The Digital Personal Data Protection (DPDP) Act of 2023 has rightly been criticised for failing to uphold good consent and data subject rights. One provision that has been largely overlooked is Clause 16, which pertains to the transfer and processing of personal data outside India. Clause 16 permits data fiduciaries to transfer personal data for processing to any country, as long as that country is not part of a blacklist of countries/territories to which data transfers are restricted by the central government. Additionally, such data transfers must not violate other legislation in operation. This blacklist approach to regulating cross-border data flows poses several significant risks to data sovereignty, as understood in its most democratic sense—people’s rights over their data.
The DPDP Act does not contain specific guardrails to prevent privacy violations and personal data sovereignty breaches in the case of such cross-border transfers. It only includes a weak safeguard in Clause 16(2), which states that a higher degree of protection through restrictions on personal data transfers outside India as mandated by other laws in force shall not be overridden by the Act. Paradoxically, Clause 44 of the Act weakens this safeguard further. It dismantles one of the core pieces of legislation that could be invoked, as it calls for the repeal of Section 43A of the Information Technology Act, a provision that enables the Central government to define specific penalties for negligent processing of sensitive personal data.
The failure to establish guardrails contradicts the foundational principle of protecting citizen interests in the extraterritorial processing of personal data, as acknowledged by drafters of personal data protection legislation worldwide. The EU and the People’s Republic of China may have vastly different approaches when it comes to their visions of citizen data sovereignty, but both jurisdictions are equally committed to instituting procedural safeguards to protect their respective visions of citizen data sovereignty in instances of cross-border data processing. The EU GDPR adopts an adequacy mechanism to ensure that the personal data of EU citizens is not transferred to territories with less stringent privacy and data protection legislation. China’s Personal Information Protection Law introduces a data localization requirement for critical information infrastructure operators and information operators dealing with a significant volume of personal data to protect citizens’ cybersecurity.
Most problematically, the current Act’s approach to cross-border data flows contradicts the guidance of the Justice B N Srikrishna Committee. In its 2018 report, the Committee recommends a three-pronged model for cross-border data flows: ensuring that a copy of all personal data covered under the regulation is stored in India; restricting foreign transfers of certain categories of personal data deemed critical to national interest; and vesting the Central government with the power to undertake case-by-case evaluations to permit free data flows across borders based on strategic or practical considerations.
In debates surrounding digital trade and data policy on the global stage, India has historically played a significant role as a champion of the Global South. It has emphasised the importance of ‘development sovereignty’ in the regulation of cross-border data flows. At the WTO MC-11 in Argentina, India played a key role in countering the US digital trade agenda by preventing the hyper-liberalisation of cross-border data flows and the resulting consolidation of the global reach and dominance of US digital services companies.
Similarly, at the G20 meeting held in Japan in 2019, India abstained from endorsing the Osaka Track, a framework to promote free cross-border data flows with some basic privacy protections (popularly known as the ‘data flows with trust’ agenda), which was being advocated by the EU, Japan, and other US trade allies. India’s principled objection then revolved around the idea that data was a new form of wealth critical for digitally-enabled development pathways that nation-states could not thoughtlessly trade away or relinquish. A rights-based approach to the governance of cross-border data flows must be seen as a matter of the right to development, where privacy also includes the autonomy to collectively determine, as a society, if, why, and how data will flow.
Considering that India is building national-level data exchanges as public goods in foundational sectors like health, agriculture, and urban development, there is a genuine risk that the wealth of open government data, which includes large amounts of citizen personal data, may easily be cannibalised by Big Tech firms to consolidate their market power in India. A de facto laissez-faire model for cross-border data flows can thus limit the potential for domestic enterprises in the digital economy.
However, it is not too late to act. Sectoral policies in India must urgently re-centre the sovereignty agenda in cross-border data transfers, thereby integrating citizen trust into the social contract for data.
(The writers are with IT for Change, a not-for-profit organisation)