification in this regard, leaving a wide ambit of discretion with the government. However, we expect the restrictions to take the following forms:

Ban on Blacklisted Territories

Data Transfers will be allowed to all countries EXCEPT the ones blacklisted by the government

Departing from earlier drafts that suggested a whitelist approach, the enacted version of the DPDP Act adopts a blacklist approach: personal data can be transferred to any country EXCEPT the territories explicitly forbidden by the government.

Consider a multinational corporation with operations in India that needs to transfer customer data to its analytics center in Singapore. Under the DPDP Act, as long as Singapore is not on the blacklist, this transfer is permissible. 

A significant loophole could arise if data transferred to a permitted (non-blacklisted) country is subsequently transferred onward to a blacklisted country. This could circumvent the protective intent of the Act unless mitigated by upcoming regulations.

Additional Compliance Requirements 

Notably, the restriction on data transfer need not be a blanket ban. The restrictions could be in the form of additional compliance requirements to be fulfilled before transfer is allowed to a notified territory. These requirements could be conducting adequacy assessments, where the level of data protection in the receiving country is evaluated to determine if it is equivalent to the protection offered within India.

The transfer could further be made conditional on fulfillment of legal, technical, and organizational measures. These can include standard contractual clauses or binding corporate rules that enforce data protection stipulations agreed upon by the transferring and receiving entities. The transfer could also be conditioned on a simple consent specific to cross-border data transfer.

The restrictions could be based on the type of personal data or sector involved, for instance differential conditions on transfer of sensitive personal data in the financial or healthcare sector. However, since the DPDP Act does not differentiate between types of personal data, data type based restrictions are highly unlikely. 

So far no country has been notified in the blacklist and no restrictions have been notified either. This may change with the upcoming Digital Personal Data Protection Rules (DPDP Rules) which may bring much needed clarity on what restrictions can apply on cross border data transfers.

Sector-Specific Laws

The Digital Personal Data Protection Act states that if another law offers more protection or stricter rules on transferring personal data outside India, that law will take precedence over the DPDP Act. 

Several Indian laws impose stricter data localization requirements across various sectors such as banking, finance, insurance, healthcare, telecom, and investment:

  1. RBI’s 2018 Circular on Storage of Payment System Data mandates that all data related to payment systems must be stored exclusively within India. This includes complete transaction details and any information processed in the payment instructions. However, for transactions that have a component outside India, the relevant data may also be stored in the foreign country if necessary.
  2. Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) provides under Principle 3(iii) that all data, including logs and any other related information pertaining to REs, must be stored and processed within India's legal boundaries. For investors from outside India, the original data, transactions, and logs must be kept readily accessible within India.
  3. IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017, under Regulation 18, mandates that all original policyholder records must be maintained in India.
  4. IRDAI (Maintenance of Insurance Records) Regulations, 2015, under Regulation 3(9), mandates insurers to ensure that the records pertaining to policies issued and claims made in India are held in data centers located and maintained in India.
  5. DoT License Agreement for Unified License, under Section 39.23(viii), requires the licensee not to transfer any accounting information relating to subscribers (except for international roaming/billing) and any user information (except relating to foreign subscribers while roaming and IPLC subscribers) outside India.
  6. Consumer Protection (Direct Selling) Rules, 2021, under Rule 5, stipulates that direct selling entities are required to store sensitive personal data within Indian territory.

Let us consider a couple of scenarios:

Let’s say HSBC is looking to upgrade its global data analytics capabilities: the bank must comply with the RBI's 2018 Circular on Storage of Payment System Data and set up or use existing local data centers for storing payment system data, even if it wishes to analyze it on a global platform.

Consider another case where LIC partners with a technology firm to develop AI-driven analytics for personalized insurance products. Under the IRDAI regulations, all policyholder data and claims information must be stored within India. Therefore, despite the potential efficiencies of using cloud services hosted internationally, LIC must ensure that all sensitive data is processed and stored locally.

Thus, even if a certain transfer of data is permitted under the DPDP Act, the transfer cannot take place if a different law prohibits it. 
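The two ordering rules described above (a sector-specific localisation law overrides the DPDP Act's default-allow, and the onward-transfer loophole from the blacklist section) can be encoded as a transfer-policy check in a data governance pipeline. The following is an added illustration, not code from the article or from Leegality; the data categories, the country codes and the placeholder blacklist entry "XX" are constructed assumptions (no country has actually been notified).

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Sector-specific localisation rules the article lists. The category keys are
# constructed for this example; the legal citations are the article's own.
SECTOR_LOCALISED = {
    "payment_system": "RBI 2018 Circular on Storage of Payment System Data",
    "sebi_re_data": "SEBI Cloud Framework, Principle 3(iii)",
    "policyholder_record": "IRDAI Outsourcing Regulations 2017, Reg. 18",
    "insurance_record": "IRDAI Maintenance of Insurance Records 2015, Reg. 3(9)",
    "telecom_subscriber": "DoT Unified License, Sec. 39.23(viii)",
    "direct_selling_sensitive": "Consumer Protection (Direct Selling) Rules 2021, Rule 5",
}

@dataclass
class Transfer:
    data_category: str
    destination: str                      # ISO country code, e.g. "SG"; "IN" = stays in India
    onward_destinations: list[str] = field(default_factory=list)  # known downstream recipients

@dataclass
class Decision:
    allowed: bool
    reasons: list[str]

def evaluate(t: Transfer, blacklist: frozenset[str]) -> Decision:
    """Apply the precedence the article describes: stricter sector law first,
    then the Section 16 blacklist, then a conservative onward-transfer check."""
    # 1. A stricter sector-specific law takes precedence over the DPDP Act.
    if t.data_category in SECTOR_LOCALISED and t.destination != "IN":
        law = SECTOR_LOCALISED[t.data_category]
        return Decision(False, [f"blocked: {law} requires storage in India"])
    # 2. DPDP blacklist approach: allowed unless the destination is notified.
    if t.destination in blacklist:
        return Decision(False, [f"blocked: {t.destination} is a notified territory (Sec. 16)"])
    # 3. Onward-transfer loophole: the Act does not yet address it, so this
    #    check conservatively refuses chains that reach a blacklisted territory.
    hops = [c for c in t.onward_destinations if c in blacklist]
    if hops:
        return Decision(False, [f"blocked: onward transfer reaches blacklisted {hops}"])
    return Decision(True, [f"allowed: {t.destination} not blacklisted; no localisation rule"])

if __name__ == "__main__":
    notified = frozenset({"XX"})  # placeholder: no real country is blacklisted yet
    for tr in (Transfer("customer_analytics", "SG"),
               Transfer("payment_system", "SG"),
               Transfer("customer_analytics", "SG", ["XX"])):
        print(tr, evaluate(tr, notified))
```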

How does the DPDP Compare with Other Data Protection Regimes? 

While the GDPR provides a structured process for cross-border data transfers, the DPDP Act's ambiguity creates uncertainty.

Under the European Union’s General Data Protection Regulation (GDPR), data transfers are allowed when the receiving country or organization provides adequate protection for the personal data of European residents. The European Commission lists countries that meet this standard under Article 45. Additionally, transfers can occur between entities in different jurisdictions if they follow binding corporate rules as outlined in Article 47 or implement appropriate safeguards mentioned in Article 46. These rules help determine when and how data can be transferred across borders.

Unlike the GDPR, the DPDP Act permits transfers unless explicitly prohibited. The DPDP Act also offers no basis for determining which countries would be blacklisted. Currently, there is no requirement to justify the adequacy of data protection or to use mechanisms like standard contractual clauses or binding corporate rules to allow data transfers to restricted jurisdictions. 

How can Your Business Prepare for Future Changes?

Every step in your DPDP Compliance Journey is crucial

Much remains to be clarified while we await the notification of the Digital Personal Data Protection Rules. In the meantime, Indian businesses must proactively engage with the evolving regulatory landscape to ensure ongoing compliance. They should monitor for updates on blacklisted countries, understand sector-specific requirements, and prepare for potential new rules regarding data transfer mechanisms such as standard contractual clauses or binding corporate rules.

Compliance begins with understanding the law. We suggest you begin by reading our DPDP compliance checklist and articles on DPDP exemptions, applicability, and penalties to have a strong foundational understanding of the law as it stands now. 

In your compliance journey, you are sure to come across the need for a dedicated consent manager. Onboarding the right consent management tool is vital in nailing DPDP compliance for your business. Sign up for a demo of Leegality Consent Manager today for an easy plug and play solution to your DPDP challenges.  
