Module 2: Data
Cross-border flows of personal data
Cross-border data flows refer to the transfer of personal data between servers located in different countries.
Brazil
1. Introduction
Brazil is a signatory to the International Covenant on Civil and Political Rights, which grants the right to privacy under Article 17, as well as the American Convention on Human Rights, which assures the right to privacy in Article 11.
Brazil has a specific International Data Transfer Regulation, passed on 23 August 2024 (officially Resolution CD/ANPD No. 19 of 23 August 2024). The Regulation sets out procedures for adequacy decisions and provides template Standard Contractual Clauses (SCCs), adding detail to the transfer mechanisms already set out in the General Data Protection Law (LGPD) of 2018.
The Regulation arrives amid discussion of a "sovereign cloud" as part of Brazil's Artificial Intelligence Plan, which aims to keep government data stored within national borders and avoid reliance on foreign infrastructure.
Before turning to the detail of the new Regulation on cross-border personal data flows, the following first steps through Brazil's broader regulatory framework.
2. Broader data protection landscape
We have not identified any laws that regulate cross-border data flows that apply to non-personal data, such as the EU’s Data Governance Act. We focus here on personal data.
2.1 Constitutional / fundamental rights model
Brazil's Federal Constitution of 1988 enshrines the right to privacy in two items of Article 5:
Article 5, X – personal intimacy, private life, honor and reputation are inviolable; the right to compensation for pecuniary loss or emotional distress resulting from their violation is ensured;
Article 5, XII – the secrecy of correspondence and of telegraphic, data and telephone communications is inviolable, except, in the latter case, by court order, in the cases and in the manner provided by law for the purposes of criminal investigation or the gathering of evidence in criminal proceedings.
In 2022, the Constitution was amended to include a specific right to data protection:
Article 5, LXXIX – the right to protection of personal data is ensured, including in digital media.
2.2 The General Data Protection Law (LGPD)
The Brazilian General Data Protection Law (LGPD) entered into force in September 2020 and is Brazil's first comprehensive data protection law. Before the LGPD, data privacy rules in Brazil consisted of various provisions spread across Brazilian legislation:
- Civil Code and consumer protection legislation
- Brazilian Internet Act (Marco Civil da Internet): imposed security and personal-data processing requirements and other obligations on network and application providers, and granted rights to internet users.
Scope of Application
We have considered the scope of application in three ways: personal, material and territorial.
- Personal Scope
The LGPD applies to the processing of personal data by a natural person or legal entity, whether public or private (Article 1).
- Material Scope
The LGPD applies to any processing operation involving personal data.
- Processing means any operation performed on personal data, such as collection, production, reception, classification, use, access, etc. (Article 5).
- Personal data means information relating to an identified or identifiable natural person.
- Excluded from the application of the LGPD is the processing of personal data by a natural person for exclusively private and non-economic purposes, or for exclusively journalistic, artistic or academic purposes (Article 4).
- Territorial scope
The LGPD applies to any processing operation carried out by a natural person or legal entity, irrespective of (1) the means used for the processing, (2) the country in which the entity is headquartered or (3) the country where the data are located, provided that:
- the processing is carried out in Brazil;
- the purpose of the processing is to offer or provide goods or services to, or to process data of, individuals located in Brazil; or
- the personal data were collected in Brazil (Article 3).
Processing of Personal Data
Controllers and Processors (Articles 5, 37-40, 42-43)
- A data controller is defined as the natural or legal person, whether public or private, which is responsible for decisions concerning the processing of personal data
- A data processor is defined as the natural or legal person, whether public or private, which performs the processing of personal data on behalf of the controller
Principles: Processing of personal data in Brazil must be carried out in good faith and based on the following principles (Article 6):
- Purpose
- Suitability
- Necessity
- Free access
- Quality of the data
- Transparency
- Security
- Prevention
- Nondiscrimination, and
- Accountability.
Legal basis: The processing of personal data may only be carried out on one of the following legal bases (Article 7):
- With data subject’s consent
- To comply with a legal or regulatory obligation by the controller
- By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments
- For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
- For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party
- For the regular exercise of rights in judicial, administrative or arbitration procedures
- As necessary for the protection of life or physical safety of the data subject or a third party
- For the protection of health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities
- To fulfill the legitimate interests of the controller or a third party, except where the data subject's fundamental rights and freedoms prevail, and
- For the protection of credit.
Processing must be for legitimate, specific and explicit purposes, which must be made known to the data subject. The processing must also be compatible with those purposes and limited to the minimum necessary to fulfil them.
2.3 Interaction of the Law and the Regulation
In Brazil, a "regulation" is subordinate or secondary legislation, which means it sits below a "Law" or "Act". A regulation traditionally adds detail or procedural rules relevant to a specific part of a law; hence the General Data Protection Law (LGPD) is supported by the more specific International Data Transfer Regulation (Regulation, or IDTR).
The Regulation adds procedural detail and requirements to the higher-ranking Law. The Regulation (IDTR):
- establishes special requirements and guarantees for data exports;
- defines the content of SCCs;
- outlines the analysis process for specific contractual clauses and binding corporate rules;
- specifies the adequacy decision assessment process for the data protection equivalence of foreign countries or international organizations;
- outlines procedures for the ANPD's recognition of equivalence for SCCs from other countries or international organizations, with an emphasis on prioritizing approval for widely applicable clauses; and
- proposes a template for SCCs.
3. Substantive detail of cross border data flows
Two key features of the Brazilian system for cross-border data flows are adequacy decisions and contractual instruments: cross-border flows are permitted where an adequacy decision exists (none has been issued to date) or where a contractual instrument is in place.
Chapter V of the LGPD addresses international data transfers, establishing a range of guarantees and safeguards designed to protect the rights of individuals whose data is being exported.
The mechanisms that permit international data transfers, listed without hierarchy, are:
- transfers if the destination country maintains an adequate level of protection, as assessed by the ANPD.
- when the controller offers and proves guarantees of compliance with the principles and the rights of the data subject and the regime of data protection provided in the LGPD. These situations include:
- controller’s specific contractual clauses for a given transfer;
- standard contractual clauses (SCCs), prepared and approved by the ANPD, which establish minimum guarantees and valid conditions for carrying out an international data transfer;
- binding corporate rules (BCR); or
- seals, certificates and codes of conduct.
The LGPD allows international data transfers only under specific circumstances and through legally defined and independent mechanisms. However, many of these mechanisms were not fully outlined by the LGPD — including the framework for standard contractual clauses — preventing data controllers from effectively implementing them until the ANPD provided necessary guidelines.
3.1 When are data transfers allowed?
The transfer of personal data to other jurisdictions must comply with the requirements of the LGPD and may only occur in the following circumstances (Article 33):
- The transfer is to countries or international organizations with an adequate level of protection of personal data
- There are adequate guarantees of compliance with the principles and rights of data subject provided by LGPD, in the form of
- Specific contractual clauses for a given transfer
- Standard contractual clauses
- Global corporate standards (binding corporate rules), or
- Regularly issued stamps, certificates and codes of conduct
- The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies
- The transfer is necessary to protect the life or physical safety of the data subject or a third party
- The ANPD has provided authorization
- The transfer is subject to a commitment undertaken through international cooperation
- The transfer is necessary for the execution of a public policy or legal attribution of public service
- The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures.
3.2 Adequacy decisions
We have not identified any adequacy decisions from the ANPD. A blog post dated 22 September 2024 likewise indicates that no adequacy decisions have yet been issued.
How is the level of protection assessed for adequacy in the recipient country?
Considerations for the ANPD (DPA equivalent) when making an adequacy decision include (Article 34 LGPD):
- I - the general and sectoral rules of the legislation in force in the country of destination or in the international body;
- II - the nature of the data;
- III - compliance with the general principles of protection of personal data and rights of the holders provided for in this Law;
- IV - the adoption of security measures provided for in the regulation;
- V - the existence of judicial and institutional guarantees to respect personal data protection rights; and
- VI - other specific circumstances relating to the transfer.
The new Regulation lists the same considerations for adequacy decisions and provides additional considerations in Articles 11 and 12 of the Regulation:
I - the risks and benefits provided by the adequacy decision, considering, among other aspects, the guarantee of the principles, the rights of the holder and the data protection regime provided for in Law No. 13,709, of August 14, 2018; and
II - the impacts of the decision on the international flow of data, diplomatic relations, international trade and Brazil's international cooperation with other countries and international organizations.
3.3 Contractual measures
Standard contractual clauses
The ANPD (DPA equivalent) has introduced a rigid model for SCCs, drawing inspiration from frameworks in the EU, U.K., New Zealand and Singapore. Brazil's SCCs can be part of a stand-alone contract or attached to a broader agreement, provided they are adopted in full by the parties, with no modifications to the text (Article 15).
Annex II of the Regulation provides template standard contractual clauses. Clause 2 is reproduced below (translated via Google Translate, not an official source). The clauses in Annex II also include drafting notes to assist with implementation in standard form contracts.
CLAUSE 2. Purpose 2.1. These Clauses apply to International Data Transfers from the Exporter to the Importer, as described below.
(NOTE: fill in as much detail as possible with information relating to the international transfer)
Other matters addressed in the template clauses include:
- Transparency
- Data holder rights
- Additional protection of children's privacy and sensitive personal data
- Reporting security incidents within 3 business days
- Access requests (Annex II IDTR).
Equivalent Standard Contractual Clauses
Notably, the ANPD may recognise the equivalence of foreign SCCs through a procedure initiated by the ANPD board or requested by any interested party (Article 18 IDTR). For equivalent SCCs to take effect, the ANPD board must approve and publish them on the ANPD website, having assessed their compatibility with Brazil's SCCs, the Regulation and the Law.
Global Corporate Standards (or Binding Corporate Rules)
A global corporate standard constitutes a valid mechanism for international transfers of personal data only to organisations or countries covered by that standard (Article 25 IDTR).
- Global corporate standards are intended for international data transfers between organizations in the same group or conglomerate of companies, and are binding on the members of the group that subscribe to them (Article 25 IDTR).
- Global corporate standards must be linked to the implementation of a privacy governance program that meets the minimum conditions established in the General Data Protection Law (Article 26-27 IDTR).
- Global corporate standards must be submitted for approval by the ANPD (Article 28 IDTR).
3.4 Transparency Requirements
All contractual instruments (SCCs, equivalent SCCs, and global corporate standards) are subject to additional transparency measures, which impose two obligations on data controllers.
- Upon the data subject's request, controllers have 15 days to provide the full text of the contractual instruments used for the transfer, excluding any trade secrets.
- Controllers must also publish information on international data transfers in their privacy notice or another publicly accessible document on their website (Article 17 IDTR).
These transparency requirements seek to uphold data subjects' rights, in line with the objectives of the Regulation, which include: "accountability and reporting, through the adoption of effective measures capable of proving observance and compliance with the principles of the rights of the holder and the personal data protection regime provided for in Law No. 13,709, of August 14, 2018 (being the LGPD), including the effectiveness of these measures" (Article 2(4) IDTR).
China
China's data protection framework has two strands: personal information protection and data security. Importantly, the notion of personal information protection is not tied to privacy, which is largely limited to a reputational right in Chinese civil law. Additionally, Rogier Creemers argues that China's regulatory approach implements its specific perspective and goals of cybersecurity and informatisation, rather than overarching normative conceptions of privacy; public security is identified as a primary driving force. The data protection framework in China developed slowly and in a fragmented manner, partly due to the nature of Chinese lawmaking, in which legislation sets out primarily basic elements while obliging government and local departments to develop implementing regulations that supply greater detail. Comments on these implementing regulations are limited here for reasons of both scope and feasibility, as smaller, regional, highly technical or less relevant implementing regulations have less reliable and accessible information available. Additionally, the fragmented framework has seen certain aspects of data protection integrated into other legal fields, such as competition in China's Anti-Monopoly Law, or consumer protection legislation, though elaboration on these aspects is also limited.
The Cybersecurity Law
In 2012, the Chinese government sought to centralise its fragmented data protection framework by concentrating digital competences in one body; as a result, the Cyberspace Administration of China (CAC) was established. The Cybersecurity Law (CSL) came into effect five years later, in 2017, and formed the basis for data protection regulation in China. While the CSL covers a range of topics, the most relevant here are individual data protection, increased sanctions for data protection infringements, and the notion of "important data", later refined in the Data Security Law (DSL). The CSL introduced a restriction on cross-border data flows: Article 37 CSL obliges critical information infrastructure operators to store personal information and important data within mainland China. Because the key definitions were vague and awaited elaboration through guidelines and delegated legislation, this had an adverse effect on organisations transferring data.
A translation of Article 37 CSL follows: Critical information infrastructure operators that gather or produce personal information or important data during operations within the mainland territory of the People's Republic of China, shall store it within mainland China. Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, follow those provisions.
Later, a definition of critical information infrastructure operators was delineated in the Regulations on the Security and Protection of Critical Information Infrastructure which gives a better idea of which organisations should be such operators. Article 8 of the aforementioned regulations states that relevant authorities should create lists of critical information infrastructure operators, considering the following factors (unofficially) translated as follows:
- The degree of importance of the network infrastructure, information system, etc., for the critical and core activities within the industry or sector;
- The degree of harm that might result from the network infrastructure, information system, etc., if it is destroyed, loses functionality, or has its data leaked;
- The associated influence on other industries and sectors.
The Personal Information Protection Law
The Personal Information Protection Law (PIPL) came into force in 2021 and established China's personal information protection framework, partly modelled on the EU GDPR. The PIPL also has an extraterritorial scope similar to the GDPR, found in Article 3 PIPL, with an (unofficial) translation as follows:
This Law applies to the activities of handling the personal information of natural persons within the borders of the People’s Republic of China. Where one of the following circumstances is present in handling activities outside the borders of the People’s Republic of China of personal information of natural persons within the borders of the People’s Republic of China, this Law applies as well:
Chapter III provides rules on the cross-border transfers of personal information and it particularly provides restrictions on providing personal information collected within China to overseas parties. Article 38 PIPL outlines a legal basis under which a personal information processor can provide “personal information for a party outside the territory of the People's Republic of China,” which includes:
- Passing a security assessment by the CAC.
- Meng Chen explains the accompanying guidelines further: a security assessment is required for the "transfer of personal information involving more than 1 million people or when data processors that have provided personal information of 100,000 people or sensitive personal information of 10,000 people abroad since January 1 of the previous year provide personal information abroad".
- Obtaining Personal Information Protection Certification (PIPC).
- PIPC is suitable for Chinese entities that carry out large amounts of personal information processing activities, as well as data-driven businesses, as described by CAC on the Implementation Rules for Personal Information Protection Certification, 2022 NO. 37.
- Concluding a standard contract formulated by the CAC.
- Such a standard contract is adopted when the amount of personal information is not big enough to trigger the security assessment requirement.
- The CAC published the "Measures for the Standard Contract for the Outbound Transfer of Personal Information", with the standard contract itself as an annex; these provide complaint mechanisms in respect of overseas recipients and joint liability between the domestic personal information processor and the overseas recipient. The European Innovation Council and SMEs Executive Agency has published an analysis of, among other things, these measures.
- Meeting other conditions such as “individuals' separate consent, data localization, judicial and enforcement assistance, and countermeasure to malicious oversea data infringement.”
The Data Security Law
The DSL came into force in 2021 and aims to address Chinese national security concerns on access to data, such as those arising from foreign governments. The DSL classifies data by category and assigns differing levels of protections, and carries on the idea of “important data” present in the CSL.
The DSL has an extraterritorial component. Article 2 DSL states that the Law may also apply to data processing activities outside of mainland China if it harms national security, the public interest, or the rights of Chinese citizens. An unofficial translation is as follows:
This Law applies to data handling activities and their security regulation within the mainland territory of the People's Republic of China (PRC). When data handling activities outside the mainland territory of the PRC harm the national security, the public interest, or the lawful rights and interests of citizens or organizations of the PRC, legal liability is to be pursued according to the law.
Additionally, the DSL fills a perceived regulatory gap in the CSL regarding the cross-border transfer of important data. Article 37 CSL subjects important data collected and generated by critical information infrastructure operators to a security assessment when it is transferred outside China. The DSL extends this obligation to all important data, regardless of whether its source is a critical information infrastructure operator. The obligation is found in Article 31 DSL, with an (unofficial) translation as follows:
The provisions of the Cybersecurity Law of the PRC apply to the outbound security management of important data collected or produced by critical information infrastructure operators operating within the mainland territory of the PRC; outbound security management measures for other data handlers collecting or producing important data within the mainland territory of the PRC are to be jointly formulated by the national cybersecurity and informatization department and relevant departments of the State Council.
The DSL also regulates cross-border data transfer at the request of foreign governments. Article 36 DSL mandates any such potential transfer to be approved by the People’s Republic of China, with a (unofficial) translation as follows:
The competent authorities of the PRC are to handle foreign justice or law enforcement institution requests for the provision of data, according to relevant laws and treaties or agreements concluded or participated in by the PRC, or in accordance with the principle of equality and reciprocity. Domestic organizations and individuals must not provide data stored within the mainland territory of the PRC to the justice or law enforcement institutions of foreign countries without the approval of the competent authorities of the PRC.
Regulation of Cross-Border Data Flows: Changing Approaches and Recent Developments
A key tool in China's regulation of cross-border data flows is the security assessment obligation, which bears on both personal data protection and data security considerations in the Chinese legal framework. The CAC accordingly put forward three drafts elaborating on such security assessments: the Measures for the Security Assessment of Outbound Personal Information and Important Data Transfer (2017), the Measures for the Security Assessment of Outbound Personal Information Transfer (2019), and the Measures for the Security Assessment of Outbound Data Transfer (MSA) (2021).
The proliferation of drafts shows the difficulty and significance of delegating the elaboration of such legislation to authorities like the CAC. Meng Chen argues that concepts such as "important data" remain debated, and that the strict rules, lack of clarity and introduction of monetary sanctions limit China's integration into international data governance structures and its competitiveness in the data economy. For example, the definitions of critical information infrastructure operators, alongside that of a new category of "critical data", refer to high-level concepts of national security and the public interest.
Consequently, China has recently switched approaches to cross-border data flows, recognising that a loosening of requirements is necessary to facilitate Chinese growth and development; as a result, the CAC proposed draft Provisions on Regulating and Promoting Cross-Border Data Flow, which were published as the Provisions on Promoting and Regulation Cross-Border Data Flow (PPR) in early 2024.
The PPR narrows the vague, general scope of the earlier cross-border transfer rules in the CSL, DSL and PIPL by relaxing the thresholds at which transfer mechanisms apply, particularly for personal data, and by significantly loosening the treatment of transfers out of Chinese free-trade zones.
The relaxation is most pronounced for personal information. First, transferring non-sensitive personal information of fewer than 100,000 individuals no longer requires any transfer mechanism such as a security assessment. Second, transferring personal information of 100,000 to 1,000,000 individuals, or sensitive personal information of fewer than 10,000 individuals, no longer requires a CAC security assessment; a standard contract or a PIPC suffices. Transfers exceeding these numbers still require a CAC-directed security assessment.
Transferring important data still requires a CAC security assessment. The definition of important data has not been clarified and has caused significant legal uncertainty for many companies. The PPR alleviates some of this burden by treating data as non-important by default: organisations need not treat their data as important unless it has been identified as such, it falls within a category of important data announced by the relevant authorities, or the regulators have notified them directly.
Additionally, free-trade zones are allowed to establish a negative list – cross-border data transfers falling under this list must undertake relevant measures, whether a security assessment, PIPC, or standard contract; however, cross-border data transfers falling outside this list require no measures. This is a significant liberalisation and provides greater legal certainty than the previous framework.
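The threshold rules above interact (sensitive versus non-sensitive counts, the important-data and CIIO rules from the CSL and DSL, and the free-trade-zone negative list), so a compliance engineer will typically want them as one decision function rather than as prose. The following Python helper is an added illustration written for this page; it is not part of the original text, nor any official CAC material. It encodes only what the page states. Where the page is ambiguous, the code makes labelled assumptions: exactly 100,000 non-sensitive individuals is treated as the start of the standard-contract/PIPC band and exactly 1,000,000 as still inside it, counts are taken as cumulative for the current year, and important data or a CIIO sender is treated as requiring a security assessment even inside a free-trade zone (a conservative reading). The separate-consent and other conditions in Article 38 PIPL are not modelled.

```python
from dataclasses import dataclass
from enum import Enum


class Mechanism(Enum):
    """Outbound-transfer route under the PPR / CSL / DSL as summarised on this page."""
    NONE = "no transfer mechanism required"
    SCC_OR_PIPC = "CAC standard contract or PIPC certification"
    SECURITY_ASSESSMENT = "CAC security assessment"


# Thresholds as stated in the text. Treating exactly 100,000 as the start of the
# SCC/PIPC band and exactly 1,000,000 as still inside it is an assumption; the
# text only says "100,000 to 1,000,000" and "exceeding these numbers".
NON_SENSITIVE_EXEMPT_BELOW = 100_000
NON_SENSITIVE_ASSESSMENT_ABOVE = 1_000_000
SENSITIVE_ASSESSMENT_FROM = 10_000


@dataclass(frozen=True)
class Transfer:
    """One planned outbound transfer. Counts are cumulative individuals for the
    current year (assumption; the page does not fix the PPR counting period)."""
    non_sensitive_individuals: int
    sensitive_individuals: int = 0
    is_ciio: bool = False               # critical information infrastructure operator (Art. 37 CSL)
    flagged_important: bool = False     # identified, catalogued or notified as "important data"
    in_free_trade_zone: bool = False
    on_ftz_negative_list: bool = False  # transfer type appears on the zone's negative list


def required_mechanism(t: Transfer) -> Mechanism:
    if t.non_sensitive_individuals < 0 or t.sensitive_individuals < 0:
        raise ValueError("individual counts must be non-negative")

    # Important data, and anything a CIIO sends abroad, always needs a CAC
    # security assessment (Art. 37 CSL, Art. 31 DSL). Checking this before the
    # free-trade-zone exemption is a conservative reading (assumption).
    if t.flagged_important or t.is_ciio:
        return Mechanism.SECURITY_ASSESSMENT

    # Free-trade zones: only transfers on the zone's negative list need a mechanism.
    if t.in_free_trade_zone and not t.on_ftz_negative_list:
        return Mechanism.NONE

    # General PPR thresholds for personal information.
    if (t.sensitive_individuals >= SENSITIVE_ASSESSMENT_FROM
            or t.non_sensitive_individuals > NON_SENSITIVE_ASSESSMENT_ABOVE):
        return Mechanism.SECURITY_ASSESSMENT
    if t.sensitive_individuals > 0 or t.non_sensitive_individuals >= NON_SENSITIVE_EXEMPT_BELOW:
        return Mechanism.SCC_OR_PIPC
    return Mechanism.NONE


def classify_all(transfers: dict[str, Transfer]) -> dict[str, Mechanism]:
    """Map a set of named transfers to the mechanism each requires."""
    return {name: required_mechanism(t) for name, t in transfers.items()}


# Constructed sample inventory of outbound flows (not real data).
SAMPLE_TRANSFERS = {
    "hr-payroll-to-sg":      Transfer(non_sensitive_individuals=8_000),
    "crm-sync-to-eu":        Transfer(non_sensitive_individuals=250_000),
    "health-study-to-us":    Transfer(non_sensitive_individuals=0, sensitive_individuals=12_000),
    "ftz-analytics-export":  Transfer(non_sensitive_individuals=3_000_000, in_free_trade_zone=True),
    "grid-telemetry-export": Transfer(non_sensitive_individuals=10, is_ciio=True),
}

if __name__ == "__main__":
    for name, mech in classify_all(SAMPLE_TRANSFERS).items():
        print(f"{name:24s} -> {mech.value}")
```

Run as a script to see the route for each constructed flow; the ordering of checks is the point to review if the assumptions above do not match a given legal reading, since swapping the free-trade-zone check ahead of the important-data check changes the answer for `ftz-analytics-export`-style flows that carry important data.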
The Digital Silk Road
On an international level, Ye Liu argues that China promotes cooperation and builds consensus with their cross-border data flow regulations through its Digital Silk Road Initiative, wherein it signed a Memorandum of Understanding on cooperation with 16 countries and established other cooperation mechanisms, such as the Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area, which aims to establish a security system.
India
Introduction
In 2017, the Supreme Court in Justice K. S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. unanimously held, that ‘the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 [...] of the Constitution [of India]’ (emphasis added) – overruling previous judgments in M. P. Sharma & Ors. vs. Satish Chandra, District Magistrate, Delhi & Ors. (1954), and Kharak Singh vs. State of Uttar Pradesh & Ors. (1964).
In addition to cementing the place of the right to privacy as a fundamental right, the Court emphasised its negative and positive content, where the State is not only prohibited from interfering with the right to privacy, but is also obliged to take the necessary measures to protect it. Thus, the government of India has made several legislative efforts between 2018 and 2022 to establish a comprehensive legal framework to safeguard the right to privacy, culminating in the Digital Personal Data Protection Act, 2023 (DPDPA). As the DPDPA’s date of entering into force is yet to be announced by the government, the Information Technology Act, 2000 (IT Act) and the rules notified thereunder – most notably the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) – currently form the basis around which the data protection framework revolves.
Information Technology Act, 2000
Yet, the IT Act provides only sparse regulations on data protection, which are limited in scope and only become relevant in the context of data breaches – furthermore, they are poorly enforced. Central to the IT Act, as amended in 2008, is Section 43A.
‘Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected.'
Central to the cross-border transfer of data or information under the current legal framework is Rule 7 of the SPDI Rules.
‘A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. The transfer may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.’
The prevailing market practice is to gather extensive data based on wide-ranging, inconsistent, and bundled consents, as well as to process and transfer this data widely.
Digital Personal Data Protection Act, 2023
Scope of Application
The DPDPA is ‘to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.’
The DPDPA revolves around the fiduciary relationship between data principals – defined as natural persons to whom the personal data relate, regardless of their residency or citizenship – and data fiduciaries – defined as persons who determine the purpose and means of the processing of personal data. Central to the provisions of the DPDPA is the processing of digital personal data, where personal data means ‘any data about an individual who is identifiable by or in relation to such data’, digital personal data ‘personal data in digital form’, and processing ‘a wholly or partly automated operation or set of operations performed on digital personal data [...]’.
Consequently, non-personal data, and personal data that is not collected in digital form, or collected in non-digital form and not digitised subsequently, fall outside the scope. Unlike the outgoing data protection framework, there are no sub-categories of personal data, such as sensitive personal data or critical personal data. Expressly excluded from the scope of application is personal data processed by an individual for any personal or domestic purpose, or deliberately made publicly accessible by a person entitled or obliged to do so. In its territorial scope of application, the DPDPA not only extends to the processing of digital personal data within India but also processing undertaken outside India if it is ‘in connection with any activity related to the offering of goods or services to data principals within [...] India’.
Cross-Border Data Transfer
Under the DPDPA, the cross-border transfer of personal data by a data fiduciary for the purpose of processing is permitted unless the government restricts the transfer to certain countries or territories by issuing a notification. Yet, the DPDPA does not provide further clarity as to what the relevant factors for such a restriction are, nor what the restrictions would entail.
Such restrictions could include additional requirements for the cross-border data transfer or exclude or limit certain types of data as sensitive personal data or critical personal data. Alternatively, the government could ‘blacklist’ countries or territories, entirely prohibiting the transfer of personal data. It is interesting to note that this distinction between personal data and sensitive personal data and critical personal data was actually made in previous iterations of a comprehensive data protection law, with sensitive personal data and critical personal data being subject to higher compliance standards and data localisation requirements.
It should be noted, however, that certain sector-specific laws already impose data localisation requirements and restrict the cross-border transfer of certain data.
- The Reserve Bank of India (RBI) has advised all payment system providers and their service providers, intermediaries, third party vendors and other entities in the payment ecosystem to ensure that the entire data relating to payment systems operated by them is stored in a system only in India.
- The Securities and Exchange Board of India (SEBI) has issued an advisory for financial sector organisations that are using, or considering using, software-as-a-service solutions for managing their governance, risk and compliance functions in order to improve their cyber security posture, requiring them to store certain critical data sets in India.
These are just two examples of recent efforts by India to promote the local storage of ‘its’ data, in the name of ‘data sovereignty’, and driven by the belief that unfettered access to data from developing countries disproportionately benefits a few global corporations from, and the economies of, developed countries, creates a dependency of the former on the latter, and produces an economic imbalance given the value of the data.
Yet, by permitting cross-border data transfers by default, Section 16 (1) seems to thwart these efforts. Section 16 (2) addresses this potential conflict with sectoral laws by declaring that it does not restrict ‘the applicability of any law [...] that provides for a higher degree of protection for or restriction on [cross-border] transfer of personal data [...] in relation to any personal data [...] or class thereof’. Thus, Section 16 (1) only serves as the baseline protection regulating cross-border data transfers. Section 17 prescribes general exemptions from compliance, under which cross-border transfers (including transfers to notified countries and territories) are not to be restricted in certain circumstances.
In conclusion, the DPDPA provides a skeletal framework for a comprehensive data protection regime, yet creates uncertainty regarding cross-border data transfers. It remains to be seen how the government’s extensive discretionary powers pertaining to restricting transfers to certain jurisdictions will play out in practice once such notifications are issued.
United States
The United States of America (US) does not currently have a federal general consumer law for privacy and data protection, such as the General Data Protection Regulation (GDPR) for the European Union (EU) and European Economic Area. However, this does not mean the US is the Wild West when it comes to privacy and data protection. At the federal level, there are approximately 30 laws governing privacy in the United States. The 50 states generally also each have laws touching on privacy; for example, California has approximately 18 different laws that govern privacy in different contexts such as education, electronic communications, financial information, etc.
In this section, we discuss selected examples from America’s legislative framework on the federal level, including representative examples of specific sector legislation.
Federal level
1. Privacy Act (1974)
The US’ oldest data protection law, the Privacy Act, stems from 1974. It governs how federal government institutions have to handle people’s personal data. US federal agencies collect information about citizens in their ‘systems of records’, meaning groupings of information from which records are retrievable by people’s personal identifiers (e.g. name or social security number). US federal agencies cannot disclose Americans’ personal information without their consent, although some exceptions apply. The Privacy Act grants individuals the following rights:
- request their records (again, subject to some exceptions)
- change inaccurate, irrelevant, outdated or incomplete records
- be protected against “unwarranted invasion of their privacy” resulting from the collection, maintenance, use, and disclosure of their personal information
This Privacy Act of 1974 was amended by the Computer Matching and Privacy Protection Act of 1988. It expanded the scope of the Privacy Act to individuals whose records are processed by automated matching programs.
The scope of the Privacy Act is limited to federal agencies, and does not extend to court records, various executive bodies or non-agency government organisations. Moreover, President Trump limited the scope of the Privacy Act further to only include ‘United States citizens or lawful permanent residents’. Before President Trump’s Executive Order, the Privacy Act applied to the records of every ‘individual’, defined as ‘a citizen of the United States or an alien lawfully admitted for permanent residence’ (see Privacy Act, Section 3, Title 552a sub (a)(1)).
2. Executive Order 14117 (February 28, 2024)
A more recent development related to data transfers from the US to third countries is President Biden’s Executive Order 14117 (EO 14117), which aims to prevent ‘countries of concern’ from accessing Americans’ bulk sensitive personal data and US government-related data. With this EO, signed on February 28, 2024, Biden expands the scope of the national emergency declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain).
The goal of EO 14117 is to strengthen America’s national security interests, rather than safeguarding individual privacy and data protection. The US explicitly still supports the Free Flow With Trust concepts and does not wish to impose measures that may hinder the commercial transactions of data. EO 14117 aims to set out six defined categories of U.S. sensitive personal data, mostly related to finances, health, biometrics, etc. Such sensitive data would be in ‘bulk’ when it reaches the threshold of 1000 persons.
Important to remember is that an EO is not legally binding; it merely sets guidelines for agencies to make regulations. Consequently, the Attorney General issued an Advance Notice of Proposed Rulemaking (ANPRM). This means the Department of Justice (DoJ) is collecting commentary before drafting a Proposed Rule that, once finalized, will implement EO 14117 into actual administrative regulations. During the implementation of EO 13873 from 2019, the identified ‘countries of concern’ were China, Russia, Iran, North Korea, Cuba, and Venezuela. In the questions set out for commentary in the ANPRM for EO 14117, the DoJ indicates that, in addition to (re-)establishing a list of countries of concern, it is looking to create a process for adding countries to or removing them from that list.
3. PADFA (HR 815, Pub. L. 118-50)
Even more recent is law H.R. 815, signed by President Biden on April 24, 2024, called the Protecting Americans’ Data from Foreign Adversaries Act (or PADFA). This legislation is separate from EO 14117, but it does align with the ANPRM set out for EO 14117. In general, PADFA covers a broader scope of data and transactions than EO 14117. It is mostly focused on preventing data brokers from selling Americans’ data to ‘foreign adversary countries’. This sounds similar to the ‘countries of concern’ under EO 13873 and possibly EO 14117, but these only encompass China, Russia, Iran and North Korea (see Sec. 2(4) of PADFA, which refers to section 4872(d)(2) of title 10, United States Code, under ‘(1) covered foreign country’). The ‘sensitive data’ covered by PADFA relates to health data, financial information, government-issued IDs, information about race and ethnicity, information about minors (under 17 years of age), private communications, geolocation information, and biometric and genetic information (see Sec. 2(5)-(7) of PADFA). As briefly stated above, PADFA is aimed at data brokers (with some exceptions for, for instance, service providers or news agencies; see Sec. 2(3)(B) of PADFA). However, PADFA also covers ‘entities controlled by a foreign adversary’. In practice this means an entity (legal or natural person) that has strong financial, business or legal organizational ties to such a country, or an entity that is at least 20% owned by a (combination of) foreign person(s).
While PADFA will be enforced by the Federal Trade Commission, EO 14117 will be enforced by the DoJ. It is not clear how these two entities will cooperate on any similarities and overlap in scope of the sensitive data.
Examples of federal sectoral legislation
1. Health and medical data (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most significant law at the federal level addressing the privacy of personal health information in the US. The law includes implementing regulations issued by the US Department of Health and Human Services (HHS). The law covers many subjects, including the HIPAA Privacy Rule (summarized here), as well as a cybersecurity rule (the Security Rule).
The Privacy Rule addresses the use and disclosure of all ‘individually identifiable health information’ (‘protected health information’ or ‘PHI’) held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. It also sets standards for individuals' rights to understand and control how their PHI is used. The law permits use and disclosure of PHI either with an individual’s consent, or under a limited and regulated list of purposes or situations: (1) To the individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations.
With regard to moving data outside of the United States, the Privacy Rule does allow a covered entity (or business associate) to move data outside of the US, so long as that entity enters into an agreement with the entity holding data outside the US, and the entity outside the US otherwise complies with HIPAA Rules. There is no additional special requirement specific to protection of electronic protected health information processed or stored outside of the United States, but HHS notes that the risks may vary greatly depending on the data’s geographic location. Thus, when a covered entity conducts the risk analysis and risk management required by the HIPAA Security Rule, risks that arise with storing or transmitting data outside the US must be taken into account. For example, if PHI is maintained in a country where there are documented increased attempts at hacking or other malware attacks, such risks should be considered, and reasonable and appropriate technical safeguards must be implemented.
Within HHS, the Office for Civil Rights implements and enforces the Privacy Rule. Civil penalties for violations of HIPAA include fines of over USD $1.9 million. Criminal penalties can include monetary penalties and imprisonment of up to 10 years in some cases.
HIPAA is not the only federal law that protects health information privacy in the United States; another example is the Health Information Technology for Economic and Clinical Health Act of 2009 (the ‘HITECH Act’).
2. Financial data privacy (GLB Act)
The Gramm-Leach-Bliley Act of 1999 is a federal law that reformed certain aspects of the financial industry in the late 1990s and provided for consumer financial privacy in the United States. The law includes implementing regulations that are promulgated and enforced by the Federal Trade Commission (FTC). The GLB Act includes a Privacy of Consumer Financial Information Rule (also called the “Financial Privacy Rule”).
The law applies to non-public personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the covered institutions. Covered institutions are those whose business is engaging in an activity that is financial in nature or incidental to financial activities described in the Bank Holding Company Act.
Under the Privacy Rule, unless an exception applies, a financial institution cannot disclose a consumer’s nonpublic personal information to a non-affiliated third party unless it has first provided the particular notices required by the law, provided an opt-out notice in compliance with the law, and given the consumer a reasonable opportunity to opt out before disclosing, and the consumer has not opted out. The exceptions include: the financial institution gives the notice AND enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed; disclosure for processing transactions at a consumer’s request (which can include marketing); the consumer consented to not receiving notice and opt-out; disclosure to maintain the financial institution’s cybersecurity; disclosure as required by law; disclosure to institutions that may be rating or auditing the financial institution’s compliance; and disclosure in connection with a sale or merger of the financial institution.
The Privacy Rule does not specifically prohibit cross-border transfers of consumer data. The GLB Act is not the only legislation regulating consumer financial records in the United States; other examples include laws such as the Fair Credit Reporting Act.
3. Data protection for children (COPPA)
In the US, children’s online privacy is protected by the Children’s Online Privacy Protection Act of 1998 (COPPA). The law also includes implementing regulations which were created by and are enforced by the FTC. The FTC has updated these regulations over the years to address changes in technology. The most recent final rulemaking was in 2013, but the FTC is currently actively reviewing the regulations. In January 2024, the FTC issued a Notice of Proposed Rulemaking soliciting public comments on proposed updates to the COPPA regulations. Members of Congress are also considering an update to COPPA: a draft law entitled ‘Children and Teens Online Privacy Protection Act’ was introduced in the House of Representatives and the Senate in 2023 (also referred to as ‘COPPA 2.0’).
As the law currently stands, COPPA prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children under the age of 13 on the Internet. COPPA does this by imposing certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. COPPA also prohibits conditioning a child’s participation in an online activity on the collection of personal information.
COPPA applies to a broad swathe of ‘operators’, including commercial websites directed to children or providing goods/services to children, government websites and all government contractors, online gaming platforms, Internet-connected mobile apps and software, Internet-enabled devices such as toys and smart devices, and any technology that can be used to track location via the Internet. Thus, this includes plug-ins and ad networks. It also applies to entities that collect or maintain personal information from or about a child on behalf of an operator, or that benefit by allowing another entity to collect personal information directly from users of websites or online services. There is an exception for nonprofit organizations, unless the nonprofit is collecting and using information about children for commercial purposes.
Essentially, COPPA gives children’s parents or legal guardians control over children's data that is collected online from children. Operators are required to obtain verifiable parental consent before any collection, use, or disclosure of personal information from children, including consent to any material change in the collection, use, or disclosure practices to which the parent has previously consented. Parents also have the right to review and request deletion of information about their child. The implementing regulations contain detailed definitions, rules and guiding principles regarding parental consent, rules for providing sufficient notice to parents and what must be contained in the notice, rules regarding parents’ rights to review information provided by a child, requirements for confidentiality, security and integrity of personal information, enforcement, data retention and deletion of personal information, and a safe harbor provision, among other topics.
COPPA does not specifically address the issue of transmitting a child’s personal information outside of the US, but the effect of the parental consent requirement is to prohibit any such transfer without verifiable parental consent that meets the requirements of the law. There are no other mechanisms provided in the law that would permit transmission of children’s personal information, such as legitimate interest or public interest; in this regard COPPA is very strict.
The FTC enforces COPPA and can impose fines for violations. The amount of the fines is updated from time to time; currently it is up to USD $51,744 per violation.
COPPA is not the only privacy law specifically protecting children’s personal information. Other federal US laws that protect children’s privacy include the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA), which the US Department of Education oversees.
US State Laws
In general, state-level general consumer data privacy laws in the US, such as the California Consumer Privacy Act, do not regulate cross-border transfers of data.