In July, the Cabinet approved a revised version of the Digital Personal Data Protection Bill, 2023 (DPDP), which is now ready to be introduced in the Lok Sabha. Despite strong dissent, a parliamentary committee adopted a favourable report on the bill just a few days ago, although the revised draft is yet to be made public. Nevertheless, since these proceedings will continue until August 11, DPDP may become law soon.
Like the EU’s GDPR, India’s DPDP will apply extra-territorially, i.e., to data processing outside the country when it is connected with the ‘profiling’ of, or relates to activities that offer goods/services to, individuals within India. Further, DPDP applies to the processing of any digital personal data within the country, but several issues remain unclear. For instance, even though DPDP exempts ‘non-automated’ processing, it defines both ‘automated’ and ‘processing’ in such broad terms that most business activities will be covered. Thus, as in GDPR, ‘processing’ will include a diverse range of activities such as data collection, recording, organisation, structuring, storage, indexing, sharing, etc.
The bigger question is: will DPDP apply to data processing in India even if the underlying information relates to individuals outside Indian territory? Further, can the same processing entity transfer the data to a third country?
Unlike Recital 14 of GDPR, DPDP does not explicitly state that it will apply irrespective of the individual’s nationality or residence. The law falls shy of Brazil’s LGPD too — where the latter specifies that it may not apply when the data originates outside Brazil. On the other hand, as far as GDPR goes, the territorial location of neither the processing, nor the individual related to the data is as important as the fact that a business organisation has an ‘establishment’ in the EU.
However, Section 18(1)(d) of DPDP provides an important exemption: when data relating to individuals outside India are processed pursuant to a contract between a ‘person’ based inside India and a ‘person’ outside it, several DPDP restrictions will not apply, including those on data transfer. As such, DPDP appears to exempt outsourced processing activities when there exists a contractual basis, and where the data is transferred to a government-approved jurisdiction.
In Europe, pre-approved standard contractual clauses (SCCs) allow data controllers and processors to comply with obligations under EU law. Such SCCs combine general clauses with modules adapted for different scenarios, which parties need to choose from based on their role. For instance, if an Indian company uses Luxembourg’s cloud services to manage its customer database, Module 4 can be used by the latter to transfer the data back to its client. Further, when a European company outsources its HR operations to an Indian service provider, Module 2 can be used by the former to transfer information about its employees to India for processing.
Under Section 9(9) of DPDP, a data ‘fiduciary’ (the same as a GDPR ‘controller’) is allowed to use or involve a data processor under a valid contract. However, DPDP could give rise to EU-style SCCs as well.
(The author is a lawyer with S&R Associates, a law firm.)