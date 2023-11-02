“There was a joint statement at the leaders meeting of India and the leaders of the EU in 2021 that has made clear that the EU and India will work on enhancing convergence between our regulatory framework,” Bruno Gencarelli, Head of the European Commission’s International Affairs and Data Flows unit said discussing the provisions for cross border data flows under the digital personal data protection Act (DPDP, 2023) at MediaNama’s annual PrivacyNama conference. He mentioned that India was also a signatory to the EU Indo-Pacific joint declaration on privacy and the protection of personal data in February 2022 that highlights, “the scope of data protection laws and the overarching data protection laws, the role of data protection authorities, [and] the transfer mechanism.”

Gencarelli also spoke about how the EU has submitted during the legislative process of the DPDP Act and has observed the outcome of the process with interest. He observed that for the moment, India has chosen to exempt incoming data from most data protection rules containing the Act. Further, he said that the act, “closes certain possibilities in terms of using certain instruments on the EU data protection laws, may open others. That’s why we are very much looking forward to further developments.”

Need for a wider range of data transfer methods to be allowed under the DPDP law:

“Our experience is that to be really adapted to the diversity of the digital economy, the diversity of destination, the diversity of business models, a modern data protection regime should have a broad toolbox in terms of transfer methods,” Gencarelli said. He gave the example of model contract clauses and said that those are the number one transfer mechanism used by EU-based companies/ foreign companies exporting data from the EU.

“More and more jurisdictions are adopting that instrument, including many in different regions of the world, Latin America, but also the Asia-Pacific area including, for instance, what the ASEAN Association,” he said. Gencarelli also added that multiple countries adopting model contract clauses leads to the possibility of “bridging these different approaches to facilitate the lives of companies active in multiple jurisdictions.”

“Companies find variances in jurisdictions or variances in regulatory structures also very difficult to manage. What may be sensitive in India may not be sensitive in the EU and vice versa. And that’s very difficult to manage when you have a global system when you have customers that span across different countries. And suddenly, when you go across one border, the rules completely change,” Vivek Abraham from Salesforce, said at the conference, adding to Gencarelli’s argument about the need for the need for similar regulations across jurisdictions. “You cannot pass down all these costs to the end consumer. And essentially, that becomes a burden to everyone. It impedes innovation. It impedes a lot of other things which are desirable in the ecosystem, and not necessarily a good outcome for anybody involved,” he mentioned.

EU’s stance on data localization:

“Data localization has never been part of the DNA of EU data protection laws. We have al[ways], I’m not saying that it’s always easy, but we have always believed that we can both protect data and be open to flows,” Gencarelli said. “And we are reconfirming that with a very strong commitment in our approach to digital trade chapters in our FTA [free trade agreement], which this approach tries to sort of mark that dividing line between, on the one hand, genuine data protection laws where the regulatory autonomy of each party should be respected.”

Speaking on behalf of Salesforce, Abraham made a similar argument. “The simplistic view is, coming from Salesforce, is that we don’t like any localization restrictions. We would like everything to be free-flowing. And from our perspective, that is the ideal state in terms of cybersecurity, legal restrictions, anything,” Abraham added. He explained that localization is not required to achieve cybersecurity objectives, “there are incidents on air-gapped systems as well. There are incidents on distributed systems as well. You cannot really prove one way is better than the other. It all boils down to the implementation at the end of the day.”

Gencarelli pointed out that at the current stage, the EU is the only region to fully prohibit data localization in its trade agreements. “Growing the dividing line between genuine data protection and unjustified obstacles to digital trade. This was very important,” he explained. He said that discussions on data localization are currently taking place in Geneva in the framework of the World Trade Organization (WTO). “This is a very important and not a very important international conversation, and an area where there is a clear need for international standards and an area where we are certainly looking forward to deepen[ing] our partnership with our international partners,” he added.

Advice on the future of cross-border data flows:

“There are many mechanisms, the EU ways, SECs [European Security Certification Framework], BCRs [Binding Corporate Rules], and other adequate level[s] of protection towards already in EU. Or there are APEC [Asia-Pacific Economic Corporation]CBPR [Cross Border Privacy Rules] kind of certification mechanisms as well. So, those are suggestions that we give to governments across the world to adopt. So, promote cross-border data transfers through legislations. Use, leverage these mechanisms wherever is there,” Venkatesh Krishnamoorthy from BSA | The Software Alliance said during the conference when asked to give recommendations to governments in India, the US, and the EU on regulating cross-border data flows.

“I think we [different countries] have different models. There’s no one size fits all models, but I think there is increasing understanding that we need common rules of the day on responsible use of that [set of rules],” Gencarelli suggested. He also pointed to the need of having a strong regulator for cross border data flows, stating that such a regulator could, “concentrate on what really matters, which is equipping stakeholders, businesses with compliance tools.”

