Part IV: Cross Border Transfers

India v. EU – Cross-border Transfers

Section 16(1) of the DPDPA establishes a "negative list," which empowers the Central Government to notify countries to which the transfer of personal data by a Data Fiduciary for processing may be restricted. Section 16(2) further provides that this does not restrict the "applicability of any other sectoral or specific laws" currently in force in India that provide a higher degree of protection.
First, the government has the power to protect its citizens' data from being stored or handled in jurisdictions where the legal or political environment might make it unsafe (e.g., weak privacy laws, high surveillance risk, hostile foreign relations). Second, the Act makes clear that its rules do not override other Indian laws that already impose stricter safeguards in certain sectors (such as banking, telecom, health). So, if the RBI, SEBI, or any other regulator imposes tighter restrictions on data transfer, those rules still apply on top of the DPDPA. At the same time, if any of these provisions contradict the provisions of the DPDPA, the latter will prevail.
It appears that the legislative intent of the DPDPA is to make compliance easier and to allow convenient transfer of data unless obvious risks exist. In practice, this means companies do not have to wait for an adequacy decision and can expand more easily. This keeps India attractive for outsourcing, cloud services, and cross-border tech flows, which, given India's large skilled workforce, is important. However, the trade-off is equally obvious: a negative list may ease compliance, but it also increases risk.
  1. Long-term Unpredictability: If the government suddenly puts a country on the negative list, businesses with operations or data centres there could face sudden compliance and contractual disruptions.
  2. Reactive Provisions: The system depends on the government identifying risks and then issuing restrictions. That may not always happen in time, especially in fast-changing geopolitical or tech environments. This also means data can flow to jurisdictions with weak, outdated, or unenforced data protection regimes until/unless the Indian government steps in. The absence of a "check" with respect to prevalent protections impacts data privacy standards.
However, Section 3 states that the Act shall apply to "...processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India." When read with Section 17(1)(d) ("Exemptions"), this means that the provisions of Chapter III (Rights and Duties of Data Principal) and Section 16 will continue to have extra-territorial application. A base level of rights is therefore guaranteed to Data Principals through the DPDPA even outside India. However, enforcement abroad is difficult unless the entity has a business presence or contractual ties in India, meaning compliance often depends on voluntary cooperation or contractual enforcement rather than direct regulatory reach.
The GDPR, contrarily, adopts a "positive" list through what are known as "adequacy decisions," as per Article 45 when read with Recitals 103-107. Essentially, personal data can be freely transferred outside the EU only if the European Commission has determined that the destination country (or a specific sector within it, or an international organisation) provides an adequate level of data protection. If such a decision is in place, organisations do not need to seek any further authorisation for transferring data.
In deciding whether a country is "adequate," the Commission looks at factors such as the rule of law, protection of human rights, data protection laws and their enforcement, limits on government access to data, and whether individuals have effective rights and remedies. The presence of an independent supervisory authority with strong enforcement powers, as well as the country's international commitments, also weigh into the assessment.
Take, for instance, the landmark case of Schrems v. Data Protection Commissioner (Schrems I) (Case No: C-362/14), which discussed EC Decision 2000/520, also known as the "safe harbour decision," in which the Commission had found that the United States ensured an adequate level of protection. The petitioner challenged this in light of the Snowden whistleblower files, which exposed the USA's extensive surveillance networks. The Irish High Court found that there had been overreach by the USA's National Security Agency (NSA), but nonetheless referred the following questions to the CJEU:
  1. whether a National Data Protection Authority is bound strictly by the adequacy decision, and;
  2. whether the authority may or must conduct its own investigation into the adequacy of protection in light of later developments, notwithstanding the Commission's decision.
The CJEU observed that "adequacy" was not defined in the GDPR, but even if the Commission had issued a decision finding adequacy, national data protection authorities still retained the power to investigate individual complaints to ensure compliance with the Charter of Fundamental Rights. The CJEU also noted that since the state authorities of the USA could override safe harbour, it could not be held to be "adequately" protecting the data of EU citizens.
Similarly, in the Schrems II ruling of July 2020, the CJEU reshaped the framework for international data transfers from the EU. The CJEU invalidated the EU-US Privacy Shield on the ground that US surveillance laws, particularly the Foreign Intelligence Surveillance Act (FISA), granted disproportionate access to EU personal data without sufficient safeguards or effective judicial remedies. While the Court upheld the validity of Standard Contractual Clauses ("SCCs"), it required exporters and importers to undertake a case-by-case assessment to ensure "essentially equivalent" protection as under EU law. This meant that SCCs alone were not enough in jurisdictions where local laws allowed intrusive government access, and exporters would need to implement additional safeguards such as encryption, storage in GDPR-compliant jurisdictions, or contractual commitments. In this context, SCCs and BCRs become especially important to understand.

SCCs and BCRs

SCCs are model clauses adopted by the European Commission (and in the UK, adapted into the International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs) that organisations can "plug into" contracts when exporting data. They create legally binding obligations on the data exporter (in the UK) and the data importer (in India, for example) to maintain GDPR-level protections. However, post-Schrems II, companies cannot simply sign SCCs and call it a day – they must also perform a Transfer Risk Assessment ("TRA") and, if needed, add supplementary safeguards (like encryption or minimising access). In other words, SCCs are a baseline legal tool, but their effectiveness depends on how they're implemented.
Binding Corporate Rules ("BCR") are internal, legally binding policies adopted by multinational groups to govern the transfer of personal data across their entities worldwide. Think of them as a "corporate constitution for data protection." A group of companies drafts rules that ensure GDPR-level protections, submits them to the ICO (or an EU authority) for approval, and then uses them to legitimise intra-group transfers to non-adequate jurisdictions. Unlike SCCs (which are external contracts), BCRs are organisation-wide frameworks, which take longer and cost more to implement (because they require regulatory approval), but once in place, they offer more flexibility and consistency for large multinationals.

Compliance Comparatives and Lessons for India

The GDPR sets global standards for data protection. However, the nature of European economies also makes it difficult to import standards directly into India. Nonetheless, the following considerations may be adopted to improve India's data risk absorption.
Proactive Risk Assessment Instead of Reactive Bans
The EU adequacy model evaluates third countries up front by examining rule of law, enforcement strength, redress mechanisms, and state surveillance powers. This gives businesses legal certainty before data flows begin. India's negative list system, by contrast, places the burden on the government to intervene after a risk arises, which provides easier compliance but higher costs if risks do materialise. Instead, a hybrid model in which India incorporates baseline risk assessments (i.e., prima facie checks rather than detailed risk assessments) could prevent exposure to unsafe jurisdictions.
Independent Oversight
Under the GDPR, adequacy decisions and transfer mechanisms are overseen by the European Commission and subject to judicial scrutiny (e.g., Schrems I & II). India's DPDPA centralises this power with the government, without an independent supervisory check. India could empower the Data Protection Board (DPB) under Chapter V to issue transfer advisories or review negative-list decisions, ensuring that restrictions are evidence-based and not purely political.
Supplementary Safeguards
The EU's reliance on SCCs and BCRs shows that contractual and organisational safeguards are as important as state-to-state adequacy. Indian law currently lacks an explicit mechanism for such private law safeguards. India could encourage or even mandate contractual clauses for cross-border transfers (like SCCs) to ensure that even where data flows to "neutral" jurisdictions, fiduciaries take responsibility for ensuring equivalent protection.