A thorny issue par excellence, cross-border transfers of personal data regularly make the headlines. While a few years ago (Lexing Insights, #30, Oct. 2021) the debate was focused on EU/US transfers, today the proliferation of data protection laws around the world has made this a global issue. In the EU, even with the adoption of the Data Privacy Framework, the subject remains sensitive. The recent EDPS decision against the European Commission about the use of Microsoft 365 is a case in point, as is the decision by the French Conseil d’Etat rejecting the appeal against Microsoft’s hosting of health data.
In this context, the legislative or contractual solutions developed by the other countries described in this issue are enlightening and informative.
The Lexing® network members provide a snapshot of the current state of play worldwide. The following countries have contributed to this issue: Belgium, China, Greece, Hong Kong, India, South Africa.
FREDERIC FORSTER
VP of Lexing® network and Head of the Industries & IT, Telecoms and Banking Services division of Lexing Alain Bensoussan-Avocat
Most organisations need to be able to transfer data to other countries to do business effectively. In many cases, this can be achieved relatively easily without restrictions. In other cases, some countries place strict requirements for the lawful transfer of personal data outside their country. This article focuses on the nuances of lawfully transferring personal data, particularly on how some African countries tackle this issue.
How can you lawfully transfer personal data?
Most data protection laws (such as the Protection of Personal Information Act (1) (POPIA) in South Africa or the Data Protection Act (2) of Botswana) generally agree that anyone processing personal data may only transfer it outside the country under certain circumstances. In general, these include cases where:
- there is adequate protection for the personal data, similar to or consistent with the protection in the country of origin;
- an instrument such as a law, binding corporate rules, or agreement (including data protection clauses) provides protection for the personal data;
- the data subject consents to their personal data being transferred to a third party in a foreign country;
- the transfer is necessary to perform (or conclude) a contract between the data subject and the controller;
- the transfer is necessary to conclude or perform a contract concluded in the data subject’s interest, between the controller and a third party; or
- the transfer is for the benefit of the data subject, subject to certain restrictions.
What are some of the country-specific nuances when transferring personal data?
Most countries use the general criteria discussed in the previous paragraph as the basis for lawfully transferring personal data with their own country-specific exceptions. For example, many countries, like Botswana (3) and Nigeria (4), have identified certain countries that they have deemed to have adequate protection of personal data, similar to adequacy findings in the GDPR (5). By contrast, South Africa’s Information Regulator has stated on many occasions that they will not produce a list of countries that provide adequate protection for personal data, and that responsible parties (South Africa’s equivalent of controllers) must assess these countries themselves to determine if they provide adequate protection to the personal data they intend to transfer.
Many other African countries require some level of confirmation from their authorities to allow the transfer of personal data. For example, Uganda’s Data Protection and Privacy Act, 2019 (DPPA) and Regulations (6) require controllers or processors to demonstrate to the Personal Data Protection Office that the destination country has adequate protection for the personal data equivalent to the protection in the DPPA or that the data subject has consented. These transfer requirements are stricter than those in other countries.
Key insights
Transferring data, especially personal data, is necessary to function in today’s society, but many countries acknowledge that their citizens’ personal data must be protected even when it is transferred. Lawfully transferring personal data can be achieved, but you should consider the following:
- Identify the countries you want to transfer personal data to.
- Ensure you understand the specific transfer requirements in the countries where you wish to transfer the personal data.
- Determine if the law in the destination country provides adequate protection by assessing the country and its laws.
- If the laws are not adequate, decide what to do. Work out which measures you must put in place to lawfully protect personal data based on the country’s specific requirements.
- Ensure you understand the consequences and penalties for not complying with those requirements, if any. Some countries might have criminal and civil sanctions for violations of those requirements.
(1) 4 of 2013
(2) 32 of 2018
(3) Transfer of Personal Data Order 2022, published on 29 July 2022. Available at: https://www.michalsons.com/wp-content/uploads/2022/10/Botswana-Transfer-of-Personal-Data-Order-2022.pdf
(4) The Nigerian Data Protection Regulation 2019: Implementation Framework, Annexure C
(5) General Data Protection Regulation (Regulation (EU) 2016/679)
(6) Section 30 of the Data Protection and Privacy Regulations, 2021
LISA EMMA-IWUOHA
In Belgium, the issue of data transfers has arisen in the specific context of public procurement. The Council of State, the country’s highest administrative court, has indeed had to rule on this subject in several recent decisions.
The first two decisions analyzed, both pronounced before the adoption of the new data privacy framework, concern the same tendering procedure and involve a process related to the establishment of a Mobility Center launched by the Flemish Community. The special tender specifications contained a number of guarantees regarding the processing of user data, and in particular – in response to the “Schrems II” judgment – a clause requiring candidates to demonstrate full compliance with the GDPR provisions in the event of data transfer to the United States, failing which they would be excluded from the contract.
The contracting authority awarded the contract to a company, merely stating regarding the compliance of the offer with the GDPR provisions: “the processing of personal data in accordance with the current rules is a matter of concern”. Seized with an extreme urgency suspension appeal by one of the excluded candidates, the Council of State suspended the award decision on the grounds, among others, that the motivation for the challenged award decision did not allow verifying whether the contracting authority had actually examined the regularity of the offers with respect to their GDPR compliance.
Following this first decision, the contracting authority withdrew the initial award decision and took a new one, still in favor of the same company. The same unsuccessful candidate then filed a new appeal against this new decision, which was ultimately dismissed by the Council of State. The latter indeed noted the particular care taken this time in verifying compliance with the provisions relating to the processing of personal data. Therefore, it did not follow the unsuccessful candidate who argued that the mere possibility for the awarded candidate to transfer data to the United States violated Article 44 of the GDPR. (1)
The last analyzed decision involves a hospital inter-municipal company that launched a public service contract for the subscription to a collective analysis and feedback tool related to hospital activity. In this case, the contract was awarded to a candidate whose offer mentioned data transfers to a third-party company located in Russia. However, neither the report on the offers nor the award decision contained explanations regarding a possible verification of GDPR compliance. In this case, the contracting authority merely indicated “regularity: yes.”
Seized with an appeal filed by an unsuccessful candidate, the Council of State maintained its jurisprudence that it is incumbent upon the contracting authority to perform the necessary verifications and to indicate the reasons why it can consider that the offer provides sufficient guarantees that the entrusted data will be processed in accordance with the GDPR. (2)
The Belgian Council of State’s case law is thus unanimous on the importance of verifying in practice and at the stage of awarding the contract whether the candidate’s offer is indeed compliant with the GDPR. It is not enough to request justifying elements apparently confirming GDPR compliance at the time of submitting offers; a real examination of them is also required.
From the aforementioned decisions, we can conclude that the contracting authority, as the data controller, has the obligation to examine the conformity of the offers submitted to it with the GDPR, especially when they involve data transfer to third countries. To this end, it will pay particular attention to the drafting of the specifications and the motivation of the award decision.
(1) The full text of these two decisions is available in Dutch at the following addresses:
http://www.conseildetat.be/Arresten/250000/500/250599.pdf;
http://www.conseildetat.be/Arresten/251000/300/251378.pdf
(2) The full text of this decision is available in French at the following address: http://www.conseildetat.be/Arrets/253000/600/253677.pdf
JEAN-FRANCOIS HENROTTE
A data processor (1) in China, if justified by a business reason, may proceed with an outbound transfer of personal information if one of the following conditions specified by the Personal Information Protection Law (PIPL) is fulfilled:
- (a) it successfully passes the security assessment conducted by the cyberspace authorities;
- (b) it obtains personal information protection certification from a professional agency in accordance with the rules set by the cyberspace authority;
- (c) it enters into a contract, based on the template elaborated by the cyberspace authorities, with the recipient of the personal information based in the overseas jurisdiction, clearly stipulating the rights and obligations of each party.
Condition (c) above enables a data processor in China to export data through a legal avenue equivalent to the SCCs under the GDPR. A specific regulation governing the Chinese SCC was released by the Chinese authorities in early 2023, accompanied by the long-awaited template for cross-border data transfer.
The Chinese SCC sets a number of conditions for its application, namely:
- (a) the data processor is not a critical information infrastructure operator;
- (b) the number of data subjects concerned is less than one million;
- (c) the accumulated number of data subjects concerned by the data export since January 1st of the preceding year is less than 100K;
- (d) the accumulated number of data subjects concerned by the sensitive data export since January 1st of the preceding year is less than 10K.
All of the above conditions shall be fulfilled concurrently for the Chinese SCC to apply, save as otherwise provided by law, regulation or the national cyberspace office.
A data protection impact assessment (“DPIA”) must be conducted by the data processor prior to the data export to the overseas recipient. The DPIA report shall be duly filed with the cyberspace office at provincial level, along with the Chinese SCC, within 10 working days of the effective date of the Chinese SCC.
Any addendum to the Chinese SCC shall be appended thereto in the form of a separate “Appendix 2” and shall not clash with the terms of the Chinese SCC.
The data processor shall observe the following obligations:
- (a) It shall provide personal data to the overseas recipient on a need-to-know basis in light of the purpose of the processing;
- (b) It shall inform the data subject of the identity and contact details of the recipient, the purpose and modality of the data processing, the type of data and its retention period as documented in Appendix 1 to the Chinese SCC, and the modality and procedure for data subjects to exercise their statutory rights; where sensitive personal data is concerned, it shall also inform the data subject of the necessity of providing the sensitive personal data and its impact on their personal interests (2);
- (c) Where the cross-border data transfer has consent as its legal basis, the consent of the data subject shall be secured, and for any minor under the age of 14 years, the consent of his/her parents or other guardian shall be secured;
- (d) It shall inform the data subject of his/her status as a third-party beneficiary under the Chinese SCC;
- (e) It shall use its best efforts to ensure that the overseas recipient adopts technical and organizational measures proportional to the data security risk exposure;
- (f) It shall provide a copy of the relevant legislative text and technical standard upon the request of the overseas recipient;
- (g) It shall respond to inquiries raised by the regulator with respect to the data processing by the overseas recipient;
- (h) It shall conduct a DPIA, the report of which shall be kept for a period of no less than 3 years;
- (i) It shall provide a copy of the Chinese SCC upon the request of the data subject; a redacted version of the Chinese SCC may be provided where business secrets or confidentiality are involved;
- (j) It bears the burden of proof for the performance of its obligations under the Chinese SCC;
- (k) It shall provide relevant information about the overseas recipient upon the request of the regulator.
The overseas recipient shall observe the following obligations:
- (a) It shall process the data in line with Appendix 1 to the Chinese SCC and solicit the consent of the data subject or his/her parents/guardian(s), if applicable, wherever individual consent is required;
- (b) It shall provide a copy of the Chinese SCC upon the request of the data subject; a redacted version of the Chinese SCC may be provided where business secrets or confidentiality are involved;
- (c) It shall designate a single contact person in charge of replying promptly to inquiries or complaints. The recipient shall inform the data processor of this designation and notify the data subjects either individually or through its website;
- (d) It shall process the personal data in such a manner that its impact upon the personal interests of the data subject remains minimal;
- (e) It shall delete all personal data upon completion of the retention period; where it has been entrusted by the data processor with data processing and the relevant contract for entrusted processing fails to take effect or becomes invalid, cancelled or terminated, it shall either return the personal data to the data processor or have it deleted;
- (f) It shall take and maintain relevant technical and organizational measures to ensure personal data security, ensure that its staff in charge strictly perform their confidentiality obligations, and put in place access control to personal data on a need-to-know basis;
- (g) It shall take remedial and mitigating measures promptly and notify the data processor in case of a data incident;
- (h) It shall fulfil a number of conditions precedent prior to any transfer of personal data to a third party located outside the People’s Republic of China;
- (i) It shall avoid unreasonable discrimination with respect to commercial terms vis-à-vis data subjects where personal data is used for automated decision-making;
- (j) It shall provide relevant information about the performance of its obligations upon the request of the data processor, and grant the latter access to relevant data and documents or provide facilities for an audit of the data processing initiated by the data processor;
- (k) It shall document its data processing, keeping logs for a period of no less than 3 years, and provide such logs to the regulator directly or via the data processor;
- (l) It shall agree to provide assistance throughout any monitoring process put in place by the regulator.
Both the data processor and the overseas recipient shall undertake to have used reasonable due care to ascertain that there is no legislative/regulatory requirement which may prevent either of them from duly performing their obligations under the Chinese SCC. In addition, the overseas recipient shall undertake to inform the data processor promptly once it becomes aware of any legislative/regulatory change likely to render the performance of the Chinese SCC impossible, or of any request made by a governmental or judicial body to provide the personal data covered by the Chinese SCC.
Either party shall notify the other of any dispute with a data subject, and both parties shall cooperate for the purpose of dispute resolution.
The data processor is entitled to suspend its performance of the Chinese SCC where the data recipient is in breach of its obligations, or where legislative/regulatory changes in the overseas jurisdiction concerned render the performance of the Chinese SCC by the overseas recipient impossible.
The data processor may terminate the Chinese SCC upon the occurrence of any of the following circumstances, and notify the regulator if it deems it necessary:
- (a) The suspension as per item 8 above exceeds one month;
- (b) The performance of the Chinese SCC by the overseas recipient would breach the applicable law and regulation in that jurisdiction;
- (c) The overseas recipient is materially or continuously in breach of the Chinese SCC;
- (d) The data processor or the overseas recipient has been found to be in breach of its obligations under the Chinese SCC by a final decision rendered by a competent court or regulatory body of the overseas recipient’s jurisdiction.
The overseas recipient may terminate the Chinese SCC in circumstances (a), (b) and (d).
The data subject is entitled to bring a claim against either or both of the data processor and the overseas recipient, where they are held liable on a joint and several basis.
The data exporter has been required to officially adopt the Chinese SCC from June 1, 2023, and any prior data export had to be regularized by December 1, 2023 at the latest.
(1) Terminology: When navigating the terminology of the PIPL, we may come across a number of “false friends”, of which the most notorious is the Data Processor (Personal information processor). The term Data Processor (Personal information processor) used in the PIPL (PIPL, Article 73) refers to “any organization or individual that independently determines the purpose and means of processing in their processing of personal information.” It corresponds to the definition of “data controller” in the GDPR (“natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”) (GDPR, Article 4), whilst “Entrusted party for data processing” (PIPL, Article 21) corresponds to the “processor” under the GDPR. (See Lexing Insights #34, “Comparative review of key aspects of PIPL and GDPR” by Jun Yang, Oct. 2022).
(2) NB: The data subject shall be entitled to address a request to either the data processor or the recipient for the purpose of exercising his/her data subject rights where the relevant personal data has already been transferred overseas. The data processor may, however, ask the recipient to provide assistance if it is unable to satisfy the request made by the data subject.
JUN YANG
This high-level analysis focuses on the Hellenic Data Protection Authority’s (HDPA) approach to cross-border data transfers in a landmark case concerning the provision of modern distance education using technology tools to primary and secondary school students (e-learning). The e-learning platform was provided by a third party established in the United States of America.
In September 2020, the HDPA issued their Opinion 4/2020 (1), advising the Ministry of Education on ensuring GDPR compliance in e-learning. The HDPA flagged concerns about risks to personal data, including, inter alia, the transfer of personal data outside the EU, the terms of the contract with the third-party providing the e-learning platform, as well as the use of personal email addresses of teachers and their electronic transmission to the third-party, even if a teacher had not activated their account.
One year later, the HDPA examined the updated Data Protection Impact Assessment (DPIA), as well as the compliance actions taken by the Ministry to address the points raised by the HDPA’s Opinion 4/2020. Subsequently, Decision 50/2021 was issued to reprimand the Ministry for a series of deficiencies (2).
Regarding data transfers outside the EU, the HDPA noted in their Opinion 4/2020 that the possibility of using a data centre outside the EU, at least in the event of a ‘failure’, was not excluded. They recommended that the data controller should study the CJEU’s judgment in Case C-311/18, ensure that there is no possibility of transferring personal data outside the EU, and examine the applicable legal regime in the importer’s country, so as to ensure the application of the data subjects’ rights in all cases. Finally, the HDPA stressed that such a risk may arise where companies operating under US law (e.g. Section 702 of FISA and Executive Order EO 12333) are involved in the data processing, regardless of where the data is located.
Following these considerations, the HDPA evaluated the third party’s data processing activities in Decision 50/2021 and identified several key concerns. First, there was a notable absence of a thorough study of the third party’s compliance with its commitment to refrain from transferring personal data outside the EU/EEA without prior notification. Second, the HDPA questioned the reference to an assessment by the third party, emphasizing that this assessment had not been provided and casting doubt on the applicability of binding corporate rules in the case examined. Third, there was the assertion that the third party, being subject to U.S. law, lacked an adequate level of data protection. The HDPA requested detailed evidence proving that the problematic U.S. legislation would not in practice be applied to the transferred data or to the data importer.
At that point, the HDPA underscored the need to assess how data transfers outside the EEA are safeguarded following the EU Commission’s Decision (EU) 2021/914 on standard contractual clauses, effective from September 27, 2021.
To conclude, this landmark case from Greece, implicating the Ministry of Education in the process of ensuring an adequate level of data protection for data subjects in the EU countries, highlights the issues that legislators across both sides of the Atlantic Ocean aspire to resolve with the newly mandated Data Privacy Framework.
(1) Opinion 4/2020 of the Hellenic Data Protection Authority on modern distance learning in primary and secondary schools
(2) Decision 5/2021 on modern distance learning process by the Ministry of Education
GEORGE BALLAS & NIKOLAOS PAPADOPOULOS
The personal data protection regime in Hong Kong does not contain a statutory restriction on the transfer of personal data outside Hong Kong. However, this does not mean that there are no protections in respect of cross-border personal data transfers. The use of contracts to protect personal data in cross-border data transfer from Hong Kong will be explained.
What are data users?
A data user is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the personal data. Control is a key word here. Also, a person is not a data user if he does not hold, process or use personal data for any of his own purposes. A data user is similar to a data controller under GDPR.
If a person is a data user, then this triggers the obligations of the data user to fulfil a range of statutory obligations under the Hong Kong Personal Data (Privacy) Ordinance (“PDPO”). These obligations include a primary role in protecting personal data in cross-border personal data transfers conducted by the data user, whether to another data user or to a data processor.
What are data processors?
Technically, a data processor is a person who processes personal data on behalf of another person (a data user), instead of for his own purposes. A data processing arrangement is typically for specific purposes and in relation to specific services offered by the data processor to the data user. In Hong Kong, processing includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise.
Regulation of data processors in Hong Kong
The Privacy Commissioner for Personal Data in Hong Kong (“PCPD”) does not directly regulate data processors. Instead, data users are required to ensure that their data processors meet certain requirements under Hong Kong data protection laws. Data users are required to adopt contractual or other means to:
- (a) prevent the data processor from keeping personal data for longer than is necessary (Data Protection Principle (“DPP”) 2); and
- (b) prevent unauthorised or accidental access, processing, erasure, loss or use of personal data (DPP 4).
There is also statutory recognition that a data user is responsible and liable for the acts of his agents, which includes data processors whether inside or outside Hong Kong (section 65, PDPO).
Regulation of data transfers
Disclosure and transfer are expressly included in the definition of “use” in the PDPO. This is important, as it links to the requirements imposed on data users that collect personal data. A data user must give notice to explicitly inform data subjects of the purpose (in general or specific terms) for which the personal data is to be used and the classes of persons to whom the data may be transferred (DPP 1(3)). This means that a data user should inform data subjects, on or before collecting personal data, that it intends to transfer the personal data to other data users or to use data processors to perform some of the purposes for which the personal data was collected. The data user must obtain the prescribed consent of data subjects before using personal data collected for a new purpose (DPP 3).
Contractual means
The most common means for a data user to protect personal data transferred in a cross-border data transfer is by written contract. This can be either a contract that covers data privacy and protection as part of the terms for the entire commercial arrangement or a contract that deals specifically with data privacy and protection. This is a good practice for a number of reasons. It demonstrates proper due diligence and compliance with the statutory obligations of the data user. It enables the data user to bring a claim against the data transferee (whether data user or data processor) for breach of contract relating to data privacy and protection obligations.
Recommended model contractual clauses
The Hong Kong Privacy Commissioner for Personal Data (“PCPD”) has published two sets of recommended model contractual clauses. These cater for two scenarios, being the transfer of personal data from one data user to another data user and the transfer of personal data from a data user to its data processor. The recommended model clauses address the transfer of personal data from a Hong Kong entity to another entity outside Hong Kong; or between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user. The focus is upon cross-border data transfers of personal data that must take into account the requirements of the PDPO and its DPPs. Specifically, the purpose is to ensure adequate protection is given to the personal data as provided under the PDPO as if the personal data concerned were not transferred outside Hong Kong.
The complete verbatim adoption of the recommended model clauses is not mandatory. The PCPD has recognised that data exporters are free to use alternative wording which in substance is consistent with the requirements of the PDPO. This is different to the approach adopted under GDPR in respect of standard contractual clauses for international data transfers. In fact, the PCPD has expressly stated that its recommended model clauses are not intended to satisfy the requirements of GDPR or to be considered as alternatives to the standard contractual clauses of the European Commission in respect of the GDPR.
Recommended model clauses – Data user to data user transfers
In a personal data transfer from one data user to another data user, the transferor and the transferee will both use the personal data for their separate business purposes. This may arise, for instance, in a data sharing collaboration for their respective business activities. The recommended model clauses do not particularly account for whether the data users in question are independent data users (that is, operating independently in respect of the personal data), or joint data users (that is, making joint decisions in respect of the personal data).
The recommended model clauses are coherent and well-prepared. Nonetheless, they are not mandatory and the PCPD has acknowledged that account may be taken for commercial considerations (provided the substantive effect of the recommended model clauses is preserved). It is likely that legitimate commercial concerns will require that the recommended model clauses may need to be amended.
The approach to data subject rights required by these recommended model clauses would require collaboration with and support from the transferring data user to ensure the receiving data user can fulfil obligations that require direct communication with data subjects.
On a practical commercial negotiation level, it can be difficult to retain express references to the PDPO in circumstances where the governing law of the overall commercial arrangements is not Hong Kong law. This issue would be more problematic in respect of agreements for onward data transfer. Normally, the drafting compromise is to reflect the substance of the obligations without direct reference to the governing statute.
It is also ironic that the recommended model clauses restrict transfer of personal data to permitted jurisdictions. On the one hand, this approach does reflect recommended best practice and supports the focus on ensuring adequate levels of protection for the transferred personal data. On the other hand, this arises under a legislative regime that does not expressly or directly restrict the cross-border transfer of personal data.
Recommended model clauses – Data user to data processor transfers
In a personal data transfer from a data user to its data processor, the data processor must use the transferred personal data only for processing purposes on behalf of the data user, instead of for its own purposes.
Many of our comments in respect of the data user to data user recommended model clauses apply to these provisions. In particular, it is unusual – and perhaps misconceived – that the data processor is required to undertake that the transferred personal data is adequate but not excessive for the agreed processing purposes. This is a process that is ultimately controlled by the data user and is typically an obligation that the data user must perform.
The receiving data processor is frequently not in direct contact or communication with the data subject as it was not the party that collected the personal data. Consequently, the receiving data processor may not be in a position to review the continuing accuracy of the transferred personal data.
We could envisage that the data processor may provide information and guidance to the data user on the needs of the data processor for the data processing activities. However, this should not change the primary obligation of the data user.
Additional contractual measures
The PCPD has recognised that the recommended model clauses are not a complete solution for all cross-border data privacy and protection issues. Other contractual provisions may be needed. The recommended model clauses were prepared with a view to facilitating adoption of those provisions by medium-sized enterprises. Larger multi-national enterprises will have more complex needs and sophisticated requirements.
The PCPD provided these examples of other contractual provisions that may need to be considered:
- (a) Reporting, audit and inspection rights;
- (b) Data breach notification obligations; and
- (c) Compliance support and co-operation.
The PCPD also advocates data sharing provisions in data user to data user transfers to clarify the respective roles and responsibilities of the data users and their respective co-operation and co-ordination obligations.
We would typically expect to see liability and indemnification obligations in respect of issues arising from data transfers, though these will be carefully negotiated in each instance.
Conclusion
Data users have significant and onerous obligations in respect of cross-border data transfers from Hong Kong. There is extensive guidance on how to fulfil those obligations. That guidance has been prepared with a view to adoption by medium-sized enterprises with flexibility to adapt (without diminishing the substantive protection) to account for the overall commercial arrangements. The guidance contemplates that data users will ensure that there are contracts in place in respect of personal data sharing with other data users, and processing arrangements with data processors. These can be in separate agreements, schedules to the main commercial agreement or as contractual provisions within the main commercial agreement. The form ultimately does not matter; the substance and content does.
PÁDRAIG WALSH
Introduction
In an era characterised by an interconnected global economy, the exchange and flow of data across borders has become an integral component of modern business operations. India, as a growing digital economy, stands at the intersection of innovation and regulation in the realm of cross-border data transfer. The advent of cloud computing, digital platforms, and the rapid proliferation of information and communication technologies has intensified the need for a robust legal framework governing the movement of data across national boundaries.
Current Legal Framework
The primary legislation regulating the transfer of data outside the jurisdiction of India is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”). The SPDI Rules do not restrict the transfer of data when the receiving country adheres to the same level of data protection as that followed by India under the SPDI Rules. Under the SPDI Rules, the transfer of data is based on two criteria: (i) upon obtaining consent from the data subject, or when the transfer is essential for the execution of a lawful contract between the transferring organisation (or any organisation representing it) and the data subject; and (ii) if the receiving country adheres to the same level of data protection as stipulated under the SPDI Rules. Consequently, as long as proper consent is secured from the data subject and the receiving country adheres to sufficient data protection standards, additional regulatory approvals are not required. Please note, however, that there are certain specific sectoral requirements that are more stringent, as set out below.
Prospective Law
The recent enactment of the Digital Personal Data Protection Act, 2023 (“Act”) has been pivotal in updating India’s approach to data governance. The Act aims to overhaul and consolidate data protection laws and signifies a crucial step towards harmonising India’s regulatory landscape with contemporary global standards. The Act governs the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes. The Act authorises the Central Government to restrict the cross-border transfer of personal data by a data fiduciary (1) for processing, to territories outside India as may be notified by the Central Government. Thus, the transfer of data shall be permitted to all countries except those expressly prohibited by the Central Government. However, it should be noted that the Act is expected to be notified imminently and presently there is no notification prohibiting transfer of data to any specified countries. Now that the legal landscape has been made clear with the Act, more detailed regulations on cross-border data transfer are anticipated in the near future.
Sectoral restrictions:
Set out below are certain sectoral restrictions that may be applicable in the case of cross-border data transfer:
- 1. Banking: The Reserve Bank of India (“RBI”) by way of circular, named ‘Storage of Payment System Data’, (RBI/2017-18/153, DPSS.CO.OD No.2785/06.08.005/2017-2018) mandates all payment companies to store payment system data exclusively on servers located within India. In the event data is processed outside India, it must be promptly removed from overseas systems and exclusively stored within India. The implementation of data localisation by the RBI is intended to safeguard the personal data of the citizens by confining data to servers within India’s geographical borders.
- 2. Insurance: Third-Party Administrators (the “TPAs”) under the Insurance Regulatory and Development Authority of India (Third Party Administrators – Health Services) Regulations, 2016, are prohibited from sharing customer data and personal information obtained for insurance policy or claims servicing outside India.
Conclusion
India’s legal landscape concerning cross-border data transfer has undergone a significant shift with the enactment of the Act. The Act states that the Central Government by way of a gazette notification may impose restrictions on transferring personal data to certain countries. Although the Act has not come into force yet, it can be expected to do so in the near future, and it offers a preview of the expected regulatory framework.
Currently, there are no stringent restrictions on cross-border data transfers, but regulation can be expected imminently. It is also pertinent to note that Indian laws recognise sector-specific restrictions and regulators in various sectors have the authority to enforce additional protections based on the nature of the data being transferred.
(1) Section 2(i) of the Act defines Data Fiduciary as “any person who alone or in conjunction with other Persons determines the purpose and means of processing of personal data”.
SIDDHARTHA GEORGE, BILAL LATEEFI & STUTI AGARWAL