
Cross-Border Data Transfer under the DPDP Act


Introduction


In the contemporary digital environment, data moves across borders easily, sometimes without us even realising it. A person's data is shared every time they carry out an exchange online, engage on social networking sites, use cloud storage facilities, or use other digital products or services. This movement of data has become a matter of major importance for present-day data protection regulation.


Among the measures India has introduced to exert its authority over the processing of personal data, including its export from the country, is the Digital Personal Data Protection Act, 2023 (DPDP Act). In contrast to some earlier versions of India's data localisation policies, which took a very strict approach to localisation, the new law allows personal data to leave the country unless the central government prohibits it. The Act can be viewed as a balance between the two opposing principles of data protection and the free flow of data.


Cross-border data flows raise several legal and policy issues, which are complicated by the lack of consistent data protection policies and legislation at an international level. The DPDP Act relies on the idea of a “negative list”, whereby data flows are allowed unless a restriction has been placed on such transfers. This gives the government considerable power to decide whether limitations are needed on data transfers to any particular country or under certain circumstances.


Evolution of Data Protection Law in India


The evolution in legislation pertaining to data protection in India is evident through the movement from judicial recognition of privacy rights to the formation of a legal structure for personal data. India, for decades, did not have a specific law on data protection, with concerns regarding privacy being addressed tangentially by reading into the constitution or creating legislation for specific sectors. The basis for the current data protection jurisprudence in India comes from the landmark case of Justice K.S. Puttaswamy (Retd.) v. Union of India, where the Court unequivocally held that the right to privacy is a fundamental right under Article 21 of the Constitution. This decision created a constitutional mandate for the State to establish a comprehensive data protection framework. 


As a result of the judgment, the Indian government established a panel, the ‘Justice B.N. Srikrishna Committee’, in 2017 to devise a system of data protection. The Committee made the very first legislative effort to regulate personal data protection, in the form of the Personal Data Protection Bill in 2018. The Bill was based on the principles of consent, purpose limitation, and accountability, in line with international standards such as the GDPR of the European Union. However, the subsequent process in Parliament saw multiple revisions and policy debates. Multiple versions of the Personal Data Protection Bill appeared between 2018 and 2022, reflecting many opposing interests, such as those of individuals and the state, as well as economic concerns such as data localization.


The Digital Personal Data Protection Act, 2023, which eventually formed the legal foundation for safeguarding digital personal data, is the outcome of this long process. Through a principle-based approach, the DPDP Act introduces concepts such as consensual data processing, data principal rights, and fiduciaries’ duties.


Overview of the Digital Personal Data Protection Act, 2023


The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive law regulating digital personal data. It was tabled in the Lok Sabha on August 3, 2023, and passed on August 9, 2023. It was then introduced and approved in the Rajya Sabha on August 9, 2023. It was created to bring harmony between two very important areas: first, the protection of an individual's privacy, and second, the effective use of such personal information. It applies to organisations situated in India and deals with Indian personal data processed by any organisation, whether collected digitally or collected manually and then digitised.


Consent is another vital element of the DPDP Act. When collecting and processing personal information about an individual (a data principal), data fiduciaries, which are the entities that establish the purposes and means of personal data processing, must obtain explicit and informed consent from that individual. There are certain exceptions where consent is not needed, for example, when rendering state services or performing certain legal obligations. The Act gives individuals several rights, such as receiving information regarding their personal data, correcting and deleting personal data, and filing a complaint.


At the same time, individuals have a couple of responsibilities, namely, providing truthful information and not making baseless complaints. Another innovation is that the independent Data Protection Board of India will handle complaints and enforce the law and regulations. Significant fines may be imposed for violations of the provisions of the Act. From the above discussion, it is obvious that requirements imposed by the Act upon individuals and entities dealing with personal data are quite tough. One distinguishing feature of the DPDP Act is the relative simplicity of this law as compared to previous drafts regulating personal data processing. Specifically, there is no distinction between sensitive and non-sensitive personal data.


Legal Framework for Cross-Border Data Transfer under the DPDP Act


Provisions dealing with transfer of personal data internationally can be observed under Section 16 of the DPDP Act. In several ways, Section 16 of the DPDP Act indicates a paradigm shift in the policy regime of India as far as data transfers internationally are concerned. Essentially, Section 16 includes the notion of a negative list or blocklist. The idea here is that unless a country or a territory is prohibited for international transfer by the Central Government through the use of a notification, international transfer of personal data is fine. During such processes, the Central Government considers many aspects, such as national security, adequacy of data protection laws, and geopolitics. This approach deviates from the GDPR model of the European Union, which uses a whitelist or “adequacy” method to permit transfers only to nations with equivalent levels of data protection. India's DPDP framework, on the other hand, prioritises the free flow of data while maintaining sovereign power to apply limits as needed, making it rather permissive.


In addition, under the Act, the data fiduciary retains full responsibility for all compliance requirements even when the data moves across the border. The fiduciary should make sure that the data is processed in accordance with the DPDP norms, and a transfer of data to foreign firms should not reduce the fiduciary's responsibility. The domestic firm acquiring such data therefore remains responsible for data protection and is not relieved of that responsibility by handing the data to a foreign processor. The Data Fiduciary should be legally authorised to process the data, either by obtaining consent or by relying on Section 7 (legitimate use of data); provide notification of transfers in its privacy policy; put in place contractual provisions for equivalent onward protections and breach notifications; document the data transfer process in a Data Protection Impact Assessment (DPIA) if it is a Significant Data Fiduciary (SDF); and maintain records of the categories of data and their final destination. Significant Data Fiduciaries, which are usually large digital platforms that deal with massive amounts of data, are subject to certain restrictions under Rule 12 of the draft guidelines on transferring government-designated data categories.


Challenges 


A key problem is the large degree of discretion allowed to the Central Government, especially on the matter of international data flows and exemptions for government entities. The absence of clearly defined standards for restricting data transfers may create uncertainty and inconsistent enforcement. Another significant criticism of the DPDP Act is that it offers individuals less protection than international standards such as GDPR, and that the law does not classify sensitive personal data as a separate category. The provisions on cross-border transfer of personal data in Section 16 of the DPDP Act have been widely criticised for their leniency, since transfers of personal data are prohibited only where the Central Government has restricted them.


Concerns have also been raised by other actors in the industry. Most companies find it very hard to identify and classify the personal data that they hold in the digital space. Civil society and media organizations have raised concerns about transparency and accountability. The independence of the Data Protection Board has been questioned, along with the impact that the Act will have on freedom of expression and journalism.


Conclusion


It is essential to note that the Digital Personal Data Protection Act of 2023 reflects an innovative approach to the developing regulatory framework regarding the issue of cross-border data transfers. It is clear that the regulatory framework discussed reflects India's commitment to the promotion of digital innovations and its active participation in the global digital economy while preserving the ability to ensure its national interests.


At the same time, numerous challenges arise when discussing the new legal framework proposed. To begin with, it appears that the absence of adequate criteria may cause confusion in implementing this initiative. Furthermore, several challenges are related to the issues of accountability, privacy, and effective remedy options.


Author: Vanishri Rai. In case of any queries, please contact/write back to us via email at chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorney.


Endnotes


  1. Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1, wherein the Supreme Court recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India.

  2. Government of India, Ministry of Electronics and Information Technology, Report of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (2018), proposing a comprehensive framework for personal data protection in India.

  3. Digital Personal Data Protection Act, 2023 (India), particularly Sections 4–9 concerning consent, rights of Data Principals, and obligations of Data Fiduciaries.

  4. Digital Personal Data Protection Act, 2023 (India), Section 16, governing transfer of personal data outside India and empowering the Central Government to restrict transfers to specified countries or territories.

  5. European Union, Regulation (EU) 2016/679, General Data Protection Regulation (GDPR), arts. 44–50, establishing the adequacy framework for international transfers of personal data.

  6. Ministry of Electronics and Information Technology, Draft Digital Personal Data Protection Rules, 2025, including provisions relating to Significant Data Fiduciaries and data governance obligations.

  7. Organisation for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (2013), setting internationally recognized principles for cross-border data transfers.

  8. Graham Greenleaf, Asian Data Privacy Laws: Trade and Human Rights Perspectives (Oxford University Press 2021), discussing cross-border data transfers, accountability mechanisms, and evolving privacy frameworks across Asian jurisdictions, including India.


