(1) The sensitive personal data may only be transferred outside
India for the purpose of processing, when explicit consent is
given by the data principal for such transfer, and where—
(a) the transfer is made pursuant to a contract or intra-group
scheme approved by the Authority in consultation with the Central
Government:
Provided that such contract or intra-group scheme shall not be
approved, if the object of such transfer is against public policy or
State policy and unless it makes the provisions for—
(i) effective protection of the rights of the data principal
under this Act, including in relation to further transfer to any
other person; and
(ii) liability of the data fiduciary for harm caused due to
non-compliance of the provisions of such contract or intra-group
scheme by such transfer; (***)
(b) the Central Government, after consultation with the
Authority, has allowed the transfer to a country or, such entity or
class of (***) entities in a country or, an international
organisation on the basis of its finding that–
(i) such sensitive personal data shall be subject to an
adequate level of protection, having regard to the applicable
laws and international agreements; (***)
(ii) such transfer shall not prejudicially affect the
enforcement of relevant laws by authorities with appropriate
jurisdiction; and
(iii) such sensitive personal data shall not be shared with any
foreign government or agency unless such sharing is approved by
the Central Government:
Provided that any finding under this clause shall be reviewed
periodically in such manner as may be prescribed; or
(c) the Authority, in consultation with the Central Government,
has allowed transfer of any sensitive personal data or class of
sensitive personal data necessary for any specific purpose.
Explanation.- For the purposes of this sub-section, an act is said
to be against “public policy” or “State policy”, if the said act
promotes the breach of any law or is not in consonance with any
public policy or State policy in this regard or has a tendency to
harm the interest of the State or its citizens.
(2) Notwithstanding anything contained in sub-section (2) of
section 33, any critical personal data may be transferred outside
India, only where such transfer is—
(a) to a person or entity engaged in the provision of health
services or emergency services where such transfer is necessary
for prompt action under section 12; or
(b) to a country or, any entity or class of (***) entities in a
country or, to an international organisation, where the Central
Government has deemed such transfer to be permissible under
clause (b) of sub-section (1) and where such transfer in the
opinion of the Central Government does not prejudicially affect
the security and strategic interests of the State.
(3) Any transfer under clause (a) of sub-section (2) shall be
(***) informed to the Authority within such period as may be
specified by regulations.