Understanding Cross-Border Data Transfers Under India's Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act) has ushered in a comprehensive framework to govern personal data protection in India. One of the key aspects of the Act is its provisions on cross-border data transfers, which are crucial in today's interconnected digital economy. Below is an analysis of the cross-border data transfer framework under the DPDP Act and the current state of its implementation.
Overview of Cross-Border Data Transfers in the DPDP Act
The DPDP Act addresses the transfer of personal data outside India under Section 17. Here are the salient points:
1. Permissible Countries or Territories:
The Act allows cross-border transfer of personal data to countries or territories notified by the Central Government as permissible. These notifications will determine where Indian entities can transfer personal data.
2. Restrictions and Safeguards:
Transfers to countries not included in the government's notification list will be restricted. The government will base its decisions on factors such as the adequacy of data protection laws in the recipient country and any potential risks to India's sovereignty, security, or public interest.
3. No Mandate for Localization:
Unlike earlier drafts of the data protection legislation, the DPDP Act does not mandate the localization of personal data within India, except for specific requirements under sectoral regulations.
4. Data Protection Obligations:
Regardless of the transfer, data fiduciaries (organizations collecting personal data) must adhere to core data protection principles such as lawful processing, purpose limitation, and security safeguards.
Hosting Data in India: Does it Qualify as Cross-Border Transfer?
If data is hosted on servers located within India, it does not qualify as a cross-border data transfer under the DPDP Act. Here's why:
- Definition of Cross-Border Data Transfer: A cross-border data transfer involves moving personal data from India to servers or entities located outside Indian jurisdiction. Hosting data within India ensures the data remains under Indian legal and regulatory oversight.
- Foreign Entity Data in India: For example, if a Pakistani entity’s data is hosted on servers physically located in India, this scenario constitutes local data processing, not a cross-border transfer. Such hosting is governed by Indian laws like the DPDP Act and IT Act, 2000.
However, if the data is subsequently transferred from the Indian servers to another country, cross-border transfer provisions would apply.
Current Status of Notifications on Cross-Border Data Transfers
As of February 20, 2025, the Government of India has not issued any official notifications specifying permissible countries or territories for cross-border data transfers under the DPDP Act. In the absence of these notifications:
- There is no explicit restriction on transferring personal data to any country.
- Indian entities can currently process and transfer data across borders without the risk of non-compliance, provided they adhere to the broader principles of the DPDP Act.
However, the government may release these notifications in the near future. Stakeholders must monitor updates from the Ministry of Electronics and Information Technology (MeitY) to ensure compliance once the rules are in place.
Interplay with the Information Technology Act, 2000
The Information Technology Act, 2000 (IT Act) and its associated rules also regulate the handling of sensitive personal data. Under the IT Act and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:
- Entities must implement reasonable security practices to protect sensitive personal data.
- Section 69A of the IT Act empowers the government to restrict or block content, which may indirectly impact data transfers involving sensitive geopolitical considerations.
Key Considerations for Cross-Border Data Transfers
1. Geopolitical Factors:
Cross-border data arrangements may be scrutinized based on India’s foreign policy or geopolitical concerns. For instance, hosting or transferring data involving entities from certain countries may invite regulatory review.
2. Consent and Transparency:
Data principals (individuals) must be informed about how their data will be used, including any cross-border transfers. Their explicit consent is essential to ensure lawful processing.
3. Sectoral Regulations:
While the DPDP Act provides a general framework, sector-specific regulators like the Reserve Bank of India (RBI) or the Securities and Exchange Board of India (SEBI) may impose additional requirements. For example, financial data may be subject to localization mandates.
Conclusion
The DPDP Act lays a strong foundation for cross-border data transfers, balancing the need for global data flows with robust data protection. While the government has yet to issue notifications specifying permissible countries, businesses must stay prepared for forthcoming regulations and ensure compliance with the Act's broader principles.
In cases where data is hosted in India, cross-border transfer provisions do not apply, but entities must still comply with Indian laws on data protection and security. The absence of immediate restrictions presents an opportunity for Indian entities to align their processes, invest in data security, and build trust with global partners. However, they must remain vigilant to adapt swiftly to any changes in the regulatory landscape.