DATA SOVEREIGNTY IN INDIA: UNRAVELLING INDIAN LEGAL REQUIREMENTS TO LOCALISE DATA

INTRODUCTION

The digital economy’s contribution to India’s GDP is expected to cross 20% by 2026. This growth coincides with a significant increase in cross-border personal data transfers to and from India. Organisations engaging in such transfers ought to be mindful of any potential restrictions under data privacy laws in India and seek assistance from the best data protection law firms to stay on top of compliance. India’s data protection and cybersecurity laws are in a state of flux. This note by our data protection lawyers provides a brief overview of the legal framework governing the storage and transfer of personal data in India.

LEGAL FRAMEWORK

General Indian Data Protection Laws

Currently, there is no specific data localisation requirement under data protection law in India. Data protection in India is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). The SPDI Rules were issued under the Information Technology Act, 2000 (“IT Act”). Additionally, the Cybersecurity Directions, issued under the IT Act by the nodal authority, the Indian Computer Emergency Response Team (“CERT-In”), require organisations to maintain logs of their ICT systems. CERT-In has clarified that logs may be stored outside India as long as they are provided to CERT-In within a reasonable timeframe when requested. Furthermore, the Companies Act, 2013, requires organisations to maintain back-ups of their books of accounts and other documents at their registered office.

Sectoral Requirements

Indian data localisation requirements extend beyond general data protection laws and include cybersecurity laws as well as sector-specific laws applicable to the telecom and financial sectors. For instance, apart from a few limited exceptions, regulated entities in the payments and lending sectors must store payments and lending-related data within India. Similarly, regulated entities in the securities sector that have adopted cloud services must ensure that all data resides within India. Insurers are required to maintain all records pertaining to insurance policies and claims within India. Additionally, laws enabling identity verification through Aadhaar data require the servers used for identity verification to be based within India. Lastly, Indian telecom service providers must store certain subscriber-related information within the country.

DPDPA

While the Indian government has enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”) into law, it is not yet in effect. Once in effect, the DPDPA will replace the SPDI Rules, the present privacy act in India. The DPDPA generally permits cross-border transfers of personal data, except to jurisdictions notified in a “negative list” to be issued by the Indian government. Furthermore, if any other legislation provides a higher degree of protection for or restriction on the transfer of personal data, such restriction will continue to apply. Even where cross-border transfers are permitted under the DPDPA, the sectoral restrictions detailed above will continue to apply.

CONCLUSION

Organisations subject to data localisation requirements must prepare server maps of their data flows to identify all cross-border data transfers, determine the restrictions applicable to such transfers, and include necessary protocols in their data privacy policy in India. Additionally, such organisations often contractually pass down these restrictions to their service providers. Service providers may have to structure their offerings to accommodate these data transfer restrictions. For instance, cloud service providers provide regulated entities in the financial sector with the ability to store all personal data within India. Organisations subject to data transfer restrictions must engage competent data protection lawyers for assistance with such transfers as well as to stay compliant with the new Data Protection Act in India.