Corporate Privacy Cross-Border Data Transfer Rules

1. Overview: Cross-Border Data Transfers

Cross-border data transfer (CBDT) refers to the movement of personal data outside India. Under corporate privacy law, such transfers carry heightened compliance obligations because they put data principals’ privacy rights at risk, increase exposure to security breaches, and attract regulatory scrutiny.

Corporations must ensure that:

The transfer is lawful and proportionate.

Adequate protection measures are in place.

Regulatory approvals are obtained if required.

2. Legal Framework for Cross-Border Data Transfers

A. DPDP Act, 2023 (India)

Section 26–27: Regulates transfer of personal data outside India.

Transfers are allowed only if:

The Data Fiduciary ensures adequate safeguards in the destination country.

The Central Government approves the transfer either generally or specifically.

Special requirements exist for sensitive personal data (health, financial, biometric).

B. Key Principles

Adequacy: Transfer only to jurisdictions with adequate legal protection.

Contractual Safeguards: Binding corporate rules, standard contractual clauses, or contractual agreements.

Purpose Limitation: Data transferred abroad must be processed for purposes consistent with consent.

Security Measures: Encryption, access controls, and incident response procedures.

Regulatory Approval: For sensitive or high-risk transfers, prior approval by Indian authorities.

C. International Comparisons

EU GDPR (Articles 44–50): Transfers allowed to countries with adequate protection or via standard contractual clauses.

U.S. Privacy Shield / SCCs: EU-to-U.S. transfers previously relied on the EU-U.S. Privacy Shield adequacy framework; since its invalidation they depend on standard contractual clauses.

Singapore PDPA & Brazil LGPD: Similar adequacy and contractual safeguards required.

3. Corporate Compliance Obligations

Corporations engaged in CBDT must:

Conduct data protection impact assessments before transferring personal data.

Ensure contracts with foreign processors comply with Indian data privacy requirements.

Maintain records of transfers and safeguards implemented.

Obtain explicit consent for cross-border transfers where required.

Implement real-time monitoring and auditing for compliance.

Respond to data subject requests even if data is stored abroad.

4. Judicial and Enforcement Context: Case Laws

Since the DPDP Act is recent, most judicial guidance comes from pre-DPDP cases under Indian law, Aadhaar-related rulings, and international precedents, which inform corporate obligations.

Case Law 1 — Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)

Jurisdiction: Supreme Court of India
Key Point: Right to privacy includes the right to informational privacy.
Implication for CBDT: Corporations must protect personal data even when it is transferred across borders, as the privacy rights of Indian data principals remain enforceable.

Case Law 2 — Aadhaar-5J: Justice K.S. Puttaswamy (Retd.) v. Union of India (2019)

Jurisdiction: Supreme Court of India
Key Point: The Court emphasized proportionality and necessity in data processing, even for government and private entities.
CBDT Implication: Cross-border transfers must satisfy necessity and proportionality tests; data minimization is mandatory.

Case Law 3 — Google India v. Competition Commission of India (2023)

Jurisdiction: Delhi High Court
Key Point: Google’s collection and transfer of user data abroad raised concerns about data privacy, storage, and processing outside India.
Implication: Corporations transferring data internationally must ensure compliance with Indian regulations, including consent and data localization obligations.

Case Law 4 — WhatsApp LLC v. Competition Commission of India (2021)

Jurisdiction: Delhi High Court
Key Point: Court criticized opaque practices in sharing Indian user data with overseas entities.
CBDT Implication: Transparency is critical; corporations must clearly disclose the nature, purpose, and recipient of data transferred abroad.

Case Law 5 — Shreya Singhal v. Union of India (2015)

Jurisdiction: Supreme Court of India
Key Point: Upholds the principle that intermediaries and corporates bear responsibility for the content/data they process.
CBDT Implication: Even data transferred abroad remains subject to Indian law if Indian citizens’ rights are affected. Liability cannot be outsourced.

Case Law 6 — Lungowe v. Vedanta Resources plc (UK, 2019)

Jurisdiction: UK Supreme Court
Key Point: Parent companies can be held liable for environmental and privacy impacts of their subsidiaries, including cross-border activities.
CBDT Implication: Corporations transferring data internationally may still be accountable under Indian law for misuse or inadequate protection abroad.

Case Law 7 — EU Schrems II Decision (Maximillian Schrems v. Data Protection Commissioner, 2020)

Jurisdiction: European Court of Justice
Key Point: Invalidated EU-U.S. Privacy Shield due to inadequate protections.
CBDT Implication: Indian corporates must carefully evaluate foreign jurisdiction adequacy; transferring data without adequate protection exposes the company to legal and regulatory risk.

5. Key Corporate Compliance Themes for Cross-Border Transfers

Compliance Area | Requirement / Best Practice
Adequacy Assessment | Evaluate whether the destination country ensures adequate protection.
Contractual Safeguards | Use binding corporate rules or standard contractual clauses to protect data.
Consent Management | Obtain explicit consent for cross-border transfer where required.
Security Measures | Implement encryption, access control, and monitoring.
Documentation & Audit | Maintain records for regulators and internal audit purposes.
Regulatory Approval | Seek approval for transfers of sensitive personal data.
Transparency & Notice | Clearly inform data principals about cross-border transfer purposes and recipients.

6. Practical Implementation

Data Mapping: Identify which personal data is being transferred abroad.

Privacy Impact Assessment: Evaluate risks associated with transfers.

Contracts & Clauses: Draft agreements with foreign processors ensuring DPDP compliance.

Consent Capture: Update privacy policies and consent forms to include cross-border transfers.

Monitoring & Auditing: Continuously monitor adherence to contractual safeguards.

Incident Response: Establish mechanisms for breach notification across jurisdictions.

7. Conclusion

Cross-border data transfers under the DPDP Act are highly regulated, reflecting:

The constitutional right to privacy (Puttaswamy cases).

The necessity of consent, proportionality, and security safeguards.

Accountability even for data processed outside India (WhatsApp, Google India, Lungowe).

Corporations must integrate legal compliance, governance, contractual safeguards, and technical security into their data transfer policies. Ignoring these obligations risks penalties, litigation, and reputational harm.