Associate, GameChanger Law Advisors
With the introduction of the Digital Personal Data Protection Bill, 2022 (“DPDP Bill”) by the Ministry of Electronics and Information Technology (“MeitY”), corporate entities that process personal data may now be allowed to transfer your personal data abroad – subject to certain conditions, of course! This is a change in stance from the Personal Data Bill, 2019 (“PDP Bill 2019”), which placed restrictions on the transfer of personal data abroad.
Interestingly, the DPDP Bill, similar to data privacy legislations in other jurisdictions, such as the General Data Protection Regulation (“GDPR”), does not define what ‘data transfer’ is. In the case of the GDPR, the European Data Protection Board has identified the following three conditions that qualify as a data transfer: (i) the controller (i.e., the corporate entity that processes personal data) is subject to the GDPR for processing data, (ii) the controller discloses, by transmission, or otherwise makes personal data available to another controller (importer), and (iii) the importer is located in a third-country or is an international organization (and need not necessarily be subject to GDPR). Essentially, data transfer is an intentional sending of personal data, or making it accessible to a third-party entity.
Before explaining the concepts and mechanisms behind transfer of personal data to third countries, we need to first understand what ‘personal data’ means. As discussed in our previous articles on children’s personal data and consent, personal data refers to any data that can identify an individual, and includes their name, address, email address, phone number, date of birth, an identification card number and so on.
This explainer note is divided into four parts. The first part lays down the importance of permitting transfer of personal data to other countries. The second part explains the mechanism by which such transfer can take place. The third part discusses situations under which such transfer would be impermissible. The fourth part of the note explains the new changes introduced by the Government, in comparison to the previous law. The note concludes with the concerns relating to transfer of personal data to third countries and the remedies that an individual can claim in the event of a breach.
(1) The economic logic for permitting cross-border transfer of personal data
In order to appreciate the law governing cross-border transfer of personal data, it is imperative to understand why it is needed in the first place. According to the MeitY 2019 report titled ‘India’s Trillion Dollar Digital Opportunity’, India has the potential to become a 1 (one) trillion dollar digital economy by 2025. How can this be achieved? One way for India to do so is by creating a network and policy around borderless transfer of data, to enable capital, innovation, data and design capabilities to flow from India to third countries.
Permitting corporate entities to transfer personal data (i) allows them to expand their business globally; for example, a multinational company may need to transfer personal data of its employees, consumers or clients in order to provide services on a global scale, (ii) allows them to use and analyze the data, which will enable them to improve their services and business operations, and (iii) will encourage foreign corporate entities to start their business within the Indian
(2) The proposed mechanism for cross-border transfer of personal data
According to Clause 17 of the DPDP Bill, the Central Government will first notify countries, based on an assessment of certain factors as deemed necessary by it, to which personal data may be transferred. In order to protect an individual’s personal data, such transfers outside the territory of India will be subject to the terms and conditions laid down by the Government.
There are two main issues that arise out of this Clause. First, the Bill is currently silent on the basis on which the Government will notify countries to which personal data can be transferred. Under the GDPR, the European Commission makes an ‘adequacy decision’ to determine which third-countries data may be transferred to; i.e., as long as the transfer of data to a third-country will be comparable to a transmission of data within the European Union. Essentially, this means that the European Commission will assess and determine whether the third-country to which data is being transferred has an adequate level of data protection and safeguards, similar to that of the GDPR, to protect personal data. Thus, one way for the Central Government to approach this situation is to adopt a similar approach, whereby the Government will assess whether such countries have an adequate level of data protection, similar to that under Indian laws.
Second, this Clause is silent on the terms and conditions that will apply to such transfers to third countries. As mentioned in our previous articles, this means that the notified countries along with the terms and conditions of transfer will be included in the rules prescribed under the eventual DPDP Act, which is yet to be published.
(3) Can all ‘Personal Data’ be Transferred?
No, not all personal data can be transferred outside India. Clause 18 of the DPDP Bill has laid down the following exceptions for transfer:
- A matter of public or State interest: when the processing of personal data is necessary for (a) enforcing any legal right, (b) claim, (c) for the performance of any judicial or quasi-judicial function, or (d) for prevention, detection, investigation or prosecution of any offence or contravention of any law; or
- A matter of jurisdiction: when personal data outside India is processed pursuant to any contract entered into with any person outside the territory of India by any person based in India. This covers the case where the personal data of an individual outside the territory of India is processed by an individual or entity within India, because of a contract entered into with a person outside India.
(4) A Comparative Analysis with the previous 2019 Bill
Clause 33 of the PDP Bill, 2019, split cross-border transfer of data into two parts. First, only ‘sensitive personal data’ was permitted to be transferred outside India. Clause 3 (36) of the PDP Bill provided a list of data that would be considered as sensitive personal data, such as biometric data, genetic data, official identifier, health data, financial data, caste or tribe, and so on. Second, ‘critical personal data’ (data as notified by the Central Government, a subjective classification) was only permitted to be transferred within the Indian territory. Only under rare circumstances, such as health or emergency services, was critical personal data allowed to be transferred. The terms and conditions set out in the PDP Bill, 2019, for transfer of sensitive personal data were as follows:
- Individuals had to consent to such transfer;
- The transfer would be made subject to the Data Protection Authority (“DPA”) approved contract or intra group scheme;
- The Central Government approved the transfer to a particular country, based on an assessment of adequate level of protection and that the transfer will not prejudice law enforcement; and
- The DPA allowed for the transfer of sensitive personal data for any specific purpose.
Why was there a need to revise these provisions? These provisions are similar to the GDPR, which allowed for cross-border data transfers under ‘standard’ contract clauses, which the data regulators would then approve. While the PDP Bill, 2019, allowed for these standard contractual clauses, these contracts would be rejected if the objective of transfer of data was prejudicial to public or state policy. The subjective nature of this provision and the lack of uniformity led to a ‘case-by-case’ approval from the DPA, resulting in unnecessary delays that hindered business operations.
Further, the Central Government did not clarify what data would be considered as critical personal data, which made this provision also subjective in nature. In essence, the Central Government had the power to decide the scope of critical personal data.
The DPDP Bill, 2022, tackles this situation by eliminating classification of data altogether by defining ‘personal data’ only. While this is a positive step to reduce the subjective nature of the PDP Bill, the Central Government is still vested with the power to determine what data may be transferred to third countries and the exemptions for doing so (as discussed in point 2). In order to limit any misuse or misinterpretation of this provision, the author is of the view that any terms and conditions or exemption of transfer of data sought by the Government must be backed by the standards of legality, necessity and proportionality, as per the landmark right to privacy judgment, Justice K.S. Puttaswamy and Anr. v Union of India and Ors. (2018).
(5) The remedies an individual can claim in case of non-compliance of the DPDP Bill, 2022
The committee of experts headed by Justice B.N. Srikrishna acknowledged that cross-border transfer of data is essential for a free and fair digital economy. While the Committee acknowledged the importance of cross-border transfer of data, it also highlighted that such autonomy cannot be absolute and in order to protect the rights of individuals, certain restrictions must be placed.
While there are economic benefits to cross-border transfers, the individual is at risk from such transfers. The most important aspect is the right to privacy, which is a fundamental right provided under Article 21 of the Constitution of India. Clause 25 and Schedule I of the DPDP Bill provide for financial penalty in the case of non-compliance by an individual or entity, by considering factors such as the nature and gravity of the crime, the type of personal data, the repetitive nature of non-compliance and so on. We believe that this is a practical approach, as opposed to merely providing a blanket financial penalty for all cases of breach of cross-border transfer. This way, the Data Protection Board (“DPB”) has the power to assess the various factors in the event of a breach, and then determine the penalty accordingly.
The maximum financial penalty for non-compliance with respect to cross-border transfer is up to INR 50,00,00,000/- (Rupees Fifty Crores Only), which, we believe, is an amount adequate to ensure that corporate entities abide by the DPDP Bill. While the DPB is required to consider the factors, as mentioned above, and then provide a penalty, the DPB will need to ensure that the maximum financial penalty possible is imposed in the event of breach, to ensure that such breaches are not committed in the future, and to deter other corporate entities from committing such breaches. Since this is a generic penalty clause, we recommend that the Government clarify the application of this clause to on-going breaches of cross-border transfer of personal data; for instance, if an entity is transferring personal data to another entity in a third-country on a daily basis, in breach of the law on cross-border transfer of personal data, would this penalty apply to each individual transfer of personal data, or would it apply collectively to all transfers of personal data undertaken between the entities?
While the DPDP Bill, 2022, provides stringent penalties in the event of any breach, the Government must balance out the interests of the individual along with the economic benefits that cross-border transactions have for India and corporate entities. This is a fine line; however, in no case should any person or corporate entity benefit from a breach of an individual’s privacy, including cases of data leak, or selling data of an individual without their consent.
The Author would like to thank Amrut Joshi (Founder, GameChanger Law Advisors) and Saket Rachakonda (Senior Associate, GameChanger Law Advisors) for their inputs.
Disclaimer: This post has been prepared for informational purposes only. The information or observations contained in this post do not constitute legal advice and should not be acted upon in any specific situation without seeking proper legal advice from a practicing attorney.