
Under the Digital Personal Data Protection Act 2023 and its recently released draft rules, personal data can be freely transferred to a foreign country and processed there as long as the country is not blacklisted by the Union government. The blacklisting approach is in contrast to the earlier approach of restricting data transfers only to a select list of countries.
The current provisions have a direct impact on the multinational companies that process, store and collect personal data in multiple countries. For instance, if an MNC operating in India is located in a blacklisted country, then its operations would effectively cease under the DPDP Act. But it’s not clear what happens if it is located in a whitelisted country, but the data is transferred to one of its branches operating in a blacklisted country where it gets processed. The Act and the draft rules have not addressed this issue.
Given that some amount of personal data is essential for providing goods and services, foreign companies operating in countries to which data transfers are prohibited (once notified by the government) may face challenges in conducting business in India. If data is already being transferred to a country that the government later restricts, immediate action would be required to halt such transfers. This gives rise to the question: is it desirable to put an outright ban on multinational organisations operating in a blacklisted country without having a specific mechanism to regulate cross-border transfer of data? The blacklist approach under the DPDP Act and the draft rules can backfire and harm businesses operating in India.
The Union government will issue the blacklist, based on factors it considers relevant. However, there is no clarity on what these factors would be. Neither has an illustrative or comprehensive list of factors been mentioned in the Act or the draft rules nor has an obligation been imposed on the government to outline the mechanisms for regulating this list. This is necessary as greater transparency is needed to prevent arbitrary decision-making.
It is pertinent to note here that the DPDPA’s extraterritorial scope extends its applicability to data fiduciaries outside India, which means foreign companies collecting personal data of individuals in India must comply with the same. Cross-border data transfers will be allowed to all countries unless the government issues a notification prohibiting transfers to any specific country. Unlike privacy regulations around the world, the DPDP Act doesn’t specify particular mechanisms such as adequacy decisions, standard contractual clauses, or binding corporate rules for cross-border data transfers. It was anticipated that the government would clarify through the draft rules. But that has not happened. As such, the government’s decision to blacklist certain geographic locations for cross-border data transfer may be arbitrary, discretionary and discriminatory.
There is also the possibility that India’s data localisation regime can land us in disputes before the World Trade Organization. Under the 1995 General Agreement on Trade in Services’ privacy framework, WTO members need to take a balanced approach when it comes to privacy rights and trade. Article XIV(c)(ii) of the agreement lays down that it should not prevent member states from adopting measures necessary to ensure compliance with laws related to protecting individuals’ privacy in the transfer of personal data. Article IV specifies such measures should not lead to arbitrary or unjustifiable discrimination between countries. Therefore, India’s blacklisting strategy must not lead to arbitrary or unjustifiable discrimination between countries.
This is in contrast to the cross-border transfer of data under the European Union’s General Data Protection Regulation (GDPR) that lays down a specific mechanism to facilitate cross-border transfer of data. Under the GDPR, cross-border data transfers are permitted only if adequate protection of personal data is ensured by the receiving organisation or country. As per Article 45 of the GDPR, cross-border transfers can take place provided they follow the corporate rules given in Article 47 of the GDPR. Alternatively, there needs to be compliance with safeguards mentioned in Article 46 of the GDPR for the cross-border transfer to take place. These include standard data protection clauses, binding corporate rules, codes of conduct, certification mechanisms and ad hoc contractual clauses. The government should explore similar safeguards while regulating cross-border data transfers.
Additionally, the transfer of cross-border data will have to take place in accordance with sector-specific laws. The DPDP Act stipulates that sector-specific laws will be given precedence. For instance, the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations 2017 states that records pertaining to policyholders need to be confined to the Indian jurisdiction. This means even if the cross-border transfer of data is permitted for whitelisted countries, the IRDAI regulations will take precedence and cross-border transfer of policyholders’ data will not be permitted. This could pose potential obstacles when it comes to enforceability of the DPDP Act as sector-specific laws are ever-evolving and will thereby restrict the extent of cross-border transfer of data.
The restriction on transfer of cross-border data can have an adverse impact on India’s trade and business. The upcoming DPDP rules should address the above challenges to make it a robust legislation that achieves its objective of protecting personal data without harming India’s economic interests.
Amar Patnaik | Former Rajya Sabha member, advocate and former CAG bureaucrat
(Views are personal)