Third-Party Data Transfers and Cross-Border Data Transfers under Indian Law

Third-party data transfers in India need consent and contracts under the Digital Personal Data Protection Act, 2023 (DPDP Act).
Cross-border data transfers are allowed unless restricted, with safeguards like contracts required.
Ensuring rights in cross-border transfers involves contracts and potential standard clauses, though details are still evolving.
Contractual clauses for valid transfers include security, compliance, and data rights, but specifics may vary with future rules.

Legal Analysis of Third-Party Data Transfers and Cross-Border Data Transfers under Indian Law

The rapid digitisation of economies and the global nature of data flows have made third-party data transfers and cross-border data transfers critical issues in data protection law. In India, the regulatory framework governing such transfers is primarily enshrined in the Digital Personal Data Protection Act, 2023 (DPDP Act), supplemented by sectoral regulations and guidelines issued by authorities like the Reserve Bank of India (RBI) and the Ministry of Electronics and Information Technology (MeITY). This article provides a comprehensive analysis of the requirements for third-party and cross-border data transfers, mechanisms to ensure compliance with rights under Indian law during cross-border transfers, and the contractual clauses necessary to effect valid third-party transfers.

Requirements for Third-Party Data Transfers under Indian Law

Third-party data transfers refer to the sharing of personal data by a data fiduciary (the entity determining the purpose and means of processing personal data) with another entity, such as a processor or another fiduciary, for processing or other purposes. Under the DPDP Act, third-party data transfers are subject to stringent requirements to ensure data protection and compliance with the rights of data principals (individuals whose data is processed).

Key Legal Requirements

The DPDP Act outlines the following requirements for third-party data transfers:

Lawful Purpose and Consent: Under Section 6 of the DPDP Act, personal data may only be processed for a lawful purpose with the explicit consent of the data principal, unless an exemption applies (e.g., compliance with legal obligations or public interest). For third-party transfers, the data fiduciary must ensure that the purpose of the transfer aligns with the original purpose for which consent was obtained, or fresh consent must be sought.
Notice to Data Principals: Section 5 mandates that data fiduciaries provide clear and transparent notice to data principals about the purpose of processing, the identity of third parties with whom data is shared, and the rights available to the principal (e.g., right to withdraw consent, access, correction, or erasure). The notice must be provided in plain language and in multiple languages as prescribed.
Data Processing Agreements: When transferring data to a data processor (a third party processing data on behalf of the fiduciary), Section 8 requires a valid contract between the data fiduciary and the processor. The contract must outline the scope of processing, security measures, obligations to comply with the DPDP Act, and mechanisms for audits and oversight by the fiduciary.
Security Safeguards: Section 8(3) mandates that both the data fiduciary and the third party implement reasonable security safeguards to protect personal data from breaches, unauthorized access, or misuse. The DPDP Act does not prescribe specific technical standards but refers to industry best practices and guidelines issued by the Data Protection Board of India (DPBI).
Accountability of Data Fiduciaries: The data fiduciary remains accountable for compliance with the DPDP Act, even when data is transferred to a third party (Section 8(2)). This includes ensuring that the third party adheres to the same data protection standards as the fiduciary.
Restrictions on Onward Transfers: The third party (e.g., a data processor) is prohibited from further transferring the data to another entity unless explicitly permitted by the contract with the data fiduciary or with the consent of the data principal.

Sectoral Regulations

In addition to the DPDP Act, sectoral regulations impose specific requirements for third-party transfers in certain industries:

RBI Guidelines: For financial institutions, the RBI's Master Direction on Digital Payment Security Controls (2021) and Storage of Payment System Data (2018) require that sensitive financial data be processed only by entities compliant with RBI standards. Third-party transfers of payment data must be accompanied by robust contractual safeguards.
Health Data: The Draft Digital Information Security in Healthcare Act (DISHA), though not yet enacted, proposes strict controls on third-party sharing of health data, requiring explicit consent and anonymization where feasible.
Telecom Sector: The Unified License Agreement and guidelines by the Department of Telecommunications mandate that telecom operators ensure third-party processors comply with data localization and security requirements.

Requirements for Cross-Border Data Transfers
Cross-border data transfers involve the transfer of personal data from India to entities located outside the country. The DPDP Act introduces a flexible yet controlled framework for such transfers, balancing data protection with the needs of global businesses.
1. Legal Framework under the DPDP Act
  Section 16 of the DPDP Act governs cross-border data transfers and provides the following key requirements:
  - Permissibility of Transfers:
    Personal data may be transferred outside India unless restricted by the Central Government through a notification. The government may prohibit transfers to specific countries or entities based on factors such as national security, public interest, or inadequate data protection frameworks in the recipient country.
  - Adequate Level of Protection:
    While the DPDP Act does not explicitly mandate "adequacy" assessments (as seen in the EU's GDPR), it empowers the Central Government to evaluate whether the recipient country or entity provides an adequate level of data protection. The Data Protection Board of India (DPBI) may issue guidelines on evaluating foreign jurisdictions' data protection frameworks.
  - Contractual Safeguards:
    Cross-border transfers must be supported by contracts that impose obligations on the recipient to comply with the DPDP Act's standards, including security safeguards, purpose limitation, and data principal rights.
  - Consent for Sensitive Data:
    For sensitive personal data (e.g., financial data, health data, or biometric data), explicit consent is required before cross-border transfer, unless an exemption applies (e.g., legal compliance or public health emergencies).
  - Data Localization Requirements:
    Certain categories of data, such as "critical personal data" (to be defined by the Central Government), may be subject to localization requirements, prohibiting cross-border transfers or requiring a copy to be stored in India. The RBI's 2018 Directive on Storage of Payment System Data mandates that payment system data be stored in India, with cross-border transfers permitted only for processing, subject to strict oversight.
2. Exemptions
  Section 17 of the DPDP Act provides exemptions for cross-border transfers in specific cases, such as:
  - Compliance with legal obligations (e.g., tax reporting to foreign authorities).
  - Prevention or investigation of offences.
  - Protection of public health or national security.
  - Contractual necessity (e.g., performance of a contract with the data principal).
Ensuring Rights under Indian Law in Cross-Border Transfers
The DPDP Act recognizes several rights for data principals, including the right to access, correction, erasure, portability, and the right to withdraw consent (Sections 11-13). Ensuring these rights are protected in cross-border transfers is a critical challenge due to jurisdictional differences and varying data protection standards. The following mechanisms can be employed to safeguard these rights:
1. Contractual Obligations
  - Binding Agreements: Data fiduciaries must include clauses in cross-border transfer agreements that require the recipient to honor data principal rights. For example, the recipient must facilitate requests for data access or erasure within the timelines prescribed by the DPDP Act (e.g., 30 days for most requests).
  - Sub-Processor Compliance: If the recipient engages sub-processors, the contract must mandate that sub-processors also comply with these rights.
2. Standard Contractual Clauses (SCCs)
  The DPBI may issue model SCCs for cross-border transfers, similar to the EU's SCCs under GDPR. These clauses would require the recipient to:
  - Process data only for specified purposes.
  - Implement security measures equivalent to those required under the DPDP Act.
  - Assist the data fiduciary in responding to data principal requests.
  - Notify the fiduciary of any data breaches or non-compliance.
3. Oversight and Audits
  Data fiduciaries must conduct periodic audits of the recipient's data protection practices to ensure compliance with Indian law. The contract should grant the fiduciary the right to inspect the recipient's facilities or records.
4. Jurisdictional Mechanisms
  - Grievance Redressal: The DPDP Act requires data fiduciaries to establish grievance redressal mechanisms (Section 10). For cross-border transfers, fiduciaries must ensure that data principals can access these mechanisms, regardless of the recipient's location.
  - DPBI Oversight: The Data Protection Board of India has the authority to investigate complaints related to cross-border transfers and impose penalties for non-compliance (Section 28).
5. Transparency and Accountability
  Data fiduciaries must inform data principals about the countries to which their data is transferred and the safeguards in place. Annual compliance reports submitted to the DPBI should include details of cross-border transfers and measures to protect data principal rights.
6. Challenges and Recommendations
  - Jurisdictional Conflicts: Differences in data protection laws (e.g., weaker protections in the recipient country) may hinder the enforcement of rights. To mitigate this, fiduciaries should prioritize transfers to jurisdictions with robust data protection laws or use SCCs to bridge gaps.
  - Enforcement: The DPBI should establish bilateral or multilateral agreements with foreign regulators to facilitate cross-border enforcement of data principal rights.
  - Localization: Where localization is mandated, fiduciaries must balance compliance with operational efficiency by leveraging secure cloud solutions within India.

Contractual Clauses Necessary for Valid Third-Party Transfers

To ensure compliance with the DPDP Act and protect data principal rights, contracts for third-party transfers (including cross-border transfers) must include specific clauses.

Below is a detailed list of essential contractual clauses:

Scope and Purpose of Processing
- Clause: The contract must clearly define the scope, purpose, and duration of data processing by the third party.
- Example: "The Processor shall process personal data solely for the purpose of [specific purpose, e.g., cloud storage, analytics] as instructed by the Fiduciary and shall not use the data for any other purpose without prior written consent."
- Rationale: This ensures compliance with the purpose limitation principle under Section 6.
Compliance with DPDP Act
- Clause: The third party must agree to comply with all applicable provisions of the DPDP Act and any guidelines issued by the DPBI.
- Example: "The Processor shall process personal data in accordance with the Digital Personal Data Protection Act, 2023, and any rules or notifications issued thereunder."
- Rationale: This ensures that the third party is legally bound to adhere to Indian data protection standards.
4.3. Security Safeguards
- Clause: The third party must implement reasonable technical and organizational measures to protect personal data.
- Example: "The Processor shall implement security measures, including encryption, access controls, and regular security audits, to prevent unauthorized access, disclosure, or loss of personal data."
- Rationale: This aligns with Section 8(3) and mitigates the risk of data breaches.
Sub-Processing
- Clause: The third party must not engage sub-processors without the prior written consent of the data fiduciary, and sub-processors must be bound by the same obligations.
- Example: "The Processor shall not engage any sub-processor without the Fiduciary's prior written approval. Any sub-processor shall be subject to a written agreement imposing obligations equivalent to those in this Agreement."
- Rationale: This ensures control over the data processing chain.
Data Principal Rights
- Clause: The third party must assist the data fiduciary in fulfilling data principal rights, such as access, correction, or erasure.
- Example: "The Processor shall promptly assist the Fiduciary in responding to requests from Data Principals for access, correction, erasure, or portability of their personal data, within the timelines prescribed by the DPDP Act."
- Rationale: This ensures compliance with Sections 11-13.
Data Breach Notification
- Clause: The third party must notify the data fiduciary of any data breach without undue delay.
- Example: "The Processor shall notify the Fiduciary of any personal data breach within 72 hours of becoming aware of it, providing details of the breach and proposed remedial measures."
- Rationale: This aligns with Section 8(6) and enables timely reporting to the DPBI and data principals.
Audit and Inspection
- Clause: The data fiduciary must have the right to audit the third party's compliance with the contract and the DPDP Act.
- Example: "The Fiduciary shall have the right to conduct audits or inspections of the Processor's data processing activities, with reasonable notice, to verify compliance with this Agreement and the DPDP Act."
- Rationale: This ensures ongoing oversight and accountability.
Data Deletion or Return
- Clause: Upon termination of the contract, the third party must delete or return all personal data to the fiduciary, unless required to retain it under law.
- Example: "Upon termination of this Agreement, the Processor shall, at the Fiduciary's option, return or securely delete all personal data, except where retention is required by applicable law."
- Rationale: This prevents unauthorized retention of data.
Cross-Border Transfer Safeguards
- Clause: For cross-border transfers, the contract must include safeguards to ensure compliance with Indian law in the recipient jurisdiction.
- Example: "The Processor shall ensure that personal data transferred outside India is processed in accordance with the DPDP Act, including by implementing Standard Contractual Clauses approved by the Data Protection Board of India."
- Rationale: This aligns with Section 16 and ensures protection in foreign jurisdictions.
Liability and Indemnity
- Clause: The third party must indemnify the data fiduciary for any losses arising from non-compliance with the contract or the DPDP Act.
- Example: "The Processor shall indemnify and hold harmless the Fiduciary against any claims, losses, or penalties arising from the Processor's breach of this Agreement or the DPDP Act."
- Rationale: This allocates risk and encourages compliance.
Governing Law and Jurisdiction
- Clause: The contract must specify that it is governed by Indian law and subject to the jurisdiction of Indian courts.
- Example: "This Agreement shall be governed by the laws of India, and any disputes arising hereunder shall be subject to the exclusive jurisdiction of the courts in [city, e.g., New Delhi]."
- Rationale: This ensures enforceability under Indian law.

Practical Considerations and Challenges

Harmonization with Global Standards
- Indian businesses operating globally must align DPDP Act requirements with international frameworks like the EU's GDPR or the California Consumer Privacy Act (CCPA). For instance, GDPR's strict adequacy requirements may conflict with the DPDP Act's more flexible approach, necessitating robust SCCs or Binding Corporate Rules (BCRs).
- Recommendation: Adopt a "highest common denominator" approach by implementing safeguards that meet the strictest applicable standards.
Data Localization and Cloud Computing
- Localization requirements for critical or sensitive data may complicate cross-border transfers, especially for organizations relying on global cloud providers.
- Recommendation: Use hybrid cloud models with localized storage for restricted data and global processing for non-restricted data.
Enforcement and Penalties
- The DPDP Act imposes significant penalties for non-compliance, including fines up to ₹250 crore per instance (Section 28). Non-compliance by third parties or in cross-border transfers can expose fiduciaries to liability.
- Recommendation: Implement robust due diligence and monitoring mechanisms for third-party compliance.
Emerging Role of the DPBI
- The Data Protection Board of India will play a pivotal role in issuing guidelines, approving SCCs, and enforcing compliance. However, the DPBI's capacity and expertise remain untested.
- Recommendation: Engage with industry bodies to advocate for clear and practical DPBI guidelines.

Conclusion
The Digital Personal Data Protection Act, 2023, establishes a comprehensive framework for third-party and cross-border data transfers in India, emphasizing consent, transparency, and accountability. To ensure compliance, data fiduciaries must implement robust contractual safeguards, conduct due diligence on third parties, and adopt mechanisms to protect data principal rights in cross-border contexts.

The contractual clauses outlined above—covering purpose limitation, security, rights facilitation, and breach notification—are critical to effecting valid transfers. However, challenges such as data localization, jurisdictional conflicts, and harmonization with global standards require proactive strategies, including the use of SCCs, audits, and hybrid cloud solutions.

Sources: