JSA Prism | Data Privacy (Edition 6) | October 2024


 

International transfer of personal data

In the sixth instalment of the Prism, we analyse how the Digital Personal Data Protection Act, 2023 (“DPDPA”) regulates the transfer of personal data outside India. In today’s world, cross-border transfer of personal data is crucial for businesses. Therefore, it is pertinent to understand how the DPDPA allows international transfer of personal data. In the latter section of the Prism, we examine how major data protection laws, such as the General Data Protection Regulation (“GDPR”), California Consumer Protection Act (“CCPA”) and Singapore’s Personal Data Protection Act (“PDPA”), regulate international transfer of personal data, to help businesses identify any gaps in compliance.

 

Restriction on transfer of personal data in the DPDPA

  1. The transfer of personal data can be restricted to countries or certain territories.
  2. Unlike the GDPR, which allows for implementing appropriate safeguards (like incorporating standard contractual clauses or binding corporate rules) or permits relying on derogations (such as relying on the data subject’s consent) for cross-border transfer of personal data, the DPDPA does not allow alternative transfer mechanisms to undertake transfer of personal data outside India.
  3. In the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, (“IT Rules”), a body corporate or its processors could transfer sensitive personal data to any body corporate located in any other country that ensures the same level of data protection as provided under the IT Rules for the performance of a lawful contract between the body corporate or its processors and the data subject or if the data subject has consented to such data transfer.

 

Applicability of other laws

  1. There are various sectoral regulations that mandate the storage of data within the boundaries of India. For example: the Reserve Bank of India’s (“RBI”) circular No. 2785/06.08.005/2017-18 dated April 6, 2018 mandates entities in the payment ecosystem to store payment systems data in India; the Companies Act of 2013 mandates companies to maintain books of account in electronic mode in India, and registers and copies of the annual return filed to be kept at the registered office of the company; and companies providing voice-based business process outsourcing services (which are called ‘Other Service Providers’ (“OSPs”)) are required to maintain a copy of certain data and system logs in India if their Electronic Private Automatic Branch Exchange (EPABX) is outside India, as per the revised OSP guidelines No. 18-8/2020 dated June 23, 2021 released by the Department of Telecommunications, etc.
  2. Territorial blacklists are not uncommon and are also seen in some other laws in India. For example, under the extant foreign exchange laws in India, a person cannot acquire/transfer any immovable property in India, other than a lease not exceeding 5 (five) years, without permission from RBI if they belong to any of the following countries: Pakistan, Bangladesh, Sri Lanka, Afghanistan, China, Iran, Nepal, Bhutan, Macau, Hong Kong, Democratic People’s Republic of Korea. Similarly, the Export Credit Guarantee Corporation of India (“ECGC”) has classified certain countries like Afghanistan, Sri Lanka, Syria, Central African Republic, Ghana, North Korea, Palestine, Zimbabwe, etc. as restricted countries since they pose high political risks. The export of goods to such countries requires the prior approval of the ECGC.

 

Comparison with select data protection laws around the world

DPDPA: Under DPDPA, the Central Government may release a list of countries or territories to which personal data may not be transferred. Any applicable law that provides for a higher degree of protection of personal data or higher restriction on transfer of personal data will supersede the provisions of DPDPA.

GDPR: The GDPR permits the cross-border transfer of personal data based on an adequacy decision. In the absence of such a decision, transfers may occur by implementing appropriate safeguards, which may include the use of standard contractual clauses or binding corporate rules. If neither an adequacy decision nor appropriate safeguards are in place, the GDPR allows for the transfer of personal data under specific derogations. These derogations include situations where the data subject has given explicit consent, where the transfer is necessary for the performance of a contract, or where it serves a legitimate public interest. Transfers may also be conducted if they are necessary for the establishment, exercise, or defence of legal claims, among other valid grounds.

CCPA: The CCPA does not specifically mention any restriction on international transfer of personal data.

PDPA: An organisation may transfer personal data to a country or territory outside of Singapore, provided that the organisation ensures a standard of protection for the personal data transferred as provided under the PDPA. The Personal Data Protection Commission may exempt organisations from the above requirement.

 

This Prism has been prepared by:

Akshaya Suresh
Partner

Aravindini Magesh
Associate

 
