- Personal data transfers outside of India will take place to countries notified by the Indian government.
- These countries will be determined after assessing factors considered necessary.
- Previous definitions and provisions for cross-border transfers of sensitive and critical personal data done away with.
- Data localisation provisions done away with.
Personal data can be transferred out of India to countries notified by the Indian government, reads a freshly published draft of the Digital Personal Data Protection Bill, 2022 (DPDP Bill).
Countries will be notified “after an assessment of such factors as it [the Centre] may consider necessary”, states the Bill’s single-sentence Section 17. These transfers by a data fiduciary will also be in “accordance with terms and conditions as may be specified”. These criteria and procedures are currently unspecified in the draft text.
The Bill notably does away with specific data localisation provisions for cross-border data transfers of “sensitive” and “critical” personal data which appeared in previous iterations of the draft law. Neither of the terms appear or are defined in the draft DPDP Bill—it applies to personal data, or “any data about an individual who is identifiable by or in relation to such data”.
Certain grounds-based transfers are also exempted from the DPDP Bill’s provisions under Section 18. “Acknowledging national and public interest is at times greater than the interest of an individual,” clarifies the Ministry in an explanatory note on the draft law.
The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until December 17th, 2022. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed. Click here for more of MediaNama‘s journalism on the DPDP Bill and India’s data protection laws.
The Act’s provisions apply to processing “digital personal data” within India when such data is collected from data principals online, or when it is collected offline and then digitised. They also apply to digital personal data processing outside of India, if it is in connection “with any profiling of, or activity of offering goods or services to Data Principals within the territory of India”.
The Act does not apply to non-automated processing of personal data, offline personal data, personal data processed by an individual for personal or domestic purposes, and personal data about an individual contained in a record in existence for at least 100 years.
The draft DPDP Bill is the fourth iteration of India’s much-awaited data protection law. The Bill’s predecessor—the Data Protection Bill, 2021—was withdrawn by the Indian government in August, making way for this “modern” successor. Developed after perusing similar laws from Singapore, Australia, the European Union, and the United States, it seeks to provide for digital personal data processing that “recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes”.
FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.
Conditions for cross-border transfer of personal data
What the 2022 Bill says: Personal data can be transferred out of India to countries assessed and subsequently notified by the Indian government.
How will these countries be determined?: Section 17 is a single sentence of four lines—and does not specify the determination process. Source-based reports from earlier this week suggest that trusted countries may be determined by considering their “reciprocity” with India, without elaborating further. However, Section 3 of the draft bill adds that “a reference to “provisions of this Act” shall be read as including a reference to Rules made under this Act”. This indicates that rules clarifying these procedures may be forthcoming.
Which cross-border personal data transfers be exempted from the 2022 Bill?: As per Section 18, cross-border personal data transfers will be exempted from the Act’s provisions when:
- Personal data processing is necessary to enforce any legal right or claim;
- Processing is in the interests of prevention, detection, investigation or prosecution of any offence or contravention of any law;
- Processing is by any court, tribunal, or other body in India and is necessary for the performance of judicial and quasi-judicial functions;
- The personal data is outside of India and processed pursuant to a contract entered into with any person outside India by any person based in India.
The Centre can also exempt other personal data processing from the Act’s provisions by notification, when:
- It is in the interest of “sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these”;
- It is necessary for research, archiving, or statistical purposes, and if the data will not be used to make a decision specific to the Data Principal, and is carried out in accordance with the newly-established Data Protection Board’s standards.
What the 2018 Bill said: Data fiduciaries must store at least one copy of personal data on a server or data centre in India. Some categories of personal data may be exempted from this requirement “on the grounds of necessity or strategic interests of the State”—however, this does not apply to sensitive personal data. Personal data can be transferred outside India when:
- The transfer is made subject to DPA-approved “standard contractual clauses or intra-group schemes”;
- Or the Centre, in consultation with the DPA, has permitted such transfers to a particular country, sector within a country, or international organisation;
- Or the DPA has approved the transfer due to a “situation of necessity”;
- Or alongside satisfying either of the first two provisions, the data principal has consented to the transfer of personal data, or the data principal has “explicitly consented” to the transfer of sensitive personal data (barring critical data).
How did the 2018 Bill define personal data?: “Data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information,” read the Bill.
What the 2019 and 2021 Bills said: The 2019 and 2021 Bills were sharper in focus, only describing transfers for “sensitive personal data” and “critical personal data”.
What the 2022 Bill says: Penalties for non-compliance with the Act will be determined and imposed by the newly-established Data Protection Board of India. Schedule 1 of the Act does not specify specific penalties for personal data transfers under Section 17 or 18. However, non-compliance with other provisions of the Act—barring the five specific offences listed in the Schedule—can invite penalties of up to Rs. 50 crore.
The Central government also has the power to amend the Schedule by notification, under Section 27(1), although “no such notification shall have the effect of increasing a penalty specified in Schedule 1 to more than double of what was specified in Schedule 1 when this Act was originally enacted”.
Appeals against the Board’s decisions can be made at the High Court within 60 days of the Board’s order. The Board may also recommend alternate dispute resolution mechanisms when it sees fit.
The 2018 Bill: For contravening provisions regarding “personal data” transfers outside of India, a data fiduciary will be fined a penalty of up to 15 crore rupees, or 4% of its total worldwide turnover for the previous financial year, whichever is higher.
The 2019 Bill: Provision remained the same.
The 2021 Bill: Contravening provisions regarding “personal data” transfers will be liable to such penalty as may be prescribed. The Joint Parliamentary Committee (JPC) that drafted the 2021 Bill argued that “flexibility in the imposition of penalty is required as digital technology is rapidly evolving”, adding that smaller data fiduciaries and start-ups may need to be considered separately.
Proposals for Data Localisation
What the 2022 Bill says: None specified.
What the 2018 and 2019 Bills said: No such proposals were explicitly described aside from storing mirrored copies of various types of personal data (sensitive and critical) in India.
What the 2021 Bill said: The JPC suggested that mirrored copies of sensitive and critical personal data in foreign hands be mandatorily brought to India within a specified timeframe. It urged that the Bill’s data localisation provisions be followed once the DPA was established, further prodding the Centre to draft an extensive policy on data localisation alone.
Conditions for cross-border transfer of critical personal data
What the 2022 Bill says: None specified. The Bill only deals with personal data.
What the 2018 Bill said: Some categories of personal data—notified by the government as critical personal data—will only be processed in servers or data centres located in India.
What the 2019 Bill said: Critical personal data, as notified by the government, can only be processed in India. It can be transferred out of India only when the transfer is:
- To a person providing health or emergency services, and if the transfer is necessary for processing personal data without consent;
- To a country, entity within a country, or international organisation to which the Centre has permitted sensitive personal data transfers. The Centre should believe that the transfer will not prejudicially affect the State’s security and interests.
What the 2021 Bill said: The provisions for critical personal data transfers remained the same as 2019’s, as did the fact that the category was yet to be firmly defined in the Bill.
Conditions for cross-border transfer of sensitive personal data
What the 2022 Bill said: None specified. The Bill only deals with personal data.
What the 2018 Bill said: Sensitive personal data notified by the Centre can be transferred outside of India to individuals, entities, countries, sectors within a country, or organisation on limited and specified grounds.
How did the 2018 Bill define sensitive personal data?: “Personal data revealing, related to, or constituting, as may be applicable— (i) passwords; (ii) financial data; (iii) health data; (iv) official identifier; (v) sex life; (vi) sexual orientation; (vii) biometric data; (viii) genetic data; (ix) transgender status; (x) intersex status; (xi) caste or tribe; (xii) religious or political belief or affiliation; or (xiii) any other category of data specified by the Authority under section 22.”‘
What the 2019 Bill said: Sensitive personal data can be transferred outside of India, but will be stored in India. Transfers can happen, provided:
- The data principal has explicitly consented to the transfer;
- The transfer is made subject to a DPA-approved contract or intra-group scheme;
- The Centre, in consultation with the DPA, has approved the transfer to a country, entity within a country, or international organisation. Approval hinges on whether the data will be subject to an adequate level of protection, and if the transfer will not prejudice law enforcement;
- The DPA permits the transfer for any specific purpose.
What the 2021 Bill said: The JPC added new shades to 2019’s Bill, reinforcing India’s national interest in deciding whether cross-border flows of sensitive personal data can take place or not. For example, alongside gaining the data principal’s explicit consent, processing and transfer of data abroad could happen, provided:
- The transfer is made subject to a contract or intra-group scheme approved by the DPA in consultation with the Central government. Alongside pre-existing conditions from 2019, such transfers will not be approved if against India’s State or public policy;
- The Centre, in consultation with the DPA, has approved the transfer to a country, entity within a country, or international organisation. Alongside pre-existing conditions from 2019, approval hinges on whether the sensitive personal data will not be shared with a foreign government or agency without Central approval;
- The DPA, in consultation with the Centre, has allowed the transfer for any specific purpose.
How did the 2019 and 2021 Bills define sensitive personal data?: “Personal data, which may, reveal, be related to, or constitute— (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status;(x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data under section 15.”
Selected public response and feedback to the 2021 Bill
Definitions of personal and sensitive personal data unclear: “The Bill is very expansive and there is no certainty on what sensitive personal data really is because the government can notify additional data sets as sensitive data sets and we also still don’t know what critical personal data is,” said a speaker at a MediaNama event earlier this year.
Rules for other data groups unclear: “What are the requirements of transfer of personal data that are not classified as sensitive or critical?” a speaker asked.
Provisions may impact start-ups: This is especially because they may use “tools from around the world and will find it hard to comply with the data localisation mandate”, said a speaker.
When the DPA has to consult the government is unclear: Also, it is concerning that the government will review all contracts, said a speaker.
Territorial division of the Internet: “The Bill is not looking at cross-border data flows as a global value chain and is instead dividing up data and the internet based on geographical boundaries,” argued a speaker.
- BREAKING: India Releases Digital Personal Data Protection Bill, 2022
- A Complete Guide To The Data Protection Bill, 2021
- A Complete Guide To The Personal Data Protection Bill, 2019
Note: This article’s headline was updated at 4:30 pm on 18/11/2022. The submission link for public feedback was added at 6:12 pm.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.