India's Personal Data Protection Bill should ease the restrictions on transfer of sensitive and critical personal data outside India so that businesses in India do not suffer, the Data Security Council of India (DSCI) and US-based Centre for Information Policy Leadership (CIPL) proposed in their report on cross-border data flows between India and the US. The report instead offered "less trade-restrictive" alternatives to the current provisions of the Bill. These include specific bilateral agreements between India and USA, and certifications that would require less oversight for such transfers. DSCI is a trade body on data protection that was set up by NASSCOM. CIPL is a think tank housed within the American law firm Hunton Andrews Kurth LLP. It focusses on global privacy and security. This report, which also cites CIPL's comments to the Joint Parliamentary Committee that is currently deliberating upon the PDP Bill, intends "to inform the Joint Parliamentary Committee’s review of the PDPB as well as Indian Government officials working on a potential future trade deal with the US". What does the Bill say about cross-border data flows? Through Sections 34 and 35, the PDP Bill places significant restrictions on transfer of sensitive and critical personal data outside India. For transfer of sensitive personal data, the transferring entity must have explicit consent of the user for such a transfer. In addition, the transfer has to be made under a Data Protection Authority-approved contract or intra-group scheme, or after getting permission from the central government to transfer the data…
