India will seek ‘adequacy’ status with EU’s General Data Protection Regulation (GDPR) after it passes its own Personal Data Protection Bill, reports the Economic Times. If granted the adequacy status, it will mean that EU and India recognise each others’ privacy protection regulations along with reducing compliance burden in cross-border data transfers and help the outsourcing and technology industry in attracting clients from Europe, according to the report.
EU has granted adequacy status to 14 countries so far
Article 45 of the GDPR has a provision that allows transfers of personal data to countries outside the Europe if these countries are found to ensure an adequate level of data protection. The adoption of an adequacy decision involves:
- a proposal from the European Commission
- an opinion of the European Data Protection Board
- an approval from representatives of EU countries
- the adoption of the decision by the European Commission
According to the GDPR, the Commission’s adequacy decision could be limited to specific territories or to more specific sectors within a country. It also envisages that the European Commission would review its adequacy decisions at least every four years. It is also worth noting that adequacy status can be repealed, amended or suspended without retro-active effect.
Japan and the EU commission signed a similar deal in January this year that allowed for the free flow of personal data between the two economies on the basis of strong protection guarantees. Apart from Japan, the EU has agreed to a similar arrangement with 13 other countries: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework).
But where is India’s data protection bill?
India can only approach the EU for an adequacy status, once it has its own data protection law in place. When Ravi Shankar Prasad was inducted into the Union Cabinet in the second term of PM Modi’s government, he had said that “In IT, we will try to quickly get the data protection bill to the Parliament”. But the bill wasn’t introduced in the Parliament’s just concluded Budget Session.
In fact, he informed Rajya Sabha on July 25 that the submissions made to the Justice Srikrishna committee – as part of a public consultation – will not be made public. He said submissions made by any entity are “confidential” and meant for examination by the Committee. However, technocrat and former UIDAI CEO Nandan Nilekani, seems to know about the status of the data protection bill. He said that the bill was in the the “draft mode” and will take a general view that data localisation policy can be managed by individual regulators.