Abstract
In the age of globalization and digitization, the free flow of data across borders has become indispensable for economic and technological growth. Recognizing this, India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act) to create a regulatory framework for managing personal data, including provisions for cross-border data transfers. However, the Act’s approach to international data transfers has sparked debate due to the broad discretionary powers it grants the Central Government under Section 16, which allows it to “notify” permissible countries for data transfer without specifying clear standards or safeguards. This paper critically examines whether such discretion undermines data security and individual privacy. The study compares India’s model with the European Union’s General Data Protection Regulation (GDPR), which employs a robust “adequacy” framework grounded in detailed legal, human rights, and enforcement assessments. The paper also explores emerging US-India data cooperation frameworks, including DEPA, which are still evolving and lack enforceable safeguards. Additionally, it evaluates Section 17(1) of the DPDP Act, which provides wide exemptions to public authorities, enabling them to bypass standard data protection obligations under vague grounds like investigation and legal enforcement. Through legal and policy analysis, this article highlights that India’s current approach is potentially too lenient and could compromise individuals’ privacy, legal certainty for businesses, and international interoperability. It emphasizes the need for transparency, binding contractual safeguards, and alignment with global standards to ensure adequate data protection. The paper concludes with concrete recommendations for reforming the cross-border data transfer framework under the DPDP Act, suggesting a balance between national discretion and rights-based protection.
Keywords: Cross-Border Data Transfer, Digital Personal Data Protection Act, 2023, GDPR Adequacy, Right to Privacy, Data Protection Law India.
Introduction
In today’s interconnected digital world, the ability to transfer data across borders is not just a convenience; it is a necessity. Global businesses rely heavily on international data flows for everything from cloud storage and customer service to analytics and product development. As a result, regulating how personal data is transferred outside national borders has become a central concern for privacy laws around the world.
India took a significant step in this direction with the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act)[1]. Among its many provisions, the Act seeks to establish a legal framework for the transfer of personal data to countries outside India. However, one of the more debated aspects of the law is the level of discretion it grants the Central Government in deciding which countries or territories are eligible to receive such data. Specifically, Section 16[2] of the Act allows the government to “notify” countries where personal data may be transferred, without laying down any detailed conditions or evaluation standards for such decisions. This approach raises an important question: Is the Act too lenient in allowing cross-border data transfers without strong, transparent safeguards? Unlike jurisdictions like the European Union, where data transfers are strictly regulated based on the recipient country’s level of data protection through what is known as the “adequacy” test under the General Data Protection Regulation (GDPR)[3], the DPDP Act does not appear to require any such robust review before authorizing transfers. Similarly, while India and the United States are working toward establishing frameworks for trusted data exchanges, these arrangements are still evolving and do not yet provide the kind of formalized protection that many experts believe is necessary.[4]
In particular, this paper looks closely at the European Union’s General Data Protection Regulation (GDPR) as a benchmark for strong cross-border transfer safeguards and discusses how India’s model stands in contrast. It also considers the broader implications of giving the government such wide-ranging powers in the context of a country where the constitutional right to privacy[5], as upheld in Justice K.S. Puttaswamy v. Union of India,[6] has become a cornerstone of digital rights jurisprudence.
[1] Digital Personal Data Protection Act, No. 22 of 2023, § 16, Gazette of India, Aug. 11, 2023.
[2] Id.
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), 2016 O.J. (L 119) 1.
[4] India-U.S. Joint Statement, India-U.S. Strategic Partnership: Shared Values and Common Goals, The White House (June 2023), https://www.whitehouse.gov
[5] India Const. art. 21.
[6] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).