Cross-border data transfers

India’s data privacy law prescribes certain restrictions on transfer of personal data within India and to another country. These restrictions are:

• the recipient entity must ensure adherence to the same level of data protection (reasonable security practices are prescribed under the Rules) as the transferor’s, and
• transfer the information only if it is necessary to comply with a lawful contract, or
• with the prior consent of the data provider.

Besides the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Data Protection Rules“), there is no other law that governs overseas data transfer.  Further, the data transfer restrictions / requirements are applicable to any personal information transferred outside India irrespective of the countries to which the data is transferred.

As regards the data transfer to a third party’s cloud based system, the Data Protection Rules do not prevent holding, storing or processing the data through a third party vendor’s cloud based system, subject to the above mentioned data transfer restrictions.

However, the companies must be cautious while dealing with the cloud service provider. It is advisable to put in place a lawful contract with the cloud provider which (i) ensures that contract contains security requirements and other data handling provisions which are no less onerous than those used by the company internally; and (ii) specifies retention and deletion provisions so as to ensure that the company is compliant with its obligation under the Data Protection Rules not to hold data for longer than is necessary.

It is also advisable that the agreement with the cloud provider grants the flexibility to the company to retain the highest levels of control over the cloud provider and the right to intervene with appropriate measures to ensure legal and regulatory compliance. The agreement should be on principal to principal basis.