Data PrivacyRegulation Of Cross Border Data Transfers Under The Digital Personal Data Protection Act, 2023

INTRODUCTION

The Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDP Act”) attempts to regulate personal data transfer beyond the Indian borders through section 16 of the DPDP Act. Section 16 of the DPDP Act talks about cross borders data transfers and primarily aims on the following fronts:

• Section 16(1) states that the central government may restrict the transfer of personal data outside the border of India specifying certain countries by issuing a notification as it deems fit.
• Section 16(2) develops a synergy between the existing laws in force and itself by allowing the application of already existing higher data protection measures.

Globally, many of the developed countries have come up with stringent policies on cross border data protection. European union’s (hereinafter referred to as “EU’s”) General Data Protection Regulation (hereinafter referred to as “GDPR”) lists out provisions for personal data transfer from an EU country to a non – EU country.

THE GENERAL DATA PROTECTION REGULATION PROVISIONS ON FOREIGN DATA PROCESSING

The European GDPR dedicates a whole chapter for the provisions of cross-border personal data protection and provides strict sanctions for the breach including a penalty up to €20 million or 4% of the annual turnover of the next fiscal year. Such stringent penalties make it essential to comply with the rules.

Personal data transfer within EU member nations make it mandatory for the data controllers and data processors to sign an agreement, setting up the subject matter, type of personal data, and nature, duration and purpose of the processing of such data.

Cross-border data transfer, or data transferred to a non-EU country, are subject to an ‘Adequacy Decision’, this adequacy decision is essentially a measure of standard which verifies that that a third country, territory or an international organisation offers levels of Data Protection that are essentially equivalent to that within the EU.

Once the adequacy decision is found to be affirmative then any personal data is allowed to be transferred from the EU to the relevant country.

Under the GDPR regime Data Controller also rely upon the appropriate measures provided under the rules for cross-border data transfer which includes complying with corporate rules which is useful for group of companies established in different companies. EU has approved certain standardised clauses and certification mechanism for data protection which are a must for cross border transfer of data.

NEED OF CROSS-BORDER PERSONAL DATA TRANSFER POLICIES

Cross-border data transfer facilitates international trade and supports the production and distribution of goods and services effectively. According to the World Development Report by the World Bank, the global internet traffic has been estimated to be around 4.8 zettabytes by the year 2022. This rapidly increasing internet traffic indicates huge amounts of data transfer happening globally which requires stringent policies for economic growth and data privacy. Presently, countries like EU, China, Japan and Canada have the most stringent data privacy laws worldwide.

The DPDP Act is aimed to be a contender to such other data protection laws by synergizing the existing Information Technology Rules (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), 2011 and the Information Technology Act, 2000 which requires companies to take explicit free consent of the individual before processing their data further. Financial services and digital lenders are being regulated by the Reserve Bank of India guidelines on data processing, protection and retention.

Despite the positive efforts the 2023 Act, in its present form, lacks stricter and well-defined provisions which are clear about the personal data transfer outside the territory of India. However, much of this is attributable to the approach of the Indian government to make the DPDP Act not prescriptive in nature and rather frame it in a manner to provide a comprehensive framework that outlines principles and standards while allowing flexibility for technological advancements.

AMLEGALS REMARKS

Being one of the largest internet markets in the world, India has started its revolutionary journey to formulate data privacy laws by the enactment of DPDP Act. The Act is in check with the global privacy laws but still needs a faster implementation which is currently estimated to take 8-9 months. It certainly put forth the provision of restricting data fiduciaries to transfer personal data to some particularly notified countries but currently lacks specific penalising provisions for such data breach. Cross border personal data transfer policies must be clear, precise and stringent in nature as it can be a question of the nation’s security.

– Team AMLEGALS, assisted by Ms. Khanak Sharma (Intern)