The Author, Wafiya Faiz, 3rd year, BA.LLB, Jamia Millia Islamia. She is currently interning with LatestLaws.com and the Indian Dispute Resolution Centre.
Introduction
In a digital world, entities render services to users across the world. They cater world wide customers from every corner. In such cases, data transfer is inevitable. It plays an important role in facilitating global trade and services for business organisations.[1] There is also a direct link to the economic growth of a nation. The ability to transfer data across borders triggers the financial growth of industries, which escalates the economy of the country. The complexity that lies in data transfer is more stringent in case of protection of sensitive information[2]. Varying transfer of data across borders requires privacy protection laws to protect from any misuse of data. There are jurisdictions which impose data protection laws for the transfer of sensitive personal data. Purchase of online clothes, accessories and even books involve data transfer. Retail cross-border transfer usually involves consumer-to-consumer business. In common parlance, cross-border involves those kinds of transfers which took place between individuals or entities of different countries. It also enforces financial transactions between parties located in varying jurisdictions. These transactions require transfer of stringent data from one jurisdiction to another. Private data are also transferred which may concern the privacy law. Unrestricted transfers are more prone to risk to individual privacy and even national security. Considering this, India also recently enacted the Digital Personal Data Protection Act, 2023 (DPDA). In its initial draft, the bill proposed complex regulations around cross border transfers.[3] Previously, it proposed versions of India’s data protection bill that contained stringent data localisation mandates. While the new act has adopted a more flexible approach, it also broadens the scope of having more stringent data protection law.
Cross-Border Data Transfer Framework
The Digital Personal Data Protection (DPDP) Act, 2023, is a comprehensive data privacy law in India, enacted to regulate the processing of digital personal data. The Act received the President's assent on August 1, 2023.[4] At the moment, India does not have a standalone law on data protection. Personal data laws are regulated by the Information Technology (IT) Act, 2000.[5] Back in 2017, the central government constituted a committee of experts to look on data protection in the country. A report of the committee was submitted in July 2018.[6] It was after the committee’s recommendation that the Personal Data Protection Bill, 2019, was introduced in the Lok Sabha in December 2019.[7] Soon the bill was referred to a Joint Parliamentary Committee. The report was submitted in December 2021. It was in November 2022 that a draft Bill was released for public consultation, and finally, in August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in the Parliament.[8]
It is said that data is the “modern -day gold”. An efficient safeguard is required to protect it from cyberattacks. Modern-day crimes are digitalised, expanding beyond one's jurisdiction. DPDP Act, 2023 being the latest law in India permits cross-border data transfer unless the Indian government specifically restricts them to certain countries through a notification[9]. Section 16[10] of the Act is central to cross-border transfers. According to this section, the central government is to notify certain countries or territories to which personal data may not be transferred[11]. There is an unfettered transfer of data from India to different countries across the globe, it poses privacy issues to the security of the nations, Section 16(1) provides the blanket restriction to countries that pose a threat to national security. An analysis by the Indian Council for Research on International Economic Relations (ICRIER)[12] revealed that “a mere 1% decrease in cross-border data flows can potentially result in a loss of 696.71 million US dollars in trade for India. Therefore, stringent restrictions on data flows can also severely impact India’s trade prospects.” Thus, the open-ended approach of DPDPA with regard to cross-border data transfer can be attributed to India’s economic need and strategy[13].
It is to be noted that the Act does not explicitly mention where data can be sent, instead it restricts to specific nations which are to be notified by the government.
International Roots of India’s DPDP Act
The Digital Data Protection Act of 2023 is inspired by the core principles of the European Union's General Data Protection Regulation (GDPR). The famous K.S. Puttaswamy v. Union of India (2017)[14] Judgment is the foundation stone for privacy consciousness in the digital realm.[15] This decision stemmed from the challenge to the Aadhaar scheme, which was later asserted to have violated privacy rights. In this case, the Hon’ble Supreme Court held that privacy is a fundamental right under Article 21[16] of the Constitution and any data processing must adhere to the principles of necessity, proportionality, and informed consent. As a result of this judgment, the Justice B.N. Srikrishna committee drafted a personal data protection bill, now the Digital Personal Data Protection Act (Herein referred to as DPDP Act). This judgment has indirectly influenced the development of data protection law globally, including the GDPR. It has been cited in different countries in discussions and debates on data protection and privacy worldwide[17]. GDPR supersedes the UK Data Protection Act 1998 (DPA 1998). It was based on the principle of lawfulness, fairness and transparency. Section 8[18] of the DPA act 1998 addresses the rules for cross-border transfer of personal data. It is also known as the eighth data protection principle. As per this section, personal data is not to be transferred to any country which is outside the European Economic Area unless an adequate level of privacy protection is provided for the personal data.[19] Following the DPA Act 1998, subsequent legislation like the Data Protection Act 2018 and the UK GDPR has expanded the scope, albeit section 8 remains the primary reference for cross-border data transfer. It was after Brexit that DPA 2018 and UK GDPR replaced the DPA 1998 and the EU GDPR in the UK[20].
Article 32 of the General Data Protection Regulation (GDPR)[21] mandates that data controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Also, Article 17 of the International Covenant on Civil and Political Rights (ICCPR)[22] protects the right to privacy and ensures protection under the law against such interference or attacks. Under GDPR, Article 44 to 50[23] in chapter V addresses the cross-border data transfers. Article 44 of GDPR sets out the general principle of personal data that can only be transferred to third parties if conditions laid down in chapter V are met. In a much broader term, Article 45 deals with data that can only be transferred in countries or organisations that provide adequate protection for personal data to European residents. Article 46 led down appropriate safeguards such as binding corporate rules. Herein, transfers of data are permissible only in those countries which are deemed by the European Commission to have adequate data protection mechanisms, whereas in the DPDP Act, 2023, transfers are allowed in countries that the Indian Central government explicitly notifies. There is no requirement in Indian data protection law in regards to contractual safeguards while in GDP, Standard Contractual Clauses or Binding Corporate Rules are required. For business operating internationally, under GDPR, transfer of data is done with careful compliance of legal safeguards while under DPDP, cross border transfer of data requires government regulation.
Challenges Ahead
The Digital Personal Data Protection Act (DPDP) Act, 2023 has adopted a progressive approach by adopting several regulatory, operational and policy-related changes, it also sets for restrictive data localisation. There are unresolved questions regarding the current legal framework. Section 16(1) of the act only states about countries where data transfer is not permitted as per the notification release by the Central Government which creates a negative connotation. There is no strict formula set for the selection of these countries. This uncertainty has the possibility to create an impact on multinational companies that are relying on global cloud infrastructures. In addition to this, this power to restrict the transfer of personal data to countries is with the Central government, with no mechanism for public consultation or parliamentary approach. This shows a lack of transparency in the system. Unlike GDPR, there is no standard contractual clause available for the transfer of data. There is a need to fill the gap of incomplete cross-border data transfer for an efficient approach.
Conclusion
The DPDP Act is a structured framework for cross-border data transfers[24]. It facilitates the transfer of data in accordance with statutory limitations. However, with increasing importance, it also poses challenges. Stringent safeguards are required to protect data from cyberattacks. There is a need to opt for a liberal approach to overcome challenges posed by the DPDP Act. Understanding its implications is essential; thus, Sensitive data of one jurisdiction should not be transferred outside, as it concerns national and individual security. The term “sensitive personal data” is defined in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, a subordinate legislation flowing from the IT Act. These specialised rules define sensitive personal data under Rule 3 as: Sensitive personal data or information of a person means such personal information which consists of information relating to— (i) password; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract[25]. The international legal framework has also adopted measures to protect sensitive data. While the GDPR has adopted a more restrictive model, DPDP has adopted a more open-ended approach by restricting only those countries which are explicitly blacklisted. India’s DPDP Act strikes a balance between digital innovation and citizen protection in a rapidly digitalised economy.
References:
[5] Report of the Joint Committee on The Personal Data Protection Bill, 2019, ( December 2021).
[6] “ A free and Fair Digital Economy Protecting Privacy, Empowering Indians’, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, July 2018.
[7] The personal Data protection Bill,2019 was introduced in Lok Sabha.
[10] Digital Personal Data Protection Act, 2023, § 16
[14] K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
[16] Indian constitution Art. 21
[18] UK Data protection Act 1998, § 8.
[20] G. Bolatbekkyzy, “Legal Issues of Cross-Border Data Transfer in the Era of Digital Government” ( Vol 2, No 2, 2024).
[23] Supra note 20 at Art. 44 to 50
[25] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 3.
