Section 16 DPDPA

Processing of personal data outside India.


16.(1) The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.

(2) Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.

Applicable DPDP Rule 2025

Rule 14: Processing of Personal Data Outside India

Section 17 DPDPA →
DPDPA
Table of contents


Report error

Legal Interpretation of the

Section 16 of the Digital Personal Data Protection Act, 2023 (DPDPA)

Introduction

Section 16 of the Digital Personal Data Protection Act, 2023 (India) provides a framework for transferring and processing personal data outside the country. In an increasingly globalized digital landscape, personal data often needs to move seamlessly across borders to facilitate commerce, communication, and innovation. However, cross-border data flows must be balanced against the need to protect individuals’ rights and ensure that personal data, once transferred, remains subject to adequate safeguards.

Key Provisions of Section 16

1. Permissibility of Cross-Border Data Transfers

Section 16 acknowledges that personal data processing may occur outside India. Rather than imposing an outright ban, it sets conditions for such transfers. The objective is to allow the digital economy to function globally while ensuring that personal data, regardless of where it is processed, benefits from a robust level of protection.

2. Government’s Role in Designating Countries and Territories

Under Section 16, the Central Government is empowered to notify countries or territories outside India to which personal data may be transferred. In doing so, the Government assesses factors like the recipient country’s data protection laws, frameworks, and enforcement mechanisms—similar to adequacy determinations under international laws like the EU’s GDPR.

3. Compliance with Specified Conditions

Even when data is transferred to a notified country, Data Fiduciaries and Data Processors must comply with prescribed conditions. These could include contractual arrangements, technical safeguards (e.g., encryption), and organizational measures (e.g., access controls), ensuring data is processed only for agreed-upon purposes. Future rules will clarify these conditions.

4. Focus on Protecting Data Principals’ Interests

The ultimate goal is to safeguard the interests of the Data Principal. By requiring that notified territories provide comparable data protection standards, the Act ensures Data Principals do not lose their rights or face lower safeguards when their data is transferred abroad.

Legal Interpretation

Alignment with Global Practices:
Many data protection regimes, including the EU’s GDPR, set rules for cross-border data flows. Section 16 aligns India’s approach with international norms, using a model akin to adequacy decisions, signaling India’s global outlook.

Governmental Oversight and Assurance:
The Indian Government decides which jurisdictions are approved, ensuring not all countries qualify by default. This oversight promotes legal consistency and maintains a level of protection that mirrors India’s standards.

Flexibility and Economic Considerations:
Section 16 recognizes global economic realities. By allowing lawful cross-border data flows, India supports innovation, investment, and competitiveness, while maintaining data protection integrity.

Illustrations

1. Global E-Commerce Transaction

Scenario:
An Indian customer buys a product from an international online retailer that stores data abroad.

Application:
If the retailer’s country is approved by the Indian Government, the customer’s data can be legally transferred. The retailer must meet the Act’s conditions, safeguarding data and using it only for order processing.

2. Cloud Service Providers with Overseas Servers

Scenario:
An Indian start-up uses a cloud service provider located in another country to store customer data.

Application:
If that jurisdiction is notified, the start-up can store and process data abroad, provided it implements contractual and technical safeguards aligned with Indian standards.

3. Cross-Border Financial Services

Scenario:
An Indian bank engages a foreign analytics firm to process transaction data for fraud detection.

Application:
If the foreign jurisdiction is authorized, the bank can transfer the data. The analytics firm must comply with data protection measures and not use the data for unauthorized purposes.

Significance and Broader Impact

Facilitating International Commerce and Cooperation:
Lawful cross-border data flows enhance India’s participation in the global digital economy, encouraging foreign investment and international partnerships.

Protecting India’s Digital Sovereignty and Citizens’ Rights:
By imposing conditions on transfers, Section 16 prevents personal data from ending up in legal voids. Data Principals retain robust rights, no matter where their data travels.

Incentive for Other Countries to Enhance Data Protection:
Countries seeking access to Indian data may raise their data protection standards, promoting a global culture of stronger privacy safeguards.

Conclusion

Section 16 of the DPDP Act, 2023 strikes a balance between facilitating the global flow of personal data and safeguarding Data Principals’ rights. By granting the Indian Government the authority to select acceptable jurisdictions and by placing conditions on transfers, the Act ensures that cross-border data processing adheres to robust privacy principles. This provision exemplifies India’s commitment to upholding data protection standards in a connected, international digital environment.

© 2024 Advocate (Dr.) Prashant Mali