
The Future of Data Protection in India: A Roadmap for Regulators | 1

First edition: 2023

The Future of Data Protection in India

Published by:

4th Floor, NASSCOM Campus


Plot No. 7-10, Sector 126, Noida
Uttar Pradesh 201303, India

© Copyright 2023

All rights reserved

The information contained herein has been obtained from sources believed to be reliable. It should not
be relied upon as a substitute for specific professional advice. Professional advice should always be
sought before taking any action based on the information provided.

DSCI shall have no liability for errors, omissions or inadequacies in the information contained herein, or
for interpretations thereof. DSCI disclaims all warranties as to the accuracy, completeness or adequacy
of such information.

No part of this publication may be reproduced either on paper or electronic media without the prior
permission of DSCI. Request for permission to reproduce any part of the volume should be sent to DSCI
at [email protected], or mailed to our address.

Contents

Background 6
Section 1: Navigating Data Breaches and Breach Reporting Mechanisms 9
Section 2: Consent Managers: Best Practices and Frameworks 39
Section 3: Tools and Modalities for Cross-Border Data Flows - A Primer for Policymakers 69
Conclusion 91

Background

The history of data protection & privacy framework can be traced back to the Information Technology Act, 2000[1] (hereinafter referred to as IT Act, 2000) & the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[2] (hereinafter referred to as SPDI rules). The IT Act, 2000 & the SPDI rules marked the brief advent of data protection & privacy framework in India. Organizations are required to adhere to the regulations outlined in the IT Act of 2000 and the SPDI rules, which necessitate the implementation of reasonable security practices and procedures to safeguard sensitive data.

In addition to the IT Act, 2000 & SPDI rules, Personal Data Protection Bill, 2019 (hereinafter referred to as PDPB 2019), was introduced in the Indian Parliament in December 2019.[3] PDPB 2019 was construed as a steppingstone acknowledging the need to have an exhaustive framework governing data protection & privacy. PDPB 2019 aimed to regulate the collection, storage, processing, and transfer of personal data of individuals in India. Furthermore, PDPB 2019 provided for the establishment of a Data Protection Authority (DPA) to oversee the implementation and enforcement of the law.[4] However, in August 2022, PDPB (2019) was withdrawn[5], and the Central Government rolled out a new draft Digital Personal Data Protection Bill in November 2022[6] for public consultation. Finally, in August 2023, a revised version of the same was introduced and passed before the Parliament of India. The notified Digital Personal Data Protection Act 2023 (‘DPDPA’)[7] was devised with the intention to provide for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes.[8]

In furtherance to a data protection regime being developed by the Centre, sectoral regulators in the country have released guidelines and advisories related to personal data protection. The objective of these guidelines and advisories is to ensure that organizations comply with best practices for managing personal data and have adequate safeguards in place to prevent unauthorized access, use, or disclosure. This paper seeks to examine these guidelines and advisories in detail to identify similarities and differences in the approaches taken by various sectors to address data privacy concerns.

Further, it is noteworthy that the DPDPA has introduced a comprehensive framework to tackle data privacy concerns. The purpose of this report, however, is to identify and examine the potential concerns arising from the Act while substantiating it with research from global data protection statutes and best practices. The report focuses on three main areas of concern, which will be discussed in detail. These concerns will be supported by evidence and analysis to provide a comprehensive understanding of the issues at hand. By identifying and addressing these concerns, it is expected that the DPDPA can be refined and improved to provide a more effective and robust framework for data protection in India. There are three thematic areas that have been identified in defining the scope of Part I of this report:

Part 1 of this report delves into three key areas pertaining to data protection regulation in India: Data Breaches, Consent Managers, and Cross Border Data Transfers.

1. Data Breaches: The DPDPA defines a personal data breach and delineates the legal obligations on data fiduciaries and regulatory mechanisms for reporting data breaches. This section seeks to identify and address potential issues posed by the current definition and the framework for breach reporting requirements. The section examines the current definition of personal data breach as well as the obligations imposed on data fiduciaries. Through a robust analysis of the provisions proposed in the Act and a corresponding study of requirements globally, this section makes recommendations about changes that may be required in the provisions of the Act, as well as the guidelines that may be required in the future. The goal of these recommendations is to ultimately establish a more robust framework for regulation of personal data breaches in India.

2. Consent managers: Consent manager has been defined as a person that facilitates an accessible, transparent, and interoperable platform for individuals to give, manage, review, and withdraw their consent. The second section of this report highlights that there is a lack of comprehensive commentary and guidance surrounding consent managers, which has resulted in confusion and uncertainty regarding their roles and responsibilities. The suggestions also emphasize the need for the development of detailed guidelines that outline the best practices for consent managers, address concerns surrounding their use, and provide additional safeguards to protect data.

3. Cross Border Data Transfers: Under the DPDPA, transfers of personal data outside India are permitted except to jurisdictions which are notified as being restricted. This section of the report seeks to identify the challenges and issues posed by the current legal framework and provides recommendations for the addressal of these potential challenges. It also highlights that addressing these challenges / issues will create a more robust framework and will ease the compliance burden on the data fiduciaries.

Overall, while India’s data protection framework is still evolving, the Digital Personal Data Protection Act, 2023, along with other laws and guidelines, exhibits a comprehensive framework for regulating data breaches and protecting the privacy and security of personal data in India. This report aims to provide recommendations for future guidelines that can simplify the compliance obligations imposed by the current Act and strike a balance between being strict and easy to comply with. The purpose is to identify the challenges faced by data fiduciaries under the current Act and suggest practical solutions to streamline compliance. By analyzing the global best practices and examining the current legal framework in India, this report intends to propose measures that can facilitate the creation of a more efficient and effective framework for the implementation of provisions related to data breaches, consent managers and cross border data transfers.

Section 1
Navigating Data Breaches and Breach Reporting Mechanisms

Executive Summary 10
1. Understanding Personal Data Breaches 12
2. Personal Data Breaches – A Comparative Perspective Under Data Protection Laws 19
3. Data breach requirement under different sectors 24
4. Recommendations 28

Executive Summary

This section will examine and explore the regulatory practices revolving around personal data breaches globally. Taking reference from the global practices across jurisdictions, it examines the existing framework for personal data breaches proposed under the Digital Personal Data Protection Act (‘DPDPA’) 2023. The aim is to put forth recommendations for regulatory changes that may be required to implement the legal requirements effectively and efficiently around data breach mitigation, reporting, and notification.

The first chapter puts forth a comprehensive outline of what personal data breaches are, the distinction between security incidents, data breaches, and personal data breaches, and their impact on organizations and individuals. Following this, it expands on the understanding of what constitutes a personal data breach by looking into the definition of a personal data breach as proposed under the DPDPA and examines the distinction between data breaches and unauthorized processing. The ultimate purpose is to review the definition and outline any challenges that may arise from the conflation of incidents of unauthorized processing with breach incidents.

After outlining the conceptual notions of a personal data breach, the succeeding chapter delves into the regulatory requirements in other jurisdictions. The review focuses on regulations in the APAC region (Singapore, South Korea, Japan, and Australia), references to the obligations under GDPR in the European Union and derives insights on the regulatory trends regarding personal data breaches from the regulations in Brazil. This chapter looks at eight key parameters which define legal obligations surrounding personal data breaches:

i. prescribed time for breach reporting and the supervisory authority to which the breach is to be reported,
ii. scope of a personal data breach,
iii. criteria for reporting a breach to the supervisory authority,
iv. criteria for notifying a breach to data principals,
v. responsibility for reporting a breach,
vi. contents of a breach report to the supervisory authority,
vii. contents of a breach notification to the data principals, and
viii. the consequences of non-compliance with these obligations.

Analyzing these parameters reveals common practices, trends, and legal requirements across jurisdictions, informing effective data protection regulations. This chapter further explores guidance from Data Protection Authorities, providing a comprehensive review of breach implications, obligations, and organizational responsibilities. To understand the regulatory approaches in harmonizing sectoral requirements with national data protection laws, it highlights the prevailing data breach regime in various jurisdictions such as Singapore, Brazil, India, etc.

The third chapter examines sectoral requirements regarding data breaches across the banking & finance, insurance, healthcare, and telecom sectors. This portion of the report sheds light on the current legal landscape surrounding breach reporting and highlights the challenges associated with multiplicity of obligations.

The final chapter provides recommendations derived from overall research and analysis. These recommendations are intended for regulatory authorities and policymakers to consider, catering to the needs of industry stakeholders and data principals.

1. Understanding Personal Data Breaches

1.1 How do personal data breaches occur?

A data breach refers to the deliberate or accidental exposure of confidential information to unauthorized individuals. In today’s digital age, data holds immense importance for enterprises, making data leakage a grave concern. Such incidents pose severe threats to organizations, leading to substantial reputational harm and financial setbacks. Further, data breaches can jeopardize an organization’s long-term stability. These breaches may result from internal or external sources, whether intentional, such as data theft by intruders or insider sabotage, or inadvertent, like accidental disclosure of sensitive information by employees or partners.[9]

Data breaches can occur because of stolen information, deployment of ransomware, recording of keystrokes, phishing attacks, etc.[10]

At this stage, it would be important to understand the conceptual contours of what constitutes a ‘data breach’, more specifically, a ‘personal data breach’.

While a personal data breach is a type of security incident, not all security incidents are considered personal data breaches. It is crucial to delineate these concepts, as this understanding would form the basis for defining personal data breaches in the country’s data protection law. The succeeding paragraphs therefore aim to explore the intersection between personal data breaches and security incidents.

1.2 Personal data breaches as security incidents

‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.[11] This includes breaches that are the result of both accidental and deliberate causes.[12] A personal data breach can broadly be defined as a security incident that has affected the confidentiality, integrity or availability of personal data.[13] In short, a personal data breach occurs whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorization; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.[14]

According to Peter Carey, a personal data breach is “any incident in which personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed”. He notes that a personal data breach can result from a variety of causes, including human error, technical failures, and deliberate attacks.[15]

From the above definitions, personal data breach may be generally understood to be a security incident that involves the exposure, loss, theft, destruction, or alteration of personal information — either intentional or accidental.[16]

A security incident, however, is defined as “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

There exists a distinction between the conceptual notions of a security incident, a data breach, and a personal data breach. To understand the scope of this document, it is pertinent to clarify these distinctions at this juncture.

[Illustration: nested categories, from widest to narrowest: Security incidents, Data breaches, Personal data breach]

The above illustration explains that security incidents constitute the wider ambit of scenarios which impact an organization’s systems, including changes to software or hardware without the consent of the organization, mala fide disruption of services[17], and violations of internal security policies by legitimate individuals.[18]

Additionally, data breaches also constitute some part of the larger bucket of security incidents. It is therefore accurate to state that ‘all data breaches are security incidents but not all security incidents are categorized as data breaches’.[19] Finally, not all data breaches amount to personal data breaches governed by personal data protection laws.

The below illustrations further illuminate this distinction:

i. Security incidents vis-a-vis data breaches: As highlighted above, malicious, coordinated disruption of an organization’s services amounts to a security incident. For instance, if the website of an airline company is faced with a distributed denial-of-service (DDoS) attack, this would amount to a security incident as it would lead to overwhelming the airline’s website and its network traffic, making it impossible for users to access and use the website. While this is a security incident, it does not necessarily amount to a data breach as long as the confidentiality, integrity, and availability of any data is not affected.

ii. Data breaches vis-a-vis personal data breaches: It is also important to highlight that not all data breaches would amount to a personal data breach. For instance, if the proprietary information of an IT company is stolen from its servers, such an incident would qualify as a data breach but not as a personal data breach. Therefore, if the data in question does not contain any personally identifiable information, it does not amount to a personal data breach.

In conclusion, personal data breaches

are recognized as security incidents in both academic writings and statutory regulations. By recognizing personal data breaches as a type of security incident, organizations can implement measures to prevent and mitigate such incidents, safeguarding individuals’ privacy and confidentiality. Therefore, it is important for the framework on personal data breaches under the DPDPA to recognise the nexus between “security incidents” and “personal data breaches”.

The upcoming paragraphs analyse the definition of personal data breaches outlined in the Digital Personal Data Protection Act. The research below provides insights into the differences between unauthorized processing of personal data and data breaches. By examining how these incidents are defined and addressed in different regulatory frameworks, a more comprehensive understanding of the complexities involved in addressing such incidents has been provided.

1.3 Definition of Personal Data Breach in DPDPA

PDPB 2019 defined personal data breach as “any unauthorized or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal”.[20] While the DPDPA 2023 defines a personal data breach as “any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data”.[21]

It is pertinent to note that the definition of ‘personal data breach’ has evolved over the period of 3 years, i.e., since the withdrawal of PDPB 2019 and the advent of DPDPA 2023. DPDPA 2023 has widened the scope of ‘personal data breach’ by including ‘unauthorized processing of personal data’ within the ambit of ‘personal data breach.’

Unauthorized processing of personal data, however, can be broadly categorized as the processing of personal data which falls within one of the following three scenarios:

• Processing of personal data which is not authorized by the data fiduciary;
• Processing of personal data not permitted by law; or
• Processing of personal data which is in violation of the purpose for which the data was originally collected.

Both personal data breaches and unauthorized processing can have serious consequences for data subjects and data fiduciaries. Data subjects may suffer harm or loss because of their personal data being compromised, while data fiduciaries may face fines, legal action, or reputational damage.[22]

DPDPA 2023 overlooks the distinction between ‘unauthorized processing of personal data’ and data breaches. This may lead to a situation where both scenarios are treated similarly in the adjudication process by the Data Protection Board, resulting in duplicate penalties and shared obligations for data fiduciaries. For instance, if the data fiduciary fails to notify a breach, the data fiduciary may face penalties of up to Rs. 200 crores, which is the same penalty imposed for non-fulfillment of additional obligations related to processing children’s personal data (also considered unauthorized processing). This lack of differentiation may lead to redundant/dual consequences for data fiduciaries in such cases.

The conflation of ‘unauthorized processing’ with ‘personal data breaches’ may also inadvertently lead to a misalignment of internal measures taken by data fiduciaries to identify and mitigate incidents of unauthorized processing.

Preventing unauthorized processing of personal data is the first and foremost step a data fiduciary undertakes to ensure lawful processing of personal data. Consequently, adopting preventive measures to forestall unauthorized processing becomes imperative to ensure the lawfulness of processing. Similarly, adopting mitigating efforts in the event of a ‘data breach’ becomes essential for the safeguarding of personal data.

The preventive measures to proscribe the unauthorized processing of personal data may include assigning passwords, granting limited access to systems, audit trails, log-on procedures etc.[23]

Whereas mitigating efforts for data breach may include maintaining offline, encrypted backups of data and regularly testing the backups, maintaining a basic cyber incident response plan, conducting regular vulnerability scanning, implementing firewalls, etc.[24]

As highlighted above, ensuring that personal data processing is carried out in an authorized manner is the primary consideration to ensure compliance with the principles of lawfulness, fairness, and transparency. The below illustration further exemplifies the distinction between unauthorized processing and personal data breaches:

When a social media platform faces a situation where personal data collected and processed by them is leaked on an online hacking platform, it falls under the category of data breach. On the other hand, if the social media platform does not offer adequate information about their processing activities in their privacy notice to users, leading to the absence of informed consent by the users, this may be considered an instance of unauthorized data processing.

While the General Data Protection Regulation (GDPR) defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12)), the UK Information Commissioner’s Office (ICO) defines a data breach as “a security incident that has affected the confidentiality, integrity, or availability of personal data” (ICO, 2021).[25]

Similarly, the GDPR defines unauthorized processing as processing of personal data without the consent or knowledge of the data subject or in violation of the purpose for which the data was originally collected (Article 4(2)), whereas the UK ICO defines it as the processing of personal data in a manner that is not authorized by the data controller or permitted by law (ICO 2021).[26]

Further, the Australian Privacy Act 1988 and the Office of the Australian Information Commissioner (OAIC) also differentiate between the two concepts in some manner. Principle 6 of the Australian Privacy Principles mentioned under the Privacy Act 1988 elucidates the obligation of the organization to process the data for the primary purpose only and states that: “An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.” Whereas, a data breach is defined as an unauthorized access or disclosure of personal information, or loss of personal information.

The above-mentioned paragraphs outline the importance of keeping the two concepts, unauthorized processing and data breaches, distinct from each other and detail the challenges arising from the consolidation of these two separate concepts. The next portion of this chapter further catalogs the challenges which may be encountered by the organizations (data fiduciaries) and the supervisory authorities by the conflation of these two topics.

1.4 Conflation of Personal Data Breach and Unauthorised Processing: Implications and Way Forward

Defining personal data breaches in a manner which includes unauthorized processing can create three distinct sets of challenges for organizations which process personal data. These are highlighted below:[29]

Response and Mitigation Strategies: The approaches for responding to and mitigating unauthorized processing and data breaches are entirely distinct.
Prevention of unauthorized processing of personal data generally involves compliance with principles such as Purpose Limitation, Lawfulness, Fairness and Transparency. On the other hand, responding to and mitigating a data breach typically involves reporting to supervisory authorities, notifying data subjects if necessary, and implementing security measures. Hence, it is evident that both the scenarios are divergent and require separate response and mitigation strategies.

Reporting and Notification Requirements: The obligation to report and notify data breaches to both the supervisory authority and the affected individuals differ significantly.
Reporting and notification requirements of breach incidents and unauthorized processing incidents are completely diverse. Depending on the jurisdiction, organizations may be required to report data breaches to data protection authorities or notify affected individuals. If unauthorized processing is included in the definition of a data breach, incidents which exemplify as unauthorized processing but do not qualify as data breach will be erroneously reported to data protection authorities as “data breach” incidents. Organizations may need to determine whether reporting or notification is required even if there was no unlawful access or disclosure of personal data.

Enforcement Mechanism: Penalties for data breaches and unauthorized processing are separate and are not commonly applied across different jurisdictions.
The enforcement mechanism for both the scenarios remains separate across the globe. The penalties imposed on the data fiduciary in the event of unauthorized processing are traditionally different and distinct than the penalties imposed in the case of a data breach.

Further, it is important to highlight that the DPDPA already imposes penalties for unauthorized processing of personal data. The penalties are outlined in the Schedule of the Act and include failing to fulfill additional obligations concerning children under Section 9 and not complying with the provisions of the Act, such as processing data only for lawful purposes with the Data Principal’s consent as outlined in the Act.

Therefore, it is worth considering that if the definition of unauthorized processing is included within the definition of a personal data breach, it could result in duplicative penalties for the same offense.

In conclusion, it is clear that data breaches and unauthorized processing are distinct concepts and should be treated as such. While the Digital Personal Data Protection Act incorporates unauthorized processing within the definition of data breaches, it is important to recognise the underlying distinction between these concepts. This will enable effective regulation and compliance with data protection laws, ultimately safeguarding the privacy and security of individuals’ data.

In the implementation of the DPDPA it will therefore be important for the Data Protection Board to take into account the nuanced distinction between unauthorised processing and personal data breaches. In the absence of the same, Data Fiduciaries may end up bearing hefty and dual costs for a singular instance of non-compliance.

2. Personal Data Breaches – A Comparative Perspective Under Data Protection Laws

This chapter undertakes a study of various obligations under data protection regulations
in APAC and EU, such as complying with prescribed criteria and thresholds, and promptly
notifying supervisory authorities and affected individuals. Identifying the commonalities in
obligations, it brings to light guidance for personal data breach reporting under the data
protection framework in India.

The obligation to report and notify personal data breaches is mentioned under Section 8(6) of the DPDPA. This Section requires that in the event of personal data breach, the Data Fiduciary shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed.[30]

Personal data breaches are a significant issue in today’s interconnected world, impacting individuals and organizations alike. It is essential to grasp legal responsibility due to the increasing occurrence and seriousness of these breaches. Compliance with data protection laws in different jurisdictions can be achieved by studying global regulations and best practices. This chapter undertakes a study of various obligations under data protection regulations in APAC and EU, such as complying with prescribed criteria and thresholds, and promptly notifying supervisory authorities and affected individuals. Identifying the commonalities in obligations, it brings to light guidance for personal data breach reporting under the data protection framework in India.

2.1 Data Breach Response: A Comprehensive Examination of Breach Reporting Obligations

There are no standard criteria or thresholds for breach reporting requirements as these criteria and thresholds vary across jurisdictions. Singapore, South Korea, Brazil, Japan, European Union and Australia prescribe an obligation to report a data breach to the supervisory authority in case it affects more than 500/1000 or more individuals, or the breach is likely to result in a high risk to natural persons[31]. Similarly, the respective laws of these jurisdictions provide

18 | The Future of Data Protection in India: A Roadmap for Regulators Navigating Data Breaches and Breach Reporting Mechanisms | 19
an additional obligation to notify the affected individuals where the breach is likely to result in harm or damage to the individual whose personal information has been compromised.

Content of a Breach Report or Notification and Timelines

Global regulations prescribe the content of the above-mentioned notifications to make sure that affected data principals adopt adequate precautions to avoid the harmful consequences of a breach. The notifications generally include the nature of the personal information that has been breached, the number of individuals affected by the breach, the cause and extent of the breach, a description of the likely consequences, and so on.

Furthermore, emphasis is placed on the data fiduciary's liability to report data breaches within the prescribed time, which pushes data fiduciaries to prepare a quick response plan for addressing data breaches. The European Union and Singapore prescribe a three-day (72-hour) window for reporting a breach incident,[32] while Brazil, South Korea, Japan and Australia do not specify a fixed time for reporting a data breach. Instead, their regulations state that an organization should report a breach incident as soon as the entity becomes aware of the breach.[33] This makes it necessary for these organizations to have an incident response plan that can contain the incident within a reasonable time, so that as little personal information as possible is leaked. Under the regulatory frameworks of Singapore, Japan, the European Union, Brazil, South Korea and Australia alike, the obligation to inform the supervisory authority of the breach incident falls upon the data fiduciary.

Notifiability of a data breach: Taking a risk-based approach

Organizations are required to assess whether a data breach is notifiable, i.e. whether it is likely to result in significant harm[34] to the affected individuals. Given the likelihood of harm arising from a data breach, notification ensures affected individuals are aware and able to take steps to protect themselves (e.g., change passwords, cancel credit cards, monitor accounts for unusual activity).

To provide certainty to organizations on which data breaches are notifiable, Singapore's Personal Data Protection (Notification of Data Breaches) Regulations 2021 list the personal data (or classes of personal data) that is deemed to result in significant harm to affected individuals if compromised in a data breach. Where a data breach involves any of the prescribed personal data, the organization is required to notify the affected individuals and the Commission of the data breach.[35]

Similarly, other APAC jurisdictions set a concrete threshold for reporting obligations and prescribe criteria for organizations to report breaches to the authorities and notify the affected individuals. The Personal Information Protection Commission (PPC) of Japan prescribes guidelines suggesting that business operators (i) make the necessary investigations and take any necessary preventive measures, and/or (ii) make public the nature of the breach and the steps taken to rectify the problem, if appropriate and necessary.[36]

Further, entities operating in the Australian jurisdiction must report an "eligible data breach", which occurs when all the prescribed conditions are satisfied. The Office of the Australian Information Commissioner (OAIC) has issued a Notifiable Data Breaches (NDB) scheme under which any organization or agency covered by the Privacy Act 1988 must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.

There are a number of key criteria to examine when determining whether "serious" harm is likely to result from a breach; these should be assessed holistically and taken into account together: the kinds of information, its sensitivity, the security measures protecting the information, the nature of the harm (i.e. physical, psychological, emotional, financial or reputational harm) and the kind(s) of person(s) who may obtain the information. The OAIC has also released several guidance notes relating to the regime, covering topics such as the security of personal information; whilst these are not legally binding, they are considered industry best practice.[37]

To properly address data breaches, breach notification is a vital process with staged actions and protocols. The impact on operations and reputation is reduced by using a staged approach, minimizing further harm.

Implementing a Phased Approach for Data Breach Reporting

Globally, guidelines issued by supervisory authorities such as the European Data Protection Board, the Brazilian Data Protection Authority and the Personal Information Protection Commission of Japan provide for the reporting of breaches in a phased manner where the nature of the breach requires it.[38]

The Guidelines on breach reporting issued by the European Data Protection Board (EDPB) state that, depending on the nature of a breach, further investigation by the data controller may be necessary to establish all the relevant facts relating to the incident.[39] Article 33(4) of the GDPR therefore states that where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. This means that the GDPR recognizes that controllers will not always have all the necessary information concerning a breach within 72 hours of becoming aware of it, as full and comprehensive details of the incident may not always be available during this initial period. As such, it allows for notification in phases.[40]

In Brazil, as per the guidelines issued by the Brazilian data protection authority (ANPD), if the data controller does not have complete information about the incident or is unable to notify all data subjects within the recommended period, the communication to the ANPD may be carried out in stages: preliminary and complementary. The data controller must justify the impossibility of complete communication. The supplemental communication should be sent promptly, within 30 calendar days of the preliminary communication.[41]

Similarly, the guidelines issued by the Personal Information Protection Commission (PPC) of Japan prescribe two stages of reporting obligations: a preliminary and a final report. The amended APPI requires a business operator to submit a preliminary report "promptly after the recognition of the occurrence of a potential data breach" and further prescribes the submission of a final report within 30 days from the recognition
of a data breach (60 days is the deadline for data breaches likely to have been committed for an improper purpose, such as a cyberattack).[42]

Manner of reporting and notifying a data breach - Ensuring Consistency and Transparency

In addition to the notification obligations of organizations with respect to a data breach, it is also imperative to specify the manner in which such notifications are to be made. Global authorities prescribe guidance and guidelines that attempt to eliminate ambiguity and ensure consistency in compliance.

In Australia, entities with obligations under the Privacy Act must comply with the mandatory data breach notification regime. The regime requires that where it is not practicable to notify the affected individuals individually, an organization that has suffered an eligible data breach must make a public statement on its website containing certain information required under the Privacy Act and take reasonable steps to publicize the contents of the statement.[43] The notification to the OAIC should be made using the online Notifiable Data Breach form.[44]

In Brazil, the Inspection General Coordination of the Brazilian data protection authority (ANPD) published a new form for data fiduciaries to send security incident reports to the ANPD. The form specifies various methods through which affected individuals will be notified. These methods include individual written communication, public announcement on the controller's website, social media or applications, and individual written communication with acknowledgement of receipt (electronic message, letter, email, etc.).[45]

Similarly, the Personal Data Protection Commission (PDPC) of Singapore issued Advisory Guidelines on Key Concepts in the Personal Data Protection Act. The guidelines categorically state that, as there are many different modes of notification that could evolve with technology, organizations may determine the most efficient and effective mode of notification to inform affected individuals. The guidelines further elucidate the manner of notifying affected individuals by way of a recommendation that individuals be informed through personal phone calls by trained personnel, who can address any immediate questions and allay their concerns.[46]

While the DPDPA specifies that data fiduciaries are obligated to inform the Board and affected data principals in the manner as may be prescribed (Section 8(6)), it is important for the prescribed rules to adopt a clear, concise, and nuanced approach to notification, in line with global regulations. This could involve undertaking a graded approach for reporting breaches to the relevant authorities and notifying individuals whose data has been impacted.

Hence, it is evident that global data protection authorities have implemented statutory obligations in a consistent manner while allowing for necessary adaptations. For example, the EDPB guidelines on reporting a data breach permit organizations to carry out the reporting process in stages to avoid compliance burdens. Similarly, the OAIC recommends the use of an online form to report the breach to the supervisory authority, while the PDPC of Singapore exemplifies making personal phone calls through trained professionals to inform affected individuals about breaches.[47]

Global data protection statutes and authorities prioritize compatibility and coherence across sectors operating internationally. However, the DPDPA lacks clarity and uniformity in this respect. The forthcoming chapter explores the limitations of the DPDPA's regulatory approach and emphasizes the significance of sectoral regulatory authorities. With a rise in breach incidents, sectoral regulatory authorities can ensure compliance within their industries. The chapter provides an overview of breach incidents in each sector, highlighting the importance of sector-specific data protection measures. Overall, it emphasizes the need for a sector-specific approach to data protection for an effective and consistent regulatory framework.
3. Data Breach Requirements under Different Sectors

This chapter analyzes the sectoral regulations and statutes that describe the data breach obligations for different sectors such as insurance, banking and finance, and healthcare. These sectors are more vulnerable to security incidents since they involve large-scale processing of personal and sensitive personal data. Consequently, the regulation of these sectors requires highly focused supervisory authorities to yield effective remedial actions promptly.

In the banking, financial services and insurance (BFSI) sector, India has been at the forefront of attacks targeted at the Asian region, with 7.4% of the targeted attacks in the year 2022 being directed at the Indian subcontinent. Whether it was nationalized banks, cryptocurrency exchanges or wallets, NBFCs, or credit card data leaks, India emerged as Asia's newfound hotspot for cyberattacks.[48]

Further, in January 2023, over 1.6 million cyber-attacks were blocked on Indian insurance companies every day. On average, insurance sector applications face 430,000 attacks each, which is close to the overall average of 450,000 attacks per app across all industries, according to a report by Indusface, an application security SaaS company funded by TCGF II (Tata Capital).[49]

Additionally, the healthcare industry in India faced 1.9 million cyberattacks in the year 2022, as per data published by the cybersecurity think tank CyberPeace Foundation and Autobot Infosec Private Ltd. The attacks came from a total of 41,181 unique IP addresses.[50]

The data above emphasizes the vulnerability and hazards that the insurance, banking and finance, and healthcare sectors face. As a result, regulatory and supervisory entities have built strong frameworks to reduce cyber threats and protect personal data. The following paragraphs outline the guidelines provided by authorities in different sectors.

3.1 Sectoral regulations in India: Compliance Obligations and Statutory Guidelines Across Various Sectors

In India, there are separate reporting requirements for companies operating in different sectors. Under the IT Act and the Directions issued by the Indian Computer Emergency Response Team (CERT-In), service providers, intermediaries, data centres, government organizations and body corporates are required to report certain kinds of cyber security incidents (including data breaches) to CERT-In. The Directions mandate that such a report must be filed within six hours of noticing or being notified of the incident, in the prescribed format.[51]

Further, there are also various sector-specific reporting obligations that apply to entities in different sectors:[52]

Insurance: In India, the insurance sector is governed by the Insurance Regulatory and Development Authority of India (IRDAI). The IRDAI (Protection of Policyholders' Interests) Regulations, 2017 require the insurer to maintain total confidentiality of policyholder information, unless it is legally necessary to disclose the information to statutory authorities. Moreover, the IRDAI (Maintenance of Insurance Records) Regulations, 2015 stipulate that insurers are required to ensure that: (i) the system in which the policy and claim records are maintained has adequate security features; and (ii) the records pertaining to policies issued and claims made in India (including the records held in electronic form) are held in data centres located and maintained in India.

Banking: The RBI, in its guidelines titled "Cyber Security Framework in Banks", states that "It has been decided to collect both summary level information as well as details on information security incidents including cyber-incidents." Hence, banks are required to report security incidents promptly, within 2-6 hours, in the format provided in Annex-3 to the guidelines.

Healthcare: Under the current legal framework for healthcare service providers, the supervisory authority for breach reporting in the healthcare industry is the Data Protection Officer (DPO) of the National Digital Health Mission (NDHM). The NDHM draft Health Data Management Policy 2022 states that the data fiduciary will ensure that any instance of non-compliance with the provisions of the Policy, or any instance of unauthorized or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data of a data principal, is promptly notified to the relevant entities as may be required by applicable law, including the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. This highlights the multiplicity of breach reporting obligations: an organization in the healthcare industry will have to report the breach incident to the Indian Computer Emergency Response Team as well as to the Data Protection Officer of the National Digital Health Mission (NDHM).
Additionally, there are also inconsistencies in the definitions of a data breach across these sectors. As per the CERT-In Rules, "cyber security breach" means unauthorized acquisition or unauthorized use, by a person as well as an entity, of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource.[53] The recently issued Information and Cyber Security Guidelines 2023 of the Insurance Regulatory and Development Authority of India define an incident as the occurrence of any exceptional situation that could compromise the confidentiality, integrity or availability of the information assets of an organization. Further, the guidelines place more emphasis on defining "security incidents" by providing a list of events that shall be categorized as security incidents.[54] Regulations issued by the RBI, however, do not specifically define "cyber security incident" or an incident pertaining to information security.[55]

Given the multitude of regulatory obligations imposed by various regulatory authorities on organizations operating within specific sectors, it is crucial for the law to acknowledge the significance of guidelines prescribed within these sectors. Adopting an approach that minimizes conflicts will alleviate the compliance burden faced by data fiduciaries.

In conclusion, industries in India such as insurance, banking, and healthcare have obligations to protect customer data. The rising cyber threats against organizations operating in these industries highlight the need for strong cybersecurity measures. Organizations must proactively safeguard data and report breaches promptly, and the DPDPA should adopt a harmonized approach to ease compliance burdens.

3.2 Fostering Harmony: Global Approaches to Align Sectoral Regulations with National Data Protection Laws

The DPDPA, under Section 38, contains the provisions on consistency of the Act with other laws:

Section 38(1): The provisions of this Act shall be in addition to, and not in derogation of the provisions of any other law for the time being in force.

Section 38(2): In the event of any conflict between a provision of this Act and a provision of any other law for the time being in force, the provision of this Act shall prevail to the extent of such conflict.

Section 38(2) of the Act may create ambiguity surrounding the application of sectoral guidelines to data fiduciaries that operate in multiple sectors, such as the IRDAI (Protection of Policyholders' Interests) Regulations, 2017, the National Digital Communications Policy, 2018 and the rules of various other authorities.

Globally, data privacy laws provide better clarity with respect to obligations specified in other statutes. Principle 7 of the Australian Law Reform Commission's Guiding Principles emphasizes the importance of coherence and consistency in Australian privacy laws. It suggests that any proposals for legal remedies or causes of action related to privacy invasion should align with existing laws and regulatory frameworks, promoting uniformity across jurisdictions. This principle also highlights the significance of avoiding unnecessary overlaps between different legal regimes to maintain coherence and consistency.[56]

The South Korean Personal Information Protection Act (PIPA) also addresses its relationship with other acts. Article 6 of PIPA states that the protection of personal information shall be governed by this Act, except where special provisions exist in other laws.[57] The Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. ("Network Act") previously regulated personal information processing by online service providers but was consolidated into the amended PIPA. Effective from August 5, 2020, online service providers are governed by the PIPA's dedicated "Special Section" on personal information processing while providing online services.[58]

Similarly, Article 60 of the General Data Protection Regulation (GDPR) prescribes cooperation between the lead supervisory authority and the other supervisory authorities concerned. Article 60(1) states that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus, and that the lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.[59]

Singapore, too, provides for a harmonious approach to interpreting the country's various privacy laws. In addition to the Personal Data Protection Act, the Singapore data protection regime consists of various general or sector/industry-specific guidelines issued by the Personal Data Protection Commission ("Commission"). While these guidelines are advisory in nature and not legally binding, they indicate the manner in which the Commission will interpret the Act. Therefore, it is best practice to carefully observe and follow these guidelines.[60]

It is therefore clear that the global data protection statutes, in addition to being self-contained, also consider the legal frameworks of different sectors, thus ensuring that they are compatible with existing laws.

Through an analysis of the practices adopted by various countries, three distinct approaches have been identified. The first approach, exemplified by the South Korean jurisdiction, involves consolidating all provisions related to personal data processing into a single primary data protection law, which also includes separate sections for sector-specific requirements. The second approach, exemplified by the GDPR, emphasizes cooperation among supervisory authorities to enhance law enforcement and alleviate compliance burdens for data fiduciaries, promoting consistency and collaboration within the data privacy framework. The third approach, as used by the Singapore jurisdiction, involves issuing sector-specific guidelines, which serve as advisory references for data fiduciaries navigating compliance with multiple laws, thereby reducing their compliance burden. Further, the global statutes also provide for collaboration and cooperation among different supervisory authorities. This ensures that these authorities work together in a harmonious and coordinated manner, sharing information and expertise as needed to effectively regulate and oversee various aspects of the global economy. This approach helps to promote stability and sustainability in the global system, as well as improve the overall efficiency of the global data protection framework.

Having conducted a thorough analysis of the global statutory framework and the best practices employed by supervisory authorities, it becomes essential to present recommendations for optimizing the breach notification system. These suggestions draw inspiration from various countries' approaches to minimizing friction between sectoral laws and national data protection regulations.
4. RECOMMENDATIONS

The first section of this report delved into the conceptual nuances of personal data breaches and the regulatory approaches adopted in jurisdictions globally. Based on an analysis of common trends and breach reporting mechanisms which have been found to be practically implementable, some recommendations are made below, both for rule-making pertaining to personal data breach reporting and for the Data Protection Board's investigation and adjudication of breaches. The intent of these recommendations is to advocate for a comprehensive, concise, and robust framework for the regulation of personal data breaches.

1. Distinguishing between Personal Data Breaches and Unauthorised Processing

A personal data breach is defined under Section 2(u) of the DPDPA.[61] It is important to note that the definition of a personal data breach in the DPDPA, which includes unauthorized processing, lacks clarity and creates confusion in the legislation. It is recommended that the two concepts be treated separately in implementation and in adjudicatory proceedings under the law.

In implementing the law and in framing the rules surrounding the breach reporting and notification mechanisms, the Central Government should take into consideration the distinction between instances of unauthorised processing and instances of personal data breaches, in line with the technical and global regulatory understanding of these concepts.

Further, the Data Protection Board, in investigating and adjudicating complaints received pertaining to personal data breaches, should also factor in this underlying distinction. In the absence of the same, Data Fiduciaries may end up paying hefty penalties twice for a single instance of non-compliance.

2. Risk-Based Approach for Breach Reporting

Section 8(6) of the DPDPA states that the data fiduciary must inform the Board and affected individuals of a personal data breach. The manner of doing so is expected to be prescribed through rules by the Central Government. In drawing up these procedures, reference may be made to the global best practices used by different authorities worldwide. Many global data protection authorities have issued guidance and guidelines to assist data fiduciaries in complying with their obligations; these guidelines outline the compliance requirements under the respective data protection laws. Below are some examples of best practices adopted by various global authorities, accompanied by recommendations for the Indian data protection framework:

2.1 Breach Reporting

• Supervisory authorities around the globe have varying reporting requirements for personal data breaches. In Singapore, for example, the Personal Data Protection Commission requires breaches to be reported within three days. Some countries, however, such as Brazil, South Korea, Japan, and Australia, do not establish a precise timeline. To avoid fines and penalties, data fiduciaries must rigorously adhere to the reporting timelines.

• Further, the breach reporting requirements, including the criteria and thresholds, vary across jurisdictions. Countries like Singapore, South Korea, Brazil, Japan, the European Union, and Australia require reporting a data breach to the supervisory authority if it affects a certain number of individuals or if it poses a high risk to them. Additionally, there is an obligation to notify affected individuals if the breach is likely to result in harm or damage to them.

2.2 Content of Breach Report and Breach Notification

• The content of a breach report is similar across jurisdictions. Typically, it involves providing information on the date the organization discovered the data breach, the steps taken by the organization in response to the breach, and the number of individuals affected, among other details.

2.3 Manner of Notifying and Reporting a Breach

• Different global authorities have prescribed different methods for reporting and notifying breaches. For example, the Notifiable Data Breaches (NDB) scheme issued by the Office of the Australian Information Commissioner (OAIC) provides a Notifiable Data Breach form that may be a useful reference for the Data Protection Board. According to the OAIC, if it is not practical to notify affected individuals individually, an organization that has experienced an eligible data breach should make a public statement on its website containing certain information required by the Privacy Act and take reasonable steps to publicize the contents of the statement. Similarly, the Board may consider the form issued by the Brazilian data protection authority (ANPD) for communicating a data breach.

Therefore, it is recommended that any future rules or guidelines related to data breach reporting be precise and clear, explicitly outlining the aspects of reporting breaches, including timelines and procedures. This will provide clear guidance to data fiduciaries and facilitate compliance with breach reporting obligations.

Additionally, it is suggested that the DPDPA adopt a risk-based approach to reporting data breaches. This means that breaches are reported and notified if they are likely to result in significant risk to the affected individuals or organizations. By taking a risk-based approach, data fiduciaries can prioritize their resources and focus on the most critical breaches, rather than reporting inconsequential and minor incidents. Moreover, penalties for non-compliance with breach notification requirements should be commensurate with the level of risk to the rights of data principals caused by the breach. In simpler terms, the approach would require data fiduciaries to report only significant breaches, which would help them allocate their resources more effectively, and the penalties for non-compliance would reflect the severity of the risk posed by the breach.

3. Breach Reporting in a Phased Manner

• To ease the reporting burden on data fiduciaries, supervisory authorities and data protection statutes around the world have provided exemptions from reporting breaches in full within the prescribed timeline. This exemption allows data fiduciaries to report the breach in stages, permitting them to provide complete information after an initial reporting of the breach if they
don’t have all the information at the time insurance, and healthcare where there is a • By examining these laws and the
of the breach. Examples of this phased multiplicity of regulations on cybersecurity regulatory bodies that oversee them, the The DPDPA
breach reporting can be seen in different and data protection. CERT-In and sectoral DPDPA framework can gain valuable
jurisdictions. For instance, Article 33(4) regulators such as RBI, IRDAI, etc. insights into how to create rules and framework should
of GDPR allows providing information in have created guidelines based on the regulations under the DPDPA which take allow a phased
phases without undue further delay if it’s unique needs and requirements of these into consideration sector-specific nuances
not possible to provide the information at industries. that balance the need for data protection approach for reporting
the same time. In Brazil, ANPD guidelines
allow communication of breaches in
• The DPDPA can benefit from examining with the unique needs and challenges of
each sector.
a breach, wherein
how other countries and their regulatory
stages: preliminary and complementary, if bodies have approached creating data • Further, data protection statutes across the data fiduciary can
the data fiduciary doesn’t have complete information or is unable to notify all holders within the recommended period. Similarly, PPC guidelines in Japan prescribe two stages of reporting obligations: preliminary and final reports. The DPDPA framework should allow a phased approach for reporting a breach, wherein the data fiduciary can provide information in stages instead of providing complete information at the time of the breach. This approach is suggested to reduce the compliance burden on data fiduciaries, as it may not always be possible to gather all relevant information immediately after the breach has occurred. By allowing a phased approach, the data fiduciary can provide initial information on the breach and follow up with additional information as it becomes available. This approach has been adopted by other global data protection regimes and authorities, such as the GDPR, ANPD and PPC, and has been found to be a useful way to manage breach reporting requirements.

4. Harmonizing Sectoral Regulations

• According to Section 38(1) of the DPDPA, the Act shall be construed as consistent with other laws, but Section 38(2) contradicts this by stating that the Act’s provisions will override any conflicting provisions in other laws. This approach creates an interpretational challenge and could create compliance challenges particularly in industries like banking, […]

[…] protection laws that accommodate the requirements of specific sectors. For instance, the approach adopted by South Korea consolidates all provisions related to personal data processing into a comprehensive law, including separate sections for specific sectoral requirements. The GDPR’s approach focuses on cooperation and coherence among different supervisory authorities to improve law enforcement and reduce the compliance burden on data fiduciaries. Singapore’s approach involves issuing industry- or sector-specific guidelines to reduce the compliance burden on data fiduciaries, who can refer to the guidelines to ensure compliance with different laws. These guidelines are advisory in nature and provide data fiduciaries with the necessary guidance to comply with multiple laws.

[…] the world provide guidance for the adoption of a provision in law that provides consistency with other privacy laws. The need for such provisions is exemplified by the approach taken by countries like South Korea and Australia. Article 6 of South Korea’s Personal Information Protection Act (PIPA) states that the protection of personal information shall be governed by the Act, except where special provisions exist in other laws. The approach in Australia is similar, with Principle 7 of the Guiding Principles issued by the Australian Law Reform Commission (ALRC) recommending that the privacy laws of the country should be coherent and consistent. These examples illustrate the importance of ensuring consistency and coherence in data protection laws, even when other laws may provide special provisions or exemptions.

To ensure that the DPDPA and sectoral regulations are interpreted as complementary to each other, and to protect sensitive data in these vulnerable sectors, it is recommended to clarify the inherent legislative intent of Section 38 and adopt a more consistent approach.

Section 2
CONSENT MANAGERS: BEST PRACTICES AND FRAMEWORKS

Executive Summary 40
1. Understanding the role of Consent Managers 42
2. Analogues from existing frameworks and industry sectors 44
3. Consent Managers under DPDPA: Evaluating risks and ambiguities 49
4. Global Approach: Examining regulations and prevalent practices 54
5. Recommendations 61
Executive Summary

This section analyzes the approach taken by the Digital Personal Data Protection Act (DPDPA) to the role of Consent Managers (CMs) and the challenges that approach raises. To do so, it examines the approaches adopted by various sectors in India and the practices followed by global authorities, highlighting their best practices. Drawing on these insights, it offers recommendations to improve the current approach to the role of CMs in giving, managing, reviewing and withdrawing the consent of data principals through an accessible, transparent and interoperable platform, with the goal of strengthening data protection mechanisms and consent management practices.

The first chapter explains the role of CMs as stipulated in the DPDPA. It introduces the topic, emphasizes the importance of effectively managing and reviewing the consent of data principals, and sets out the significance of CMs and their role in safeguarding the privacy and data protection rights of data principals.

The second chapter explores the involvement of entities resembling CMs in various sectors within India, including banking, finance and telecom. It examines the approaches adopted by these sectoral frameworks to identify reference points that can enhance the approach taken by the DPDPA, and assesses the concerns and challenges associated with each framework in order to evaluate its feasibility for managing the consent of data principals.

The third chapter examines the risks and challenges of the current approach employed by the DPDPA. It sets out the facets of the existing approach that could undermine the interests of data principals and compromise data security, to give a clear picture of the potential pitfalls and vulnerabilities in the DPDPA’s approach and the areas that require improvement to better safeguard the rights and security of data principals.

The concluding chapter shifts the focus to the global approach to managing the consent of data principals. It analyzes how global authorities have devised frameworks for consent management; the comparison draws out the diverse strategies and practices employed by various jurisdictions and the lessons that can inform and enhance the framework for consent management in the context of this study.
1 UNDERSTANDING THE ROLE OF CONSENT MANAGERS

Consent is the ability granted to individuals to determine the nature and extent of the personal information that they share with a data fiduciary or processor, as well as its control and processing. It is the foundational pillar of data protection, where explicit affirmative consent is required to establish a systematic and trustworthy framework involving data principals, organizations and their personal data. Consent management is the process of requesting, receiving and storing users’ consent, alongside the information provided about data acquisition and usage practices, through a consolidated platform hosting multiple data fiduciaries and processors.

The concept of a consent management framework first came to the forefront of Indian technology law and policy through the Personal Data Protection Bill, 2019 and the Data Empowerment and Protection Architecture (DEPA) in 2020, with the objective of separating the consent flow from the data flow. It envisaged a user-centric model for obtaining consent, instead of the onus being on each data fiduciary as the custodian of consent and data. The consent manager, expected to be implemented sector-wise, would therefore spare the existing network of market players and service providers from taking consent again and again, while securing the authentication mechanism from a customer perspective.1

The Digital Personal Data Protection Act (DPDPA) too acknowledges the significance of consent management and therefore advances the concept of ‘Consent Managers (CM)’ to address this need. Section 2(g) of the DPDPA defines the term ‘Consent Manager’ as a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. The Act takes the concept of CMs a step forward by describing their functions, establishing their scope and stipulating their accountability to the Data Principal. The use of CMs has not been made mandatory; it has instead been proposed as a voluntary, alternative method of seeking consent in addition to other direct ways. Section 6(9) states that every Consent Manager shall be registered with the Board in such a manner and subject to such technical, operational, financial and other conditions as may be prescribed. However, this leaves great ambiguity about the implementation model that the Act envisages for CMs.

The DPDPA’s consent management structure has certain operational and functional similarities with the frameworks adopted in India’s banking, healthcare and telecom sectors. For example, in the banking sector, the Reserve Bank of India (RBI) has developed a technical infrastructure known as Account Aggregators (AA). An AA is an RBI-regulated NBFC that retrieves or collects financial information pertaining to its customer, as specified by the RBI, and presents that information to the customer or to any other financial information user specified by the RBI.2 This structure was designed to give consumers and businesses alike simple access to their financial data. Consent, according to the RBI’s standards, is critical in the AA environment: without the customer’s explicit authorization, AAs are strictly barred from sharing, accessing or transferring their financial data.3

A consent manager framework has also been adopted for the Health Information Exchange. The National Digital Health Mission Data Management Policy defines a CM as an electronic system that interacts with the data principal and obtains consent from him/her for any intended access to personal data.4 Further, the Health Information Exchange & Consent Manager (HIE-CM) is defined under the Draft Health Data Management Policy as a digital system which facilitates the exchange of health information and the management of consent.5

Additionally, the Telecom Regulatory Authority of India (TRAI), in furtherance of its directions under the Telecom Commercial Communication Customer Preference Regulations, 2018 (TCCCPR, 2018), has prescribed the implementation of a Digital Consent Acquisition (DCA) platform for seeking, maintaining and revoking customer consent to promotional texts and calls. Under the proposed framework, the gathered consent data would be shared on a digital ledger platform for verification by all Access Providers. Only a common short code, 127XXX, may be used for sending consent-seeking messages, which must clearly indicate the purpose, the scope of consent and the name of the Principal Entity (PE).6

It is worth noting that there are distinct differences between the frameworks discussed above and the CM framework adopted by the DPDPA. While CMs under the DPDPA focus on collecting and managing consent for personal data processing, AAs collect consent specifically for sharing banking transaction data among participating banks on the network. Moreover, the AA framework is designed to gradually encompass a broader range of financial data, including tax data, pension data, securities data (such as mutual funds and brokerage) and insurance data, making it accessible to consumers. Under the AA framework, consent is intended to be collected for purposes that extend beyond the processing of personal data; the larger objective is to facilitate a more efficient exchange of information.7 While there is significant overlap in these functions, not all types of information exchange necessarily involve the processing of personal data.

To assess existing practices in India relating to consent management, the specific mechanisms put in place by the RBI, TRAI and the Draft Health Data Management Policy are examined in chapter 2 along with their respective limitations.
Account Aggregator empowers the individual with control over their personal
financial data, which otherwise remains in silos

2 Financial Information
Providers
Financial Information
Users
1. Consent to
share data

ANALOGUES FROM
Cash Flow-Based
Banks/NBFCs Lending (Bank/NBFC)

Personal Finance

EXISTING FRAMEWORKS
Mutual Fund
House Account Management
2. Request Data Aggregators
Insurance Wealth
through Open

AND INDUSTRY SECTORS


Provider Management
APIs
Invoice/Tax
Robo Advisors
Platform 3. Data Flows to FIUs
End-to-End Encrypted; Digitally signed &
tamper proff; real time

Source: Know all about Account Aggregator Network- A financial data-sharing system, PIB10
CMs have emerged as a significant aspect of privacy and data protection across diverse sectors in India. Their role in enhancing privacy and data protection has gained prominence, extending from the financial sector to healthcare and beyond. CMs play a vital role in fostering transparency and ensuring a secure environment for data sharing and privacy across different domains. A detailed overview of the roles played by entities resembling Consent Managers (CMs) across various sectors is provided below.

2.1 Transforming Financial Services: The Emergence of Account Aggregators

The introduction of the AA framework presented a groundbreaking financial data-sharing system with the potential to revolutionize investment and credit practices. The framework aimed to provide consumers with increased access and control over their financial records, while also expanding the customer base for lenders and fintech companies. By leveraging AAs, individuals gain empowerment and autonomy over their personal financial data, which would otherwise be fragmented and inaccessible across various platforms or institutions.8

AAs are RBI-regulated entities (with an NBFC-AA license) which enable the customer to securely access and share their financial information (FI) across regulated financial institutions. There are three stakeholders in this process, being FI Providers (bank, banking company, NBFC asset management company, depository, depository participant, insurance company, insurance repository, pension fund, and GST network), FI Users (entity registered with and regulated by any financial sector regulator such as SEBI, RBI, IRDAI, PFRDA, MoF) and the customer. The AA is tasked with obtaining consent from the customer through a standardized consent artefact, which would be verified by the FI Provider.9

It is worth noting that under the current ecosystem, AAs essentially function as data blind entities. AAs act as interoperable CMs with limited access to consumer data. They are unable to read or resell consumer data. End to end encryption ensures that FI cannot be collected (‘aggregated’) by AA and used for profiling.11

In addition to the AAs that enable data exchange in the finance sector, the regulatory framework in India also introduces the concept of Health Information Exchange and Consent Managers (HIE-CM). These entities perform similar roles as AAs, but specifically in the healthcare industry.

2.2 Uplifting Healthcare Sector through Health Information Exchange & Consent Manager (HIE-CM): Enhancing Data Sharing and Consent Management

HIE-CM had been introduced in the National Digital Health Mission Data Management Policy, aimed at striking a balance between promoting data sharing for improved healthcare outcomes and respecting privacy of individuals. Clause 11 of the policy specifically defines the role of CM and outlines its responsibilities. The policy further elaborates on the methods and procedures for obtaining consent from data principals using CMs.12

The rationale behind the introduction of such a policy was that individuals should have control and autonomy over their personal health information by designating specified institutions as CMs. These must be able to fully inform data principals of the objective, extent and duration of data sharing, so as to facilitate specific voluntary consent.

The Draft Health Data Management Policy further defines HIE-CM under the ambit of a digital system.13 It is essential to emphasize that utilizing HIE-CMs to share health information is entirely optional for the providers of such information. The adoption’s voluntary nature ensures that patients retain control over their personal health information and are free to choose the degree of their involvement in the process.14

2.3 Driving Innovation in the Telecom Sector: Empowering User Privacy and Consent Management through Digital Consent Acquisition

Through its direction dated 2nd June 2023, TRAI has sought to mandatorily introduce a Digital Consent Acquisition (DCA) Framework for seeking, managing and revoking consent to promotional calls and texts, under the existing TCCCPR, 2018. This aims to combat spam by creating a unified digital ledger for customers to digitally register their consent across all service providers.15

The framework prescribed by TRAI will place a strong emphasis on user consent, ensuring that telecom providers have the ability to block any calls or messages that users have not explicitly consented to receive. By making user consent a priority, this framework looks to empower individuals to have greater control over the communications they receive.

This framework’s focus on user consent may serve as a cornerstone for creating a more user-centric and privacy-conscious communication environment. By empowering users to have control over their communications, it will promote a cohesive experience for individuals while prioritizing their consent and privacy.

The DCA is to be established by Access Providers and is widely understood as an improvement over the previously existing consent regime, where various Principal Entities obtained and managed consent in a fragmented manner. It would enable verification of customer consent as well as consolidate and identify the process for individuals and telecom companies.16

2.4 State Specific Guidelines: Karnataka – e-Sahamati Framework

In December 2021, the Karnataka Government introduced the ‘e-Sahamathi’ Platform to facilitate data sharing between Data Principals and Third-Party Service Providers (TPSPs). It functions in the form of a portal, where TPSPs may raise requests for individual or bulk customer data, which may then be approved by the Data Principal. E-Sahamathi also propounds the concept of ‘open consent’, which a data principal may give to all or specific TPSPs even before they raise consent requests. There are three significant benefits to such a framework: (1) it eliminates the need for physical document verification, (2) it restricts data processing to the specific purposes for which consent has been granted by the citizen, and (3) it ensures data authenticity as government entities and universities share datasets with digital signatures.17

2.5 Exploring the Synergy Between Electronic Consent Framework and DEPA

The Electronic Consent Framework (ECF) was introduced to create an open, secure, user-centric, and application-agnostic consent management mechanism, the specifications of which can be applied across sectors. It involves four parties: the Data Provider (original holder of data about the User), the Data Consumer (accessing and using the data), the Consent Collector (which may be the Data Consumer, the Data Provider or any other service provider) and the User. ECF and DEPA both envision a shift to digital equivalents of the physical paper-based consent acquisition process, in the form of consent artifacts. These electronic documents are traceable, verifiable and specify the parameters and scope of data sharing that a user wishes to consent to.18

The roles and responsibilities of the consent collector have been clearly outlined. It is the duty of the consent collector to ensure that the user is provided with clear information regarding the scope and purpose of data sharing. If the user agrees to the specified sharing scope, they may be prompted to digitally sign the consent, resulting in the inclusion of their digital signature within the consent artifact. Alternatively, the consent collector may obtain data sharing authorization through different means, such as having the user click a button or sign a physical form. Moreover, the consent artifact includes provisions for specifying a ‘revoker’ for revoking consent, as well as options for notifying the Data Consumer and Data Provider.

There has been a tectonic shift across Indian industries to implement and take advantage of the Digital India initiative. Primacy has been given to user-centric experiences and data interoperability, and each of the abovementioned consent management frameworks seeks to empower data principals with greater control over their personal information and its use. However, it is important to note that these frameworks are not devoid of their respective drawbacks, which have been discussed in the following paragraphs.

2.6 Challenges and Issues with Existing Frameworks

In order to introduce a sector-agnostic consent manager framework as proposed in the DPDPA, the challenges posed by existing frameworks need to be addressed to reduce potential risks to data security. The CM framework does bear certain similarities with AA and HIE-CM, being data blindness, consent flow logs, notifications of changes to consent, and a grievance redressal mechanism, yet it would be prudent to analyze the concerns of each industry-specific framework as against an overarching consent management regime.

The challenges to the AA framework are twofold. Firstly, there is a potential risk to data security as the AA framework permits the sharing of extensive amounts of sensitive personal information with potentially unlimited entities, without specific purposes outlined. This raises concerns about the protection and misuse of such data. Following the emergence of alleged unauthorized sharing of financial information, which led to cases of fraud with customers, the RBI is poised to conduct a review of the business model of AAs.

Secondly, there are operational challenges as well, as it is essential to establish a robust consent architecture and maintain comprehensive audit trails. The Financial Information Providers (FIPs) will need to implement interfaces that facilitate the submission of consent artifacts and mutual authentication by AAs, ensuring a secure flow of financial information.19

Further, the framework established by the National Digital Health Mission (NDHM) also faces its own set of challenges. One notable challenge is the absence of specific provisions that address corporate governance concerns related to Consent Managers (CMs). This lack of explicit guidelines can lead to ambiguity and potential issues regarding the governance and accountability of CMs.
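As an added illustration (not the report’s own text, and not the ECF, DEPA or AA specifications), the following Python sketches how a Data Provider could verify a consent artifact of the kind described above before releasing data: signature check, validity window, purpose and data-type scope, revocation by the named revoker, and a consent flow log that never holds the data itself. Field names, the sample artifact and the use of HMAC in place of the User’s digital signature are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed sample key: the User's secret registered with the Data Provider.
# A real deployment verifies a digital signature; HMAC stands in so it runs offline.
USER_KEYS = {"user-001": b"constructed-user-secret-do-not-reuse"}


def canonical(artifact: dict) -> bytes:
    """Stable byte encoding of every field except the signature itself."""
    body = {k: v for k, v in artifact.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_artifact(artifact: dict, key: bytes) -> dict:
    """Consent Collector step: the User signs the agreed sharing scope."""
    signed = dict(artifact)
    signed["signature"] = hmac.new(key, canonical(artifact), hashlib.sha256).hexdigest()
    return signed


@dataclass
class DataProvider:
    """Original holder of the data (an FIP in the AA setting). It verifies each
    artifact before releasing data, honours revocation only from the named
    revoker, and logs identifiers and decisions, never the data (data blindness)."""
    name: str
    revoked: set = field(default_factory=set)
    consent_log: list = field(default_factory=list)

    def _log(self, event: str, artifact: dict, detail: str) -> None:
        self.consent_log.append({
            "event": event, "artifact": artifact["id"], "detail": detail,
            # Both counterparties are notified of every consent event.
            "notify": [artifact["data_consumer"], artifact["data_provider"]],
        })

    def revoke(self, artifact: dict, requested_by: str) -> bool:
        """Revocation is honoured only from the party named as revoker."""
        if requested_by != artifact["revoker"]:
            self._log("revoke-denied", artifact, f"by {requested_by}")
            return False
        self.revoked.add(artifact["id"])
        self._log("revoked", artifact, f"by {requested_by}")
        return True

    def authorise(self, artifact: dict, request: dict, now: int) -> tuple:
        """Return (allowed, reason) for one data request: same consumer and
        purpose, only listed data types, inside the validity window."""
        key = USER_KEYS.get(artifact.get("user"))
        expected = (hmac.new(key, canonical(artifact), hashlib.sha256).hexdigest()
                    if key else "")
        if not key or not hmac.compare_digest(expected, artifact.get("signature", "")):
            reason = "bad-signature"
        elif artifact["data_provider"] != self.name:
            reason = "wrong-provider"
        elif artifact["id"] in self.revoked:
            reason = "revoked"
        elif not artifact["valid_from"] <= now < artifact["valid_to"]:
            reason = "outside-validity"
        elif request["data_consumer"] != artifact["data_consumer"]:
            reason = "consumer-mismatch"
        elif request["purpose"] != artifact["purpose"]:
            reason = "purpose-mismatch"
        elif not set(request["data_types"]) <= set(artifact["data_types"]):
            reason = "scope-exceeded"
        else:
            reason = "ok"
        self._log("request", artifact, f"{request['data_consumer']}: {reason}")
        return reason == "ok", reason


# Constructed sample artifact: the User lets one lender read two data types for
# one purpose during a fixed window and reserves the right to revoke.
SAMPLE_ARTIFACT = sign_artifact({
    "id": "artifact-42", "user": "user-001",
    "data_provider": "example-bank", "data_consumer": "example-lender",
    "purpose": "loan-underwriting", "data_types": ["account-statement", "balance"],
    "valid_from": 1_700_000_000, "valid_to": 1_702_600_000, "revoker": "user-001",
}, USER_KEYS["user-001"])


def demo() -> list:
    """Run the artifact through the checks; returns the (allowed, reason) pairs."""
    bank = DataProvider(name="example-bank")
    now = 1_701_000_000
    ask = {"data_consumer": "example-lender", "purpose": "loan-underwriting",
           "data_types": ["balance"]}
    out = [bank.authorise(SAMPLE_ARTIFACT, ask, now)]
    out.append(bank.authorise(SAMPLE_ARTIFACT, dict(ask, purpose="marketing"), now))
    # Widening the scope after signing invalidates the signature.
    forged = dict(SAMPLE_ARTIFACT, data_types=["account-statement", "balance", "kyc"])
    out.append(bank.authorise(forged, ask, now))
    out.append(bank.authorise(SAMPLE_ARTIFACT, ask, now=1_703_000_000))
    bank.revoke(SAMPLE_ARTIFACT, requested_by="example-lender")  # denied
    bank.revoke(SAMPLE_ARTIFACT, requested_by="user-001")        # honoured
    out.append(bank.authorise(SAMPLE_ARTIFACT, ask, now))
    return out
```

Calling `demo()` yields one allowed request followed by four refusals (purpose mismatch, tampered artifact, expired window, revoked), and `bank.consent_log` then holds the audit trail an FIP would retain.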

Additionally, the NDHM policy does not impose restrictions on CMs engaging in other business activities. This creates a significant concern related to data resale and profiling. While the RBI guidelines for AA mandate certain disclosures regarding the transfer of shares and control, as well as documentation on technical protocols, corporate details such as the board of directors, and audits, such checks are absent for CMs in the health data domain, which leaves them susceptible to potential malpractices by entities providing consent management services.

The lack of stringent regulations on CMs, especially in the health data sector, raises concerns about unauthorized use and disclosure of data, breaches of consent, and the potential exploitation of data for commercial gain at the expense of users’ privacy and commercial interests. Without proper safeguards and oversight, there is a risk of harm to individuals and communities, both in terms of their privacy rights and potential negative commercial consequences.

Addressing these concerns would be crucial to ensure the responsible and ethical handling of health data by CMs. This would help safeguard the privacy and interests of users and communities, preventing any potential misuse or exploitation of sensitive health information.

It is imperative that before operationalising the concept of CM in the DPDPA, the Indian statutory authorities thoroughly examine the CM mechanism in both the banking and healthcare sectors.

Jurisdictions across the world are now prioritizing consent management and have developed their own methodologies to address it. The subsequent chapter delves into these practices and provides a comprehensive analysis.

3 CONSENT MANAGERS UNDER DPDPA: EVALUATING RISKS AND AMBIGUITIES

3.1 Ambiguity Surrounding the Legal Status of Consent Managers

The DPDPA outlines a brief framework for the CMs and defines a CM as a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. The framework characterizes CMs as a “person,” a term further expounded upon in Section 2(s). This definition of “person” encompasses individuals, companies, firms, and other entities, leading to uncertainty regarding the legal status of CMs.

This ambiguity in the definition of CM could lead to confusion in their implementation and may have implications for the way personal data is handled in India.

In other industries, such as banking and healthcare, CMs are clearly defined as entities that permit data transmission between information providers and its recipients. As per the Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016, an AA means a non-banking financial company as defined in sub-clause (iii) of clause (f) of section 45-I of the Act, that undertakes the business of an account aggregator, for a fee or otherwise, as defined at clause (iv) of sub-section 1 of section 3 of these directions.20

Similarly, the National Digital Health Mission Data Management Policy, under Para 4(e), defines the term CM as an electronic system that interacts with the data principal and obtains consent from him/her for any intended access to personal data.21

Hence, it is evident that both the frameworks comprehensively define the legal status of a CM as an entity or an electronic system. These frameworks offer a clear understanding of how CMs function and contribute to data sharing by explaining the CM’s role as a mediator in data exchange.

Further, academic literature from around the world emphasizes the importance of establishing the entity status of Consent Managers (CMs). One such paper, titled “Consent Management Architecture for Secure Data Transactions,” advocates for the development of a personalized communication interface. The authors argue that this interface would enable individuals to effortlessly view, manage, and exercise control over their consent in a transparent and standardized manner.

The paper, therefore, makes a compelling case for the implementation of a Consent Manager platform in the form of an interface. Such a platform would empower individuals by providing them with the ability to easily select and switch service providers based on their consent preferences. By streamlining the process, this interface would enhance user autonomy and foster greater choice and flexibility in selecting service providers.22

The reference to national laws and global academic literature emphasizes the crucial need to clearly define the legal status of consent managers. It is evident that the absence of a clear legal status for CMs creates uncertainty and complexity in their expected functions. This lack of clarity hampers CMs’ ability to understand their rights and responsibilities and impedes their operational efficiency in providing services. Addressing this issue by establishing a clear legal framework and recognition for CMs would enable them to fulfill their role as intermediaries in data sharing effectively and ensure smooth functioning in consent-driven data exchange.

Further, it is important to highlight that alongside the ambiguous legal status of CMs, the DPDPA lacks clear instructions on the operations of CMs and procedures for withdrawing consent. The subsequent paragraphs delve into this matter in greater detail.

3.2 Uncertainty Regarding the Functionalities of Consent Managers and Consent Withdrawal Procedures

The lack of clear rules and guidelines surrounding the functionalities, as well as roles and responsibilities of CMs may create significant ambiguity.

Grievance Redressal and Appeals Procedure

The DPDPA in Section 6(8) mentions that the CM shall be an entity that is accountable to the Data Principal and acts on behalf of the Data Principal.23

This provision establishes a clear legal relationship between the CM and the data principal, emphasizing the CM’s duty to act in the best interests of the data principal. Given the relationship between a CM and a Data Principal, it is the CM’s responsibility to prioritize the data principal’s best interests and ensure that their personal data is used only for the authorized purposes for which consent was originally granted. Though the DPDPA provides a right of grievance redressal to the data principals which obligates the CMs to address the grievances of the data principal, it is noteworthy that as the importance of CMs grows, it becomes necessary to develop a robust mechanism to resolve concerns and develop an appeals framework. These safeguards are required to appropriately address any potential harm that may result from CMs’ data-sharing actions. Therefore, it is imperative that DPDPA efficiently safeguard the rights and interests of data principals by providing measures to address grievances and provide an option for recourse.

The frameworks implemented in banking and healthcare sectors serve as examples of well-defined grievance procedures established within the statutory regulations governing those sectors. For instance, under the Directions regarding Registration and Operations of NBFC - AAs, issued pursuant to section 45-JA of the Reserve Bank of India Act, 1934, a comprehensive procedure is listed for addressing and resolving customer grievances/complaints. It stipulates that an AA must have a Board-approved policy in place to handle and resolve customer grievances/complaints, along with a dedicated system specifically designed to address such matters. Further, it states that the AA shall display the name and contact details of the Grievance Redressal Officer who can be approached by the public for complaints against the company. These provisions ensure that AAs have effective mechanisms to address and resolve any grievances or complaints raised by their customers.24

Additionally, the Draft Health Data Management Policy which prescribes the utilization of HIE-CM for obtaining consent of data principals also mentions a mechanism of grievance redressal under Clause 32. The policy states that a complaint can be made by the data principal regarding any contravention of the Policy that has caused or is likely to cause harm to the data principal. The data fiduciary is expected to have a procedure and effective mechanisms to redress the grievances of data principals efficiently and in a speedy manner. Further, the data fiduciary is required to designate a Grievance Officer and publish his name and contact details on its website in order to facilitate effective redressal.25

The existence of mechanisms to address grievances in the banking and healthcare sectors demonstrates the significance attributed to the rights of data principal. It, therefore, highlights the need for clarity around the grievance redressal and appeals mechanism for the CM setup in the DPDPA as well.

Governance and Oversight Mechanism

It is the obligation of every CM to get registered with the Data Protection Board in accordance with Section 6(9) of the DPDPA. However, to guarantee the autonomy and integrity of the institutional structure, it is imperative to clarify the Data Protection Board’s role in overseeing

and controlling CM institutions in detail. By adopting such elements, the data protection framework can create a strong regulatory structure that enables effective governance of CMs while also fostering openness and accountability within the ecosystem.

The Data Protection Board can draw inspiration from the rule-making process utilized by the Reserve Bank of India (RBI) to regulate Account Aggregators (AAs) when developing governance mechanisms for CMs. The RBI guidelines provide valuable insights into such aspects as AA registration procedures, AA responsibilities and functions, data security standards, pricing regulations, auditing requirements, risk management practices, and corporate governance considerations. The Data Protection Board could draw inspiration from such frameworks in order to create a solid governance framework for CMs that assures adherence to best practices and encourages effective data management and protection.26

An effective governance mechanism plays a crucial role in overseeing the operations of CMs and ensuring their accountability to data principals. Alongside safeguarding the credibility of CMs, it is essential to clearly define the responsibilities they must fulfill to facilitate efficient consent management. The following paragraphs present a case for establishing a definitive role for CMs in relation to their obligations in consent management.

[Figure: Consent Manager model. The Data Principal provides data; the Consent Manager facilitates the encrypted exchange of data; the Data Fiduciary determines the scope and nature of processing.]

In addition to the challenges listed above, a significant tenet of the CM framework as described by the DPDPA is the centralization of consent management. A centralized setup would pose concerns across various channels including security, privacy and data protection.

3.3 Concerns Arising from Centralized Consent Management

Centralized consent management, where a singular entity or software manages the consent of multiple users, has the potential to raise a few concerns related to privacy and security. The sheer concentration of data in a single location increases the risk of data breaches, making it an attractive target for cybercriminals. Additionally, a centralized system can provide an opportunity for bad actors to have access to large amounts of personal data, potentially leading to privacy violations.

Privacy authorities around the world are increasingly enacting or considering legislation to prevent the collection and consolidation of private data in a centralized system. For example, in 2011, the Office of the Privacy Commissioner of Canada, supported by the Ontario Privacy Commissioner, provided guidance titled “At Your Fingertips – Biometrics and the Challenges to Privacy.” The guidance emphasized in great detail the importance of storing data locally rather than in centralized databases, as centralization increases the risk of data loss or inappropriate cross-linking of data across systems.27

Academic literature worldwide consistently emphasizes the drawbacks of storing data in centralized databases. This viewpoint is reinforced in a research paper titled “Secure decentralized electronic health records sharing system based on blockchains,” where the authors assert that employing a decentralized file system offers enhanced security without compromising performance.

The paper’s authors argue that a decentralized file system presents superior security features while maintaining a comparable level of performance to centralized systems. This perspective aligns with the global academic discourse that favors decentralized architectures for data storage.

The absence of a single point of failure in a decentralized system eliminates the vulnerability present in centralized systems, where a single failure could result in the compromise of all stored data. Furthermore, decentralized systems alleviate communication bottlenecks that can impede efficient data transfer in centralized setups.28

The concerns associated with centralized consent management highlight the need for a more privacy-conscious and secure approach.

After shedding light on the risks and concerns inherent in the current framework recommended by DPDPA, it becomes crucial to examine the approach employed by international authorities in effectively managing user consent.

4 GLOBAL APPROACH: EXAMINING REGULATIONS AND PREVALENT PRACTICES

4.1 Industry associations and supervisory authorities

Acknowledging the significance of consent management, industry associations and regulatory authorities across the globe have established diverse frameworks and best practices to alleviate the compliance burden placed on organizations.

By prescribing these frameworks and best practices, these bodies aim to provide organizations with practical guidance and standardized approaches for consent management. These resources are designed to streamline the compliance process, reduce ambiguity, and ensure that organizations can meet the requirements set forth by applicable data privacy regulations.

Organizations can leverage these frameworks to implement comprehensive consent management strategies tailored to their specific industry and regulatory requirements. By adhering to these prescribed frameworks, organizations can demonstrate their commitment to responsible data handling, build trust with their customers, and mitigate potential risks associated with non-compliance.

These frameworks and best practices are detailed below:

(a) Interactive Advertising Bureau (IAB)

IAB is the European-level association for the digital marketing and advertising ecosystem. It has prescribed a Transparency & Consent Framework (TCF), recently updated in 2023, which is an accountability tool that relies on standardization to facilitate compliance with certain provisions of the ePrivacy Directive and the GDPR.29

The framework may be used as a valuable point of reference for understanding the technical and operational aspects involved in the functioning of consent managers. Though the TCF’s applicability is limited to the context of digital advertising and marketing, some elements of it may be replicable in cross-industry use cases as well.

(i) Legal Status of Consent Managers

The IAB TCF Policies define Transparency and Consent Management Platform (Consent Management Platform or CMP) as the company or organization which is entrusted with ensuring transparency for end users along with the centralization of consents given and objections raised by them. The CMP acts as an intermediary between a publisher (i.e., the entity responsible for operating a digital property, for instance a blog or website), an end user (i.e., the individuals toward whom advertisements are targeted), and vendors (i.e., the company responsible for delivery of the digital advertisements).

[Figure: the CMP as the intermediary between the end user consenting to digital advertisements and the vendors deploying and distributing digital advertisements on publishers’ platforms.]

Under the TCF, a consent management platform performs the following functions:

• Providing transparency to end users;
• Assisting Vendors and Publishers in establishing Legal Bases for processing;
• Acquiring user consent as needed and managing user objections, and communicating Legal Basis, consent and/or objection status to the ecosystem.

A CMP may be the party that surfaces, usually on behalf of the publisher, the User Interface to a user, though that may also be another party.30

The definition of CMP under the framework unambiguously clarifies the legal standing of the CMP as a separate company or organization, eliminating any uncertainty around the platform being merely a software operated by vendors or publishers.

(ii) Obligations and Accountability of CMs

The framework provides specific guidelines for the operation of Consent Management Platforms (CMPs). These obligations include reminding users of their right to withdraw consent or object to processing for any Vendor or Purpose and following the requirements set by the relevant Authorities. CMPs are also required to resolve conflicts in Signals or merge Signals before transmitting them, in accordance with the Policies and Specifications.31

IAB Europe is responsible for periodically reviewing and verifying a CMP’s compliance with the Policies and/or Specifications, following established procedures that are periodically updated. In cases where CMPs commit willful and/or severe violations of the Policies, they may face suspension from participating in the Framework.32

This provision emphasizes the importance of ensuring CMPs adhere to the established standards and guidelines to maintain the integrity and effectiveness of the consent management ecosystem. The periodic review and verification process conducted by IAB Europe ensures compliance and holds CMPs accountable for their actions. By enforcing consequences for non-compliance, the Framework aims to foster a trustworthy and responsible environment for consent management.33

(iii) Functional Role of CMPs

Under the framework, the CMP’s role has been established as an intermediary between Publishers, end users, and Vendors. This

classification establishes that the CMP’s responsibilities lie in facilitating exchange of data, rather than determining the means and scope of data processing.34

(b) UK Information Commissioner Office (ICO)

While the ICO, as the supervisory authority for data protection in the United Kingdom, does not prescribe guidelines for consent management platforms, it suggests the use of preference-management tools like privacy dashboards to allow people to easily access and update their consent settings to manage consent. It is quite evident that the UK follows a model of consent management wherein the data user (i.e., the data fiduciary) establishes mechanisms for consent management in-house and incorporates a consent management tool along with the other services it provides to the data principal.35

The contours of operation of consent management platforms or tools should be spelt out clearly to achieve the three-fold objective of (I) users’ empowerment, (II) accountability and transparency in functioning of consent managers, and (III) ease of integration with digital service providers.

While the framework implemented by the IAB and the recommendations of ICO on incorporation of privacy dashboards offer some insight, it is equally important to examine proposals for technical interventions like consent managers in other jurisdictions. The succeeding section examines this facet of consent management.

4.2 Regulatory Approaches to Consent Management - A Global Perspective

With the increasing significance of consent, statutory authorities have taken a proactive stance in addressing challenges related to seeking informed, affirmative, and action-based

The following paragraphs demonstrate the changes made in various legislation because of the increased emphasis on consent management:

Germany

In Germany, data protection and the associated consent related obligations find their foundation in the right to informational self-determination granted in the Basic Law. In this context, on 20 May 2021, the Bundestag (German Parliament) adopted a draft law entitled the “Telecommunications and Telemedia Data Protection Act” (TTDSG), which aimed to amend the Telecommunications Act (TKG) and the Telemedia Act (TMG), thereby adapting both laws within the meaning of the ePrivacy Directive of the EU to the GDPR.36

Section 26 of the TTDSG offers the choice of utilizing approved services known as “Personal Information Management Services” (PIMS) for consent management. PIMS allows users to either grant or reject consent for specific data processing, with the information centrally stored. Websites can then access the stored information in PIMS, aiming to provide users with enhanced control and security over their consent choices.37

Additionally, the German Federal Ministry for Economic Affairs and Energy, in a press release, further explained the process of consent management with respect to obtaining consent for placing cookies on the user’s terminal equipment:

“With regard to cookies, the TTDSG is also intended to achieve user-friendly and competitive consent management, which should include recognized services, browsers and TeleMedia providers.”38

France

cookies and other tracking technologies, which required all website operators to implement it by the end of March 2021. This directive covers various important aspects, including GDPR-compliant consent, the discontinuation of opt-out mechanisms where explicit consent is required, compliance with transparency requirements, an easily accessible option for revoking opt-ins, and the ability to verify all opt-ins.

The cookie and tracking directive in France is highly comprehensive and provides detailed guidance ranging from the technical aspects to the visual design of consent management on websites. Its aim is to ensure that consent practices related to cookies and trackers align with the requirements of the GDPR while also promoting transparency and user control over their personal data.39

Brazil

Consent management holds significant importance in Brazil, particularly in the realm of open finance. It entails obtaining explicit permission from consumers to share their financial data with Third-Party Providers, also referred to as TPPs. Consumers are empowered with the facility to grant, manage, modify, revoke, or close active consents for data sharing with third-party providers. Consent management plays a crucial role within Brazil’s open finance initiative, which seeks to foster competition and innovation in the financial sector by enabling consumers to share their financial data with other institutions.

To enable this process, Brazil’s open finance framework may require the participating financial institutions to offer clear and user-friendly tools for consent management. These tools may include a dashboard or interface displaying active consents, shared data, and making informed decisions about access and purpose.40

An examination of the laws and regulations in the above stated jurisdictions makes it clear that a precise replication of the Indian model of consent managers, as proposed under the DPDPA, is not currently being implemented globally. However, for limited use cases, such as consent related to cookies in the EU in general or consent related to financial data-sharing, there are some frameworks which have been adopted in other jurisdictions.

4.3 Prevalent industry practices for consent management

In today’s regulatory landscape, laws and regulations are giving greater significance to informed consent as a crucial legal foundation for processing personal data. As a result, organizations are increasingly realizing the importance of efficiently managing the consent they acquire in accordance with these relevant statutes. This entails implementing robust consent management practices and systems to ensure compliance with data protection regulations and establish transparent and trustworthy relationships with data subjects.

As an industry practice, many businesses have adopted the use of Consent Management Platforms (CMPs) or platforms with consent management capabilities to effectively manage and monitor the personal data of their customers. Irrespective
In France, consent management primarily
consent. To address the challenges associated purposes. of the specific data privacy
focuses on the use of cookies and the
with obtaining and managing consent in a
optimization of the opt-out consent mechanism. Through the dashboard, users may easily modify regulations they must adhere
compliant manner, regulatory authorities are or revoke consents and access a history of
taking steps to integrate consent management
The French data protection authority, CNIL,
past consents. This will ensure users maintain
to, organizations require
issued a directive in October 2020 concerning
principles into their laws. complete control over their financial data,

56 | The Future of Data Protection in India: A Roadmap for Regulators Consent Managers: Best Practices and Frameworks | 57
CMPs play a crucial role in assisting organizations Additionally, a record of collected data is maintained to ensure compliance with various data privacy
a clear understanding of with compliance and avoiding potential fines by laws.
ensuring adherence to relevant legal provisions.
which users have provided These platforms promote transparency by
consent for different types of providing users with comprehensive information
about how their personal data is processed.
data processing. Moreover, Additionally, CMPs facilitate the association of a
it is crucial for them to user’s identity with their consent, enabling them
to easily withdraw their consent when desired.
maintain robust evidence
of consent. Additionally, By implementing CMPs, organizations can
effectively navigate the complexities of data
organizations seek privacy regulations and avoid penalties for
streamlined processes to non-compliance. These platforms provide the
necessary tools and mechanisms to ensure that
handle these tasks, not only businesses meet the requirements set forth by
for their own convenience laws such as the GDPR or other applicable data
protection regulations.43
but also to ensure a user-
Collection of consent is the core functionality of
friendly experience for their
the CMP. The consent is collected in a detailed
customers.41 manner wherein the users are first informed that
their personal data is being processed. Next,
detailed information about the scope of data
processing is included in the Privacy Policy or a
A CMP is a software solution that helps an
pop-up notice (or both). At the same time, users
organization to legally collect, document and
decide if they agree to the specific purposes
manage consents in line with data protection
of processing. The principle of free consent is
laws and regulations like the EU’s GDPR,
followed consistently while the collection of
California’s CCPA, or Brazil’s LGPD.42
consent.
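The CMP functions described above (per-purpose decisions taken against a notice, association of the user’s identity with the consent, withdrawal, and a maintained record that serves as evidence of consent) are shown below as an added Python example. This is illustrative code written for this discussion, not code from the report’s sources or from any CMP vendor; the purpose names, the notice identifier and the JSON record format are assumptions.

```python
"""Added example (not from any vendor or the report's sources): a minimal
consent store covering the CMP functions described in the text."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed sample notice: the purposes the data principal is informed about.
NOTICE_VERSION = "privacy-notice-v3"  # assumed identifier of the notice shown
PURPOSES = {
    "analytics": "Measure how the service is used",
    "marketing": "Send promotional messages",
    "personalisation": "Tailor content to the user",
}


@dataclass
class ConsentEvent:
    """One consent decision; hash-chained to the previous event as evidence."""
    user_id: str
    purpose: str
    granted: bool
    notice_version: str
    timestamp: str
    prev_hash: str
    hash: str = ""


class ConsentStore:
    def __init__(self) -> None:
        # Append-only log of decisions, keyed by user identity.
        self._events: list[ConsentEvent] = []

    @staticmethod
    def _digest(ev: ConsentEvent) -> str:
        body = {k: v for k, v in asdict(ev).items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, user_id: str, purpose: str, granted: bool) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        prev = self._events[-1].hash if self._events else "0" * 64
        ev = ConsentEvent(user_id, purpose, granted, NOTICE_VERSION,
                          datetime.now(timezone.utc).isoformat(), prev)
        ev.hash = self._digest(ev)
        self._events.append(ev)
        return ev

    def record_choices(self, user_id: str, choices: dict[str, bool]) -> None:
        """Per-purpose decisions on the notice; refusing one never blocks another."""
        for purpose, granted in choices.items():
            self._append(user_id, purpose, granted)

    def withdraw(self, user_id: str, purpose: str) -> None:
        """Withdrawal is a new event, so the history of past consents survives."""
        self._append(user_id, purpose, False)

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        """Allowed only if the latest decision is a grant; no record means no consent."""
        for ev in reversed(self._events):
            if ev.user_id == user_id and ev.purpose == purpose:
                return ev.granted
        return False

    def active_consents(self, user_id: str) -> dict[str, bool]:
        return {p: self.is_permitted(user_id, p) for p in PURPOSES}

    def verify_chain(self) -> bool:
        """Evidence check: each hash must match its content and link to the previous event."""
        prev = "0" * 64
        for ev in self._events:
            if ev.prev_hash != prev or self._digest(ev) != ev.hash:
                return False
            prev = ev.hash
        return True

    def export_record(self, user_id: str) -> str:
        """Portable JSON record of one user's history (assumed format) for exchange
        between consent managers."""
        history = [asdict(e) for e in self._events if e.user_id == user_id]
        return json.dumps({"user_id": user_id, "notice_version": NOTICE_VERSION,
                           "history": history}, indent=2)


def demo() -> ConsentStore:
    """Constructed walk-through: collection, one refusal and a later withdrawal."""
    store = ConsentStore()
    store.record_choices("user-42", {"analytics": True, "marketing": False,
                                     "personalisation": True})
    store.withdraw("user-42", "personalisation")
    return store
```

Calling `demo().active_consents("user-42")` yields analytics permitted and the other two purposes not permitted; the withdrawal does not erase the earlier grant from the exported record, and `verify_chain()` returns False as soon as any stored event is altered, which is what makes the log usable as evidence.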
Source: Single Consent Form, Piwik PRO Consent Manager44

Source: Consent Manager Admin Panel, Piwik PRO Consent Manager45

Several researchers have advocated for the implementation of a robust Consent Management Platform (CMP) to effectively handle the consent of data principals. In one study, the focus was on leveraging a blockchain-based platform specifically designed for managing consent in the context of Internet of Things (IoT) devices.46 The idea behind proposing a CMP for consent management is to provide data principals with more control over their consents and to create policies that correspond to data principals’ consents.

An illustration of the framework proposed in the paper is given below:

Source: A Blockchain-Based Platform for Consent Management of Personal Data Processing in the IoT Ecosystem47

It is evident that CMPs have been adopted as a best industry practice to manage the consent of data principals and to facilitate the interoperability of data. These platforms provide essential functionalities for obtaining and recording consent, enabling organizations to establish transparent and accountable data processing practices.

However, it is worth noting that the consent management solutions popularly used by organizations are in the nature of B2B solutions. Therefore, the organizations providing these solutions are ultimately accountable to the data fiduciaries by whom they are onboarded.

5 RECOMMENDATIONS

The thorough evaluation of frameworks adopted in specific industries, such as the IAB framework, which is utilized in the context of digital advertising, or the Account Aggregator framework, which is currently implemented in the banking and finance sector in India, establishes that a reference point for an industry- and use-case-agnostic framework for consent managers does not yet exist.

The proposal under the Digital Personal Data Protection Act 2023 to institute consent managers which (I) seem to function across industries and different types of digital products and services, and (II) are accountable to the data principals may therefore prove difficult to implement.

In this background, we propose the following set of recommendations:

1. Avoiding technical prescriptions in the legislation

The DPDPA introduces consent managers as a means to effectively manage the consent of data principals. However, it is important to acknowledge that various sectors have developed their own frameworks to address consent-related issues. These include the Account Aggregator framework by RBI for banking and finance, Health Information Exchange under ABDM for health data, Digital Consent Acquisition proposed by TRAI for telecom, and the Karnataka e-sahamati framework.

The various sectoral frameworks in place encompass their specific guidelines for organizations operating within those sectors. Introducing a consent manager framework within the DPDPA may potentially create a conflict with the existing initiatives already in effect. Furthermore, sectoral regulators or industry associations are better positioned to assess the unique intricacies of user consent within their respective contexts. They can then develop appropriate guidance or obligations for consent managers operating within their specific sectors.

Therefore, we recommend that the subsequent rules which outline the operational framework for Consent Managers under the DPDPA should ensure that CMs as a technical intervention do not become a mandate.

2. Clarity on scope and functioning through delegated legislation

Alternatively, if the legislative intent is to create an overarching mechanism for the operation of consent managers across industry sectors, we recommend that delegated legislation should shed clarity on the legal status of consent managers.

Entities akin to consent managers, including account aggregators and health information exchange managers, have well-defined legal statuses. For instance, account aggregators are classified as Non-Banking Financial Companies, while the National Digital Health Mission Data Management Policy, specifically in Para 4(e), defines Consent Managers as electronic systems. Hence, to explicitly delineate the legal standing of consent managers, it is imperative to establish a precise and unambiguous definition that recognizes them as distinct legal entities and not merely categorize them as “persons”.

3. Recognition of existing industry practices around consent management

In the context of the DPDPA, consent managers are envisioned to be responsible to data principals. However, adopting an ecosystem where data principals choose a specific entity’s consent management solution could necessitate businesses to restructure their technical architectures to accommodate multiple consent management solutions. On the contrary, current industry practices suggest that organizations integrate consent management tools and solutions at the backend to streamline their internal processes for legal compliance.

After examining global statutes and practices, it is apparent that numerous jurisdictions have endorsed the adoption of consent management platforms to facilitate user consent management. For instance, in Germany, the “Telecommunications and Telemedia Data Protection Act” (TTDSG) provides the option to utilize approved services called “Personal Information Management Services” (PIMS) for consent management. Likewise, Brazil’s open finance framework may require the participating financial institutions to offer clear and user-friendly tools for consent management. Furthermore, as an industry-wide practice, many businesses have embraced the use of Consent Management Platforms (CMPs), or platforms equipped with consent management capabilities, to efficiently handle and oversee the personal data of their customers.

Therefore, it is recommended that the existing practices and operational models for consent managers, such as utilizing consent management platforms, be acknowledged and legally recognized under the DPDPA framework. This would entail holding consent managers accountable to data fiduciaries through contractual obligations, allowing them to align with industry norms while fulfilling their responsibilities.

4. Operational guardrails for consent managers

In furtherance of the above recommendation, it is recommended that if consent managers are to be legally recognized under the DPDPA framework, the subsidiary rules and regulations under the law may prescribe operational guardrails for the functioning of such entities. The nature of such guardrails may be inspired by efforts undertaken globally.

For instance, the Transparency & Consent Framework (TCF) by the Interactive Advertising Bureau (IAB) may serve as a good reference point. It provides guidelines for consent management platforms (CMPs) in the digital advertising and marketing sector. Similarly, the UK’s Information Commissioner’s Office (ICO) and France’s CNIL provide guidelines for consent management platforms (CMPs). These guidelines cover technical and visual aspects of cookie consent management on websites, aiming to ensure compliance with GDPR requirements and empower users to have control over their personal data.

These requirements may encompass technical specifications aimed at promoting interoperability among consent managers. By prescribing these technical standards, the DPDPA can ensure that consent managers can effectively communicate and exchange consent-related information, facilitating seamless and efficient consent management processes. This approach promotes consistency, compatibility, and collaboration among consent managers, enhancing the overall effectiveness and reliability of the consent management framework established by the DPDPA.

REFERENCES

1. Niti Aayog, Draft Data Empowerment and Protection Architecture, https://www.niti.gov.in/sites/default/files/2023-03/Data-Empowerment-and-Protection-Architecture-A-Secure-Consent-Based.pdf; The Personal Data Protection Bill 2019, http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf
2. PIB, Know all about Account Aggregator Network- A Financial data-sharing system, https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1753713; RBI, Directions regarding Registration and Operations of NBFC - Account Aggregators under section 45-IA of the Reserve Bank of India Act 1934, https://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=3142
3. ibid
4. National Digital Health Mission: Health Data Management Policy, https://abdm.gov.in:8081/uploads/health_data_management_policy_455613409c.pdf
5. Draft Health Data Management Policy, https://abdm.gov.in:8081/uploads/Draft_HDM_Policy_April2022_e38c82eee5.pdf
6. Telecom Regulatory Authority of India (TRAI), Direction regarding implementation of Digital Consent Acquisition (DCA) under TCCCPR 2018, https://www.trai.gov.in/sites/default/files/PR_No.50of2023.pdf; TRAI, Direction under section 13, read with sub-clauses (i) and (v) of clause (b) of sub-section (1) of section 11, of the Telecom Regulatory Authority of India Act, 1997 (24 of 1997) regarding implementation of Digital Consent Acquisition under Telecom Commercial Communications Customer Preference Regulations, 2018 (6 of 2018), https://www.trai.gov.in/sites/default/files/Direction_02062023.pdf
7. PIB, Know all about Account Aggregator Network- A Financial data-sharing system, https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1753713
8. PIB, Know all about Account Aggregator Network- A Financial data-sharing system, https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1753713; Niti Aayog, Draft Data Empowerment and Protection Architecture, https://www.niti.gov.in/sites/default/files/2023-03/Data-Empowerment-and-Protection-Architecture-A-Secure-Consent-Based.pdf
9. RBI, Master Direction- Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions 2016, https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598
10. PIB, Know all about Account Aggregator Network- A Financial data-sharing system, https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1753713
11. ibid; RBI, Directions regarding Registration and Operations of NBFC - Account Aggregators under section 45-IA of the Reserve Bank of India Act 1934, https://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=3142
12. National Digital Health Mission: Health Data Management Policy, https://abdm.gov.in:8081/uploads/health_data_management_policy_455613409c.pdf
13. Draft Health Data Management Policy, https://abdm.gov.in:8081/uploads/Draft_HDM_Policy_April2022_e38c82eee5.pdf
14. ibid
15. TRAI, Direction regarding implementation of Digital Consent Acquisition (DCA) under TCCCPR 2018, https://www.trai.gov.in/sites/default/files/PR_No.50of2023.pdf; TRAI, Direction under section 13, read with sub-clauses (i) and (v) of clause (b) of sub-section (1) of section 11, of the Telecom Regulatory Authority of India Act, 1997 (24 of 1997) regarding implementation of Digital Consent Acquisition under Telecom Commercial Communications Customer Preference Regulations 2018, https://www.trai.gov.in/sites/default/files/Direction_02062023.pdf
16. The Hindu Business Line, “Pesky calls: Telcos to roll out platform to take consent of users in 2 months,” https://www.thehindubusinessline.com/news/pesky-calls-telcos-to-roll-out-platform-to-take-consent-of-users-in-2-months/article66931113.ece
17. Karnataka e-Sahamathi Framework, https://esahamathi.karnataka.gov.in/
18. Ministry of Electronics and Information Technology (MeitY), Electronic Consent Framework, https://dla.gov.in/sites/default/files/pdf/MeitY-Consent-Tech-Framework%20v1.1.pdf
19. Times of India, “Evolution and challenges of account aggregators in India,” https://timesofindia.indiatimes.com/blogs/kembai-speaks/evolution-and-challenges-of-account-aggregators-in-india/
20. RBI, Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions 2016, https://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=3142
21. National Digital Health Mission: Health Data Management Policy, https://abdm.gov.in:8081/uploads/health_data_management_policy_455613409c.pdf
22. Hyysalo, Hirvonsalo, et al., “Consent Management Architecture for Secure Data Transactions,” https://www.scitepress.org/papers/2016/59413/59413.pdf
23. Digital Personal Data Protection Act 2023, Section 6(8), https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
24. RBI, Master Direction- Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions 2016, https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10598&Mode=0
25. Draft Health Data Management Policy, https://abdm.gov.in:8081/uploads/Draft_HDM_Policy_April2022_e38c82eee5.pdf
26. RBI, Directions regarding Registration and Operations of NBFC - Account Aggregators under section 45-IA of the Reserve Bank of India Act 1934, https://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=3142
27. Office of the Privacy Commissioner of Canada, “Data at your Fingertips Biometrics and the Challenges to Privacy,” https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/gd_bio_201102/
28. Shuaib, Abdella et al., “Secure decentralized electronic health records sharing system based on blockchains,” https://www.sciencedirect.com/science/article/pii/S1319157821001051
29. Interactive Advertising Bureau (IAB), The Transparency & Consent Framework (TCF) v2.2, https://iabeurope.eu/transparency-consent-framework/
30. IAB, Transparency & Consent Framework (TCF) Policies, https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/
31. Managing Purposes and Legal Bases, IAB TCF Policies, https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/
32. Accountability, IAB TCF Policies, https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/
33. Policies for Vendors, Accountability, IAB TCF Policies, https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/
34. IAB TCF Policies, https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/
35. Information Commissioner’s Office, What methods can we use to provide privacy information?, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/the-right-to-be-informed/what-methods-can-we-use-to-provide-privacy-information/#how3; Niti Aayog, Draft Data Empowerment and Protection Architecture, https://www.niti.gov.in/sites/default/files/2023-03/Data-Empowerment-and-Protection-Architecture-A-Secure-Consent-Based.pdf
36. Consent Management in Europe – an overview of the situation in Germany, France, Italy and the UK, https://www.commandersact.com/en/consent-management-europe/; New German Telecommunications-Telemedia Data Protection Act, https://www.gesetze-im-internet.de/ttdsg/TTDSG.pdf
37. Deloitte, New German Telecommunications-Telemedia Data Protection Act, https://www2.deloitte.com/dl/en/pages/legal/articles/telekommunikation-telemedien-datenschutz-gesetz.html
38. Law to protect privacy in the digital world passed, https://www.bmwk.de/Redaktion/DE/Pressemitteilungen/2021/05/20210528-gesetz-zum-schutz-der-privatsphaere-in-der-digitalen-welt-beschlossen.html
39. CNIL, Cookies and other trackers: the CNIL publishes amending guidelines and its recommendation, https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies/lignes-directrices-modificatives-et-recommandation
40. Open Finance Brazil, https://www.bcb.gov.br/en/financialstability/open_finance; Open Finance Brazil FAQ, https://www.bcb.gov.br/en/about/faq
41. Osano, Consent Management Without the Complexity, https://www.osano.com/solutions/consent-management-platform
42. ibid
43. Osano, Consent Management Without the Complexity, https://www.osano.com/solutions/consent-management-platform
44. ClearCode, Single Consent Form- Piwik PRO Consent Manager, https://clearcode.cc/blog/consent-management-platform/#the-iab%E2%80%99s-gdpr-transparency-and-consent-framework
45. ClearCode, Consent Manager Admin Panel- Piwik PRO Consent Manager, https://clearcode.cc/blog/consent-management-platform/#the-iab%E2%80%99s-gdpr-transparency-and-consent-framework
46. Rantos, Drosatos et al., “A Blockchain-Based Platform for Consent Management of Personal Data Processing in the IoT Ecosystem,” https://www.hindawi.com/journals/scn/2019/1431578/
47. ibid
Section 3
TOOLS AND MODALITIES FOR CROSS-BORDER DATA FLOWS: A PRIMER FOR POLICYMAKERS

Executive Summary 70
1. Understanding the significance of international data transfers 71
2. DPDPA’s negative-listing approach: Analyzing potential impact 73
3. Jurisdiction-specific examination of data transfer frameworks 81
4. Recommendations 85
Executive Summary

This section of the report seeks to analyze and explore the provisions of the Digital Personal Data Protection Act 2023 (DPDPA) regarding the facilitation of cross-border data transfers. It also addresses possible implementation challenges and concerns that may arise from this approach. Additionally, it examines the regulatory practices related to cross-border data transfers worldwide. By referring to global practices from various jurisdictions, it evaluates the existing framework proposed under the Act for cross-border data transfers. The purpose of this section is to propose regulatory recommendations that can effectively and efficiently implement the legal requirements necessary to facilitate cross-border data transfers.

The first chapter provides a comprehensive overview of the significance of international data transfers and their role in promoting global trade and services. It highlights the importance of facilitating cross-border data transfers in today’s interconnected world. It further delves into the approach taken by the DPDPA regarding cross-border data transfers.

It argues that there are ambiguities in the DPDPA pertaining to aspects such as the requirements for lawful data transfers, the safeguards for protecting personal data during transfers, or the conditions for cross-border data sharing.

The second chapter focuses on a critical analysis of the possible concerns surrounding the negative listing approach implemented by the DPDPA regarding cross-border data transfers. It scrutinizes the effectiveness of this approach in ensuring the secure transfer of personal data across borders. Key concerns addressed include the lack of clarity in the regulatory process for cross-border data flows, the absence of guidelines for notifying restricted countries for cross-border data transfer, and the disregarding of established tools and mechanisms for data transfers.

Furthermore, the chapter presents a comprehensive overview of the mechanisms adopted globally for facilitating cross-border data transfers. By considering international practices and approaches, this section of the report aims to provide a broader perspective on the subject matter, allowing for a more informed assessment of the limitations and concerns associated with the negative listing approach.

The concluding chapter conducts an in-depth analysis of data transfer frameworks specific to different jurisdictions. By studying the practices of diverse jurisdictions, this analysis aims to capture a comprehensive understanding of the global landscape regarding data transfers. The findings from this section contribute to the overall understanding of the regulatory landscape and facilitate the development of informed recommendations for regulatory changes or improvements in the field of data transfers.

1 UNDERSTANDING THE SIGNIFICANCE OF INTERNATIONAL DATA TRANSFERS

In the digital era, the ability to access, utilize, and transfer data across borders plays a crucial role in driving economic growth. In every industry, be it manufacturing, services, agriculture, or retail, data is a fundamental resource, and its seamless global circulation is vital. Whether through direct means or by leveraging expansive data infrastructure like cloud computing, the interconnectedness of the world has facilitated international economic engagement, enabling individuals, startups, and small businesses to partake in global market opportunities.1

Cross-border data transfers play a vital role in facilitating global trade and services. These transfers enable businesses of all sizes to meet their basic needs, from internal communication to streamlining supply chains across different locations. Small and medium-sized enterprises can expand their reach and compete based on product quality rather than geographical limitations, connecting with potential customers worldwide.

The free flow of data is also essential for traditional industries like manufacturing, healthcare, education, and finance, as they often need to transfer information related to their tangible goods and services. Regardless of whether a company conducts direct online sales, data transfers across borders are frequently required to support their operations.2
Figure: The increasing importance of cross-border data flows over time (timeline 1990, 2000, 2010, 2020+: Trade & Commerce; Cloud Computing; Fourth Industrial Revolution Technologies; Post COVID-19 economic growth).
Source: World Economic Forum, A Roadmap for Cross-Border Data Flows: Future-Proofing Readiness and Cooperation in the New Data Economy3

2 DPDPA’S NEGATIVE-LISTING APPROACH: ANALYZING POTENTIAL IMPACT

Under the Digital Personal Data Protection Act 2023 (DPDPA), Section 16 recognizes the significance of cross-border data transfers and grants the Central Government the authority to notify specific countries or territories outside India to which a Data Fiduciary cannot transfer personal data.4

The Act seeks to set up a framework to facilitate cross-border data transfers. It is, however, important to highlight that the Act lacks clarity: the specificities of notifying restricted jurisdictions and the process for the same will only be outlined in the future through delegated legislation. The Act fails to provide clear guidelines regarding the countries which are not eligible for data transfer. Additionally, it is not clear whether any supplementary mechanisms will have to be adhered to in order to ensure secure transfers of personal data to non-restricted countries. Addressing these aspects is crucial to streamline the data transfer process and facilitate compliance for data fiduciaries. The succeeding chapters elaborate on these ambiguities in depth.

When contrasted against earlier iterations of data protection laws in the country, the DPDPA, through Section 16, takes a liberal approach towards facilitating cross-border data transfers. The provision outlines that data transfers outside the territory of India will be generally permitted, barring transfers to countries which are notified as restricted.

Considering the escalating pace of global data flows and the potential risks associated with national security, data breaches, and privacy concerns, it is crucial for a country’s economic growth to prioritize the establishment of a robust legal framework that governs cross-border data transfer. Such a framework serves as a crucial foundation that enables the smooth execution of various research and development endeavors. Additionally, it plays a pivotal role in safeguarding intellectual property, upholding the dignity of human rights, and guaranteeing the essential security of personal data. By providing a structured and reliable system, a nation’s data protection framework can foster innovation while ensuring that ethical considerations are upheld, enabling progress in a responsible and secure manner. Its implementation promotes a harmonious balance between the advancement of knowledge and technology and the protection of fundamental human values.5

The idea of a list of restricted jurisdictions for transfers of personal data in the DPDPA is novel. However, the notion of a negative list of jurisdictions has been implemented as a policy intervention in the context of trade restrictions outlined in Chapter 2 of the Foreign Trade Policy issued by the Directorate General of Foreign Trade (DGFT). The policy prohibits the import and export of certain goods from specific countries, such as arms and related materials from Iraq, items originating from the Democratic People’s Republic of Korea, and charcoal from Somalia, among others.6

Similarly, this approach is demonstrated through the blacklisting approach implemented by the Financial Action Task Force (FATF). FATF identifies high-risk jurisdictions with substantial deficiencies in countering money laundering, terrorist financing, and proliferation financing. Subsequently, FATF urges these jurisdictions to implement enhanced due diligence and countermeasures to safeguard the international financial system from the risks of money laundering, terrorist financing, and proliferation financing originating from those countries.7
However, the lack of specific provisions or guiding principles in the Act regarding cross-border data flows may create a sense of regulatory uncertainty for entities required to comply with these obligations. This uncertainty may eventually hinder the envisioned ease of doing business, as organizations would face challenges in navigating the requirements for cross-border data transfers. Without clear guidelines or a framework in place, businesses may struggle to establish efficient and compliant processes for international data transfers, which could have unintended negative consequences.

The subsequent paragraphs outline the concerns linked to the present framework of cross-border data transfers as embraced by the DPDPA.

Section 16 and related ambiguities

Additionally, it is essential to emphasize the lack of well-defined guidelines for notifying restricted countries in the context of cross-border data transfers. This ambiguity introduces significant uncertainty in the notification process and gives rise to numerous concerns. The following paragraphs provide a comprehensive exploration of these concerns.

[Figure: three concerns] Lack of clarity in the regulatory process | Absence of guidelines for notifying restricted jurisdictions | Non-recognition of established tools and mechanisms for data transfers

2.1 Lack of clarity in the regulatory process

Most jurisdictions worldwide establish independent bodies or boards dedicated to data protection. For instance, in Saudi Arabia, Data Fiduciaries may only store and process Personal Data outside the Kingdom of Saudi Arabia after obtaining written approval from the relevant “Regulatory Authority”, and the Regulatory Authority must coordinate with the National Data Management Office (NDMO). The term “Regulatory Authority” refers to an independent governmental or public entity with regulatory responsibilities in a specific sector, as defined by a legal instrument. In cases where Data Fiduciaries are not subject to specific Regulatory Authorities, the NDMO assumes the roles and functions of these authorities. Therefore, Data Fiduciaries must coordinate with the NDMO and obtain their approval before sharing Personal Data with entities located outside of Saudi Arabia.8

Similarly, in Malaysia, under the Personal Data Protection Act 2010 (PDPA), a data user may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister. The Personal Data Protection Commissioner (Commissioner) appointed under the PDPA is further considering issuing a guideline on the mechanism and implementation of cross-border data transfer and has sought feedback on the important matters to be considered in the proposed guideline.9

Further, in Algeria, the transfer of personal data by a data fiduciary to a foreign State is only permitted if authorized by the national authority in accordance with the Law on protection of natural persons in personal data processing. Furthermore, such a transfer can only occur if the receiving State guarantees an adequate level of protection for the privacy and fundamental rights and freedoms of individuals in relation to the processing of said data.10

The DPDPA does not provide much clarity on the composition of the Data Protection Board. The Central Government exercises control over the composition and structure of the Data Protection Board, raising concerns about the independence of the appointed board members, who are entrusted with investigating issues of non-compliance with the Act. The DPDPA provides limited insight into the functioning and operational independence of the Data Protection Board. To ensure independence, the Act could take inspiration from institutions like the RBI and SEBI in establishing the Data Protection Board.11

2.2 Absence of guidelines for notifying the restricted jurisdictions

Section 16 of the DPDPA addresses the transfer of personal data outside India. It grants authority to the Central Government to notify specific countries or territories to which a Data Fiduciary cannot transfer personal data.12

It is relevant to point out that this provision is a limited one and bestows complete discretion on the Central Government to notify restricted jurisdictions for data transfers.

The provisions of the DPDPA do not prescribe guiding principles or outline a framework based on which the determination of ineligible countries shall be made under Section 16. This may arguably cross the threshold of excessive delegated legislation. In India, it is firmly established that fundamental and primary legislative functions should be carried out by the legislature itself and cannot be delegated to the executive.

In the context of Indian law, there have been notable instances where the courts have taken a clear stance against excessive delegation, considering it unconstitutional. For instance, in the case of Gwalior Rayon Mills Mfg. (WVG) Co. Ltd. v. Assistant Commissioner of Sales Tax, the Supreme Court expressed its opinion that one of the well-established principles in Constitutional Law is that the authority granted to the legislature to enact laws cannot be delegated to any other body or authority. This signifies that the legislature must retain the responsibility of fulfilling its primary legislative function, rather than delegating it to external entities.13

Similarly, in the case of Ramesh Birch v. U.O.I, the Supreme Court emphasized that the primary legislative function should generally be performed directly by the legislature itself, without reliance on third parties or intermediaries. This further reinforces the idea that the power and duty to legislate should not be shifted to other entities but should be exercised by the legislative body itself.14

Additionally, the negative list approach to cross-border data transfers with minimal guidance around its execution raises a number of concerns. Specifically, there is no clarity surrounding whether any conditions or supplementary mechanisms will be prescribed for transferring personal data to non-restricted jurisdictions. The absence of explicit clarity around the execution of Section 16 of the Act may introduce uncertainty during the drafting of contractual agreements between data fiduciaries and processors. This absence of clear guidelines in the DPDPA creates uncertainty for foreign investors considering investments in India. The existence of well-defined standards, like the European Standard Contractual Clauses (SCC), provides confidence and clarity when entering contracts. One of the main advantages of the European SCC is that these contain clauses regulating the transfer and processing of personal data which are deemed to be in compliance with the European General Data Protection Regulation (GDPR). The Act could also benefit from adopting insights from international frameworks such as the Organization for Economic Co-operation and Development (OECD) and the US-Mexico-Canada Trade Agreement (USMCA) to enhance its regulatory approach.15

Further, the DPDPA can also refer to the European Commission’s recently approved adequacy decision for the EU-U.S. Data Privacy Framework. This decision provides a comprehensive level of detail by explicitly addressing the obligations arising from the EU-U.S. Data Privacy Framework. Additionally, it outlines the limitations and safeguards that come into play when personal data transferred to the United States is accessed by U.S. public authorities, specifically for purposes of criminal law enforcement and national security.16

It is also important to note that the transfer of personal data could face a sudden halt for business entities in the absence of clearly defined criteria for restricting transfers to a jurisdiction and without a transition period for compliance. While a negative list approach to data transfers is novel, one may assume that a process similar to adequacy assessment may be undertaken to notify a jurisdiction as being restricted for data transfers. Based on this assumption, a perusal of adequacy assessment approaches globally provides an insight into the extent of evaluation involved in this process. For example, when evaluating the adequacy status of a third country, the United Kingdom follows a four-phase approach: (1) Gatekeeping, (2) Assessment, (3) Recommendation, and (4) Procedural.

During the Gatekeeping phase, the UK considers whether to initiate an adequacy assessment for a particular country, taking into account policy factors that align with UK interests. In the Assessment phase, information regarding the level of data protection in the target country is collected and analyzed, focusing on its data protection laws and practices. The Recommendation phase involves providing a recommendation to the Secretary of State. Lastly, the Procedural phase entails the creation of pertinent regulations and their submission to Parliament.17

It is crucial to recognize that the process of determining the suitability of a country for data transfer is both lengthy and arduous.

Similarly, the decision-making process of the European Commission involves considering various criteria, such as commercial relations, data flow volume, privacy protection quality, political relationship, promotion of common values, and shared objectives at an international level. This approach can lead to arbitrary or subjective decisions, creating obstacles to the free movement of data.18

Therefore, a possible drawback of this approach is that it would likely involve in-depth evaluation and deliberation processes to determine the jurisdictions to which transfer of personal data must be restricted.

Further, it is important to highlight that the negative listing approach in the Act does not provide guidance on the process of adding or removing countries from the list if they fail to uphold the aspects related to India’s national security, nor does it address how privacy and security concerns would be addressed under this strategy.

While undertaking the evaluation of countries for the negative list may not be a hindrance in and of itself, the lack of clarity around the process surrounding the making of this decision, as well as around the factors taken into consideration for restricting transfers to a jurisdiction, may create business and policy uncertainty.

A negative list approach is undoubtedly a step forward in terms of ensuring liberal data transfers to promote innovation in the digital economy. The DPDPA itself is a principle-based legislation which forms the baseline for data protection regulation in the country. However, it is equally important for the rules and regulations framed thereunder to ensure that transfers of personal data to non-restricted jurisdictions are safe, secure, and consider existing mechanisms for data transfers that are deployed across industry sectors.

2.3 Non-recognition of established tools and mechanisms for data transfers

Across the globe, different jurisdictions employ diverse approaches to facilitate the safe and efficient transfer of data across geographical borders. However, in its limited recognition of negative listing as the only viable mechanism for enabling transfer of personal data beyond the Indian territory, the provisions of the Act hamper the ability of organizations to undertake secure transfers of personal data to non-restricted countries.

Furthermore, there may be legitimate reasons to transfer personal data outside India to a jurisdiction on the negative list. A growing number of companies are increasingly establishing their Global Capability Centers (GCCs) in India.19 It is feasible that such global organizations may, for a number of administrative reasons, have to transfer, for instance, employees’ personal data outside India to a jurisdiction which may be on the negative list. To exonerate Data Fiduciaries from unforeseen liabilities, it is important to also take
into consideration these types of scenarios and supplement the negative listing approach with a recognition of established tools and mechanisms for international data transfers.

As detailed in the succeeding paragraphs, there are valid reasons for jurisdictions to recognize several valid legal routes for data transfers. The technical architecture within which data is being shared may differ, along with the purposes of data sharing, or the intended recipient of the data. All these factors necessitate the existence of a multitude of mechanisms enabling data transfers, to ensure that organizations are best placed to opt for the means which are least onerous while ensuring compliance with the principles of the law.

It is crucial for a comprehensive and effective data protection framework to incorporate a bouquet of legally recognized measures for facilitating secure and compliant cross-border data transfers.

Contractual Clauses

The use of contractual clauses was first prescribed by the General Data Protection Regulation (GDPR). According to GDPR, contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called standard contractual clauses (SCCs) – that have been “pre-approved” by the European Commission.

Further, numerous organizations and third countries are in the process of developing or have already issued their own model contractual clauses. These clauses are based on aligned principles that are also reflected in the SCCs of the European Union.20

Apart from the European Union, several other countries use contractual clauses as a viable method to transfer data. Brazil uses contractual clauses as an adequate guarantee of compliance with the principles and rights provided to the data principals by the Brazilian General Personal Data Protection Act (LGPD).21

Similarly, the ASEAN member states have implemented Model Contractual Clauses (ASEAN MCCs) as standardized data protection clauses to facilitate the cross-border transfer of personal data. These ASEAN MCCs can be incorporated into contractual agreements between data exporters and importers as a basis for allowing such transfers. The ASEAN MCCs serve as a baseline set of contractual clauses applicable in all ASEAN Member States, aiming to provide flexibility while adhering to the principles of the ASEAN Framework on Personal Data Protection. Businesses have the option to customize the MCCs to meet their specific needs, as long as the amendments align with the principles of the ASEAN Framework on Personal Data Protection.22

SCCs offer flexibility as parties have the option to supplement them with additional clauses or integrate them into broader commercial contracts, if these provisions do not contradict the clauses directly or indirectly, and do not compromise the rights of data subjects. This flexibility allows organizations to tailor the clauses to their specific needs and incorporate them seamlessly into their existing contractual frameworks.23

The implementation of contractual clauses as a data transfer mechanism offers several key advantages. Firstly, SCCs are standardized and pre-approved by relevant regulatory authorities, making them readily available and easy to adopt. Unlike other compliance mechanisms that necessitate prior authorization from a national data protection authority or incur higher implementation costs, SCCs provide a cost-effective and streamlined approach.

There exist some practical challenges that arise in the implementation of SCCs. The requirement to negotiate and execute separate agreements with each data exporter and importer, especially for new categories of data or purposes not covered by existing agreements, may be burdensome, particularly for small and medium-sized enterprises. Additionally, some jurisdictions require the prior approval of Data Protection Authorities for the use of standard contractual clauses, creating a bottleneck to their adoption.24

While contractual clauses may be accompanied by some compliance costs and obligations which can impact small businesses and start-ups,25 the advantages of employing contractual clauses as an effective data transfer method largely outweigh the disadvantages associated with their use. The widespread adoption of these clauses across different jurisdictions underscores their status as a favored mechanism for data transfers. While some critics argue that contractual clauses may present limited drawbacks, such as potential delays in negotiations or the heightened compliance costs and increased obligations, these issues are relatively minor compared to the protections and facilitation they offer for cross-border data transfers.26

In conclusion, it is imperative to point out that as businesses continue to navigate the complexities of data protection, these clauses remain an indispensable tool for safeguarding privacy, promoting international collaboration, and ensuring the secure exchange of information across borders.

Binding Corporate Rules

Globally, Binding Corporate Rules (BCRs) are seen as a comprehensive framework of enforceable regulations designed to govern the processing of personal data. In the European Union, these rules guarantee the implementation of adequate safeguards to protect the rights of data subjects when transferring personal data between entities within a corporate group to countries outside the European Economic Area (EEA) that lack the necessary level of legal protection.27 BCRs require approval from the appropriate national data protection authority to ensure compliance with the applicable data protection regulations.28 BCRs are particularly suited to multinational companies that want to regulate intra-group transfers on a worldwide basis to ensure compliance with requirements on the transfer of personal data outside the EEA.

In Singapore as well, the PDPC recognizes the requirement for adoption of BCRs in scenarios where the recipient of personal data is an entity which is related to the organization which is transferring the personal data.29

BCRs serve as an effective data transfer mechanism due to several advantages they offer. One key benefit is the considerable flexibility they provide to corporate groups, as updates to BCRs typically do not require explicit approval from data protection authorities. This flexibility reduces administrative burden and allows organizations to adapt their data protection practices more efficiently.

While BCRs may not be the most appropriate data transfer mechanism for smaller companies or for recipient companies which are outside the corporate group, they provide a unique utility for individual members of a corporate group.30 By establishing a comprehensive set of rules, BCRs streamline the data transfer process within the group and provide a more cohesive approach to data protection.31

Certifications

Article 46(2)(f) of GDPR prescribes approved certification mechanisms as a new tool to transfer personal data to third countries in the absence of an adequacy agreement. The European Data Protection Board had adopted guidelines on certification as a tool for transfers. The main purpose of these guidelines is to provide clarification on the practical use of this transfer tool.

The Guidelines provide clarity on the use of certification as a means of demonstrating appropriate safeguards for cross-border data transfers outside the European Economic Area (EEA). Data exporters can rely on certification to verify that controllers or processors outside the EEA offer sufficient protection against specific transfer risks. To ensure the validity of the certification, the data exporter must confirm its status, coverage of the intended transfer, and whether it includes transit of data. It is also important to assess whether onward transfers are involved and whether adequate documentation exists for those transfers. Additionally, the data exporter must ensure the existence of a legally binding document, such as a contract or certification agreement, between the certification body and the data importer. This document should outline the importer’s commitment to apply the certification criteria to all personal data transferred under the certification. The use of certification should be appropriately addressed in the agreements between controllers and processors or in data sharing agreements, depending on the roles of the parties involved.32

The above stated tools for cross-border data transfers are prevalent across jurisdictions globally. However, the DPDPA takes a limited approach to facilitating the safe and secure transfer of personal data outside the Indian territory. Additionally, the law also disregards the risk-based approach implemented by statutes like GDPR for data transfers. This approach entails evaluating the level of risk associated with transferring data to a third country. Data fiduciaries assess the risks involved before transferring data, even if the receiving country provides adequate safeguards for data security. This approach enhances accountability for data fiduciaries throughout the data transfer process.33

The existing mechanisms for cross-border data transfer offer data fiduciaries a structured framework to facilitate their data sharing activities. These mechanisms serve as valuable guidelines and references for data fiduciaries, enabling them to navigate the complexities of transferring data across borders. Different jurisdictions around the world have implemented a range of these mechanisms to govern data transfers. The third chapter provides a detailed exploration of the specific practices adopted by these jurisdictions.

3 JURISDICTION-SPECIFIC EXAMINATION OF DATA TRANSFER FRAMEWORKS

In today’s interconnected world, the secure transfer of data across borders is crucial for global transactions. Recognizing this importance, countries worldwide have established dedicated mechanisms to facilitate and optimize cross-border data transfers. These mechanisms aim to simplify the transfer process, boost efficiency, and address uncertainties that may arise during such exchanges. The examples that follow exemplify the diverse approaches adopted by different countries, further underscoring the significance of these mechanisms in promoting seamless cross-border data flows.

Singapore

The Personal Data Protection Act of 2012, amended by the Personal Data Protection (Amendment) Act 2020, includes restrictions on offshore data transfers. These restrictions mandate that organizations must ensure the receiving organization outside of Singapore provides “comparable protection” in accordance with the standards outlined in the Act.34

Israel

Cross-border data transfers are restricted and allowed only under specific circumstances. These include transfers to European Union (EU) Member States, transfers from an Israeli company to its foreign subsidiaries, transfers with the explicit consent of the individual, or transfers facilitated by a written agreement that obligates the data importer to adhere to Israeli data protection laws to a significant extent.35

Egypt

Egypt prioritizes the principle of adequacy to facilitate the transfer of data across borders. The Egyptian Personal Data Protection Law No. 151 of 2020 sets regulations on the transfer of personal data to foreign countries. According to Article 14 of the law, the transfer of collected or processed personal data to a foreign country is prohibited unless that country ensures a level of personal data protection equal to or higher than what is specified in the law. In addition, a relevant license or permit from the Centre is required for such transfers. However, there are exceptions to this rule, primarily based on the consent of the data subject.

Furthermore, the law allows a data fiduciary or processor to grant access to personal data to another controller or processor outside Egypt under certain conditions. These conditions include having a conformity of work nature or purpose between the controllers or processors involved and a legitimate interest in the personal data by either the controllers, processors, or the data subject. It is also required that the level of legal and technical protection of the personal
data provided by the data fiduciary or processor abroad is not lower than the level of protection offered in Egypt.36

Indonesia

Indonesia allows cross-border data transfers under certain conditions. The data fiduciary must ensure that the receiving country provides an equal or higher level of personal data protection than what is mandated by the Personal Data Protection (PDP) Law, known as the “Adequacy of Protection” requirement. The PDP law is closely aligned with the European Union’s General Data Protection Regulation (GDPR).37 If the receiving country does not meet this adequacy standard, the data fiduciary must establish appropriate safeguards to ensure the protection of personal data. If neither adequacy nor appropriate safeguards are present, the data subject’s prior consent is required for the transfer.

Currently, the absence of a PDP Agency and implementing regulations to the PDP Law means that the standards set by the General Data Protection Regulations still largely apply in practice. This means that data exporters or transferors have certain obligations, such as ensuring the effectiveness of supervision by relevant governmental institutions and providing access to electronic systems and data when required for supervision and law enforcement purposes. The data exporter or transferor also needs to coordinate with the Directorate General for Informatics Application (DITJEN APTIKA) within the Ministry of Communication and Informatics (MOCI) and submit certain reports to them prior to the transfer.38

Saudi Arabia

Under the Personal Data Protection Law (PDPL) in Saudi Arabia, personal data can be disclosed to an entity outside the territory for a limited set of purposes: to perform a contractual obligation relating to the Kingdom, to serve the interests of the Kingdom, for performance of an obligation involving the Data Subject, or to fulfill purposes set out in the Regulation.39

However, these transfers must still meet certain conditions. They should not compromise national security or the vital interests of Saudi Arabia, and adequate guarantees must be in place to maintain the confidentiality of the transferred personal data, meeting the standards set by the PDPL and the Executive Regulations. Furthermore, the transfer should involve only the minimum amount of personal data necessary, and approval from the competent authority, as defined in the Executive Regulations, is required.40 Personal data may be transferred outside the jurisdiction, without meeting these conditions, in scenarios of extreme necessity to preserve the life of a Data Subject or to prevent, examine, and treat diseases.41

In certain cases, the competent authority may grant exemptions to the Data Controller, allowing them to bypass these conditions. The exemption can be granted if the transfer does not jeopardize national security or the vital interests of Saudi Arabia, if the competent authority, alone or jointly with other parties, determines that the personal data will receive an acceptable level of protection outside of Saudi Arabia, and if the personal data in question is not classified as sensitive data.42

Australia

In Australia, the Privacy Act stipulates that the transfer of personal information to organizations outside the country is permitted only if the entity has taken appropriate measures to ensure that the overseas recipient adheres to the Australian Privacy Principles (APP) concerning that personal information. This approach, known as the “Accountability Approach,” establishes a framework that holds APP entities responsible for ensuring that overseas recipients handle individuals’ personal information in compliance with the APPs. Consequently, the APP entity is held accountable if the overseas recipient mishandles the information.43

There is an exception for this general rule in scenarios where the APP entity reasonably believes that:

• The recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information
• There are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme

Further, transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

• approved adequate/whitelisted jurisdictions
• to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and security authority
• approved standard contractual clauses
• binding corporate rules
• derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims.44

Dubai

According to Article 26 of DPL No. 5 of 2020 (“DPL”), the transfer of personal data outside the DIFC is permitted if it is to a country or jurisdiction with adequate data protection measures or if it complies with the provisions specified in Article 27 of the DPL. Article 27 outlines the conditions for such transfers, which include the use of appropriate safeguards adopted by third countries, transfers conducted through SCCs, BCRs, certifications, and other approved methods.45

Countries worldwide have implemented various mechanisms and regulations to facilitate cross-border data transfers. Examples from Israel, Egypt, Indonesia, Dubai, Australia, and Saudi Arabia demonstrate different approaches to governing such transfers, and exemplify the diversity in policy approaches for the Indian data protection framework.

To summarise the various approaches discussed above, Israel restricts cross-border data transfers but allows them under specific circumstances, including transfers to EU Member States, transfers within an Israeli company’s subsidiaries, transfers with consent, or transfers facilitated by written agreements complying with Israeli data protection laws. Egypt emphasizes the principle of adequacy, permitting data transfers to foreign countries that offer an equal or higher level of data protection. Indonesia’s data transfer approach is closely aligned with the GDPR.46 Saudi Arabia generally prohibits data transfers unless specific conditions are met, such as protecting life or vital interests, disease prevention, or obligations involving the country. However, transfers must comply with strict conditions to maintain national security, confidentiality, and minimum necessary data, subject to approval by the competent authority. Dubai sets forth conditions for data transfer,
82 | The Future of Data Protection in India: A Roadmap for Regulators Tools and Modalities for Cross-Border Data Flows - A Primer for Policymakers | 83
requiring that such transfers may proceed
only if the importing country offers adequate The data protection
safeguards or if certain transfer mechanisms,
such as BCRs, SCCs, certifications, and regulatory framework
in India can explore
4
others, are utilized. Australia employs the
“Accountability Approach” to ensure overseas
recipients adhere to Australian Privacy additional aspects
Principles.
to enhance the
The DPDPA can get insights into the various
elements to consider and specific provisions that
facilitation of RECOMMENDATIONS
can be incorporated to streamline cross-border cross-border data
data transfers by referring to the approaches
employed by these countries. Different aspects transfers. This may
work for different countries, and the DPDPA include providing The preceding chapters shed light on the framework for cross-border data transfers under
the Digital Personal Data Protection Act 2023. It is clear that in a hyper-digitized world with
framework can refer to the same to gain insight
about the benefits and limitations of these clearer guidelines a focus on rapid, efficient transactions, communication, and information exchange, transfers of
data (including personal data) across national borders are inevitable.
approaches for data transfers. For example, the
DPDPA can examine Australia’s accountability
on the obligations of
principle, Egypt’s emphasis on adequacy and businesses engaged
consent, Indonesia’s requirements for adequate
protection and Saudi Arabia’s conditions for data
in such transfers, and Though the legislative approach of the Act
simplifies the process of data transfers when
and accessed by U.S. public authorities for
national security and criminal law enforcement
transfers outside the country. exploring various contrasted against earlier iterations. There reasons.47
By considering and incorporating the best mechanisms for data are nonetheless practical challenges that can
emerge as a result of this framework. Further, examination of different data transfer
practices and mechanisms observed in other
jurisdictions, the DPDPA can establish a transfers, such as In light of the same, we propose a few
mechanisms implemented by various
jurisdictions like Israel, Singapore, Australia, and
comprehensive framework that promotes
efficient and secure cross-border data transfers.
standard contractual recommendations below. others reveals that these countries have taken
proactive steps to establish comprehensive
This would provide clarity to businesses clauses, binding 1. Enhanced Regulatory Clarity and
frameworks for data transfers beyond their
Certainty
operating in India and create a conducive
environment for global trade and services,
corporate rules, jurisdictions. These mechanisms provide
In the context of negative listing, it is imperative detailed guidelines and requirements for such
enabling seamless data flows while ensuring certifications, and to create a sense of business and regulatory transfers. Referring to the manner of detailing
the protection of individuals’ privacy and data
rights. more. certainty. By doing so, data fiduciaries can have
a better understanding of the requirements and
in these mechanisms can be highly beneficial in
developing a specific set of criteria to enhance
expectations when engaging in such transfers, the negative listing approach.
which in turn allows for more efficient planning
We therefore recommend defining a definite
and decision-making.
set of criteria and outlining the process for
For example, the European Commission’s determination of countries to which transfer of
recently approved adequacy decision regarding personal data from India is restricted. In defining
the EU-U.S. Data Privacy Framework provides a the criteria, privacy and security considerations
comprehensive overview of all specific aspects. must hold paramount importance, along with
Within this decision, the Commission thoroughly safeguarding business and economic interests.
evaluates the obligations arising from the
Additionally, it is important that once countries
EU-U.S. Data Privacy Framework, along with
are notified as restricted for transfers of personal
the restrictions and protections in place when
data, there may be a mechanism for periodic
personal data is transferred to the United States

84 | The Future of Data Protection in India: A Roadmap for Regulators Tools and Modalities for Cross-Border Data Flows - A Primer for Policymakers | 85
and systematic review of their status, however,
such review must not come at the expense of In outlining the
legal continuity of systems and processes for
process through
REFERENCES
data transfers. To ensure business continuity,
we also recommend an adequate transition which determination
period to be prescribed in consultation with the
industry when new territories or jurisdictions are of restricted countries
categorized as being ‘restricted’ for transfers of
is made, it will The Brookings Institution, “Regulating for a digital economy: Understanding the importance of cross-
1

personal data. border data flows in Asia,”

2. A Risk Based Approach for Data


become important https://www.brookings.edu/research/regulating-for-a-digital-economy-understanding-the-
importance-of-cross-border-data-flows-in-asia/
Transfers to balance two 2
U.S. Chamber of Commerce, “Business Without Borders: The Importance of Cross-Border Data
Data fiduciaries have a crucial responsibility competing interests; Transfers to Global Prosperity,”
to carefully evaluate the risks associated with
data transfers. Before engaging in any transfer first, ensuring agility https://www.huntonak.com/images/content/3/0/v3/3086/Business-without-Borders.pdf

in the process so as World Economic Forum, “A Roadmap for Cross-Border Data Flows: Future-Proofing Readiness and
3
of data, it is essential for them to conduct a
comprehensive assessment to identify potential Cooperation in the New Data Economy,”
risks and vulnerabilities. This assessment should to enable jurisdictions https://www3.weforum.org/docs/WEF_A_Roadmap_for_Cross_Border_Data_Flows_2020.pdf
consider factors such as the nature of the data
being transferred, the destination country’s data
to be notified when 4
Digital Personal Data Protection Act 2023 Section 16, https://www.meity.gov.in/writereaddata/files/
Digital%20Personal%20Data%20Protection%20Act%202023.pdf
protection laws and practices, and any potential warranted in the
threats to data security or privacy.48
5
Global Data Alliance, “Cross-Border Data Policy Index,”
interests of national https://globaldataalliance.org/resource/cross-border-data-policy-index/
A risk-based approach broadens the scope
of permitted transfers, allowing certain data security, and two, 6
Directorate General of Foreign Trade, Foreign Trade Policy 2023, General Provisions Regarding
transfers to proceed, even where the text of ensuring operational Imports and Exports,
https://content.dgft.gov.in/Website/dgftprod/4f665d2f-20cc-4887-ae6a-5ec912bc0d44/FTP2023_
the laws of the importing country do not satisfy
exporting country’s requirements, so long as stability for businesses Chapter02.pdf
certain conditions are met. This approach is
adopted by the European Data Protection Board
which engage in cross- 7
Financial Action Task Force, High-Risk Jurisdictions subject to a Call for Action - June 2023,
https://www.fatf-gafi.org/en/publications/High-risk-and-other-monitored-jurisdictions/Call-for-action-
(EDPB).49 border data transfers. June-2023.html
In furtherance of our above stated 8
IAPP, “How to prepare for Saudi Arabia’s Personal Data Protection Law,”
recommendation which places emphasis https://iapp.org/news/a/how-to-prepare-for-saudi-arabias-personal-data-protection-law/;
towards implementing international data
on privacy and security as the foremost
transfers. For instance, with the creation of
consideration for transfers of personal data, DLA Piper, Data Protection Laws of the World – Saudi Arabia,
categories of personal data, it may be possible
we recommend that India’s data protection https://www.dlapiperdataprotection.com/index.html?t=authority&c=SA
to craft a spectrum of eligibility for notified
framework must adopt a risk-based approach 9
Personal Data Protection Act 2010 Section 129, https://www.kkd.gov.my/pdf/Personal%20Data%20
jurisdictions. In effect, this would mean that
for data transfers by considering various Protection%20Act%202010.pdf;
while some jurisdictions may be deemed entirely
measures such as retaining a classification of
safe and trusted to transfer Indian residents’
personal data, specifically in the context of DLA Piper, Data Protection Laws of the World – Malaysia,
personal data to, other jurisdictions may not
sensitive personal data. Such classification will https://www.dlapiperdataprotection.com/index.html?t=transfer&c=MY
be deemed safe enough to transfer sensitive
then enable the creation of a graded approach 10
DLA Piper, Data Protection Laws of the World – Algeria,
personal data to.
https://www.dlapiperdataprotection.com/index.html?t=law&c=DZ
11
Hindustan Times, “Looking at the cross-border data flow regime in the DPDP Bill 2022,”
https://www.hindustantimes.com/ht-insight/economy/looking-at-the-cross-border-data-flow-regime-
in-the-dpdp-bill-2022-101680090578675.html

86 | The Future of Data Protection in India: A Roadmap for Regulators Tools and Modalities for Cross-Border Data Flows - A Primer for Policymakers | 87
12 Digital Personal Data Protection Act 2023, Section 16, https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

13 Gwalior Rayon Mills Mfg. (WVG) Co. Ltd. v. Assistant Commissioner of Sales Tax, https://main.sci.gov.in/jonew/judis/6374.pdf

14 Ramesh Birch v. U.O.I, https://main.sci.gov.in/jonew/judis/7960.pdf

15 Office of the United States Trade Representative, Agreement between the United States of America, the United Mexican States, and Canada, https://ustr.gov/trade-agreements/free-trade-agreements/united-states-mexico-canada-agreement/agreement-between; OECD, Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188

16 European Commission, EU-US Data Privacy Framework, https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752

17 U.K. DCMS and DSIT, International data transfers: building trust, delivering growth and firing up innovation, https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers/international-data-transfers-building-trust-delivering-growth-and-firing-up-innovation

18 European Commission, Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal Data in a Globalised World, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2017%3A7%3AFIN

19 Nasscom – Zinnov India GCC Trends Half Yearly Analysis, https://nasscom.in/knowledge-center/publications/nasscom-zinnov-india-gcc-trends-half-yearly-analysis

20 European Commission, Standard contractual clauses for data transfers between EU and non-EU countries, https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

21 General Personal Data Protection Act (LGPD), Article 35, https://iapp.org/resources/article/brazilian-data-protection-law-lgpd-english-translation/; DLA Piper, Data Protection Laws of the World – Brazil, https://www.dlapiperdataprotection.com/index.html?t=transfer&c=BR&c2=

22 European Commission, Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses, https://commission.europa.eu/system/files/2023-05/%28Final%29%20Joint_Guide_to_ASEAN_MCC_and_EU_SCC.pdf

23 European Commission, New Standard Contractual Clauses, https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

24 U.S. Chamber of Commerce, “Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity,” https://www.huntonak.com/images/content/3/0/v3/3086/Business-without-Borders.pdf

25 Information Technology and Innovation Foundation, “The Role and Value of Standard Contractual Clauses in EU-U.S. Digital Trade,” https://itif.org/publications/2020/12/17/role-and-value-standard-contractual-clauses-eu-us-digital-trade/

26 U.S. Chamber of Commerce, “Business Without Borders: The Importance of Cross-Border Data Transfers to Global Prosperity,” https://www.huntonak.com/images/content/3/0/v3/3086/Business-without-Borders.pdf

27 European Commission, Binding Corporate Rules, https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en

28 General Data Protection Regulation, Article 47, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

29 Personal Data Protection Commission (PDPC), Advisory Guidelines on Key Concepts in the PDPA, https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/the-transfer-limitation-obligation---ch-19-(270717).pdf

30 IAPP, “BCRs: ‘Best case route’ or ‘better call reinforcements’?,” https://iapp.org/news/a/bcrs-best-case-route-or-better-call-reinforcements/

31 PWC, Binding Corporate Rules, The General Data Protection Regulation, https://www.pwc.com/m1/en/publications/documents/pwc-binding-corporate-rules-gdpr.pdf

32 European Data Protection Board, Guidelines 07/2022 on certification as a tool for transfers, https://edpb.europa.eu/system/files/2023-02/edpb_guidelines_07-2022_on_certification_as_a_tool_for_transfers_v2_en_0.pdf; EDPB adopts guidelines on certification as a tool for transfers, https://edpb.europa.eu/news/news/2022/edpb-adopts-guidelines-certification-tool-transfers-and-art-65-dispute-resolution_en

33 European Data Protection Law Review, A Risk-Based Approach to International Data Transfers, https://edpl.lexxion.eu/data/article/17963/pdf/edpl_2021_04-010.pdf

34 Personal Data Protection Act 2012, Section 26, https://sso.agc.gov.sg/Act/PDPA2012?ProvIds=P14-#pr13-; PDPC, Advisory Guidelines on Key Concepts in the PDPA, https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/the-transfer-limitation-obligation---ch-19-(270717).pdf

35 Privacy Protection (Transfer of Data to Databases Abroad) Regulations, https://www.gov.il/BlobFolder/legalinfo/legislation/en/PrivacyProtectionTransferofDataabroadRegulationsun.pdf; DLA Piper, Data Protection Laws of the World – Israel, https://www.dlapiperdataprotection.com/index.html?t=transfer&c=IL
36 DLA Piper, Data Protection Laws of the World – Egypt, https://www.dlapiperdataprotection.com/index.html?t=transfer&c=EG

37 DLA Piper, Data Protection Laws of the World – Indonesia, https://www.dlapiperdataprotection.com/index.html?t=law&c=ID

38 ibid

39 Saudi Authority for Data Protection and Artificial Intelligence, Personal Data Protection Law, Article 29(1), https://sdaia.gov.sa/en/SDAIA/about/Documents/Personal%20Data%20English%20V2-23April2023-%20Reviewed-.pdf

40 Saudi Authority for Data Protection and Artificial Intelligence, Personal Data Protection Law, Article 29(2), https://sdaia.gov.sa/en/SDAIA/about/Documents/Personal%20Data%20English%20V2-23April2023-%20Reviewed-.pdf

41 Saudi Authority for Data Protection and Artificial Intelligence, Personal Data Protection Law, Article 29(3), https://sdaia.gov.sa/en/SDAIA/about/Documents/Personal%20Data%20English%20V2-23April2023-%20Reviewed-.pdf

42 DLA Piper, Data Protection Laws of the World – Saudi Arabia, https://www.dlapiperdataprotection.com/index.html?t=transfer&c=SA&c2=

43 Office of the Australian Information Commissioner, Overseas data flows, https://www.oaic.gov.au/engage-with-us/submissions/privacy-act-review-issues-paper-submission/part-8-overseas-data-flows; Baker Mckenzie, International Data Transfer, https://resourcehub.bakermckenzie.com/en/resources/data-privacy-security/asia-pacific/australia/topics/international-data-transfer#:~:text=Yes.,overseas%20disclosures%20rather%20than%20transfers.

44 ibid

45 Dubai International Financial Centre, Data Export & Sharing Handbook, https://www.difc.ae/application/files/6316/6126/5296/DIFC-DP-GL-04_Rev.01_DIFC_DATA_EXPORT_AND_SHARING_HANDBOOK.pdf; DLA Piper, Data Protection Laws of the World – Dubai, https://www.dlapiperdataprotection.com/index.html?t=transfer&c=AE2

46 DLA Piper, Data Protection Laws of the World – Indonesia, https://www.dlapiperdataprotection.com/index.html?t=law&c=ID

47 European Commission, EU-US Data Privacy Framework, https://ec.europa.eu/commission/presscorner/detail/en/qanda_23_3752

48 European Data Protection Law Review, A Risk-Based Approach to International Data Transfers, https://edpl.lexxion.eu/data/article/17963/pdf/edpl_2021_04-010.pdf

49 IAPP, “EDPB’s data transfer recommendations adopt a risk-based approach with teeth,” https://iapp.org/news/a/edpbs-data-transfer-recommendations-adopt-a-risk-based-approach-with-teeth/

CONCLUSION

The first part of this report (Part 1) delved into three key regulatory dimensions of the data protection framework in India: personal data breaches, consent managers, and cross-border data transfers. The research and analysis brought forth emphasize that the Digital Personal Data Protection Act 2023 may have set a baseline structure for regulating these aspects of data protection; however, delegated legislation through rules and notifications will establish the practical implementation standards.

On personal data breaches, an examination of data protection laws and breach reporting requirements across jurisdictions reveals that adopting a risk-based approach to personal data breach reporting and notification is crucial to ensuring a governance mechanism which assures both effective compliance and meaningful information sharing with regulators and data principals. Across jurisdictions, through laws, guidance, and academic study, there is broader consensus that a risk-based approach in the context of personal data breaches could entail numerous interventions: defining personal data breaches clearly, identifying a threshold beyond which breaches are reportable/notifiable, adopting a phased approach to reporting data breaches, and outlining the information to be shared with data principals or the concerned supervisory authority in a manner which aligns with the overarching regulatory intent.

An evaluation of prevalent industry practices in consent management and existing frameworks for consent managers across segments in India sheds light on several key ambiguities that delegated legislation will need to address to operationalise the consent manager framework established by the DPDPA 2023. Ensuring interoperability, accountability, and transparent functioning of consent managers will be key to the functioning of consent managers in tandem with existing platforms used by data fiduciaries to manage the consent lifecycle internally.

Finally, the last section of this report on cross-border data transfers acknowledges the liberal approach to international data flows adopted under the DPDPA 2023. In a thriving digital economy that serves as a hub for provision of digital services, ensuring secure and efficient transfers of data is key to achieving economic growth. However, there remain some key elements of the cross-border data transfer framework which will have to be clarified through rules and notifications for a practicable implementation of the Act. This includes defining criteria and processes for notification of territories which are to be included in the list of restricted jurisdictions, as well as ensuring a viable transition period after changes are made to such notified jurisdictions.
Data Security Council of India (DSCI) is a premier industry body on data protection in India, setup
by nasscom, committed to making the cyberspace safe, secure and trusted by establishing best
practices, standards and initiatives in cybersecurity and privacy. DSCI brings together governments
and their agencies, industry sectors including ITBPM, BFSI, telecom, industry associations, data
protection authorities and think-tanks for policy advocacy, thought leadership, capacity building
and outreach initiatives. For more info, please visit www.dsci.in

DATA SECURITY COUNCIL OF INDIA


Nasscom Campus, Fourth Floor, Plot. No. 7-10, Sector 126, Noida, UP - 201303

+91-120-4990253 | [email protected] | www.dsci.in


All Rights Reserved © DSCI 2023
