Cross-Border Data Transfer under Indian Law
Cross-border data transfer refers to the movement of personal data from India to another country or territory. In India, the primary legal framework governing such transfers is the Digital Personal Data Protection Act, 2023 (DPDP Act). The law adopts a relatively liberal yet controlled approach, allowing international data flows while empowering the government to impose restrictions where necessary.
Legal Framework and Approach
Unlike earlier draft regimes that proposed strict localization, the Digital Personal Data Protection Act, 2023 follows a “negative list” approach. This means that cross-border transfer of personal data is generally permitted except to those countries or territories that the Central Government may specifically restrict or prohibit.
This framework balances India’s participation in the global digital economy with concerns relating to data sovereignty and national security.
Permissibility of Cross-Border Transfers
A data fiduciary may transfer personal data outside India provided that the destination country is not restricted by the Central Government. The Act does not require prior approval for each transfer, nor does it mandate adequacy assessments or standard contractual clauses (as seen in jurisdictions like the EU).
This makes India’s regime comparatively business-friendly and facilitates ease of global operations for companies handling personal data.
Government Powers and Restrictions
The Central Government retains the authority to notify countries or territories where transfer of personal data is restricted. Such restrictions may be based on factors such as national security, strategic interests, or adequacy of data protection standards in the destination country.
This discretionary power acts as a safeguard to ensure that sensitive data is not transferred to jurisdictions that may compromise privacy or security.
Obligations of Data Fiduciaries
Even when cross-border transfers are permitted, data fiduciaries remain responsible for compliance with the Digital Personal Data Protection Act, 2023. They must ensure that:
Data is processed lawfully and for a specific purpose
Consent requirements are fulfilled (where applicable)
Adequate security safeguards are implemented
Data principals’ rights are respected
Importantly, transferring data outside India does not dilute the fiduciary’s obligations. Accountability remains with the entity that collected and processed the data.
Special Considerations for Significant Data Fiduciaries
Entities classified as Significant Data Fiduciaries (based on volume, sensitivity, or risk factors) may be subject to additional compliance requirements. While the Act does not impose explicit localization mandates, these entities may face stricter scrutiny in terms of risk management, audits, and governance.
Cross-border transfers by such entities are expected to be handled with higher diligence and internal controls.
Interaction with Other Laws
Cross-border data transfer may also be influenced by sector-specific regulations. For example, financial data, health data, or telecom data may be subject to additional restrictions under regulatory frameworks issued by authorities such as the Reserve Bank of India or sectoral regulators.
Thus, compliance requires a layered approach, considering both the Digital Personal Data Protection Act, 2023 and applicable sectoral laws.
Data Protection Board and Enforcement
In case of violations, such as unauthorized transfer to restricted jurisdictions or failure to implement safeguards, the Data Protection Board of India may impose penalties. The Act provides for significant financial penalties depending on the nature and severity of non-compliance.
This ensures that cross-border transfers are not misused or carried out negligently.
Comparison with Global Standards
India’s approach differs from stricter regimes like the EU’s GDPR, which requires adequacy decisions or contractual safeguards for cross-border transfers. Instead, India emphasizes regulatory flexibility and executive oversight.
This model is designed to support India’s digital economy while retaining sovereign control over sensitive data flows.
Conclusion
Cross-border data transfer under Indian law is governed by a pragmatic and evolving framework under the Digital Personal Data Protection Act, 2023. By allowing transfers to most jurisdictions while empowering the government to impose targeted restrictions, the law strikes a balance between global data mobility and national interests. For data fiduciaries, the key takeaway is that international transfer does not reduce compliance obligations—responsibility for protecting personal data remains firmly within their control.







