- Government approval for cross-border data transfer creates an unnecessary bottleneck, can affect the ease of doing business in India
- Excessive power to the government has weakened adequacy
- Data localisation requirements could lead to reciprocal actions and fragmentation of the internet
- There is a lack of clarity in transfer rules for non-personal data
- Exempting certain companies through notifications can lead to data abuse and creates uncertainty
Speaking at MediaNama’s Decoding India’s Data Protection Bill event held on January 19, Prasanto Roy, Public Policy Advisor; Ashish Aggarwal, VP & Head of Public Policy at NASSCOM; Jyotsna Jayaram, Partner at Trilegal; Rahul Sharma, Founder of The Perspective and Grade Ace; Sijo Kuruvilla George, Executive Director at ADIF; and Nikhil Pahwa, Founder and Editor of MediaNama discussed the provisions related to cross-border data transfer and data localisation, and criticised the provisions for being too restrictive, burdensome, and lacking clarity, while recommending measures to address some of these issues.
This discussion was organised with support from Google, Flipkart, Meta, and Star India, and in partnership with ADIF.
Issues around the approval of cross-border data transfers
1. Government approval for each transfer creates an unnecessary bottleneck: “The government has clearly said that central government and DPA can reject the data transfer if it is not in the public policy or state policy, which means that they’re looking to approve each and every kind of transfer. Why would DPA want to do that? Why would a central government want to approve each kind of intergroup scheme also, just the scale and size of this would create a very unnecessary bottleneck for everybody,” Aggarwal said.
2. Not clear when the DPA has to consult the government for approving data transfers: According to clause 34, cross-border transfers made pursuant to a contract or intra-group scheme can be approved by the DPA in consultation with the government, but it is not clear when the DPA has to go through this consultation, Roy remarked. Do they have to do it for each contract? Roy asked.
3. Concerning that government can view all confidential contracts: It’s concerning that confidential contracts are not just reviewed by the DPA but also the government, Roy said.
“In the absence of any sort of clarity, I would sort of not try and preempt that this means that each organisation specific contract needs to be submitted. Because like you pointed out, that’s disastrous. It has commercial and confidential information, it has various other aspects that technically do not even need to be examined for the purposes of a cross border transfer.” – Jyotsna Jayaram
4. Ease of doing business depends on capacity, resources, and independence of DPA: George said that if the government has a technology-enabled methodology for approval then it might be a seamless process but otherwise it becomes very cumbersome and onerous and will hurt ease of doing business in the country. This will depend on how much capacity, resources, and independence the DPA has, George said.
“The DPA will probably play as significant a role as RBI does in the economy, right. Because data is going to be one of the biggest tools so to speak, be it market dominance, be it competition. So that is the kind of significance DPA as an organisation is going to get. So over a period of time, the trust and faith in the DPA, not just by people in the country, but also by global counterparts also, will be one of the biggest significant factors.” – Sijo George
5. Denying contract approval on grounds of state and public policy is subjective and broad: The latest version of the Bill says that a transfer based on a contract or intra-group scheme will be rejected if it is against public policy or state policy. Commenting on this, Jayaram said that it brings a lot of subjectivity and is misplaced because there is no benchmark for what these terms will be taken to cover. Meanwhile, Sharma explained that the clause makes sense when looked at in the context of how the government previously banned apps from China for being against state policy.
“I just fear that if they don’t like the look of your contract, or what you want to do, it could just be against state policy.” – Jyotsna Jayaram
- Model contracts: “Model contracts seem to be the most sort of seamless option, because you put a template out there, it’s non-negotiable and everybody just folds it into practice,” Jayaram said. Currently, the Bill just says the DPA will issue a code of practice in relation to cross-border data transfer and doesn’t really throw light on how that will generate model templates, Jayaram explained. But if it wants to emulate the GDPR, which it appears to be trying to do because intra-group schemes and contracts are the equivalents of GDPR’s BCRs and SCCs, then it should provide model contracts, Jayaram said.
“The way that GDPR does it is BCRs are in fact internal policies that organizations can develop and then submit it to the authority which is still not the government in that sense, to be able to sort of just have it approved. And the other option is SCCs, which is a model contract, and those provisions are non-negotiable, and that’s published by the Data Protection Authority.” – Jyotsna Jayaram
- Have consultations for the codes of practice: Jayaram hoped that there will be consultations with the DPA in framing the codes of practice and the guidance that follows on how each of these compliance requirements needs to be met.
- Negative list of countries: Instead of making every contract liable to scrutiny for whether it is against state or public policy, Aggarwal and Pahwa recommended restricting transfers to particular countries by having a negative list. “In a 200-country world, if your problem is 150 countries then you have some other problem beyond data. If it is 10 countries you have a problem with, blacklist them or negative list them and go on and build adequacy with your large trading partners,” Aggarwal said.
- Strong, independent DPA: There should be a concerted effort and political resolve on the part of the government and administration to strengthen the DPA.
“All of our anxieties will be tied to how we see [the DPA] functioning, so even specific to this particular case of actually taking approvals for each and everything. The nomenclature that they develop, the standard operating procedure developed will determine how complex and complex it’s going to be.” – Sijo George
- Do away with central government consultation: Jayaram recommended that the requirement for the DPA to consult the central government should be dropped, because transfer tools already have guardrails embedded in them.
How does the Bill affect adequacy?
1. Excessive power to the government has weakened adequacy: Aggarwal pointed out that by allowing the state to process data for any purpose without consent under clause 12 and by allowing the government to exempt any agency under clause 35, the Bill has weakened adequacy. The earlier version at least required that the processing be specific, lawful, and clear, but this has been removed, Aggarwal said.
2. Can we satisfy the Schrems II requirement? According to the Schrems II ruling, all data that comes from the EU to India needs to undergo a transfer impact assessment. Jayaram asked whether we can demonstrate that all of the essential guarantees are actually upheld, so as to satisfy the requirements of EU standards. “I was hoping that an omnibus legislation of sorts would enable us to be able to make a demonstration, but it may not actually be so,” Jayaram remarked.
3. What is the essential equivalence being granted when it comes to adequacy: Citing the example of the EU, Sharma explained that even though the GDPR applies to all member states, each country has its own laws when it comes to the processing of certain data with respect to national security. “In that context, in that varying degree, what essentially is an essential equal or an adequacy which is being guaranteed,” Sharma asked.
“India and EU in their last joint statement, which was released earlier in July or June 2020, expressed their desire to conclude or have a dialogue on reciprocal adequacy, wherein India recognizes EU as adequate, and EU recognizes India as adequate […] So the provisions for adequacy need to be spelled out, like what do we actually mean when we talk about adequacy? What is the government actually looking at?” – Rahul Sharma
4. Data localisation by itself does not affect adequacy: Sharma explained that data localisation alone does not impede the adequacy decision by the European Union because the EU itself has many data localisation requirements. “What they’re concerned about is how the data which has been transferred to India, through the data exporters in EU, how is that protected under legal provisions? And whether the citizens will have a right to recourse? What will [happen] if a data breach happens? What are the liabilities that can be associated? Does the country have an independent functioning DPA? And how is that enforced?” Sharma elaborated.
5. Bill is dividing up the internet based on geographic boundaries: The Bill is not looking at cross-border data flows as a global value chain and is instead dividing up data and the internet based on geographical boundaries, Jayaram opined. “On the one hand, they want data to be in India for the purposes that they’ve been citing time and again. And on the other hand, they’re saying if it has to go out of India and these are what we believe are the guardrails that need to be in place,” Jayaram said.
- Find a balance: The government can find a balance between data protection and national interest without it affecting cross-border data flows, Aggarwal opined.
- More extensive deliberation and consultations: “The JPC has done a good job, it has expanded the scope, it has reinvented a lot of things. It has also opened a Pandora’s box, a lot of issues. And we are still trying to address the problems of the past, but not exactly looking at how do we make a law for the future. And that I think requires more extensive and deliberate consultation. And I hope that the government sort of takes that into account,” Sharma said.
- Look at data localisation and cross-border data flow separately: We should look at data localisation separately from cross-border transfers; for the latter there are several other frameworks that enable the free flow of data while still allowing for digital innovation and contribution to the global value chain, Jayaram said.
“Even India as a country, like I’ve been saying the footprint that we have, or the place that we have in the global ecosystem is something that can definitely be changed if we move into some more, whether it’s bilateral, multilateral or other alternative parallels through which a free flow of data can actually be mediated.” – Jyotsna Jayaram
Ramifications of data localisation
“So if you look at the first part of the JPC [report]. I think the fact that it’s basically saying bring the data home, even like the data which is already gone, it makes it very difficult to take that first part of the JPC report seriously on that count. Similarly, something like you know, storing data in India would encourage more data centers in India, it’s clearly like missing the woods for the trees, and therefore, you can’t really build an argument out of that.” – Ashish Aggarwal
1. Data localisation could lead to reciprocal action and fragmenting of the Internet: Roy wondered if the data localisation mandate will result in reciprocal action from other jurisdictions and fragmenting of the internet as we know it. He gave the example of how RBI tested the waters with financial data and asked if we can now expect that level of hard data localisation in every sector.
“What we’ve seen in payments is the way it’s structured, that data has to be stored only in India, data has to be deleted after T plus 24. A number of card companies have been banned because of differences of view about when exactly data has been deleted and so on. So effectively the only way for them to operate is actually more processing on soil in India. And that is probably the direction we’re going to see across all sectors where this applies to sensitive personal data and/or critical personal data.” – Prasanto Roy
2. By focusing on data localisation, the focus on transfer tools and adequacy has been neglected: From an industry perspective, we want to highlight that the Bill assumes storage of data in India is going to be the solution for data protection, Aggarwal said. Because of this, the focus on transfer tools and on strengthening adequacy has been lost, even though these would have served the dual goals of privacy protection and better cross-border data flow, Aggarwal explained.
- Implement a data governance strategy for the nation: “What we lack in strategy, I think we are trying to implement through laws. So I think the first step would be towards defining and laying down a data governance strategy for the nation,” Sharma said. If we have the base document right, then what different sectoral regulators do will be more coherent, he added.
“Right now, it seems like it’s very ad hoc and we are trying to address some problems that we face through legal provisions, some through different means. There is no structured flow of coherency in policymaking. So having a national security strategy, having a data governance strategy at the national level, and then combining different aspects to it, I think that will be a very [helpful].” – Sharma
- Consider alternatives proposed in the consultation process: Jayaram pointed out that earlier in the consultation process a fair number of alternatives to data localisation were proposed, such as the APEC Cross-Border Privacy Rules (CBPR), which provide privacy safeguards while also allowing us to derive the economic benefits of data.
- Trim down data localisation: Jayaram recommended that the government trim down on specific data sets that it wants retained in India rather than have all data localised.
Classification of personal data needs more clarity
1. No clarity on what is sensitive and critical personal data: The Bill is very expansive and there is no certainty on what sensitive personal data really is because the government can notify additional data sets as sensitive data sets and we also still don’t know what critical personal data is, Jayaram said.
“From a compliance perspective a lot of it is still up in the air, there’s a lot to navigate. Even just isolating these datasets [sensitive and critical] from others are capabilities that everybody needs to build in.” – Jayaram
2. We have mixed up sensitive and important personal data: “We have mixed up sensitive with important, so official identifier is not sensitive, financial information is important, but not sensitive,” Aggarwal remarked. All health data is not sensitive, patient ID, for example, Aggarwal added. This has brought about an additional burden on cross-border data transfers, Aggarwal said.
3. Rules for non-personal data and personal data that is not sensitive or critical are unclear: What are the requirements of transfer of personal data that are not classified as sensitive or critical, Sharma asked. Other global laws all talk about the transfer of personal data in general not specific types of data, Sharma said. Furthermore, the JPC has brought non-personal data under this Bill, so what transfer rules and conditions apply to this category of data, Sharma asked.
4. What if mapping data becomes sensitive or critical personal data? While mapping data of services like Google Earth and Google Maps is right now not classified as sensitive personal data, what if at some point it becomes part of sensitive or critical personal data, Pahwa asked.
“There is a fair amount of personal [location] data which is collected for personalization. Examples like, you parked here last time or you visited this place two years ago last etc. So, therefore, if you strip that PII, then it becomes NPD, which will also be governed, but if you don’t strip the PII it is possibly sensitive or critical personal data. So I understand there is significant concern among the mapping providers.” – Prasanto Roy
- Clarification on rules for non-personal data and other personal data: The government needs to clarify what cross-border transfer rules apply to other personal data and to non-personal data, Sharma suggested.
“[Clause 34] may seem like a great fit, but it leaves a lot of questions unanswered, and you know that is something that we need to look forward, and we need to have more clarity on what are the conditions for transfer of personal data, who can make rules for that? What are the conditions for transfer of non-personal data? Can the state governments or the central government sign agreements with other agencies or foreign governments for transfer of certain data?” – Rahul Sharma
- Reconcile provisions of Data Protection Bill with other sector-specific regulations: Jayaram explained that as part of the geospatial guidelines there is already some data that requires localization if it is above a certain accuracy threshold or if it contains sensitive attributes. “So I think this is a great example of how we have to reconcile what the Data Protection Act is going to bring in and these other restrictions that exist,” she said. “Given that every sector is in some form or the other being regulated, it’s really important to see how we’re going to be able to read all of this together. I think geospatial, telecom, all of that is something that has to be read together, when you look at the framework and what an organization really can do with their data flows,” Jayaram added.
Why exemptions to certain companies might pose a problem
1. Exemptions to companies under clause 37 can result in the mushrooming of a data abuse industry: According to clause 37, the government can exempt certain classes of data processors who receive data from outside the country for processing, such as IT-BPM services companies working under a contractual agreement with a data controller outside India. The rationale is that the contract with the outside data controller already specifies the need for protecting data, what actions follow if the data is breached, and so on, Sharma explained. “But a flip side to that is if the contracts are exempted, then we might see a sort of mushrooming of certain kinds of processing which might not be legal under Indian processing laws. However, the IT-BPM services companies may be required to perform those services under the guise of legitimate contracts. And that could result in mushrooming of a data abuse industry,” Sharma said.
“The honorable prime minister talked about India becoming a data powerhouse. But we should also take care that India does not become a hub for global data abuse through processing.” – Rahul Sharma
2. Exemptions hurt Indian exports and adequacy: Aggarwal said that there is no need for such exemptions because there should not be any differential treatment when it comes to processing foreign data. “It is doing these two things. One you’re hurting Indian exporting by not carving out these exemptions up front, and second you are potentially undermining the adequacy also because you are creating a space for exemption which can be also viewed from the fact that the foreign data may not enjoy the protection which it supposedly should,” Aggarwal explained.
3. Issuing exemptions through notifications results in a lack of long-term clarity and stability: Because the exemptions that the government can issue under clause 34 will come through notifications, there is no longer-term policy clarity or stability, Aggarwal pointed out.
- Come up with a clear exemption policy upfront: Instead of case-by-case exemptions, Aggarwal suggested that we come up with a clear policy upfront on what will be exempted. He gave the following examples:
“For example, if you’re processing foreign data, and it includes biometric data, and if the parent law allows it, then why would you restrict that in the Indian law, right, so that has to be provided upfront. Similarly, the fact that state exemptions they shouldn’t apply to the processing of foreign data in India. Provision requiring sharing of foreign NPD to the government, that shouldn’t apply. Continued storage requirement of SPD, that provision as far as processing of foreign data in India shouldn’t apply. Similarly, Indian data processors should not be required to get the DPA or the central government approval, if they are transferring the data back to the parent or the data controller overseas.” – Ashish Aggarwal
What changes do you want in the Data Protection Bill from a company’s perspective? Do leave a comment.