India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee that comprised of members of both Houses of the Parliament (“Committee”).

On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.

Part 8 of this series discusses “Restrictions on Data Transfers” under the PDPB Bill.


  1. Cross-Border Data Transfers:
      (a) Sensitive personal data may only be transferred outside India with the explicit consent of the data principal and on the basis of one of the following grounds:
      • (i) a contract or an intra-group scheme approved by the Authority in consultation with the government. Note that the contract or intra-group scheme will not be approved if it is against public or state policy;
      • (ii) the approval of the government for transfer to a country or organisation that is approved or judged “adequate”, where the transfer would not affect the enforcement of laws. For transfers in accordance with an adequacy decision, sensitive personal data cannot be shared with a foreign government or agency unless approved by the government; or
      • (iii) an approval from the Authority (where such approval is provided in consultation with the government).
      (b) Critical personal data may only be transferred outside India if such transfer is to a:
      • (i) person or entity(s) engaged in health or emergency services or purposes; or
      • (ii) country or an entity approved by the government with respect to security and strategic interest of the State.

  2. Data Localisation:
      • (a) A copy of all sensitive personal data must be stored in India.
        (b) Critical personal data may only be processed in India.

Key Divergence from the PDPB

Under the PDPB, one of the grounds for cross-border transfers of sensitive personal data was reliance on an intra-group contract or scheme approved by the Authority. Under the Bill, such approval will require the Authority to consult with the government, and such contract or scheme will not be approved if it is against “public or state policy” – that is, an act that promotes the breach of any law, is not in consonance with public policy or state policy, or has a tendency to harm the State or citizens.

Sensitive personal data that is transferred on the basis of an adequacy decision cannot be shared with a foreign government or authority without the government’s prior approval.