Decoding Cross-Border Data Transfers under the DPDP Act, 2023
Introduction
Global internet traffic has grown exponentially over the past few years, and data transfers have increased at an astounding rate. These transfers have also given rise to a number of privacy concerns in a globalized world where data is considered the new gold. Data protection regulations across the globe have highlighted the importance of preventing the misuse of data that results from transferring it to a foreign jurisdiction.
Approach taken by Europe
Cross-border transfers under the GDPR involve the movement of personal data outside the European Economic Area (EEA) to non-EEA countries. These transfers must adhere to the GDPR, ensuring that the level of protection afforded to the data remains consistent with European standards. Organizations must demonstrate compliance by implementing safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), or by relying on adequacy decisions of the European Commission. Additionally, they should assess the risks to individuals' privacy and seek authorization from the relevant data protection authorities when necessary. Article 83(5)(c) of the European Union's General Data Protection Regulation (GDPR) lays down that companies which transfer data to third countries on the basis of an improper or invalid mechanism are liable to penalties of up to €20 million or 4% of their global turnover.
The DPDP Way
In August 2023, India’s first comprehensive data protection law, the Digital Personal Data Protection Act, 2023 (DPDP Act) received Presidential Assent. The Act aims to ensure that personal data is processed only for lawful purposes, and in a lawful manner.
Under Section 16(1) of the Act, the Central Government is empowered to notify the countries to which the transfer of personal data shall be prohibited. To avoid any potential conflict with laws already in force, Section 16(2) of the DPDP Act gives priority to existing laws that impose stricter data protection measures on the transfer of data abroad. In other words, if another law offers stronger protections, that law applies. This ensures a strong overall data security framework. Therefore, sectoral regulators such as the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) can continue to enforce data localization measures (mandating that data be stored within the country in order to comply with their regulations) for sector-specific data collected by the entities they regulate.
Unlike previous iterations of the law, the DPDP Act does not differentiate between sensitive personal data and critical sensitive personal data. Thus, the Government, while notifying restrictions, takes decisions on a case-by-case basis, and the restrictions can cover a much larger ambit of personal data. Some experts suggest that the restrictions may take the form of additional compliance requirements (similar to the GDPR adequacy tests) for the transfer of personal data to the notified countries, or of limits on the transfer of certain types of data.
Moreover, the Act has extra-territorial application, meaning it applies to entities outside the country. This implies that foreign companies engaging with individuals in India through the provision of goods and services must adhere to the Act. Additionally, if a country is blacklisted by a notification of the Central Government, the transfer of personal data to companies based there would not be allowed.
Section 17 of the Act outlines the circumstances in which cross-border transfers, including those to notified countries or regions, are not restricted. These include situations where the processing of personal data is necessary for the enforcement of legal rights, the prevention, detection, investigation or prosecution of offences, the performance of judicial functions, the fulfilment of contractual obligations with foreign entities, corporate arrangements, or the financial assessment of a defaulter to a financial institution.
Conclusion
It is important to note that the rules and regulations to be notified by the Government will shed more light on this issue. Companies should be well prepared to comply with the law, given that non-compliance with the DPDP Act can entail penalties of up to Rs. 200 crores.
If your organization is dealing with copious amounts of data, do visit www.tsaaro.com.
Privacy News
1. Holiday stay giant Airbnb bans indoor surveillance all over the world
It is reported that Airbnb is updating its security guidelines to prohibit the use of indoor surveillance equipment, such as cameras and audio recording devices, in its listings. This new policy, which becomes effective on April 30, will also extend to outdoor surveillance devices located in areas where privacy is more significantly expected.
2. The State of Utah Has Repealed and Replaced the Utah Social Media Act
Byte Back has reported that, owing to various legal challenges raised by the tech industry, the Utah State Legislature has withdrawn the Utah Social Media Regulation Act. The revised law now grants minors the ability to seek legal recourse if a social media algorithm negatively affects their mental health.
3. TikTok looking towards another ban by the USA
The U.S. House is expected to vote on a bill that would compel ByteDance, the Chinese company that owns TikTok, to divest its interest in the app or face a prohibition in the U.S. within six months of the bill's enactment. The legislation would also target any firm under the control of a foreign adversary, and it mandates that an app must allow users to download their data prior to any significant change in its operation.
4. Automaker Giant General Motors Shared User Driving Details with Insurance Companies
It is alleged, as reported by the N.Y. Times, that drivers' data has been shared with insurance firms via the data broker LexisNexis. According to consumer disclosure reports, G.M. shared its consumers' driving information, including the average speed driven and the mileage of each vehicle, without the owners' consent.
5. Financial Services Company Klarna Fined By Swedish Court For GDPR Violations
Sweden's Administrative Court of Appeal increased a penalty imposed on the financial services firm Klarna for alleged breaches of the EU General Data Protection Regulation, setting the fine at SEK 7.5 million. Previously, a lower court had ordered Klarna to pay SEK 6 million in fines. On 11 March, the appeals court found that Klarna had failed to adequately inform its customers about the storage of their personal data.