India: Digital Personal Data Protection Act, 2023 - what it means for cross-border transfers
The Digital Personal Data Protection Act, 2023 (the Act) was passed by both houses of the Indian Parliament and has received Presidential assent. One of the key considerations of the Act is its impact on cross-border data transfers. While the Act is yet to come into force, and the rules that will prescribe further clarity on the implementational aspects are awaited, Varsha Rajesh and Huzefa Tavawalla, from Nishith Desai Associates, assess the potential impact on cross-border transfers of personal data under the new regime.
New data law on cross-border transfers of personal data
Under the Act, cross-border transfers of personal data are permitted. However, Section 16(1) of the Act enables the Government to restrict the transfer of personal data to certain countries or territories outside India by way of a notification.
The Act, in its current form, does not provide further clarity on what the restrictions would entail. Such restrictions may be in the form of prescribing additional compliances (similar to the GDPR adequacy tests) for the transfer of personal data to the notified countries or limiting the transfer of certain types of data. Alternatively, the Government may blacklist countries to which transfer of personal data may be prohibited.
Further, the Act also addresses the issue of potential conflict with sectoral laws in terms of data transfers. Currently, sectoral regulators, including the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI), require certain sector-centric data (payments data and securities data) to be mandatorily stored in India. Section 16(2) of the Act clarifies that any parallel law that provides for a higher degree of protection or restriction on the transfer of personal data outside India would prevail over the provisions of the Act itself.
It is also interesting to note that previous iterations of the data law, before the Act was enacted, differentiated between personal data and special categories: sensitive personal data and critical personal data. This distinction was important since higher compliances and data localization requirements were prescribed for sensitive personal data and critical personal data respectively. However, the Act itself does not make any such distinction, therefore leaving it open for the Government to decide on the criticality of data on a case-by-case basis and to notify restrictions for the same. Furthermore, a jurisdictional approach has been adopted under the Act, thereby allowing restrictions on transfers of all personal data to notified countries.
Impact on cross-border transfers
The prior data protection regime in India only prescribed compliances for the transfer of personal data which is categorized as sensitive personal data or information (passwords, financial information, physical, physiological, and mental health condition, sexual orientation, medical records and history, and biometric information). However, given that the Act applies to all kinds of personal data (including name, address, email, phone number, etc.), a wider category of personal data, including personal data that may not ordinarily be classified as critical or sensitive, may be subject to cross-border transfer restrictions.
Furthermore, the Act itself is designed to have extraterritorial applicability, i.e., applying to entities outside India. Consequently, foreign companies that collect personal data from individuals in India while offering goods and services are required to comply with the Act. In situations where a country is blacklisted, the transfer of personal data to companies in such a country would not be permissible. It could also be extended to prohibit the primary collection of data by companies located in a blacklisted country. Hence, foreign companies from a blacklisted country may be restricted from directly undertaking business in India (especially online models) as basic personal data would be required for providing goods or services.
Another key impact to note is that the restriction under the Act itself does not appear to cover further transfers of personal data. Hence, companies may operate in this vacuum by transferring data to non-blacklisted countries and subsequently transferring it to a blacklisted country. It would be interesting to see how the Government may seek to enforce the cross-border transfer restrictions on such data transactions.
Lastly, it may be noted that restrictions pertaining to cross-border transfers under sectoral laws would apply in addition to the Act. This means that while the Government may permit the transfer of personal data to a specific country, if the sectoral law restricts the transfer or requires the data to be localized, the transfer would not be permissible. Further, sectoral regulators typically prescribe transfer restrictions for sector-centric data, which may include both personal and non-personal datasets.
Limited exemptions
The Act prescribes general exemptions from compliances, under limited circumstances, which can be availed by both the Government and private bodies. According to Section 17 of the Act, there should be no restrictions on cross-border transfers (including transfers to notified countries and regions) under the following circumstances:
- the processing of personal data is necessary for enforcing any legal right or claim;
- prevention, detection, investigation, or prosecution of offenses and contraventions under the Indian law;
- the processing of personal data by any court or tribunal or any other body in India for judicial, quasi-judicial, regulatory, or supervisory functions;
- processing personal data of data principals outside India pursuant to a contract entered into with a foreign entity;
- processing pursuant to legally approved mergers, demergers, acquisitions, and other such arrangements between an Indian entity and a foreign entity; and
- processing personal data to ascertain the financial position of a defaulter to a financial institution.
What to keep in mind
The Act itself is broad and provides a skeletal framework for a comprehensive data protection regime in India. Much of the guidance on implementation and enforcement of the Act is anticipated to be introduced by the Government in the form of rules and regulations. It remains to be seen how the broad powers of the Government pertaining to restricting transfers to certain jurisdictions would play out once such notifications are issued under the Act. With the passage of the rules, the applicability of exemptions and practicalities may also be clarified.
A fair balance should be struck between the necessity to restrict transfers for strategic and national interests and legitimate business interests, considering that India is an outsourcing hub for many multinational businesses. Stringent restrictions would discourage data-intensive operations from being housed in India.
Varsha Rajesh Data Privacy Practice Member
Huzefa Tavawalla Head of Disruptive Technology Practice
Nishith Desai Associates, India