Data Residency and Cross-Border Transfers
The Liberalized Approach to Global Data Flow (DPDPA Section 18)
Core Mandate: Cross-Border Flow
Global Data
The DPDPA allows the transfer of personal data outside India, except to those countries that are notified by the Central Government as restricted destinations.
01
The Default Position: Freedom to Transfer
A Shift from Previous Drafts
Unlike earlier drafts that mandated data localization, the DPDPA is jurisdiction-agnostic. Data Fiduciaries can generally transfer personal data abroad provided they remain compliant with all other aspects of the Act.
IMPERATIVE: Continued Compliance
The DF remains fully liable for the data even after transfer. The recipient entity outside India must still adhere to the same obligations.
02
Restricted Jurisdictions
Countries with Insufficient Protection
The Central Government reserves the right to notify certain countries or territories where personal data transfers will be restricted or prohibited, likely due to inadequate data protection regimes.
EXECUTION: Global Data Map
Maintain an up-to-date Global Data Map that identifies all jurisdictions where data is stored or processed, allowing for immediate compliance screening against the Central Government's list.
03
Data Processor Contracts
Ensuring Accountability Abroad
When engaging Data Processors located outside India, Data Fiduciaries must ensure the contract obligates the Processor to provide the same level of security and compliance as required under the DPDPA.
Contractual Requirements:
- Incorporate DPDPA-specific clauses on security and breach notification.
- Ensure clear rights for the DF to audit the Processor's compliance.
- Define liabilities for breaches that occur at the Processor's end.