Cross-Border Data Transfers: Best Practices under India’s Data Protection Laws

India passed the Digital Personal Data Protection Act, 2023 (“DPDPA”) – the nation’s first dedicated data protection statute – on August 11, 2023. The DPDPA undeniably marks a significant advance in aligning India’s domestic laws with international standards for data protection and privacy and is intended to replace the existing Indian Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).

Notably, the DPDPA sets out a comprehensive legal framework for protection of personal data of individuals residing in India, akin to the European Union (EU) General Data Protection Regulation (GDPR). Like the GDPR, the DPDPA has extra territorial application – it also regulates processing of personal data (of individuals resident in India) by a person located outside Indian territory, provided such processing is carried out in connection with offering of goods or services to Indian residents. Accordingly, any person engaged in processing personal data of Indian residents (in digital form) is required to comply with the provisions of the DPDPA – irrespective of whether or not such person is located in India.

While the DPDPA parallels the GDPR in certain aspects, however, it has its own distinct structure and requirements – including, notably, requirements in relation to regulation of the cross-border transfer of personal data. For Indian as well as foreign business organizations (whether targeting Indian consumers and/or engaging in cross border trade with Indian business partners) which are now subject to regulation under the DPDPA – it is accordingly exceedingly relevant to understand the scope and application of requirements set out thereunder in respect of transfer and processing of personal data of Indian residents and to implement necessary steps to ensure compliance thereto.

Moreover, it is also relevant for stakeholders to have awareness and understanding of statutory requirements ahead of the upcoming (eminent) release of the draft Rules formulated under the DPDPA by the Indian Government (for the purpose of implementation of statute). This is also since it is speculated that the draft Rules will likely provide a short transition period (of around 6-8 months) to stakeholders for statutory compliance.

Scope and Application of the DPDPA

The DPDPA regulates the processing of digital personal data of “Data Principals” (i.e. the individuals to whom the data relates). Simply put, the statute applies to the processing of any personal data in digital form – whether collected in digital form or collected in non-digitized format and subsequently digitized.

In relation, the DPDPA adopts a broad statutory definition of the term “personal data” – classifying this as any data about an individual “who is identifiable by or in relation to such data”. Further, where the individual to whom personal data relates comprises a child (i.e. any individual less than 18 years of age) the term Data Principal includes the parents or lawful guardian of such a child per the statue. The statute further stipulates that in so far as the personal data relates to any person with “disability” the term Data Principal would also include his/her lawful guardian

Further, the statue is also extra-territorial in application – as mentioned above, it applies to the processing of digital personal outside Indian territory, provided such processing is carried out in connection with offering goods or services to Data Principals located in India. Thereby, it applies to any business organization engaged in processing digital personal data of Indian consumers for commercial purposes, irrespective of whether the relevant business organization is located within India.

Key Stakeholders under the DPDPA

For the purpose of regulation, the DPDPA principally recognizes and demarcates stakeholders as “Data Fiduciary” and “Data Processor”. Under the statute, a “Data Fiduciary” comprises any person who, alone or in conjunction with other persons, determines the purpose and means of the processing of personal data. Meanwhile, the term “Data Processor” broadly encompasses any person who processes personal data on behalf of a Data Fiduciary.

The above designations employed by the statute are arguably akin (but not alike) to the designation of Data Processor and Data Controller under EU’s GDPR. It is important for international stakeholders, in particular, to note that these terms do not carry equivalent connotations in respect of statutory obligations.

Illustratively, the DPDPA places the primary liability for management, security and processing of personal data (and the protection of the rights and interests of Data Principals) on the Data Fiduciary. The Data Fiduciary is held responsible for the Data Processor(s) engaged by it, including for ensuring appropriate conduct and statutory compliance at the end of such Data Processor(s). It is anticipated, however, that the forthcoming Rules under the DPDPA could further elaborate upon the obligations and duties applicable to the Data Processors.

It is worth noting also that the DPDPA empowers the Indian Government to classify a certain Data Fiduciary or a certain class of Data Fiduciary as a “Significant Data Fiduciary”. The statute (non-exhaustively) stipulates that such classification may be based on factors such as the volume and sensitivity of the data processed by the Data Fiduciary, the risk of harm to the Data Principal and potential impact on the sovereignty and integrity of India and its security. The statute also prescribes enhanced compliance obligations for Significant Data Fiduciaries, which include the mandatory appointment of a local Data Protection Officer in India, engagement of an independent Data Auditor and the conduct of periodic Data Protection Impact Assessments. Further information on such measures and classification of the Significant Data Fiduciaries is also anticipated to be provided by the Indian Government under the forthcoming Rules.

Regulation of Cross Border Data Transfer

The DPDPA introduces certain important provisions in relation to cross-border processing and transfer of personal data, which are elaborated below.

• Restrictions on Transfer of Personal Data

The DPDA empowers the Indian Government to restrict the transfer of personal data by a Data Fiduciary to certain foreign countries or territories (as may be notified). Thereby, the Indian Government can exercise this statutory power to blacklist a foreign territory or country prospectively and prohibit stakeholders from transfer of any personal data thereto.

In this regard, it is worthwhile to note that the DPDPA doesn’t provide for the criteria basis which such restriction may be imposed by the Indian Government as regards a particular jurisdiction. However, it is speculated that clarity on this aspect may be incorporated in the draft Rules (to be issued under the DPDPA).

• Statutory Exemptions

The DPDPA exempts certain instances of data processing and transfer from prohibition (in exercise of the statutory power granted by the Indian Government. This exemption extends to instances where data processing is necessary for the following purposes:

1. 1. for enforcing any legal right or claim;
   2. for discharge of functions any competent court or judicial or quasi-judicial or authority in India;
   3. for prevention, detection, investigation or prosecution of any offence or contravention of any law in force in India;
   4. where personal data of Data Principals (located outside India) is processed subject to contract between an Indian and any foreign (offshore) entity;
   5. for carrying out legally approved acquisition, merger or amalgamation or similar arrangement between two or more companies;
   6. for ascertaining the financial information and assets and liabilities of any person who has defaulted in payment of a loan or advance taken from a financial institution

• Concurrent Application of Additional Laws

The DPDPA clarifies that its provisions will not impact existing law in India which provides for “…a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India…” than the threshold of protection established under the DPDPA.

This indicates that while transferring personal data outside India, multinational and other organizations will also require to comply with any Indian laws (as may be applicable) which provide for higher degree of protection or restriction than the DPDPA itself.

Conclusion: Key Ramifications & Best Practices for Businesses 

• Key Ramifications

The introduction of the DPDPA carries significant implications for domestic as well as international businesses engaged in trade in India – given its extraterritorial nature. With the enactment of the statute, a diverse set of stakeholders including multinational/international corporations or services providers with or without corporate presence in India, particularly in the e-commerce and IT industry are now subject to carry out compliance thereunder.

From a practical perspective, stakeholders under the statue – including international or domestic business(es) operating in India – may qualify as Data Fiduciary or Data Processor or both. While businesses qualifying simply as a Data Processor will admittedly have a relatively lesser compliance burden under the DPDPA, they can still expect to deal with contractual obligations and negotiations regarding statutorily prescribed practices and procedures as part of their business arrangements/dealings with Indian stakeholders.

Further, while the DPDPA does not impose specific restrictions or requirements on the transfer of data overseas, it – unlike the SPDI Rules – provides for prohibition of transfer of personal data to certain foreign jurisdictions or territories, as may be “blacklisted” by the Indian Government. This aspect of the DPDPA carries significant implications for businesses reliant upon outsourcing or overseas operations or otherwise operating in industries where data processing is integral to the offering of goods and services. Such businesses may face significant challenges in conducting business with Indian customers – since should the foreign country or territory, where important affiliates or partners are located, be blacklisted by the Indian Government subject to the DPDPA.

• Considerations & Best Practices for Businesses

If a territory or country is blacklisted by the Indian Government, it is implicit that any collection or processing of data by relevant affiliates or partners in such territory or country will also be restricted. For adequately safeguarding business interests, it thus becomes necessary for relevant stakeholders to seek advisory to align their practices with the procedures prescribed in the DPDPA as well as to understand the recourse available to them under the statute.

Illustratively, it can be inferred that the statutory exemptions set out in the DPDPA are largely intended to facilitate the discharge of official functions by law enforcement, banking and judicial authorities in India. For multinational and other business organizations, however, it is relevant to note that the statute exempts the processing of personal data where such processing is carried out as part of a merger or amalgamation or similar arrangement between two or more corporate entities. Further, it exempts the processing of data subject to a contract between a domestic party (located in India) and a foreign party.

Consequently, relevant stakeholders – in particular businesses involved in outsourcing services or goods to or from India or business groups having or seeking control or ownership of entities in India – can employ the aforementioned two exemptions as grounds to transfer personal data of Data Principals to a foreign jurisdiction which has been blacklisted by the Indian Government prospectively (in exercise of its powers under the DPDPA) – provided that data transfers are otherwise conducted in alignment with the requirements under the DPDPA.

To provide context, relevant considerations and requirements for stakeholders under the DPDPA include collection of informed consent from Data Principals, including for transfer of their; the management of such consent (including accounting for withdrawal of consent); employment of adequate protocols and contractual arrangements with third parties for maintaining confidentiality and security of data and/or handling of requests from Data Principals for retention/erasure/correction of data etc.

In addition to the DPDPA, stakeholders must be prepared also for additional compliance under applicable laws and sector-specific regulations in India which prescribe a higher threshold of protection for the transfer and protection of personal data in India. For reference, these include relevant regulations of the Reserve Bank of India (RBI), Telecom Regulatory Authority of India (TRAI), Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority (IRDAI), per which requirements are set out for applicable stakeholders in relation to localization of storage of certain kinds of data and records. Interestingly, the SPDI Rules are also included within the scope of applicable laws at present – and will remain applicable until the time the DPDPA is fully implemented in India.

Author: Ms. Ashneet Hanspal (Senior Associate)