Comprehensive general data protection legislation for India has been eagerly awaited since the Supreme Court declared privacy as a fundamental right in Justice K.S. Puttaswamy vs Union of India. In December the Joint Parliamentary Committee (“JPC”) presented its report on the Personal Data Protection Bill, 2019 (“2019 Bill”), after almost two years of deliberations. It proposed nearly 90 drafting and 90 substantive changes to the 2019 Bill and also proposed the draft of the Data Protection Bill, 2021 (“2021 Bill”). These changes include language which could affect cross-border data flows both under approved “standard” contractual clauses, and under data adequacy decisions. Recent reports indicate that the 2021 Bill is being considered for further revision, and this should be a key area of focus.
Cross-border data flows are of the essence to modern international trade and commerce. Restrictions, or uncertainty, on these flows can impede transactions (such as outsourcing) and investments (in data businesses). As a country which is a global locus for both, India needs to balance the needs of sovereignty with enabling business.
Localisation comes in several flavours, and certain forms are more easily complied with than others. For instance, “soft” localisation, such as requiring that copies of sensitive personal data be available within India, mainly means additional cost and infrastructure. “Hard” localisation, however, such as the prohibition on export of undefined “critical” personal data under the 2021 Bill, can require re-architecting business processes or stop data flows entirely.
Under the 2019 Bill, sensitive personal data (which includes financial, health, and biometric data) could be sent outside India under a contract or intra-group scheme approved by the Data Protection Authority (“DPA”). This is a familiar mechanism internationally (such as under Europe’s GDPR) and significant volumes of cross border data flows are enabled under “standard” contractual clauses which data regulators approve.
The JPC, however, has added an additional gate to this “channel” and required that no such contracts or intra-group schemes be approved where the objective of the data transfer is against ‘public policy’ or ‘state policy’. In essence, this means that the DPA cannot prescribe or approve any “standard” clauses or schemes, and that it will need to look at the objective of each set of data transfers before approving them.
Alternatively, the DPA could indicate that a particular set of transfers, even where they were done under “standard” clauses, stand invalidated (retroactively) because they were found to violate public or state policy.
Either means an added element of uncertainty, and subjectivity. It also creates the spectre of “case-by-case” approval which may result in delays or post facto penalties which can create business disruption.
Another important way in which data transfers occur globally is between countries that have approved transfers between each other, such as the EU and Japan. This form of “data adequacy” decision, often taken reciprocally, and after much negotiation and evaluation, is a key enabler of corridors for international trade.
Here too, the JPC has recommended an additional condition by requiring that sensitive personal data, once transferred under this route, will not be “shared with any foreign government or agency” without approval. This is not only difficult to implement, but goes against the principle that data is being exported to a “trusted” jurisdiction, with adequate data protection measures.
It is possible to have certain, predictable, and practical means to enable international data flows while maintaining sovereign control over data and the value it represents. One hopes that the next round of updates to the 2021 Bill will find a better balance than the current one.
Anubhuti Garg, Associate, also contributed to the article.