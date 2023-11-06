wordpress blog stats
What is the impact of sectoral regulation of cross border data flows on companies? #PrivacyNama2023

Experts discuss challenges posed by the dual regulation on cross-border data flows — one at the sectoral level and the other by the Digital Personal Data Protection Act.

Published

As per one of the provisions regulating cross-border data flows under the Digital Personal Data Protection Act (DPDP Act,2023), the Indian government has the power to restrict personal data transfers to a country. Further, it also says that any current laws in India that provide a higher degree of regulation on cross-border data flows will continue to be applicable alongside the Act. But how will these dual regulations affect businesses?

Arindrajit Basu, from the Center for Internet and Society, while moderating a session on such provisions during the 2023 edition of MediaNama’s annual conference PrivacyNama, pointed out: “We are in a phase now where we have very specific provision [on cross border data flows] in the data protection [law]. We are also in a phase where the various sectoral notifications that are equally important when considering compliance for businesses, such as the RBI [Reserve Bank of India] directive [on data localization], have been there for quite some time. So, I think it’s really time to both reflect and to think through what the existence of these provisions mean for businesses.” Basu was moderating the session on cross-border data flows and asked the session’s speakers about the challenges posed by the dual regulation on cross-border data flows — one at the sectoral level and one by the Digital Personal Data Protection Act.

Different regulators have different priorities:

Venkatesh Krishnamoorthy of BSA, The Software Alliance pointed out that sectors such as healthcare and finance have a hodgepodge of regulations. This uncertainty of regulation leaves companies with the challenge of creating a product that both “takes care of sensitive data, and also complies with all the regulations that [the product] fit[s] in. So, this is going to be a big realm of challenge,” he explained.

“Let’s be very clear that the overarching DPDP Act looks only at privacy, whereas the sectoral regulators’ understanding of privacy is going to be extremely different,” he said.  He gave the example of healthcare providers who may be concerned about cross-border flows of not just personal data but other kinds of data which they will define through DISHA [Digital Information Security in Healthcare Act] or any other healthcare regulations.

Fellow speaker at the conference, Vivek Abraham from Salesforce also highlighted the differing priorities of regulators saying that each of them has different powers and different sensitivities. “And I think all of this plays into how they [regulators] come up with certain regulations, right? I think it is important to understand that, look, there is a system out here where we are all trying to achieve the same objective,” Abraham shared.

He expressed that for regulators to effectively manage data flows they have to “work with industry, you have to work with the general society to ensure that you have a functioning, clean system, right? And unless you come down to that level, you’re always going to be in a situation where you are trying to play catch up.” 

Challenges posed by differing sectoral regulations:

Krishnamoorthy highlighted that the DPDP Act has two conflicting provisions. “[Section 17 on cross border data flows says] if there are higher restrictions already applicable in any other law, that will prevail. And 38 says, in case of conflict, this [the DPDP Act] will, so it is not entirely clear how this would pan out.”

However, he did point out that this act takes precedence when it comes to privacy issues. “I’m sure the rules might address them [the conflicting provisions], but I just wanted to flag that this is for privacy. The other regulators are not mandated to take care of privacy,” he added. 

You can watch the discussion here:

This discussion was organised with support from Meta, PhonePe, Google, and Salesforce, and in partnership with CUTS and the Centre for Communication Governance.

