Cross-Border Data Transfers: Can Privacy Survive Jurisdictional Fragmentation?

Introduction

Cross-border data transfer means the movement of any kind of data from one country to another. Such transfers are generally required by MNCs and by Indian companies that export goods and services to foreign countries. Retail cross-border transfer involves the transfer of data customer to customer, B2B or B2C.

With rapid digitalization, data transfer across borders has become more and more common for facilitating e-commerce and financial transactions and enabling cloud computing, thus letting global trade prosper. A careful balance must be sought between data sovereignty for the sake of national security and seamless global trade for Indian companies, along with opening the gates to foreign investment in Indian talent and Indian markets.

Such transfers involve multiple jurisdictions, each with its own data privacy concerns. Jurisdictional fragmentation refers to conflicting laws in different jurisdictions on the same issue. For cross-border data transfers, it is an important consideration when dealing with, or transferring data to, different countries that have their own laws.

In India, the primary legislation that deals with cross-border transfer of data is the Digital Personal Data Protection Act (2023).

DPDP

The foundation for the DPDP was laid when a committee named the “Sri Krishna Committee” was set up; on its suggestions, the Personal Data Protection Bill was proposed in 2018 for data localisation, mandating that data be monitored and stored in India itself. The bill was updated in 2019 but received severe criticism with regard to trade and industries. It was drafted again with numerous changes to allow data transfer to government-approved countries. Eventually, the DPDP Act was passed in 2023 and came into effect in November 2025. The Act brought more relaxations, as all barriers to cross-border data transfer were removed except for transfers to blocklisted countries. The list of blocklisted countries has still not been released.

  1. Applicability of DPDP- According to section 16 of the DPDP Act, it applies to the processing, outside India, of personal data of individuals living in India. Foreign companies that provide goods and services to India are also within its scope and have to comply with this Act.
  2. Stakeholders- The key stakeholders who have been assigned duties relating to the transfer of data under this Act are:
  • Data Fiduciary- The entity consenting to and deciding the purpose of the transfer of data.
  • Data Processor- The entity that processes the data.
  • Data Principal- The individual whose data is to be processed.

Consent must be obtained before data is processed.

The Government shall issue a notification of the countries to which data cannot be transferred.

Sectoral Fragmentation- Sector-specific agencies and laws can override the DPDPA. The RBI mandates data localisation for all data relating to the payment system in India. SEBI has a similar mandate for data relating to investment and shareholders.

The European Union (EU) took rather stringent measures for cross-border data transfer through its adequacy model. Under the General Data Protection Regulation (GDPR), the transfer of data outside European Economic Area (EEA) countries is prohibited unless special conditions are met. Data can be transferred to a non-EEA country in 2 ways: by way of an adequacy decision, or where legal remedies and safeguards are provided for the transferred data.

Adequacy Decisions- The European Commission scrutinizes whether the country has fundamental freedoms and the rule of law in place, and whether the rights of the person whose data is concerned are protected and effective. After such scrutiny it might allow the transfer of data to that country without further safeguard requirements. A list of such countries has been provided by the European Commission.

Appropriate Safeguards- The EU may allow transfer without an adequacy decision where the organisation to which the personal data is transferred provides assurance of the safety of that data and the individuals concerned have rights and remedies available in case of a breach.

Many countries, such as Japan, Singapore and Thailand, have data protection regulations similar to the GDPR.

Contract- Standard Contractual Clauses (SCC) are issued by the European Commission to bind foreign parties to comply with certain safety clauses, and are used when the foreign country lacks an adequacy decision.

Privacy Concerns vs Jurisdictional Fragmentation in Cross-Border Transfer of Data

  1. Implied Consent- Section 7 allows data to be processed cross-border without explicit consent if there exists a legitimate use. Legitimate use is not defined. If the laws of a country allow organisations to process the personal data of an Indian employee without explicit consent, this might come under the purview of legitimate reasons. Such data is vulnerable to misuse.
  2. Weak Enforcement Mechanism- India's Data Protection Board (DPB), established under the DPDP, is not a strong enforcement authority. It is responsible for deciding cases of cross-border data transfer. Being appointed by the Government of India, it does not demonstrate independence in its decisions. There is no criminal liability for misuse or breach of data, so corporates can get away easily. Besides, in practice the DPB finds it difficult to investigate data breaches in foreign countries.
  3. Transfer to 3rd parties- Different jurisdictions have different privacy laws. While India allows and protects the data of its nationals in cross-border transfer, if the data is transferred onward from the receiving country to a 3rd-party country because of weak laws, then no remedy is available of the kind that could be sought if, in the same situation, the data of an EU individual were in question.
  4. Weak Cyber Security- Where data management systems and technological robustness are weak, data privacy can be compromised through cyber-attacks. Strong cyber security mechanisms are a must in today's world. The lack of such tools will discourage other nations from entering into trade with such a country.
  5. Weak Privacy Laws- In jurisdictions where privacy laws are not the strongest, there exists a risk of harm to privacy. A lack of minimum standards for data security in organisations, or inadequate remedies in case of a data breach, for example, can have this effect.

Thus, India's data privacy laws are lenient in dealing with cross-border data transfers and have a weak enforcement mechanism. The Act was intended to enhance the flow of imports and exports and attract investment in India and Indian nationals by allowing transfer of data to all countries except those explicitly blocked. But such an endeavour makes the data of individuals vulnerable to various threats in cross-border data transfer.

Suggestions

The DPDP is an important piece of legislation, but it has scope for modification and clarity with regard to cross-border transfer of data. It can adopt some principles of the GDPR, if not all.

  1. Inspiration from GDPR- The GDPR requires an adequacy assessment, SCC contractual obligations, or that data-receiving organisations provide safeguards and remedial rights to the Data Principal. Currently, data from India can be transferred to any country except blacklisted countries. The DPDP can be amended to impose stricter rules by including an assessment mechanism before allowing transfer to any country or organisation.
  2. Clarity in Legitimate Use- Section 7 of the DPDP Act allows cross-border transfer of data without explicit consent if it is transferred for a legitimate use. Legitimate use is not defined. Clarity on legitimate use must be given.
  3. Stronger Enforcement Mechanism- An independent institution will gain public trust as well as neutrality in enforcement. Strengthening the powers of the DPB, with methods such as investigation of foreign data processors and inspection of cross-border data practices, can help in effective oversight and compliance with respect to data breaches or misuse during cross-border data transfer.

Conclusion

Cross-border transfer of personal data can be risky, but it is a necessity in today's digital world of rising global trade. To mitigate the risks of cyber-attack, leakage of private data, misuse of data or any other harmful act pursuant to such transfer, privacy laws must contain stringent provisions for cross-border transfer of data. The Digital Personal Data Protection Act (DPDPA) 2023 lacks those strict measures. The GDPR of the EU has comprehensive and clear rules governing the protection of personal data transferred, or to be transferred, to another country, and the eligibility of that country to receive the data. Some of its cross-border provisions can be adapted and instilled in the DPDPA for better security.