The Global Data Challenge
Modern business does not respect national boundaries. Cloud computing, global service delivery, and multinational operations mean personal data routinely crosses borders. For Indian businesses, this reality must be reconciled with the Digital Personal Data Protection Act's cross border transfer provisions.
The DPDPA takes a relatively permissive approach to cross border transfers. Personal data may be transferred to any country or territory outside India, except those the Central Government specifically notifies as restricted. This negative list approach contrasts with the GDPR's adequacy framework, where transfers require either an adequacy decision or appropriate safeguards.
However, this permissiveness should not breed complacency. The government retains broad authority to impose restrictions. Certain categories of data may require localisation. And businesses operating globally must still comply with the data protection laws of destination countries.
Current Legal Position
As of now, no countries have been notified on the restricted list. This means transfers to any jurisdiction are technically permitted under the DPDPA. But this position is dynamic. The government has indicated that geopolitical considerations, data security concerns, and reciprocity will inform future notifications.
Businesses should not structure their data architecture assuming current freedoms will persist. Build flexibility into your systems. Document your transfer mechanisms. Ensure you can implement restrictions if and when they are notified.
Interaction with GDPR
For businesses processing data of EU residents, the GDPR's transfer restrictions apply regardless of DPDPA provisions. India has not received an adequacy decision from the European Commission. Transfers from the EU to India therefore require Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism.
This creates a dual compliance requirement. Data flowing from India outward must comply with DPDPA. Data flowing into India from the EU must satisfy GDPR transfer requirements. Your transfer mechanisms must address both directions.
The practical implication is comprehensive documentation. Maintain records of all cross border transfers, the legal basis for each transfer, the safeguards implemented, and the privacy policies of recipient entities. This documentation serves multiple regulators.
Localisation Considerations
While the DPDPA does not mandate broad data localisation, sector-specific requirements exist. The RBI requires certain payment data to be stored only in India. IRDAI has similar requirements for insurance data. The Telecom Regulatory Authority has indicated localisation preferences for telecom data.
These sectoral requirements operate alongside the DPDPA. Compliance with general data protection provisions does not excuse non-compliance with sectoral localisation mandates. A financial services company, for instance, must navigate both the DPDPA's transfer provisions and RBI's localisation circular.
The government has also reserved power under the DPDPA to require certain categories of personal data to be processed only in India. This power has not been exercised yet, but its existence means localisation requirements could expand without legislative amendment.
Practical Transfer Strategies
Implement a transfer impact assessment process. Before initiating any new cross border data flow, evaluate the legal position in the destination country, the nature and sensitivity of data being transferred, the purpose of transfer, and the safeguards available.
Contractual protections remain essential even where not legally mandated. Agreements with foreign recipients should include data protection obligations, security requirements, breach notification provisions, and audit rights. These protections provide recourse if data is mishandled and demonstrate due diligence to regulators.
Technical Measures
Encryption provides a technical safeguard for data in transit. Ensure data leaving India is encrypted to standards that would satisfy even stringent regulators. End-to-end encryption keeps data unreadable to anyone who intercepts it during transfer and provides a defence if jurisdictional questions arise.
Access controls at the destination are equally important. Data transferred abroad should be accessible only to those with legitimate business need. Log all access and maintain audit trails. These measures demonstrate that transfer does not mean loss of control.
Group Company Transfers
Multinational corporations face particular challenges. Data flowing between Indian subsidiaries and foreign parent companies or affiliates is subject to the same transfer provisions as transfers to unrelated third parties. The corporate relationship does not create any exemption.
Binding Corporate Rules or inter-affiliate data transfer agreements should govern intra-group data flows. These agreements should specify the categories of data transferred, purposes permitted, security measures required, and individual rights procedures. A well-drafted intra-group agreement can streamline compliance across the corporate family.
Preparing for Change
The cross border transfer landscape will evolve. India may negotiate adequacy arrangements with key trading partners. The government may notify restricted countries or impose localisation requirements. International frameworks may change following ongoing negotiations at forums like the OECD.
Build adaptability into your compliance programme. Monitor regulatory developments across relevant jurisdictions. Maintain relationships with local counsel in key markets. Review transfer mechanisms periodically to ensure continued compliance.
The businesses that thrive will be those that treat cross border compliance not as a one-time exercise but as an ongoing discipline, continuously adjusted to reflect the evolving global data protection landscape.