Part one of this series on India’s Digital Personal Data Protection Act, 2023 (the Act) looked into the Act’s scope and application and part two delved into consent and legitimate uses. In part three of this series, Rachit Bahl, Rohan Bagai, and Karishma Sumi discuss the provisions applicable to transfer (including cross-border transfer) of digital personal data under the Act in India.
Introduction
India enacted the Digital Personal Data Protection Act, 2023 (the Act) on August 11, 2023. Once its provisions are brought into force, the Act will replace Section 43A of the Information Technology Act, 2000 (the IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules).
The Act introduces a distinctive concept of a fiduciary relationship between data subjects (the natural persons to whom the personal data relates) and data controllers (the persons who determine the purpose and means of processing that personal data), classifying them as ‘data principals’ and ‘data fiduciaries’ respectively. Like data protection regimes in other jurisdictions, the Act also recognises data processors, who process personal data on behalf of data fiduciaries, and obliges data fiduciaries to ensure, through contractual arrangements, that their data processors comply with the Act.
Local transfer of personal data
Under the Act, personal data can be freely transferred within India as long as the transfer complies with all the requirements that apply to ‘processing’ of personal data under the Act. In particular, the processing must be based on either: (i) the data principal’s consent to the processing of their personal data for a lawful purpose; or (ii) one of the ‘legitimate uses’ specifically identified in the Act¹.
Cross-border transfer of personal data
The Act allows a data fiduciary to transfer personal data for processing to any country or territory outside India, unless the Central Government, by notification, restricts transfers to specified countries or territories. In other words, the Act adopts a blacklisting approach: cross-border transfers of personal data from India face no additional hurdle unless the destination country or territory has been ‘blacklisted’ by the Central Government. All other obligations that apply to local transfers of personal data (discussed above) must also be met for cross-border transfers.
Interplay with other laws or sector-specific regulations
If any other law or sectoral regulation provides a higher degree of protection for, or restriction on, the transfer of personal data outside India, whether in relation to particular personal data or to a class of data fiduciaries, that law or regulation will apply.
For instance, the Reserve Bank of India (RBI), through its circular dated April 06, 2018 on Storage of Payment System Data (the Circular), directed all payment system providers to ensure that all payment data is stored in systems located only in India. The RBI subsequently clarified that where a payment transaction is processed abroad, the payment data relating to that transaction must be deleted from the systems abroad and brought back to India not later than one business day or 24 hours from payment processing, whichever is earlier. Since the sectoral regulator has prescribed a higher standard for payment system operators, requiring hard localization of payment system data, that sector-specific regulation will prevail and is not displaced by the Act.
Transfers to data processors
If personal data is transferred by a data fiduciary to a data processor for processing, the ultimate responsibility for compliance with the Act in respect of that processing remains with the data fiduciary. A data fiduciary will therefore need to ensure that any transfer to a data processor is backed by a valid contract between the data fiduciary and the data processor. This contract must, inter alia, include:
- suitable representations, warranties, and indemnities to ensure that the data fiduciary remains safeguarded in case of any unauthorized processing of personal data by the data processor; and
- obligations imposed by the data fiduciary on the data processor to ensure that the processor implements appropriate technical and organizational measures for effective observance of the provisions of the Act, and protects the personal data in its possession or control by taking reasonable security safeguards to prevent a breach of personal data.
Footnote:
1. See India: Digital Personal Data Protection Act, 2023 part two – consent and legitimate uses, for more details on ‘legitimate uses.’