
11/4/23, 10:29 AM A Fine Balance:The DPDA and Data Localization | India Corporate Law

India Corporate Law

A Fine Balance: The DPDA and Data Localization


By Cyril Shroff, Arun Prabhu, Arjun Goswami, Anirban Mohapatra, Varun Mehta, Arpita Sengupta, Anoushka Soni &
Sabreen Hussain on August 17, 2023

On November 18, 2022, when the Ministry of Electronics and Information Technology (“MEITY”)
tabled an entirely new draft Digital Personal Data Protection Bill, 2022 (“Draft”)[1], the concerns
around one section, namely Section 17 dealing with cross-border data transfers, were perhaps
more pronounced than the shock which accompanied the withdrawal of a long-debated
previous draft.

https://corporate.cyrilamarchandblogs.com/2023/08/a-fine-balancethe-dpda-and-data-localization/ 1/7

The criticisms around this section, which essentially required the Central Government
(“Government”) to “whitelist” territories to which transfer of personal data[2] was permissible,
revolved around two specific issues:

1. Whether this approach would simply “break” global business processes by creating
uncertainty around what was permissible until the notification; and

2. Given the purported overriding effect of the Draft,[3] whether transfer to a “whitelisted”
location would be permissible in view of the extensive, sector specific, localization regime
which is already applicable in India.[4]

As a part of our series of analyses on the Digital Personal Data Protection Act, 2023 (“Act”)[5], we
now examine the revised approach to cross-border data transfers under the Act, as well as some
comparative global positions.

The Story So Far

The conflict between the imperatives of data sovereignty and creating a “single market” to
enable free data flows, is a conundrum that regulators globally have attempted to solve in
different ways. Attempts leaning towards the former approach, like China’s great firewall,[6] and
Russia’s data balkanization[7], have also demonstrated their negative impact on innovation and
global competitiveness.[8]

Sadly, the most famous example of the “open” approach, Europe’s General Data Protection
Regulation (“GDPR”), is today something of a cautionary tale. Between the disruption
surrounding key international data flows through the Schrems decisions[9], and the multiple
efforts to resolve them[10], there is a sense of palpable relief around what is hopefully a
sustainable international transfer framework under the revised standard contractual clauses.[11]

In a global socio-economic context where data (and by natural extension, innovation in areas
such as AI and Big Data) is increasingly recognized as a strategic game changer, India, as a key
stakeholder which also bears the responsibility of global leadership, had to find a balance.

Given India’s breakneck speed of growth, India’s regulators have not had the luxury of waiting
for its general data protection law. Perhaps, as a consequence, India’s numerous regulatory
interventions in the space have not had the smoothest journey. For instance, in April 2018, the
Reserve Bank of India introduced a requirement to store payment data locally,[12] violation of
which led to a ban on two of the world’s key card networks.[13] In the end though, India has
demonstrated its will to stay the regulatory course, until the bans were removed after the
underlying issues were addressed.[14]

Today, India sees a range of localization requirements in its regulations pertaining to the securities
market,[15] insurance,[16] telecom,[17] and direct selling.[18]

It is in this context that the old Section 17 threw up a storm. Of the more than 20,000
submissions and more than two dozen consultations[19] which reportedly accompanied the
journey from the Draft to the Act, several, including those in which we were involved, dealt with
the thorny issue of localization.

Perhaps consequently, while much of the Act resembles the Draft, it adopts a markedly different
position on data localization from that of the Draft.

In effect, Section 16 of the Act enables the transfer of personal data by a Data Fiduciary[20] to
any unrestricted country.[21] Interestingly, unlike the Draft, the Act does not specifically state
that the countries will be notified after assessment of factors that may be considered necessary
by the Government and the transfer will be subject to safeguards that will be spelt out in rules
that can be notified later. However, it is possible that the safeguards may still be prescribed in
the notifications under Section 16 of the Act. Some of these safeguards may also be prescribed
as additional obligations on ‘significant’ Data Fiduciaries,[22] or be adopted voluntarily by
organisations in compliance with the requirements to implement technical and organisational
measures to ensure effective observance of the Act,[23] or to ensure compliance by data
processors.[24]

While there is presently no indication of what such safeguards could be, some surmise on their
nature is possible. Given that international data adequacy decisions and predictability
for global businesses are key enablers of India’s avowed purpose of improving ease of doing
business[25], it is likely that these measures could take the shape of:

1. A specific consent requirement for cross border transfers;

2. Some form of data adequacy or equivalence requirement; and

3. Either in combination with, or as an alternative to the above, some form of “private”
protection for transferred data such as standard contractual clauses or schemes/ binding
corporate rules.

The first of these requirements, if not read into existing consent or notice requirements under
the Act,[26] may stand out in contrast to the current position under the Information Technology
Act, 2000 which mandates specific consent for transfers of ‘sensitive personal data or
information’.[27]

The latter two requirements may be driven by imperatives of economics and geo-politics.

Of these, data adequacy (and its close companion, reciprocity) is a key point for existing trade
negotiations[28], while private protections such as standard contractual clauses are likely going
to become a necessary measure to enable transfers to countries where the relevant regulatory
environment is not as secure.

The above being said, if predictability and minimizing business disruption were key imperatives
for the significant movement from the prohibitory tone of the Draft to the far more facilitative
and liberalized approach of the Act, this outcome may be said to have been safely achieved.

Conflicting Imperatives

Much was made in policy circles about how the Draft was intended to have overriding effect, and
how it would override (and therefore liberalize) data flows which were restricted under various
localization regimes in India.[29]

This may be seen in retrospect as a bit of an own goal as the Act tries to remove all ambiguity,
and states that it will not restrict applicability of any law which “provides for a higher degree of
protection for or restriction on transfer of personal data” by a Data Fiduciary outside India.[30]
For instance, will a different recommendatory regime, say, the EHR Standards[31] which provide
for removal of patient identifying information or anonymization, qualify as a higher degree of
protection and restrict transfers that do not follow these recommendations?

In any event, by enabling stricter laws on data protection to prevail with respect to cross-border
data sharing, what becomes clear is the intent of the Act, i.e., to provide only a baseline level of
protection, while leaving enough space for sectoral regulators to come up with stronger
safeguards as may be required.

[1] The Digital Personal Data Protection Bill, 2022 (“Draft”), available here.
[2] Section 2(t), Act: “personal data” means any data about an individual who is identifiable by or
in relation to such data.
[3] Section 29(2), Draft.
[4] Reserve Bank of India, Notification, Storage of Payment System Data, RBI/2017-18/153
(“Localization Circular”), available here.
[5] The Digital Personal Data Protection Act, 2023 (“Act”), available here.
[6] Article 40, Personal Information Protection Law of the People’s Republic of China, 2021,
available here; Article 37, PRC Cyber Security Law, 2017, available here. See also, The Economic
Times, China: Everything you should know about the Great Firewall of China – Massive censorship
network, August 1, 2017, available here.

[7] Russia Federal Law No. 152-FZ of July 27, 2006 on Personal Data, available here. See also Erica
Fraser, Data Localisation and the Balkanisation of the Internet, Scripted: A Journal Of Law,
Technology & Society, Volume 13, Issue 3, December 2016, available here.
[8] See Frontier Economics, The Extent and Impact of Data Localisation, Report prepared for DCMS,
page 108, June 01, 2022, available here; GSMA, Cross-Border Data Flows: The impact of data
localisation on IoT, January 2021, available here; UNCTAD, Data Protection Regulations and
International Data Flows: Implications for Trade and Development, page 4, 2016, available here.
[9] Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18)
(the Schrems II case), the Court of Justice of the European Union (CJEU), July 16, 2020, where CJEU
upheld the validity of standard contractual clauses while striking down EU-US Privacy Shield;
Maximillian Schrems v. Data Protection Commissioner (Case C‑362/14), the Court of Justice of
the European Union (CJEU), October 06, 2015, where CJEU ruled that the European Commission’s
adequacy determination for the U.S.-EU Safe Harbor Framework was invalid.
[10] European Commission adopted its adequacy decision for the EU-U.S. Data Privacy
Framework, see Data Protection: European Commission adopts new adequacy decision for safe
and trusted
EU-US data flows, European Commission, July 10, 2023, available here.
[11] European Commission, Standard contractual sections for international transfers, June 04,
2021, available here.

[12] Localization Circular.


[13] Reuters, India bans Mastercard from issuing new cards in data storage row, July 14, 2021,
available here; Firstpost, Explained: Why American Express was banned in India for 16 months,
August 25, 2022, available here.
[14] Reserve Bank of India, Press Release, Reserve Bank of India lifts the business restrictions
imposed on American Express Banking Corp, August 24, 2022, available here; Indian Express, RBI
lifts new card ban on Mastercard, June 17, 2022, available here.
[15] Principle 6, Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs), SEBI,
March 06, 2023.
[16] Regulation 18 of the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017
(available here), mandates that all original policyholder records continue to be maintained in
India;
Regulation 3(9) of IRDAI (Maintenance of Insurance Records) Regulations, 2015 (available here),
insurers are required to ensure that the records pertaining to policies issued and claims made in
India (including the records held in electronic form) are held in data centres located and
maintained in India.
[17] Section 39.23(viii) of the Unified License (available here) requires the licensee to not transfer
any accounting information relating to subscriber (except for international roaming/Acting) and
any
user information (except relating to foreign subscribers using Indian Operator’s network while
roaming and IPLC subscribers), outside India.
[18] Rule 5 of Consumer Protection (Direct Selling) Rules, 2021 (available here) stipulates the
obligations of the direct selling entities. The obligations include the requirement to store sensitive
personal data within the jurisdiction of India, in accordance with the applicable law for the time
being in force.
[19] The Hindu, Cabinet clears Data Protection Act, July 05, 2023, available here.

[20] Section 2(i), Act: “Data Fiduciary” means any person who alone or in conjunction with other
persons determines the purpose and means of processing of personal data.
[21] Section 16, Act.
[22] Section 10(2)(c)(iii), Act.
[23] Section 8(4), Act.
[24] Section 8(1), Act.
[25] Money Control, Data Draft Bill tries to balance ease of doing business, privacy and national
security: Jaishankar, November 29, 2022, available here.
[26] Sections 6, 7, Act.

[27] Rule 7, Information Technology (Reasonable security practices and procedures and sensitive
personal data or information) Rules, 2011 (“SPDI Rules”). See also, Article 49(1), GDPR, and
Regulations 10(2) and 10 (3), Personal Data Protection Regulations 2021 (available
here) read with Section 26 of the Personal Data Protection Act 2012 (Singapore), available here.
[28] World Trade Organization, Negotiation documents, available here; Centre for Law & Policy
Research, India’s Engagement with Global Trade Regimes on Cross-Border Data Flows, available
here.

[29] See generally, MediaNama, How Will The Data Protection Bill Approach Personal Data
Transfers Outside Of India? #NAMA, December 17, 2022, available here.
[30] Section 16(2), Act.

[31] Electronic Health Record (“EHR”) Standards For India 2016, Standards Set Recommendations
v2.0, Ministry of Health and Family Welfare, December 30, 2016, page 21.


Copyright ©2023, Cyril Amarchand Mangaldas. All Rights Reserved.