- Whitelisting of countries for personal data transfers may imply that the remaining countries are blacklisted
- Indian government may adopt a two-tier approach when notifying countries for personal data transfers
- Indian regulators’ differing approaches to data localisation may conflict with the Indian government’s
- Unclear whether the Bill considers remote access of data to be a cross-border data flow
The whitelisting approach to cross-border data flows in the draft data protection law indicates that the government will provide a list of countries to which companies can transfer data, remarked a speaker at the Cross Border Data Flows session at MediaNama’s Reworking the Data Protection Bill event held on December 8th in New Delhi. For the remaining countries there appears to be a blanket prohibition on data transfers, they inferred.
Released last month, the draft Digital Personal Data Protection Bill, 2022 (DPDP Bill), contains only one single-sentence provision on cross-border data flows. Section 17 states that cross-border transfers of personal data will be permitted to countries notified by the Centre. How these countries will be selected, or on what terms these transfers will be allowed, is yet to be prescribed.
Why it matters: India is a global destination for data processing. As a result, India’s position on cross-border data flows, which it will implement in the coming years, is going to shape what happens for data flows across the world, said Udbhav Tiwari of Mozilla speaking at MediaNama’s Bangalore discussion on the Bill held on December 14th. Tiwari was joined by Nehaa Chaudhari of Ikigai Law for the session.
The DPDP Bill marks a significant departure from the three previous iterations of India’s privacy law, which instead proposed detailed provisions for cross-border transfers of ‘sensitive’ and ‘critical’ personal data. They also explicitly recommended data localisation of specific data types—a policy that drew the ire of companies and governments alike.
The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until December 17th, 2022. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed.
How and when will countries be notified?
On what basis will countries be notified?: The Sensitive Personal Data or Information Rules, 2011, had a basic test to determine when transfers are allowed: they must be to countries that ensure the same level of data protection as that adhered to by the data collector, observed a speaker at the Delhi event. But Section 17 doesn’t frame any such test, they added.
Another speaker questioned how the word “trusted” will be interpreted when it comes to notifying countries. The government may be thinking of equivalence, they surmised. It would be helpful for practitioners to get clarity on these issues through codified guidance, they added.
The lack of guardrails describing the terms and conditions of notifying “trusted” countries is problematic, said another speaker.
Does whitelisting trusted countries imply blacklisting others?: The whitelisting approach indicates that the government will provide a list of countries to which companies can transfer data, said a speaker at the Delhi event. For the remaining countries, there appears to be a blanket prohibition on data transfers, in their reading.
Section 17 doesn’t necessarily imply a blacklisting approach, argued Tiwari at the Bangalore event. The provision had been drafted as vaguely as possible to give the government maximum leeway and discretion over frameworks for cross-border data flows. Whatever framework it comes out with will not be a one-page document only whitelisting six countries. That would be crippling to India’s role in the global technology ecosystem and also impractical to reasonably enforce, he added.
Rules will most likely be enacted under the law a few years later, hypothesised Tiwari. The government will use an executive framework under them to define the criteria according to which cross border data flows can take place, he said. Whether these will contain references to data localisation is hard to say, he added.
Speaking at the same event, Chaudhari disagreed, arguing that a whitelisting approach implies de facto data localisation.
Notification process can cause “diplomatic chaos”: There are 200-230 countries in the world, and notification evaluations for each could end up being a long exercise, said a speaker at the Delhi event. The process could also result in some diplomatic chaos. If the government develops a positive list of countries, then it’s a mammoth exercise. If it develops a negative list, it’s suddenly calling out countries and telling them they don’t trust them.
When will the government notify ‘trusted’ countries?: A speaker at the Delhi event pondered if cross-border data flows would be blocked if the government doesn’t come up with a list of notified countries the day the law is enacted. One interpretation is that it may notify countries so that the status quo of transfers doesn’t get hampered, they added.
The status quo for data flows is likely to prevail until the Indian government notifies countries, said Tiwari at the Bangalore event.
It’s unlikely that the government will enforce Section 17 on a date without having given thought to the list of whitelisted countries, said Chaudhari speaking at the same event. Until the section is notified into law, the status quo may prevail. Some data localisation requirements are already imposed by different sectoral regulators which might continue to operate.
Regulatory conflicts may complicate notification: Intersectoral coordination may also affect how countries are notified, added a speaker at the Delhi event. Different sectoral regulators like the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) have their own data storage provisions. Suppose the government says 180 countries are trusted for cross-border data transfers, how will the RBI justify that it does not allow certain data to be processed outside of India, they asked.
Will sensitive and critical personal data re-appear in future rules?: There is scope for subordinate legislation introducing concepts of sensitive and critical personal data, said a speaker at the Delhi event. The Indian government may look at certain sectors dealing with types of sensitive data. In that case, can the rules lead to a situation where the Indian government lets the RBI or health authority define trusted countries for their own purposes? It may not be that once one country is notified all kinds of data will flow freely between it and India. It could be much more complex.
Notification may follow a two-tiered approach: The government may whitelist certain countries where data can be transferred without additional security safeguards or technical measures, said a speaker. For countries that are not whitelisted, the data may be transferred according to terms that may be specified. These terms could be similar to the risk assessments private parties are already doing. This indicates that notification could be more of a two-tier approach.
National security may be considered while notifying countries: Some of these factors are relevant, said a speaker at the Delhi event responding to an audience question on whether the government will consider data transfers for law enforcement and national security while notifying countries. This requires going back to which of these are essential from a privacy and data protection perspective, they added.
India’s approach to cross border data flows is also tied up with its strategic interests and trade objectives, said Chaudhari speaking at the Bangalore event. “This is a huge bargaining chip when you’re negotiating international treaties that you don’t want to let go of,” she said. “The government has been concerned about how it will access data abroad for law enforcement purposes, in addition to the level of protection that Indian citizens’ or residents’ data will be subjected to abroad. They may take this into account when coming up with the white list.”
Security-related agreements with the United States under the CLOUD Act may not be relevant here, said Tiwari at the same event while responding to a question on whether India is now better positioned to negotiate agreements with the US under the law. The Act seeks to improve “procedures for both foreign and U.S. investigators in obtaining access to electronic information held by service providers”. The questions in the CLOUD case are on how the Indian police can request data in the US faster, argued Tiwari. That’s a distinct question from cross border data flows because it doesn’t deal with what the US can do with our data once it is in their territory.
Deemed consent could shape cross border data flows: There is no compulsory need to take a data principal’s consent before transferring data overseas, said Chaudhari at the Bangalore event. This is unlike previous versions of the bill that had these provisions. Under the draft law, it is likely that data fiduciaries may look at the deemed consent clauses and see if it can be reasonably expected that the principal has consented to overseas transfers too. Speaking at the same event, Tiwari recommended consent being one of the mechanisms according to which data collectors should be allowed to send data abroad under the forthcoming rules.
Does the law apply to breaches during cross border data flows?: Whether the draft law will be applicable to breaches during cross border data flows depends on different factors, explained Chaudhari at the Bangalore event. The processing activity could be taking place in India, for example. The Data Protection Board may exercise jurisdiction depending on the recipient country’s law. But, if a company is based in India and a breach has happened on its watch, it is likely that it’ll have to inform the Board.
What are the larger implications of Section 17?
Section 17 currently runs the risk of being redundant: The idea of Section 17 is that the Centre may notify certain countries that data can be sent to, indicating there is a baseline for data protection, said a speaker at the Delhi event. There are two ways of interpreting this. One is that there is no obligation, as there is no separate prohibition in the current Bill saying that companies can’t send data abroad. If read this way, the Bill is simply saying that data fiduciaries can send data to countries they could anyway have sent data to. As per legal interpretation this is a redundancy; there is a principle of interpretation which holds that no redundant clause can be put into a statute. The question is how the clause can be saved from being redundant.
There are two ways of addressing this, the speaker explained. The first is that the Bill implies there is in fact a blanket prohibition on sending data anywhere; then the provision makes sense. The second is that the Bill says the clause only applies when there are some sectoral prohibitions. This is a very narrow interpretation of what the clause is supposed to do. These are the only two ways in which a court can make sense of the clause.
Bill’s stance on remote data access is unclear: Accessing data remotely through a VPN service is also considered to be cross-border processing by some EU data protection regulators, said a speaker at the Delhi event. If someone is viewing this data from the US, but the data is physically stored here, then that is also cross-border processing. The speaker wasn’t sure about how this would be interpreted under the DPDP Bill.
There are questions with remote access where India can take the lead, said another speaker. For example, if data is remotely accessed vis-à-vis data actually going to a server in another country, does it present the same level of risk? Or should remote access have a lower threshold of data protection?
DPDP Bill need not impact adequacy with other countries: Adequacy is a two-pronged dialogue, said a speaker at the Delhi event in response to an audience question on how the bill deals with adequacy. One prong is the case of foreign data being processed in India. The question here is why should India want adequacy with the EU, they probed. Is it because India is unable to attract data processing customers with our current law? This doesn’t seem like a good enough reason, because India processes a lot of EU data, argued the speaker. So if looked at from the point of view of adequacy being impacted, there is no evidence that it is being broken.
Even when the EU looks at adequacy, it looks at what are the country’s laws, whether they provide a similar level of protection, and whether they’re a democratic society, among other things, the speaker continued. There’s another thing that they look at: which is how these laws are implemented.
NASSCOM studied Indian laws which enable access to foreign citizens’ data, explained the speaker. These were narrowed down to 40 laws, which had provisions for access to anyone’s data. Of these, three problematic laws were identified. First, the Code of Criminal Procedure (CrPC), because it doesn’t require a warrant to access information. Then there was the telecom law, and then the Joint Parliamentary Committee’s 2021 version of the data protection law due to its provisions on government access to data. Despite these laws, based on experience, there doesn’t seem to be a problem with adequacy, argued the speaker. The question of the government deciding that it wants to peer over a data processor processing Europeans’ data in India is a problem, they conceded. But, it’s one that should ideally be addressed not just for the foreign data, but for the country’s citizens too. Checks and balances are required for government access to data.
Another speaker added that looking towards the United Kingdom (UK) may help address adequacy concerns. Currently, the UK is trying to ease its own laws without losing adequacy with the EU. If that works, India’s benchmark need not be the GDPR, but could be the kind of laws being brought in by the UK.
Will the Bill open a Schrems II-like challenge?: Given that EU citizens’ data is processed in India, the GDPR does apply, said a speaker at the Delhi event responding to whether the law’s provisions on the Indian government’s access to data can pre-empt a Schrems-like privacy challenge to data transfers between India and the EU. This is reflected in the standard contractual clauses included in the contracts with the data processor.
The GDPR also allows the third country processing the data to ask for data for legitimate purposes, the speaker continued. What the industry in India does is keep security logs in escrow. When law enforcement agencies ask for access, they notify the data controller and provide access. This system works well. The idea that the “big daddy” Indian government will “willy-nilly” ask for data from a processor to snoop and surveil people has not been visibly borne out, the speaker argued. That’s what the EU also recognises.
Another speaker rebutted this argument, arguing that the DPDP Bill leaves scope for widened government access to data in the future, if not now.
The first speaker responded that this should be addressed at a horizontal level by better ring-fencing government access to data for all citizens. The kind of data processing in India is also different, they argued. It is mostly B2B, so in most cases, the data processors are not profiling the individual or selling goods and services to them. Data processors in India are simply processing the data that the external data controller has asked them to do. The associated harms of profiling are not applicable or relevant to that extent. Coming to Schrems II, the US had different standards of data protection for foreign citizens, it actually allows law enforcement agencies to access foreign citizens’ data with reduced safeguards, they argued. India doesn’t have different standards for different people. Whether these standards are good or bad is a matter of debate, but they are applied horizontally. So the Bill need not cause a Schrems II-like problem, they concluded.
Another speaker added that according to the DPDP Bill, if a US-based data fiduciary is processing the data of an Indian citizen for profiling or sale of goods and services, it is under the full force of the law. In such cases, it is necessary to consider when India’s laws may be incompatible with the laws of the country where the data is being processed.
Schrems-II challenge possible for transfers to most countries: Realistically, a hypothetical challenge to surveillance could play out in the United States, Australia, or any other country, said Tiwari at the Bangalore event. “There is no government in the world with a law that says the data of foreign citizens in its territory will follow a different legal process than what its own agencies follow. That is simply too much of a breach of sovereignty for any government to necessarily agree to,” he argued. A best-case scenario to avoid a challenge may be the executive agreement on cross-border data flows signed between the US and the EU, Tiwari noted. A new court is being set up under it where EU citizens can challenge US law enforcement agencies.
Can Schrems-II-like challenges be filed against private contracts?: Chaudhari was unsure of how to frame such a legal challenge as it would be against a private contract. “Right now, the recourse is that citizens can say the State acted in a particular way that led to a breach of the fundamental right to privacy. That’s the way the Puttaswamy judgment, and everything that flows from it is structured.” An argument, in this case, could be that because the State failed to safeguard citizens’ data from foreign surveillance, the fundamental right to privacy has been breached, she added. That issue is the same thing that Section 17 tries to address—by whitelisting countries the government has deemed safe.
Is Section 17 an improvement from past Bills and what could have been done differently?
Non-compliance is an unintended consequence of past regimes: Was classifying personal data into sensitive and critical really providing protection, or just adding another layer of protection, asked a speaker at the Delhi event. There are two ways of looking at it. The first is when a user consents to a data fiduciary transferring data outside. What capability do they have to make an assessment that ensures informed consent? The result is they randomly say yes or no to every transfer, said the speaker. The second perspective is from the industry’s perspective. Companies want to avoid non-compliance with the data protection law—but that would have been a huge unintended consequence of the data classification regime. They don’t know in which cases data is sensitive, and for critical data, they don’t know what the category actually is, explained the speaker. Removing these provisions has definitely eased the baseline of cross-border data flows, they believe.
Motivations for the provision unclear: One of the motivations here is probably leveraging India’s huge data sources, said a speaker at the Delhi event.
It’s curious as to why the government has dropped data localisation provisions, observed another speaker, especially after its statements on data being the new oil and batting for data sovereignty. These provisions have not been thrown out, rebutted another speaker, adding that the provision indicates data localisation is the starting point of Section 17.
In the EU, the data fiduciary enables compliance: Currently, Section 17 puts everything into one scheme: the Indian government will notify countries and that will be the way forward, said a speaker at the Delhi event. Another way of thinking about this issue is looking at the European Union’s (EU) approach.
Even when it regulates a data importer, the EU relies on standard contractual clauses, they explained. There are two broad themes within this. One is the country risk assessment, which the EU does not do; it leaves that to the data fiduciary. With the DPDP Bill, the Indian government has taken the view that it will do the country assessment itself. Second, the EU imposes obligations, including supervisory access, on the data importer. That could have been a nice way of thinking about it, they pondered. In this system, there are standard contractual clauses and binding corporate rules, and obligations are placed on the data fiduciary to address the regulator’s concerns. It is the data fiduciary who is responsible for enabling compliance with the law, they concluded.
India is a powerful global stakeholder, can balance interests: Cross-border data flows are about geopolitical power, and about the value a certain country brings to the global technology ecosystem, argued Tiwari at the Bangalore event. “In India’s case that value exists quite clearly,” he added. “It’s the reason that data localisation was opposed as strongly as it was by players because they knew this was not a country where they could choose to simply not comply.”
India needs to ensure that its positions on these issues are achievable and serve its interests as best as possible, Tiwari argued. “That does not mean letting data go anywhere, but neither does it mean coming up with a blacklist approach.” The draft law further presents an opportunity to develop rules that give India what it wants with regard to cross-border data flows, he added. It is also a chance for the Indian government to cooperate with different stakeholders to form rules that balance interests better than previous versions of the law did.
Note: The headline was updated on December 14th, 2022 at 2:58 PM for clarity; the article was updated with key takeaways on December 15th, 2022, at 6:14 PM; the article was updated with comments from the Bangalore event on December 17th, 2022, at 5:45 pm.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.