Ever wondered why your online shopping preferences seem to influence ads from companies halfway across the globe?
Or how your Instagram stories, posts, and comments magically show up for your friends and family, no matter where they are?
This fascinating phenomenon is the result of personal data travelling across borders in our interconnected world.
Think about the convenience of cloud storage, where you can access your documents and photos from any device, anywhere in the world.
Or
Those eerily accurate streaming service recommendations—they know your next favourite show before you do, all by analyzing the viewing habits of millions of users globally.
Every time you make an online purchase, book a flight, or use a GPS service, your data is sent across borders to facilitate these transactions and services.
Did you know that in 2022 alone, over 97 zettabytes of data were created, captured, copied, and consumed worldwide?
Additionally, the global data sphere is expected to grow to 175 zettabytes by 2025!
This massive exchange of information not only makes our lives easier but also fuels innovation, allowing companies to offer super personalized and efficient services.
But wait—how do we know that all this personal data flying around is safe and secure?
That’s where data protection laws come in to save the day.
And this is where your role steps in as a privacy manager. If your Indian company is engaged in the exchange of data across borders, you need to make sure it happens hassle-free and doesn’t call for any scrutiny or violations of the DPDPA—the Indian law that acts as a guardian for transfers beyond Indian borders.
So let’s explore the intricacies of managing international data transfers and drafting Data Sharing Agreements (DSAs) to ensure compliance with the DPDPA.
What are Cross-border Data Transfers under DPDPA
DPDPA is designed to ensure that personal data remains protected, even when it crosses borders.
To transfer data internationally, businesses must comply with two conditions.
Firstly, the DPDPA takes a negative list approach. As per Section 16 of the Act, transfers of personal data to countries and territories outside of India are generally permitted, except to countries and territories specifically notified in a “negative list” issued by the central government.
You also need a lawful basis to transfer personal data outside. Businesses must generally ensure that they are undertaking the transfer for a lawful purpose, as specified in Section 4 of the Act, and on the basis of valid grounds for processing – that is, either consent or certain “legitimate uses”.
Importance of Data Sharing Agreements under DPDPA
Under DPDPA, if you want to share Personal Data, as a data fiduciary, you need to enter into an Agreement with entities that you wish to engage, appoint, use, or otherwise involve as a Data Processor to process personal data.
This is where DSAs become Important.
DSAs are typically used when businesses need to share data with each other in order to collaborate on projects, provide services to customers, or improve their products and services.
Here are some situations under which companies would need to enter into DSAs under the DPDPA:
- A business that uses a cloud computing service to store customer data needs to enter into a DSA with the cloud computing provider.
- A business that uses a third-party data analytics company to analyze customer data needs to enter into a DSA with the data analytics company.
- A business that partners with another business to jointly market or sell products or services needs to enter into a DSA with the partner business.
Did you find this interesting?
Want to learn more about Data Sharing Agreements?
Our expert, Pooja Luktuke, has created this video in which she discusses the key elements of a Data Sharing Agreement. She will also use advanced AI tools to draft a Data Sharing Agreement.