Skip to content

Cross Border Data Transfers under the Digital Personal Data Protection Bill, 2022

Article by Tsaaro

7 min read

Cross Border Data Transfers under the Digital Personal Data Protection Bill, 2022

Introduction    

A few of the important elements of the recently updated data protection Bill include easing cross-border data flows, increasing penalties for data breaches and non-compliance, and enabling the government to exclude state institutions from the legislation for the sake of national security.   

Three months after the government retracted an earlier version that had drawn criticism from Big Tech and other segments of civil society, the new draft version was published on the 18th of November 2022. The updated draft, now known as The Digital Personal Data Protection Bill, 2022, includes clauses on “purpose limitations” for data collection, specific grounds for collecting and processing personal data, fines ranging from Rs 50 crore to Rs 500 crore, and a Data Protection Board acting as the adjudicating body to carry out Bill’s provisions.   

The draft is available for public comment until December 17; the final version is anticipated to be introduced during Parliament’s budget session the following year.   

In contrast to the contentious necessity of local storage of data inside India’s geography in the previous Bill, the latest draft makes major allowances for cross-border data transfers. The Central Government will notify areas in due time where Indians’ data may be transmitted, according to the new draft.  

 

Data Localisation   

Data protection laws often require controllers to satisfy special requirements when transferring personal data cross-border.   

For example, the General Data Protection Regulation (GDPR) requires organizations to ensure that transfers of personal data to a country or territory outside the EEA (third country) or an international organization comply with the conditions set out in Chapter 5 of the GDPR (Article 44, GDPR).    

Data localization or data residency laws mandate that information on a country’s inhabitants or citizens be gathered, processed, and/or maintained domestically, frequently before being transmitted overseas. Such information is often only shared after complying with regional privacy or data protection regulations, which may include notifying the user of the information’s intended purpose and gaining their agreement.   

The idea of data sovereignty, which limits some data kinds to those covered by the rules that apply to data subjects or processors, is the foundation for data localization. Data localization takes a step further by demanding that initial collection, processing, and storage occur inside the national boundaries, whereas data sovereignty may just require that records concerning a nation’s inhabitants or residents abide by its personal or financial data processing regulations. In rare situations, it may be necessary to erase data on a nation’s inhabitants or citizens from other systems before doing so in the country where the data subject resides.   

Data Localisation in Other Nations  

The General Data Protection Regulation (GDPR) of the European Union (EU), which sets restrictions on the free movement of data impacting all EU member states, is one of the most significant pieces of legislation on data flows.   

An “Adequacy Decision” process is part of the GDPR and it governs international transfers of personal data. So long as the European Commission has determined that the third country of data destination offers a sufficient level of privacy protection (there are presently 12 countries on the “adequate” list), personal data transfers to another country outside the European Union are permitted.  

The GDPR states that only when an acceptable degree of protection is provided or when safeguards are in place to ensure the level of protection is roughly similar to that now given inside the EU, can personal data transfers to another country outside the EU be made. These protections come in the form of certifications, binding corporate rules (BCRs), codes of conduct, standard contractual clauses (SCCs), and other legally binding documents.   

The GDPR permits data controllers to rely on specific derogations for cross-border data transfers in the event of a data transfer to a non-adequate country and the absence of safeguards. These exceptions can only be used in certain circumstances to send data to a foreign nation.  

When collecting personal information from a data subject, data controllers are required under the GDPR to inform them of any cross-border data transfers they plan to make and to provide the following information:  

  

  1. whether the Commission has made an adequacy decision or not, or  
  2. Referencing the necessary or adequate safeguards, how to receive a copy of them or the locations where they are available in the case of transfers based on derogations or appropriate precautions.  

 

If the data controller plans to use the personal data for a reason other than the one for which it was originally obtained, it is required to inform the data subject of that other purpose and any pertinent information before that further processing. The GDPR’s transparency requirements must typically be met by the data controller.  

  

China, on the other hand, mandates localization of all “essential data” about “vital information infrastructure.” In a similar vein, Russia mandates that all personal information about its inhabitants be kept domestically. Different strategies have been used by various nations. The US mandates that all defense-related data be kept domestically. Indonesia, on the other hand, mandates the localization of all information about governmental services.   

  

The New Provisions  

By dividing the data into several categories according to its nature, such as sensitive or critical, the earlier suggested regulations were said to better secure the residents’ personal information. Businesses were mandated to keep a copy of certain “sensitive personal data” of Indian individuals, such as financial and health information, in India under the previous Bill, and exporting vaguely defined “critical” personal data was forbidden. Additionally, the previous Bill gave the Central government the authority to designate any personal information as “critical personal data” that must be processed only in India. It was one of the most important complaints highlighted by tech businesses, with companies like Meta stating that it would affect its services in India.  

The government had been asked to approve the cross-border transmission of data by the Asia Internet Coalition, a lobbying organization that speaks for Meta, Google, Amazon, and several other internet companies. In a letter to the IT ministry earlier this year, they stated that cross-border transfer decisions should be free from executive or political involvement, and should ideally be minimally controlled. The organization had claimed that limiting cross-border data flows would likely lead to increased rates of company failure, hurdles for start-ups, and more expensive product offers from established market participants. In the end, the aforementioned regulations will have an impact on digital inclusion, Indian customers’ access to a genuinely global internet, and the caliber of services.   

The draft permits cross-border interactions of data with “certain notified countries and territories,” in a move that is seen as a win for tech companies.   

“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, following such terms and conditions as may be specified,” the draft says, without naming the countries.   

Users will have the right to update and erase the personal data that businesses have on them, and companies will be obligated to stop keeping user data if it no longer serves the commercial purpose for which it was gathered.   

Experts’ View   

Experts and analysts have noted that the Bill takes a rather accommodative stance on the need for data localization and allows data flow to specific international locations depending on specified predetermined evaluations. Instead of being forced to build extensive infrastructure in India for the storage and processing of personal data, this is expected to encourage country-to-country trade agreements and make it comparatively easy for multinational corporations to operate and process data with their present set-up.   

Conclusion    

By easing regulations and allowing cross-border data transfers, it would be interesting to see which countries the central government notifies and the rules it lays down for the transfer, storage, and processing of data. While it is certainly advantageous for the Multi-National Corporations carrying out businesses in India, eased data localization regulations should not mean that the personal data of citizens are exploited and safeguards should be placed, complying with principles of data protection, to ensure that the companies do not misuse the collected data.   

We at Tsaaro are conscious of the compliance, unavoidable risk of exploitation and misuse of operational, confidential data that comes along with such involvement and the importance of working with compliance for a firm to run properly. Get in touch with us at info@tsaaro.com If you want to run an audit of your consent practices, check out our Regulatory Compliance Service, and Schedule a call with our experts by clicking here. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today.

234 thoughts on “Cross Border Data Transfers under the Digital Personal Data Protection Bill, 2022”

  1. Houston to Galveston shuttle services offer a range of options, such as luxury and private cars. Travelers can pick black car, corporate, express VIP, or cruise shuttle services for group transportation or special events, with airport and cruise transfers available for added convenience.

  2. Choose our bus service in Annapolis, Maryland, for unparalleled transportation options. From charter bus service Annapolis Maryland to shuttle bus services Annapolis, we offer comprehensive group transportation Annapolis, including wedding transportation Annapolis, airport transfer Annapolis, and motor coach bus rental Annapolis.

  3. Airport Limo Hamilton is your premier choice for luxury transportation in the Hamilton area. We offer a wide range of limo services, including airport transfers, corporate events, and special occasions. Our fleet of well-maintained limousines and professional chauffeurs ensure a comfortable and reliable journey. Whether you’re heading to Toronto Pearson International Airport (YYZ), Billy Bishop Toronto City Airport (YTZ), or any other destination, our Hamilton to Toronto airport limo service has you covered.

  4. Experience top-notch London Ontario airport taxi with our London ON airport transfer and YXU taxi service. Enjoy the comfort of our London Ontario airport shuttle and airport cab London Ontario. Secure your taxi to London Ontario airport for an easy travel experience!

  5. Choose our car service MSP to Rochester, MN, for a smooth journey. We provide transportation from Minneapolis Airport to Rochester, MN, and chauffeur service from Minneapolis to Rochester. Trust our reliable Minneapolis car service to Rochester, MN, for your travel needs.

  6. Get seamless PDX Airport Shuttle services, available 24/7 for your convenience. Choose our affordable Portland Airport Shuttle for private or large group travel. Experience top-notch PDX Airport Shuttle Service near you with reliable and comfortable transportation options.

  7. Experience seamless travel with London Chauffeur Service, offering a range of premium options including Luxury Chauffeur Car Hire, London Airport Transfers, and Corporate Chauffeur London. From Wedding Chauffeur Hire to VIP Car Service, our Professional Driver Services guarantee comfort and reliability.

  8. Gabriel Chauffeurs offers premium London Chauffeur Service, providing Private Chauffeur Services London with Luxury Car Hire. We specialize in VIP Transport, Airport Transfers, Wedding Car Hire, and London City Tours, ensuring Executive, Corporate, and Professional Chauffeur Services for all occasions.

  9. Experience the finest VIP Limousine Winnipeg has to offer with our affordable limousine rentals. Choose from luxury stretch limousines for weddings, corporate events, or parties. Enjoy premium chauffeur service with the best Winnipeg Limo Rentals and VIP Limousine Services.

  10. We maintain proper safety equipments for car hire in Dubai. The initial task is to deeply vacuum the entire interior to remove and remove dirt, sand, dust, hair and all dirt, both on carpets and on seat upholstery. Rubber mats, the easiest to clean, should be removed to wash with water – and soap

  11. I like what you guys are up also. Such smart work and reporting! Keep up the superb works guys I have incorporated you guys to my blogroll. I think it’ll improve the value of my website 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Tsaaro Consulting

INTRODUCTION: In a recent ruling, the Competition Commission of India (CCI) has slapped a heavy fine of 213.14 crore on …

Tsaaro Consulting

In today’s dynamic and fast-paced corporate environment businesses are increasingly adopting staff augmentation as a flexible workforce solution to address …

Tsaaro Consulting

In today’s fast-paced business environment, organisations are constantly seeking innovative methods to adapt and scale efficiently. Staff Augmentation Consulting services, …

Tsaaro Consulting

INTRODUCTION: In today’s interconnected world, businesses operate across borders, serving customers globally. This inevitably leads to the transfer of personal …

Krishna

INTRODUCTION: The Personal Data Protection Law No. 6698, known as Kişisel Verileri Koruma Kanunu (KVKK), is Türkiye’s landmark data protection …

SHARE THIS POST

Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them

Call Our Experts:

+91 95577 22103

small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png
small_c_popup.png

We’d love to help your organization achieve your Data Protection goals!

Schedule a complimentary consultation with our Team of Experts.