📖 Part 2 of 5

Restricted Countries & Due Diligence

Understanding the Blacklist Mechanism

Section 16(2) empowers the Central Government to restrict transfers to specific countries or territories. Unlike GDPR's adequacy decisions (which whitelist approved countries), India's approach blacklists high-risk destinations while permitting transfers elsewhere.

Criteria for Restriction

While the Act doesn't specify criteria, likely factors for blacklisting include:

| Factor | Concern | Example Countries |
|---|---|---|
| Mass Surveillance | Government access without safeguards | Authoritarian regimes |
| No Rule of Law | No judicial protection for data | Failed states |
| Geopolitical Hostility | National security concerns | Hostile nations |
| Cyber Crime Haven | No cooperation on cybercrime | Non-treaty nations |
| No Data Protection Law | Zero legal framework | Some developing nations |

Due Diligence Framework

Even for non-restricted countries, prudent practitioners advise comprehensive due diligence before cross-border transfers.

The Three-Layer Assessment

Layer 1: Country-Level Assessment

  • Legal Framework: Does the destination have a data protection law?
  • Enforcement: Is the law actually enforced?
  • Government Access: Can the government access data without due process?
  • International Agreements: Is the country an MLAT partner or a Budapest Convention signatory?

Layer 2: Recipient Assessment

  • Security Measures: ISO 27001, SOC 2 certification?
  • Compliance Track Record: Any prior breaches or violations?
  • Corporate Structure: Parent company jurisdiction?
  • Sub-Processing: Will data be further transferred?

Layer 3: Data-Specific Assessment

  • Sensitivity: Does the transfer involve children's data, health data or financial data?
  • Volume: Mass transfer vs. limited data?
  • Purpose: Is the processing purpose clear and limited?
  • Duration: How long will the data be retained abroad?

💡 Example: Wipro's Due Diligence for US Transfer

Scenario: Wipro transferring Indian employee data to US cloud provider.

Assessment:

  • Country: US has sectoral laws; CLOUD Act concerns; not on restricted list
  • Recipient: AWS holds SOC 2 Type II, ISO 27001; no major breaches
  • Data: HR data (moderate sensitivity); 50,000 records; payroll purpose; 7-year retention
  • Decision: Proceed with enhanced contractual safeguards addressing CLOUD Act

Case Study: Schrems II Lessons for India

βš–οΈ Schrems II (CJEU, 2020)

Case C-311/18 - Data Protection Commissioner v. Facebook Ireland

The Court invalidated the EU-US Privacy Shield because US surveillance laws (FISA 702, EO 12333) allowed government access to data without protection essentially equivalent to EU standards.

Key Holding: Adequacy requires "essential equivalence" in protection, including against government surveillance.

India's Different Position

Unlike the EU, India doesn't require "essential equivalence." However, practitioners should still assess the implications of US law:

  • CLOUD Act (2018): US authorities can compel US companies to disclose data stored abroad
  • FISA Section 702: Surveillance of non-US persons' data
  • National Security Letters (NSLs): Secret demands for business records

⚠️ Practical Advisory

When transferring to US entities, consider:

  • Encryption with Indian-held keys
  • Contractual notification requirements for government demands
  • Challenge clauses requiring legal resistance to invalid demands
  • Data minimization to reduce exposure

Risk Assessment Matrix

| Risk Level | Country Characteristics | Recommended Action |
|---|---|---|
| LOW | GDPR-adequate; strong rule of law; India treaties | Standard contracts; routine documentation |
| MEDIUM | Some protection; enforcement concerns; surveillance laws | Enhanced SCCs; encryption; periodic audits |
| HIGH | No protection; hostile; potential blacklist | Avoid or minimize; strong technical measures; board approval |
| PROHIBITED | Notified under Section 16(2) | No transfer permitted; find alternative |

Documentation Requirements

Maintain comprehensive records for each cross-border transfer relationship:

📋 Transfer Impact Assessment (TIA) Contents:

  • Destination country legal analysis
  • Recipient security certification evidence
  • Data categories and sensitivity classification
  • Purpose limitation documentation
  • Sub-processor chain mapping
  • Government access risk analysis
  • Supplementary measures implemented
  • Periodic review schedule

Monitoring Restricted Country Notifications

Practitioners must establish monitoring systems for Section 16(2) notifications:

  • Official Gazette: Subscribe to MeitY notifications
  • Industry Associations: NASSCOM, DSCI alerts
  • Legal Updates: Subscribe to data protection law updates
  • Quarterly Reviews: Audit all transfer destinations against current list

Key Takeaways

🎯 Essential Points:

  • Section 16(2) creates a blacklist mechanism; monitor for notifications
  • Even non-restricted transfers require prudent due diligence
  • Three-layer assessment: Country → Recipient → Data
  • Schrems II lessons apply though India doesn't require equivalence
  • CLOUD Act concerns require contractual and technical measures
  • Document Transfer Impact Assessments for compliance evidence
  • Establish monitoring systems for regulatory changes