Data>Nuance Logo
DPDPA Resources/Section 16 - Cross-Border Data Transfer
International

Section 16 of the Digital Personal Data Protection Act, 2023

Cross-border data transfer regulations and government authority over international data flows

14 min readInternational Data TransferGovernment Authority
Introduction

In the contemporary era, the flow of personal data across national borders has become a crucial element of global business operations. The Digital Personal Data Protection Act, 2023 (DPDP Act) addresses cross border flow of data under Section 16. When read alongside Rule 14 of the Draft DPDP Rules, these provisions collectively shape how organizations operating in India can transfer personal data internationally.

Understanding Cross Border Flow of Data

Section 16 of the DPDP Act provides for the authority of the government over cross-border data transfers while preserving the applicability of existing protective legislation:

1. Government Authority to Restrict the Transfer of Data

The first clause grants the Central Government the power to restrict data transfers to specific countries or territories. It provides for a notification-based restriction mechanism rather than a blanket prohibition on data transfers. In other words, the approach adopted by the government is flexible in nature. It signifies that the government can selectively restrict transfers to specific jurisdictions based on various considerations. These considerations may include:

  • Inadequate data protection frameworks in recipient countries
  • National security concerns
  • Geopolitical considerations
  • Diplomatic relations

This provision grants the government significant discretion in determining the territories to which data transfers may be restricted. This practice establishes a regulatory framework that underscores evolving national interests alongside adherence to global data governance standards.

2. Preservation of Existing Protections

The provision is a non-obstante clause which preserves the applicability of any existing legislation providing for a higher degree of protection or restriction on the transfer of personal data by a Data Fiduciary outside India. In other words, the provision ensures that Section 16 does not inadvertently weaken existing sectoral regulations that may impose stricter requirements on cross-border transfers. For example, the regulations of the Reserve Bank of India requiring data localisation of payment related data in India.

Implementation Framework for Cross-Border Transfers

Section 16 of the DPDP Act establishes the legal basis for regulating cross-border data transfers, while Rule 14 of the DPDP Rules outlines the implementation framework. Rule 14 operationalizes Section 16 by:

  1. Mandating compliance with government requirements as a precondition for all cross-border data transfers.
  2. Enabling implementation through both broadly applicable general orders and specifically targeted special orders.
  3. Establishing a flexible compliance mechanism that can be adapted without legislative amendments.

An annexure detailing data transfer specifics suggests a developing and comprehensive regulatory strategy is anticipated once the legislation is in force. This approach permits the government to modify transfer requirements in response to evolving international data protection standards and ongoing negotiations of international data-sharing agreements.

Practical Implications for Data Fiduciaries

Organizations operating as Data Fiduciaries under the DPDP Act might face several practical considerations when navigating Section 16 and Rule 14:

1. Ensuring Compliance Under Uncertainty

With the government retaining discretion to issue notifications restricting transfers to specific territories and pending further details in the annexure, Data Fiduciaries might face challenges in ensuring compliance with the provisions of the DPDP Act. Thus, it is crucial for the organisations to:

  • Ensure comprehensive data mapping to identify all cross-border data flows
  • Develop contingency plans for potential restrictions on transfers to key jurisdictions
  • Monitor government notifications and policy signals regarding potential restricted territories
  • Build flexibility into data processing agreements with international partners

2. Implications on Cloud Service

Section 16 of the DPDP Act carries substantial implications for the utilization of cloud services. Restrictions by the government in the near future on the processing of personal data outside India necessitated that organizations employing cloud services or engaging in offshore data processing reassess their IT infrastructure and overall strategy to ensure sustained compliance with the DPDP Act 2023.

3. Sector-Specific Compliance

Section 16(2) of the DPDP Act, concerning the preservation of existing higher protections, introduces considerable compliance complexities for organizations with operations spanning multiple sectors. Entities such as financial institutions, healthcare providers, and telecommunications companies must take steps to:

  • Identify all pertinent sectoral regulations governing cross-border data transfers.
  • Implement the most rigorous stipulations across all operational facets.
  • Develop and institute sector-specific data governance protocols.
  • Continuously monitor regulatory developments issued by all relevant authorities.
Future Developments

The effectiveness of Section 16 and Rule 14 will largely depend on how the Central Government exercises its authority once the legislation is implemented. However, we would like to highlight the factors that the government may take into consideration when determining restrictions on the transfer of data outside India.

  • Adequacy of recipient country data protection frameworks
  • Reciprocity in data sharing arrangements
  • National security considerations
  • Strategic economic and trade interests
  • International relations and diplomatic factors

The DPDP framework establishes a foundation that is likely to evolve once implemented and is in practice. Some of the key pointers include:

  • Initial implementation may focus on high-risk countries with inadequate protections
  • Future annexures could introduce more structured transfer mechanisms similar to the concept of Standard Contract Clauses under the GDPR
  • Bilateral data transfer agreements may be negotiated with key trading partners
  • Industry-specific guidelines could be developed for sectors processing sensitive data

This approach offers flexibility as it adapts to the evolving international data governance standards. However, at the same time it creates compliance challenges for Data Fiduciaries navigating regulatory uncertainty. Organizations must develop robust data mapping, contingency planning, and strategies to mitigate the risks associated with potential transfer restrictions.

As the regulatory framework will continue to mature, Data Fiduciaries should proactively engage with industry associations, regulatory consultations, and international data governance forums to help shape a balanced approach that protects the data of Indian citizens while enabling the legitimate cross-border data flows essential to global digital commerce.

Previous: Section 12 - Data Correction & ErasureNext: Section 17 - Exemptions Framework

Need Help with Cross-Border Data Transfer Compliance?

Our experts can help you navigate the complexities of international data transfers under the DPDP Act

Schedule ConsultationBook Free Call