International Transfer Of Personal Data

J
JSA

Contributor

JSA is a leading national law firm in India with over 600 professionals operating out of 7 offices located in: Ahmedabad, Bengaluru, Chennai, Gurugram, Hyderabad, Mumbai and New Delhi. Our practice is organised along service lines and sector specialisation that provides legal services to top Indian corporates, Fortune 500 companies, multinational banks and financial institutions, governmental and statutory authorities and multilateral and bilateral institutions.
In the sixth instalment of the Prism, we analyse how the Digital Personal Data Protection Act, 2023 ("DPDPA") regulates the transfer of personal data outside India.
India Privacy

In the sixth instalment of the Prism, we analyse how the Digital Personal Data Protection Act, 2023 ("DPDPA") regulates the transfer of personal data outside India. In today's world, cross-border transfer of personal data is crucial for businesses. Therefore, it is pertinent to understand how DPDPA allows international transfer of personal data. In the latter section of the Prism, we examine how major data protection laws, such as the General Data Protection Regulation ("GDPR"), California Consumer Protection Act ("CCPA"), Singapore's Personal Data Protection Act ("PDPA") regulate international transfer of personal data to help businesses identify if there are any gaps in compliances.

Restriction on transfer of personal data in the DPDPA

1528330a.jpg

  1. The transfer of personal data can be restricted to countries or certain territories.
  2. Unlike the GDPR which allows for implementing appropriate safeguards (like incorporating standard contractual clauses, or binding corporate rules), or permits relying on derogations (such as relying on data subject's consent) for cross-border transfer of personal data, DPDPA does not allow alternative transfer mechanisms to undertake transfer of personal data outside India.
  3. In the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, ("IT Rules"), a body corporate or its processors could transfer sensitive personal data to any body corporate located in any other country that ensures the same level of data protection as provided under the IT Rules for the performance of a lawful contract between the body corporate or its processors and the data subject or if the data subject has consented to such data transfer.

Applicability of other laws

1528330b.jpg

  1. There are various sectoral regulations that mandate the storage of data within the boundaries of India, for example; the Reserve Bank of India's ("RBI") circular No. 2785/06.08.005/2017-18 dated April 6, 2018 mandates entities in the payment ecosystem to store payment systems data in India; the Companies Act of 2013 mandates companies to maintain books of account in electronic mode in India, and registers and copies of the annual return filed to be kept at the registered office of the company; companies providing voice based business process outsourcing services (which are called as 'Other Service Providers' ("OSPs")) are required to maintain a copy of certain data and system logs in India if their Electronic Private Automatic Branch Exchange (EPABX) is outside in India as per the revised OSP guidelines No. 18-8/2020 dated June 23, 2021 released by the Department of Telecommunications, etc.
  2. Territorial blacklists are not uncommon and are also seen in some other laws in India. For example, under the extant foreign exchange laws in India, a person cannot acquire/transfer any immovable property in India, other than lease, not exceeding 5 (five) years without permission from RBI if they belong to any of the following countries: Pakistan, Bangladesh, Sri Lanka, Afghanistan, China, Iran, Nepal, Bhutan, Macau, Hong Kong, Democratic People's Republic of Korea. Similarly, the Export Credit Guarantee Corporation of India ("ECGC") has classified certain countries like Afghanistan, Sri Lanka, Syria, Central African Republican, Ghana, North Korea, Palestine, Zimbabwe, etc. as restricted countries since they pose high political risks. The export of goods to such countries requires the prior approval of the ECGC.

Comparison with select data protection laws around the world

DPDPA GDPR CCPA PDPA
Under DPDPA, the Central Government may release a list of countries or territories to which personal data may not be transferred.

Any applicable law that provides for a higher degree protection of personal data or higher restriction on transfer of personal data will supersede the provisions of DPDPA.

The GDPR permits the cross-border transfer of personal data based on an adequacy decision. In the absence of such a decision, transfers may occur by implementing appropriate safeguards, which may include the use of standard contractual clauses or binding corporate rules. If neither an adequacy decision nor appropriate safeguards are in place, the GDPR allows for the transfer of personal data under specific derogations. These derogations include situations where the data subject has given explicit consent, where the transfer is necessary for the performance of a contract, or where it serves a legitimate public interest. Transfers may also be conducted if they are necessary for the establishment, exercise, or defence of legal claims, among other valid grounds. The CCPA does not specifically mention any restriction on international transfer of personal data. An organisation may transfer personal data to a country or territory outside of Singapore, provided that the organisation ensures a standard of protection for the personal data transferred as provided under the PDPA.

The Personal Data Protection Commission may exempt organisations from the above requirement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More