The Future of Cross-Border Data Transfers Under the DPDP Act

July 10, 2024

Summary

  • The Digital Personal Data Protection Act 2023 empowers the government to put restrictions on cross-border data transfers.
  • The DPDP Act adopts a blacklist approach, allowing data transfers to all countries except those explicitly forbidden by the government.
  • Additional compliance requirements may include adequacy assessments, legal measures, and obtaining specific consent for data transfers.
  • Sector-specific laws impose stricter data localization rules, overriding DPDP Act provisions if they offer more protection.
  • Businesses must stay updated on regulatory changes, monitor for blacklisted countries, and prepare for new data transfer rules.

The Digital Personal Data Protection (DPDP) Act 2023 introduces a sophisticated framework for data protection in India mandating strict rules around collection, processing and sharing of personal data. For a comprehensive understanding of India's first data protection law, consult our detailed primer on the DPDP Act.

The DPDP Act applies to personal data processed within India, and to processing outside India if the data is of Indian customers. Further, the DPDP Act has provisions restricting cross-border transfer of data, i.e., transfer of personal data from within India to outside Indian territory.

As such, businesses engaged in data-intensive operations must understand and integrate these requirements into their data governance strategies to avoid compliance pitfalls and hefty penalties up to 250 Crore Rupees.

Bullet Dodged: Initial DPDP Law on Cross Border Transfers

The initial drafts of the DPDP bill proposed stringent and complex regulations around cross border transfers. These were specific transfer restrictions for defined subcategories of personal data. Here's a look at what the law could have been: 

  1. Local Storage for Sensitive Personal Data: There was a requirement for a copy of all sensitive personal data to be stored locally in India, even if transferred abroad. This would have necessitated massive expenditure on local data centers, increasing operational costs. Imagine a multinational tech firm having to duplicate its data storage infrastructure: the logistical challenges and expenses would be immense.
  2. Additional Compliances for Cross-Border Transfers: The 2019 draft also required specific compliances for transferring sensitive personal data abroad:
    • Explicit consent from the data principal had to be obtained.
    • If the transfer was made subject to a contract or intra-group schemes, these schemes needed approval from the Data Protection Authority (DPA) in consultation with the Central Government.
    • An adequacy determination by the Central Government was required, ensuring that the data would not be shared with any foreign government or agency unless approved, or alternatively, specific approval for the transfer could be granted by the DPA and Central Government.
  3. Restrictions on Transferring Critical Personal Data: Even more restrictive was the prohibition on transferring critical personal data outside India, which allowed only limited exceptions. Critical personal data could be transferred in cases of emergencies or to approved entities. Specifically, the data transfer was permitted for:
    • Prompt action scenarios, such as transfers to individuals or organizations involved in health or emergency services.
    • Transfers to countries, entities, or international organizations that have been approved through an adequacy determination by the government to protect national security interests.

It seems that now restrictions on transferring personal data outside India have been left to rules under the Act as well as sectoral regulators. We talk more about this in the other sections.

The Enacted DPDP law on Cross Border Transfers

Instead, the lawmakers went with a much simpler and open-ended approach where ‘restrictions’ on cross-border transfers may be notified by the government. So far there has not been any notification in this regard, leaving a wide ambit of discretion with the government. The Digital Personal Data Protection Rules (DPDP Rules) have not come out yet and the leaked drafts do not provide any clarity either.

However, a look at the legislative history of the DPDP law gives us some guidance on what these restrictions could be. The earlier iterations of the law included cumbersome restrictions on cross-border data transfers, with the parliamentary committee inclined towards following global best practices pioneered by the European Union’s General Data Protection Regulation (GDPR).

Ban on Blacklisted Territories

Data Transfers will be allowed to all countries EXCEPT the ones blacklisted by the government

The enacted version of the DPDP Act could mean a blacklist approach allowing data transfers to all countries EXCEPT the territories explicitly forbidden by the government. In other words, personal data can be transferred to any country except the ones blacklisted by the government.

Consider a multinational corporation with operations in India that needs to transfer customer data to its analytics center in Singapore. Under the DPDP Act, as long as Singapore is not on the blacklist, this transfer is permissible. 

A significant loophole could arise if data transferred to a whitelisted country is subsequently transferred to a blacklisted country. This could potentially circumvent the protective intent of the Act unless mitigated by upcoming regulations.

Additional Compliance Requirements 

The restriction on data transfer need not be a blanket ban. The restrictions could take the form of additional compliance requirements to be fulfilled before transfer is allowed to a notified territory. These compliance requirements could include conducting adequacy assessments, where the level of data protection in the receiving country is evaluated to determine if it is equivalent to the protection offered within India.

The transfer could further be made conditional on fulfillment of legal, technical, and organizational measures. These can include standard contractual clauses or binding corporate rules that enforce data protection stipulations agreed upon by the transferring and receiving entities. The transfer could also be conditioned on a simple user consent explicitly for cross-border transfer.

The restrictions could be based on the type of personal data or sector involved, for instance differential conditions on transfer of sensitive personal data in the financial or healthcare sector. However, since the DPDP Act does not differentiate between types of personal data, data type based restrictions are highly unlikely. 

So far no country has been notified in the blacklist and no restrictions have been notified either. This can always change with the upcoming DPDP Rules.

Sector-Specific Laws

The Digital Personal Data Protection Act further states that if another law offers more protection or stricter rules on transferring personal data outside India, that law will take precedence over the DPDP Act. Several Indian laws impose stricter data localization requirements across various sectors such as banking, finance, insurance, telecom, and investment:

  1. RBI’s 2018 Circular on Storage of Payment System Data mandates that all data related to payment systems must be stored exclusively within India. This includes customer data, payment-sensitive information, and transaction details. However, for transactions that have a component outside India, the relevant data may also be stored in the foreign country if necessary.
  2. RBI's 2017 Directions on Outsourcing of Financial Services by NBFCs: Direction 7.3 mandates that all original records related to offshore outsourcing of financial services must be maintained in India. Additionally, it is required that the regulatory authority of the offshore location does not have access to data related to the Indian operations of the NBFC, simply on the ground that the processing is being undertaken there.
  3. IRDAI (Maintenance of Insurance Records) Regulations, 2015 mandates insurers to ensure that the records pertaining to policies, claims and related records made in India are held in data centers located and maintained in India.
  4. IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 mandates that all original policyholder records need to be maintained in India.
  5. Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) provides under Principle 3(iii) that all data, including logs and any other related information pertaining to REs must be stored and processed within India's legal boundaries. For investors from outside India, the original data, transactions, and logs must be kept readily accessible within India.
  6. SEBI Advisory regarding SaaS based solutions: The Securities and Exchange Board of India (SEBI) has issued an advisory for entities like merchant bankers, credit rating agencies, STP service providers, debenture trustees, depository participants, and other financial institutions utilizing Software as a Service (SaaS) solutions. These organizations are required to store critical data sets, including credit and liquidity risk data, market risk data, system information, supplier information, system configuration data, audit/internal audit data, network topography, and design, within India.
  7. Companies Act 2013 under Section 128 says that every company must prepare and store books of account, other relevant books and papers, and financial statements at its registered office. An amendment on 5 August 2022 requires that all such records maintained electronically must be accessible in India at all times.
  8. DoT License Agreement for Unified License under Sec.39.23(viii) requires the licensee to not transfer any accounting information relating to subscriber (except for international roaming/billing) and any user information (except relating to foreign subscribers while roaming and IPLC subscribers), outside India.
  9. Ministry of Electronics and Information Technology’s Cybersecurity Directions 2022 mandate that service providers offering services to users in India must enable and maintain logs and records of financial transactions within India. This requirement is aimed at bolstering information security practices, procedures, prevention, response, and reporting of cyber incidents.
  10. Consumer Protection (Direct Selling) Rules, 2021, under Rule 5, stipulate that direct selling entities are required to store sensitive personal data within Indian territory.

Let us consider a couple of scenarios:

Let’s say HSBC is looking to upgrade its global data analytics capabilities: the bank must comply with the RBI's 2018 Circular on Payment Systems Data and set up or use existing local data centers for storing payment systems’ data, even if it wishes to analyze it on a global platform. Consider another case where LIC partners with a technology firm to develop AI-driven analytics for personalized insurance products. Under the IRDAI regulations, all policyholder data and claims information must be stored within India. Therefore, despite the potential efficiencies of using cloud services hosted internationally, LIC must ensure that all sensitive data is processed and stored locally.

Thus, even if a certain transfer of data is permitted under the DPDP Act, the transfer cannot take place if a different law prohibits it. 

How does the DPDP Compare with Other Data Protection Regimes? 

While the GDPR provides a structured process for cross-border data transfers, the DPDP Act's ambiguity creates uncertainty

Under the European Union’s General Data Protection Regulation (GDPR), data transfers are allowed when the receiving country or organization provides adequate protection for the personal data of European residents. The European Commission lists countries that meet this standard under Article 45. Additionally, transfers can occur between entities in different jurisdictions if they follow binding corporate rules as outlined in Article 47 or implement appropriate safeguards mentioned in Article 46. These rules help determine when and how data can be transferred across borders.

Unlike the GDPR, the DPDP Act permits transfers unless explicitly prohibited. The DPDP Act also offers no basis for determining which countries would be blacklisted. Currently, there is no requirement to justify the adequacy of data protection or to use mechanisms like standard contractual clauses or binding corporate rules to allow data transfers to restricted jurisdictions. 

How can Your Business Prepare for Future Changes?

Every step in your DPDP compliance journey is crucial

Much remains to be clarified while we await the notification of the DPDP Rules. In the meantime, Indian businesses must proactively monitor where their systems, vendors and technology service providers store personal data outside India. They should monitor for updates on blacklisted countries, understand sector-specific requirements, and prepare for potential new rules regarding data transfer mechanisms such as standard contractual clauses or binding corporate rules.

Compliance begins with understanding the law. We suggest you begin by reading our DPDP compliance checklist and articles on DPDP exemptions, applicability, and penalties to have a strong foundational understanding of the law as it stands now. 

In your compliance journey, you are sure to come across the need for a dedicated consent manager. Onboarding the right consent management tool is vital in nailing DPDP compliance for your business. Sign up for a demo of Leegality Consent Manager today for an easy plug and play solution to your DPDP challenges.  

References

  1. Sec. 16 (1) and (2) The Digital Personal Data Protection Act 2023 https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf 
  2. Directions 2 and 4 RBI Storage of Payment System Data Directions 2019 https://www.rbi.org.in/commonperson/English/Scripts/FAQs.aspx?Id=2995 
  3. Directions 7.3 RBI Directions on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs 2017 https://enforcementdirectorate.gov.in/sites/default/files/Act%26rules/THE%20PREVENTION%20OF%20MONEY%20LAUNDERING%20ACT%2C%202002.pdf 
  4. Sec. 3(9) IRDAI (Maintenance of Insurance Records) Regulations, 2015 https://irdai.gov.in/document-detail?documentId=604674 
  5. IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 https://irdai.gov.in/document-detail?documentId=604638 
  6. Principle 3(iii) Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) https://www.sebi.gov.in/legal/circulars/mar-2023/framework-for-adoption-of-cloud-services-by-sebi-regulated-entities-res-_68740.html
  7. Clause 3 Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions 2020 https://www.sebi.gov.in/legal/circulars/nov-2020/advisory-for-financial-sector-organizations-regarding-software-as-a-service-saas-based-solutions_48081.html
  8. Section 128 The Companies Act 2013 https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf 
  9. Sec.39.23(viii) Ministry of Communications and IT Department of Telecommunications https://dot.gov.in/sites/default/files/Unified%20Licence_0.pdf
  10. Ministry of Electronics and Information Technology’s Cybersecurity Directions 2022 https://imc.gov.in/WriteReadData/userfiles/file/2022/admision/Cyber%20Security%20Directions.pdf 
  11. Rule 5 Consumer Protection (Direct Selling) Rules, 2021 https://pib.gov.in/PressReleasePage.aspx?PRID=1785873 
  12. Articles 45-47 General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council 2016 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R067
