The Digital Personal Data Protection Act, 2023 (“DPDP Act”) seeks to regulate the sharing of personal data across international borders, as outlined in Section 16 of the DPDP Act. Section 16 addresses cross-border data transfers with the following key provisions:
- 1. Territorial Restrictions:
Transfer of personal data by a Data Fiduciary for processing must adhere to specific territorial jurisdictions designated by the Government, as and when notified [under Section 16(1)]. In effect, the Act enables the transfer of personal data by a Data Fiduciary to any unrestricted country.
- 2. Compliance with Existing Laws:
The Act must not conflict with any other existing laws in India that impose a higher degree of protection or restrictions on personal data transfers by Data Fiduciaries outside India [Section 16(2)].
Impact on Businesses:
In November 2017, the Srikrishna Committee appointed by the Central Government, released a whitepaper, chalking out a possible shape for the country’s data protection law. An aspect stressed by the committee members was to accelerate India's growth in the digital economy through global data flow, thereby fostering cross-border data transfers.
The DPDP Act aligns with this vision, offering significant advantages to international businesses compared to the General Data Privacy Regulation (GDPR). This includes reduced burdens in relation to adequacy requirements, complex documentation like binding corporate rules, standard contractual clauses, and transfer impact assessments mandated by GDPR.
Not only for big business houses, the Act is generous towards start-ups, too. It permits the Central Government to exempt certain classes of data fiduciaries, including startups, based on the nature and volume of personal data they process. Therefore, when the Act takes effect and a specific geographic location is blacklisted by the Government, startups may have additional time to relocate their data without immediate penalties.
Key Exemptions (Under Section 17):
The DPDP Act provides exemptions for cross-border data transfers if the processing is initiated for:
1. Enforcing the legal rights or claims of individuals.
2. Preventing, detecting, investigating, or prosecuting offenses or violations of Indian laws.
- 3. Initiating data processing by Indian courts, tribunals, or other judicial bodies for the performance of their functions.
4. Processing personal data of individuals outside India's territory based on contracts with foreign parties.
5. Implementing schemes of compromise, arrangement, merger, amalgamation, or reconstruction approved by competent authorities.
6. Determining financial information, assets, and liabilities of individuals who have defaulted on loans from financial institutions, in compliance with disclosure laws.
Penalties and Recommendations:
The DPDP Act does not specify penalties for cross-border data transfer breaches but allows fines of up to INR 250 crore for violations of other provisions. Businesses should prioritize compliance with cross-border data transfers and overall DPDP Act requirements. Key recommendations include:
- Mapping data flows and touchpoints to identify collection, storage, and usage locations.
- Reviewing data acquisition and sharing processes.
- Appointing a Data Protection Officer and adapting consent management processes for explicit consent requirements.
- Using user-friendly interfaces to describe data usage and provide individual control.
Conclusion:
The DPDP Act successfully shifts from the restrictive stance of the Draft to a more permissive approach in cross-border data transfers, aiming to minimize business disruption. It establishes a foundational level of protection while allowing sector-specific regulators to implement more robust safeguards if necessary.
Disclaimer : No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.
