India’s existing data protection requirements arise out of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) issued under the Information Technology Act, 2000. While the SPDI Rules do not prohibit cross-border transfers of personal data, they require organisations to either seek the consent of individuals prior to the transfer of their personal data or otherwise rely on a contractual necessity with such individual to give effect to the transfer. Transferors of data must ensure that recipients extend data protection standards in respect of the transferred data that meet both the requirements of the SPDI Rules and the transferor’s own standards and protocols. Practically, while transferring data, organisations ought to review recipients’ protocols to confirm the adequacy of organisational and technical standards and contractually impose appropriate obligations on recipients.

Unlike the SPDI Rules, the Digital Personal Data Protection Act, 2023 (“DPDPA”) does not require recipients of personal data to adhere to the same level of data protection as transferors and does not permit transferring entities to rely on contractual performance as a legal basis of transfer.  

This article provides an overview of the considerations for making cross-border data transfers in light of the DPDPA and provides businesses with practical tips and recommendations on achieving compliance.