Date: 2023-11-08

“When you look at data transfer policies, what you want is predictability because it’s very challenging to change an architecture based on a particular sector or law that comes up or something like in this particular case of the DPDP act, a power that the government withholds to restrict data transfer to a particular country without any guardrails or without any mention of why that particular restriction would be made applicable. So, that’s the challenge in the current scenario,” Venkatesh Krishnamoorthy from BSA | The Software Alliance said, discussing the provisions regulating cross-border data flows under the Digital Personal Data Protection Act (DPDP Act, 2023) at MediaNama’s annual conference PrivacyNama.

Under Section 16 of the DPDP Act, the government has the power to restrict personal data transfers to a country. “Would the transfer be restricted to a particular country based on privacy violation norms or personal data safeguard? Or would it be based on other considerations, say whether geopolitics or other security considerations?” Krishnamoorthy said, adding that these challenges cannot be addressed by the IT industry.

Intersections between cross-border data flows and AI:

“If you restrict the amount of data an AI [artificial intelligence] system can take in, it’s going to be challenging to get accurate results. So, this is something, for example, in the healthcare space, we could see it play out. If you look at a particular data set, say, which is personal data or anonymized personal data, and the genetic base is quite limited to a particular geography or a country or a community, that particular result can only be applied in that area, maybe not even in that area,” Krishnamoorthy said, speaking about the impact cross-border data flow regulations can have on AI accuracy. Krishnamoorthy said that while he believes that there is a need for regulating high-risk AI, “cross-border data transfers will be critical for getting accurate results and making sure that what is being given to the user is useful to them.”

Vivek Abraham from Salesforce added to this by saying that language learning models like ChatGPT have a hive structure, just like how memory gets stored in a person’s brain. “There is no defined memory [space], there is no disk number, there’s no byte space or anything like that, that you can say, okay, here is where the outcome of this AI is residing in this particular [location],” he explained. As such, he said, localizing this data can be a challenge. “The only other option is you stop bringing such products to India, or anywhere else which has such strict laws because it is an expensive proposition to run individual instances,” he mentioned.

This discussion was organised with support from Meta, PhonePe, Google, and Salesforce, and in partnership with CUTS and the Centre for Communication Governance.

How are companies reacting to the uncertainty surrounding cross-border data flows?

“I can tell you from a Salesforce perspective, we are not really reacting as of now. We are waiting for things to fall as they were,” Vivek Abraham from Salesforce said. He explained that there is no confirmation on what the criteria for the blacklist would be, and whether it will be open to changes or just one plain list. “The sense that we have from various discussions and reports everywhere around the internet is that most of the G20 countries should be okay for us to transfer data to and it should not impact a lot of our business processes,” Abraham added.

Fellow speaker Bhavna Sharma from PricewaterhouseCoopers (PWC) agreed with Abraham’s outlook on waiting for the government to formulate rules and said that companies “do not need to worry about because government is very much favoring the industry. They are not coming up with an unreasonable timeline that you have to adhere in six months or you have to adhere in three months or so.”

How do companies currently store and segregate data?

Abraham said that this varies from company to company, depending on the risk appetite of the business. “I think if you’re a company or an Indian company with a low-risk appetite, and typically this would be companies closer to the government or in the public sector or storing seemingly sensitive data, they are already looking to move their data in the country in anticipation of the localization requirements,” he explained, adding that companies with a higher risk appetite try and play within the gaps of the legislation.

Speaking about Salesforce, Abraham said that it “provide[s] mechanisms to the companies to decide which law applies on which piece of data at the field level. So, for example, if there is a piece of data which is resident on a particular server, you can decide that, let’s say, CCPA [California Consumer Privacy Act] or GDPR [General Data Protection Regulation] or the DPDP applies on it, depending on where the data is and how it is being accessed.” He explained that if a company using Salesforce’s services brings in data from the EU, which does not pertain to any Indian citizens, it would ensure that the data complies with GDPR law.

Principles needed to regulate cross-border data flows:

Bhavna Sharma pointed out that the government takes a principle-based approach to regulating any tech-related sector. “So, they are clear that they have to take up the principle-based approach where they will be putting up the principles in the main act and they will be regulated by rules. A similar approach has been taken for cross-border data flows as well,” she said. Sharma mentioned that the DPDP Act already has seven principles and according to her, it needs to consider some principles as well—

Non-discriminatory treatment: First, she said that there should be no discrimination among the countries when the government is deciding whether they should be on the blacklist or not. “There has to be well-defined rules [to ensure uniform treatment, including] criteria regarding consent mechanism, transparency, accountability and all other aspects specifically for cross-border data flows,” she said, adding that there should be a focus on other countries’ law to ensure non-discrimination. To explain it further, she gave the example of the Schrems II judgment in the EU. “What has happened there, the CJEU [Court of Justice of the European Union] has invalidated the privacy shield among EU and US. Why? Because US had certain surveillance programs that were not keeping the EU citizens’ data protective enough that was required as per the adequacy standard. And that is why it was invalidated. So, I would say that we have to have certain ground norms that has already been followed in the countries and [on their] basis that we have to set up our standards that are actually practical and can be easily operationalized,” she said.

Data responsibility: Sharma explained that data responsibility refers to the due diligence requirements that companies have to comply with. “We can see under IT rules, we have so many obligations as due diligence requirements on data fiduciary and intermediary. Similarly, we should have it [due diligence requirements] for data fiduciaries and significant data fiduciaries [under the DPDP Act] as well.”

Data localization: She went on to speak about data localization (which falls under the data responsibilities of companies), suggesting that while she isn’t in favor of it, there should be partial data localization. “One first and foremost thing that we need to do for this, the Indian government should do, is categorization of data. That is, again, not there in the Act. Because for data localization, we have to have server located in India. If we are having this requirement in India, then it has to be only for very sensitive data, that is the critical data,” Sharma explained.

Data resilience: “We have to tell the industry regarding what may be the steps that have to be taken when there are technical failures, when there are cyber-attacks or any breaches that are occurring. For this, I would say that there has to be redundancy and backup plans. There have to be recovery plans. There has to be residency policies that have to be adopted by the industry,” Sharma said.

Finally, she mentioned that blacklisting would not be a one-time process and would instead keep evolving based on circumstances. She further suggested that the rules regulating cross-border data flows should set out the grounds on which the government would deny data transfers to certain regions/countries.

How do the exemptions for government under the act impact cross-border data flows?

Under the DPDP Act, 2023, the government can exempt processing (and seemingly transfers) for government ‘instrumentalities’, such as those in the interest of India’s sovereignty, integrity, security, foreign relations, and public order, or to prevent inciting a cognizable offense. When asked how cross-border data flows will be impacted by these exemptions, Sharma said that such powers are not a new thing. “The practice of surveillance power was there in India since 1885,” she said, mentioning that the Telegraph Act, 1885, Section 69 of the IT Act, the Unlawful Practices Act and the Prevention of Money Laundering Act all give the government the same powers. “So, I have not seen that these laws have restricted any country to not to choose India as their point of destination [for data processing].”

Sharma added that in the past ten years many companies such as Oracle, Amazon Web Services (AWS), Salesforce and TCS have opened data centers in India. “There’s so many data centers open in the recent times in Mumbai and Pune and in many other states. So, we cannot say that these laws at any time restricted the private industry from opening their centers,” she said. She also mentioned that now that India has a privacy law in place, it will, “strengthen the already existing law, the whole mechanism of surveillance, it will give rights to the citizens now. Before we didn’t have very vocal rights, but now citizens have their rights regarding the surveillance and other things as well.”

How India can make itself an attractive data processing hub:

“I think one small recommendation that we’ve been making to not only the state governments and the Indian government here, but globally is that look, data will eventually flow to places where it is more efficient, more cost-effective for it to store. So, if India wants localization of data, you need to make it more cost-effective and more efficient to store it in [the] country,” Abraham suggested.
