Data Privacy: Cross Border Data Transfer

August 10, 2022


With the evolving times, the importance of data in the wake of widespread usage of the internet has increased manifold. Across nations, data protection laws have changed drastically over the past few decades.

Globalisation and the accessibility of the global market to the world have also led to better connectivity and communication through the internet. Trade, foreign direct investment, short-term financial flows, knowledge, and labour migrations are a few of the distinct components of globalisation.

Localized, or the free flow of ideas that has resulted from the reduction of transmission costs and the closer integration of societies, is at the top of the list.

Security of data in general and personal data specifically during cross-border transactions has become significant and will continue to be critical to businesses in the future given that the data transfers will only increase as more and more businesses go digital.

Economic globalisation is, in a limited sense, the growth of international trade and investment. One aspect of economic globalisation is the increase in the digitization of economic activity, especially in the key information industries like finance and specialised business services.

There are many different ways that the Internet has impacted globalisation. The modernisation and advancement of the business sector on the World Wide Web (hereinafter referred to as “WWW”) are among the benefits of the Internet for globalisation.

With more effective electronic transaction processing and immediate access to information, businesses increase their productivity and competitiveness on a worldwide scale. Due to the increased market competition, consumers now have wider options.

However, this digital development has also raised concerns about data safety and the protection of users' sensitive data against exploitation and misuse, and thus the discussion on Cross Border Data Transfer (hereinafter referred to as “CBDT”) becomes important at the present time.


On a personal level, a tremendous amount of personal information is exchanged, gathered, and stored online under the guise of personalising and thereby making our online existence more comfortable. One of the most prominent concerns that has arisen as a result of the spread of the digital economy and space is the “adequacy” of the security of the personal data of the users.

Data transfers across international borders are permitted if the user expressly consents to the code of conduct that has been approved by the appropriate supervisory body. This code of conduct must contain vital details on the measures in place to protect data and data rights.

The businesses in the digital economy work on an international level, thereby necessitating the transmission of personal data across borders. The five main factors that allow cross-border transfers of personal data in jurisdictions with dedicated data protection laws are:

1. Adequacy;

2. Informed permission;

3. Contractual needs;

4. Interest of the Data Subjects or other people; and

5. Overriding state or legal purpose.

According to the concept of adequacy, data can only be transmitted across international boundaries if the Receiving State has laws in place that provide adequate data protection, or at the very least, equal to the minimum level of protection provided in the Transferor State.

General Data Protection Regulation and its compliances across the globe

European privacy laws, and now the General Data Protection Regulation (hereinafter referred to as “GDPR”) permit the free flow of personal data within the European Union (hereinafter referred to as “EU”).

Cross-border transfer of personal data to a non-EU country also ensures that the personal data enjoys an ‘adequate’ level of protection in such a country, which is essentially ‘equivalent’ to that within the EU.

The United States of America (hereinafter referred to as “USA”) introduced the EU-US Safe Harbour Framework (hereinafter referred to as “Safe Harbour Framework”). The Safe Harbour Framework is a set of guidelines or principles that is to be followed by businesses that receive data from the EU.

The Safe Harbour Framework has resulted in the free flow of personal data from the EU to the USA, provided that the entity receiving the personal data complies with the privacy principles contained in the Safe Harbour Framework.

Position in India

Comprehensive general data protection legislation for India is eagerly awaited since the Supreme Court declared the Right to Privacy as a Fundamental Right in Justice K.S. Puttaswamy vs. Union of India [(2019) 1 SCC 1].

In December, the Joint Parliamentary Committee (hereinafter referred to as “JPC”) presented its report on the Personal Data Protection Bill, 2019 (hereinafter referred to as “PDP Bill”), after almost two years of deliberations. It proposed nearly 81 amendments and 12 recommendations to the 2019 Bill and also proposed the draft of the Data Protection Bill, 2021 (hereinafter referred to as “DP Bill”). These changes include language which could affect cross-border data flows both under approved “standard” contractual clauses and under data adequacy decisions.

Subsequent to the various amendments, the Indian Government has withdrawn its long-awaited Personal Data Protection Bill, which drew scrutiny from several data privacy experts and tech giants who apprehended that the legislation could restrict how they managed sensitive information while giving the Government broad powers to access it. The Government is now working on creating a more “comprehensive legal framework” and presenting a new Bill.

Cross-border data flows are of the essence to modern international trade and commerce. Restrictions, or uncertainty, on these flows can impede transactions such as outsourcing and investments. India, as a country which is a global locus for both outsourcing and investments, needs to strike a balance between the needs of sovereignty and enabling business.

Localisation comes in several flavours, and certain forms are more easily complied with than others. For instance, Soft Localisation, such as requiring that copies of sensitive personal data be available within India, mainly means additional cost and infrastructure. Hard Localisation, however, such as the prohibition on export of undefined “critical” personal data under the PDP Bill, can require re-architecting business processes or stop data flow entirely.

Under the PDP Bill, sensitive personal data which includes financial, health, and biometric data could be sent outside India under a contract or intra-group scheme approved by the Data Protection Authority (hereinafter referred to as “DPA”). This is a familiar mechanism internationally and significant volumes of cross-border data flows are enabled under “standard” contractual clauses which data regulators approve.

Lack of proper protection has also become an increasing worry over the past few months. Due to the breach of users’ data privacy, the Indian Government recently banned a number of Chinese programmes, including TikTok, UC Browser, and BeautyPlus.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as “IT Rules”) in India recognise the need for sufficient protection while sending sensitive personal data across international borders.


At the moment, countries are struggling to translate de facto global standards on data privacy and protection into local contexts, creating a risk regarding adequate protection of the data of their citizens. The inadequate data protection will also come up as a hurdle in the development of the domestic digital economies of such countries.

While there is a broad agreement on the principles put forward in the Organisation for Economic Co-operation and Development Guidelines (hereinafter referred to as “OECD Guidelines”) on the Protection of Privacy and Transborder Flows of Personal Data and Convention 108+, guidance on how to implement these principles effectively and in a manner flexible enough for them to be tailored to the priorities and capacities of different Governments is lacking.

Developing such practical guidance would be enormously valuable for the Governments seeking greater clarity on how to best implement these principles. However, in the present situation, the institutional arrangements needed to support coordination between Government Officials working on data policy at the global and regional levels remain underdeveloped.

To address this gap, the new Bill ought to take into consideration financial, health, and biometric information in India and limit how companies store certain categories of “sensitive” and “critical” data.


The changing landscape of the digital space has supplemented the transfer of ideas and information in the form of data across the globe. These changes have created a threat that users' data can be misused and exploited, and hence proper rules governing the issue are needed.

In the light of the present era of big data, it is impossible to achieve genuine protection adequacy without introducing national legislation. Nations and entities may soon realise that the principle of sufficiency is evolving into an unexpected trade barrier if strong cross-border data transmission methods are not developed.

Data importers and exporters would have to work towards achieving International standardisation of legal concerns as it appears to be more of a utopian dream than a soon-to-be-realized reality.

– Team AMLEGALS assisted by Mr. Rishav Kumar (Intern)
