TRANSFER OF PERSONAL DATA OUTSIDE INDIA
40. Restrictions on Cross-Border Transfer of Personal Data. —
(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.
(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.
(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under sub- section (1) on the grounds of necessity or strategic interests of the State.
(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.
41. Conditions for Cross-Border Transfer of Personal Data. —
(1) Personal data other than those categories of sensitive personal data notified under sub- section (2) of section 40 may be transferred outside the territory of India where—
(a) the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Authority; or
(b) the Central Government, after consultation with the Authority, has prescribed that transfers to a particular country, or to a sector within a country or to a particular international organisation is permissible; or
(c) the Authority approves a particular transfer or set of transfers as permissible due to a situation of necessity; or
(d) in addition to clause (a) or (b) being satisfied, the data principal has consented to such transfer of personal data; or
(e) in addition to clause (a) or (b) being satisfied, the data principal has explicitly consented to such transfer of sensitive personal data, which does not include the categories of sensitive personal data notified under sub-section (2) of section 40.
(2) The Central Government may only prescribe the permissibility of transfers under clause (b) of sub-section (1) where it finds that the relevant personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements, and the effectiveness of the enforcement by authorities with appropriate jurisdiction, and shall monitor the circumstances applicable to such data in order to review decisions made under this sub-section.
(3) Notwithstanding sub-section (2) of Section 40,sensitive personal data notified by the Central Government may be transferred outside the territory of India—
(a) to a particular person or entity engaged in the provision of health services or emergency services where such transfer is strictly necessary for prompt action under section 16; and
(b) to a particular country, a prescribed sector within a country or to a particular international organisation that has been prescribed under clause (b) of sub-section(1), where the Central Government is satisfied that such transfer or class of transfers is necessary for any class of data fiduciaries or data principals and does not hamper the effective enforcement of this Act.
(4) Any transfer under clause (a) of sub-section (3) shall be notified to the Authority within such time period as may be prescribed.
(5) The Authority may only approve standard contractual clauses or intra-group schemes under clause (a) of sub-section (1) where such clauses or schemes effectively protect the rights of data principals under this Act, including in relation with further transfers from the transferees of personal data under this sub-section to any other person or entity.
(6) Where a data fiduciary seeks to transfer personal data subject to standard contractual clauses or intra-group schemes under clause (a) of sub-section (1), it shall certify and periodically report to the Authority as may be specified, that the transfer is made under a contract that adheres to such standard contractual clauses or intra-group schemes and that it shall bear any liability for the harm caused due to any non-compliance with the standard contractual clauses or intra-group schemes by the transferee.