Introduction

Presently, the general data protection laws in India comprise the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) issued under the Information Technology Act, 2000. The SPDI Rules do not impose any specific restrictions on cross-border transfers of personal data. However, personal data may only be transferred with the consent of the individual or for the performance of a contract with the individual. Additionally, the recipient of any personal data must ensure at least the same level of data protection as that provided for under the SPDI Rules and by the transferor.

Unlike the SPDI Rules, the newly enacted Digital Personal Data Protection Act, 2023 (“DPDPA”) does not require recipients of personal data to adhere to the same level of data protection as transferors, and does not permit transferring entities to rely on the performance of a contract as a legal basis for transfer.

This article provides an overview of the considerations for making cross-border data transfers under the DPDPA and offers businesses practical tips and recommendations for achieving compliance.

A Negative List of Prohibited Transfers Outside India

Transfers of personal data to countries and territories outside India are generally permitted, except to countries and territories specifically notified in a “negative list” issued by the central government. We expect that onward transfers to countries on the negative list from other permitted jurisdictions will also be prohibited. Businesses do not need to undertake a transfer impact assessment of the adequacy of data protection laws in the transferee country where that country is not on the negative list.

Legal Grounds for Transfer under the DPDPA

Under the DPDPA, businesses must generally ensure that a transfer is undertaken in accordance with the provisions of the DPDPA, for a lawful purpose, and on the basis of valid grounds for processing, that is, either consent or certain “legitimate uses”. However, there are limited circumstances in which businesses are exempt from the cross-border transfer requirements, such as the enforcement of legal rights or claims, corporate restructuring approved by a court or other competent authority, debt enforcement, or the prevention or investigation of offences.

Sectoral Localisation Norms

While personal data transfers outside India are generally permitted (except to jurisdictions on the government’s negative list), the DPDPA provides that where another Indian law provides a higher degree of protection for, or restriction on, the transfer of personal data outside India, that law will prevail over the DPDPA.

The following table illustrates data localisation requirements under Indian law that will prevail over the DPDPA. Businesses subject to these localisation requirements may contractually pass them on to their service providers as well:

| The Law | Regulator | Personal Data Subject to Localisation |
|---|---|---|
| Companies Act, 2013 | | The back-up of the books of account and other relevant books and papers in an electronic mode. |
| Payment and Settlement Systems Act, 2007 | The Reserve Bank of India | End-to-end transaction details and information pertaining to payment or settlement transactions within India. |
| Guidelines on Digital Lending | The Reserve Bank of India | Lending data. |
| The Unified License Agreement with Telecom Service Providers | The Department of Telecommunications | Accounting information related to a subscriber, except for international roaming or billing; user information, except that pertaining to foreign subscribers using telecom operators’ networks while roaming and IPLC subscribers. |
| Insurance Regulatory and Development Authority (Maintenance of Insurance Records) Regulations, 2015 | The Insurance Regulatory and Development Authority | Records pertaining to insurance policies and claims made in India. |
| The Aadhaar (Authentication and Offline Verification) Regulations, 2021 | The Unique Identification Authority of India | Servers used for Aadhaar authentication and offline verification (and therefore any personal data relevant for these purposes) must be based in India. |

Conclusion

While the cross-border data transfer requirements under the DPDPA are light-touch, non-compliance may attract fines as high as INR 50 crores. We recommend that businesses begin by evaluating their grounds for transfer. At this stage, the Indian government is yet to notify the negative list, so compliance is difficult to evaluate at present. Guidance in this regard is expected from the Indian government through the issuance of rules in the coming months.