
Draft Digital Data Protection Rules: A Departure to ‘Data Localization’

Vaibhav Singh Tiwari

[Vaibhav is a student at Dharmashastra National Law University, Jabalpur.]


It is often said that “data is the oil of the 21st century”, reflecting its importance in this complex world. The data explosion is the story of the 21st century, and the volume of data is expected to reach 180 zettabytes by 2025. Data is also becoming a crucial part of our economic structure, complemented by the rapid expansion in machine learning, automation, and artificial intelligence. The global digital economy will reach 16.5 trillion USD and capture 17% of global GDP by 2028. India is set to become a 1 trillion USD digital economy by 2028, driven by its digital initiatives, unique innovations like the Unified Payments Interface, and a large consumer base.


This boom in the digital economy has brought attention to data protection for securing sensitive information. Almost 137 countries around the globe have adopted national data protection laws. The KS Puttaswamy judgment of 2017 laid the foundation of the privacy regime in India by declaring the “right to privacy” part of the fundamental right under Article 21. India adopted its most comprehensive digital personal data protection act in 2023, based on major regulatory developments like the EU’s General Data Protection Regulation (GDPR). India recently came up with its draft digital data protection rules, providing the regulatory framework for digital data protection. Rule 12(4) and Rule 14 of the draft propose certain restrictions on cross-border data sharing, which are subject to government restrictions. The proposed draft rules have again sparked the debate of “data localization vs. ease of doing business”.


This article analyses the draft data protection rules, focusing especially on the compliance requirements for cross-border data sharing and how they can complicate business operations, and suggests the changes required in the provisions of the notified draft. The article concludes that there is a need for certain defined criteria for the free transfer of data across borders.


Understanding the Draft Digital Data Protection Rules on Cross-border Data Transfer


Since India adopted its national law on digital data protection in 2023, there has been anticipation for a comprehensive regulatory framework to facilitate the implementation of legislation. While the rules provide some clarity over its implementation, they lack clarity on compliance requirements for cross-border data transfer. In this section, we will understand the compliance requirements for significant data fiduciaries (SDFs) on cross-border data transfers and how the government has changed its approach to imposing larger restrictions over cross-border data transfers in the notified draft rules.


Digital Personal Data Protection Act 2023 on cross-border data transfer


The recently released rules could be seen as a departure from the earlier position on cross-border data transfer. Sub-section 1 of the Digital Personal Data Protection Act 2023 (DPDP Act) provided for the free transfer of data to any geographical unit except those countries expressly declared by the government as “blacklisted countries”. Sub-section 2 of the statute provides that if any sectoral regulator has provided a higher degree of protection or restriction on the cross-border transfer of data by any data fiduciary, such sectoral regulation will prevail over the DPDP Act. The statute provided these two specific restrictions on the free transferability of data across borders.


The draft rules on cross-border data transfer


Rule 14 and Rule 12(4) of the recently released draft rules restrict the cross-border transfer of data by bringing in some possible data localization requirements. The rules put certain requirements on SDFs over the transferability of certain classes of personal data and traffic data. Rule 12(4) empowers the government to set up a committee that will specify what “certain class of data” would be subject to restriction, while Rule 14 provides the measures to ensure that data does not get transferred to a foreign state or entity. The rules do not clarify what these “certain classes of data” would be, thus increasing the challenges of compliance for SDFs.


The stance on cross-border transfer was not very clear in the DPDP Act. However, Section 16(2) still seems clearer than the rules. The recently released draft rules have made cross-border transfer much more government-centric.


Cross-Border Data Sharing: A Challenge for Business Operations


The lack of clarity over the classification of data that will be subject to restriction under rules 12 and 14 of the draft poses several challenges for business operations. It would increase the compliance burden for businesses, could disrupt the businesses of companies relying on third parties, and could potentially conflict with the requirements of foreign law. The challenges that businesses will face under these requirements are explained below.


Increase in cost of compliance


There is no clarity over what kind of data will be subject to the restrictions imposed by rules 12 and 14. This would require businesses to segregate data into sensitive and non-sensitive personal data. This would certainly mean that the cost of compliance for businesses would rise, as it would entail additional auditing, operational, and regulatory complexities, ultimately hampering the cause of “ease of doing business”.


Lack of clarity over “classes of data”


As explained earlier, there would be certain “classes of data” whose transferability would be subject to the recommendations of a government-formed committee. There is no clarity over which type of data would be subject to restriction. This would give excess power to the government, with a vast scope of authority, to regulate the free transferability of data.


Challenges for businesses relying on third parties


Third-party vendors hold large amounts of sensitive data, which is transferred to facilitate enterprises such as cloud service providers and outsourcing firms. The restrictions would ultimately increase the compliance burden on the third party, thus limiting its outsourced operations. Constraining these firms from using tools that have servers outside India would also disrupt operations, leading to inefficient delivery of services to consumers. This will create impediments to the successful operation of consumer-based businesses.


Potential clash with foreign law


Data fiduciaries may also face challenges in reconciling these rules with their obligations under foreign laws. Certain foreign laws mandate the sharing of such data as per their policy regulations. US law, under its recent Reforming Intelligence and Securing America Act (RISAA), mandates that its companies share the data of foreign countries with its intelligence agencies. This has escalated the long-standing legal battle between the US and EU over cross-border data sharing and resulted in the collapse of the US-EU Privacy Shield in the Maximillian Schrems judgment. The Indian regulation could also find itself on a similar trajectory, potentially leading to a legal battle and hampering diplomatic ties.


Global Practices over Transferability of Data across Borders


EU’s GDPR


Adequate transfer


The EU’s data protection regime, the GDPR, allows the free transferability of data across borders subject to an “adequacy decision” as mentioned in Article 45 of the GDPR. The “adequacy decision” allows the transfer of data across borders provided that the country or international organization ensures an adequate level of protection for personal data and for data subjects’ rights and freedoms.


Standard contractual clauses (SCC)


The European Union also provides SCCs as a medium for the cross-border transferability of data to those countries that do not have the same level of data protection as the EU. The SCCs are pre-approved legal contracts that ensure that data transferred to another country also complies with the protection level of the EU’s GDPR.


United Kingdom


After Brexit, the UK adopted its own mechanism for cross-border data transfer in the form of an International Data Transfer Agreement (IDTA) under the UK’s GDPR. The IDTA is a legal contract that requires the data importer country to meet protection standards equivalent to the EU’s GDPR.


United States


Unlike any other jurisdiction, the US does not provide a single framework for cross-border data transferability; instead, it adopts a sectoral approach. The US governs the data transfer regime through various federal laws like the Gramm-Leach-Bliley Act and the HIPAA Privacy Rule. The US approach to data transfer is not very restrictive; rather, it provides for a smooth transfer of data, allowing businesses to easily transfer data without facing any legal hurdles.


These are some practices followed worldwide for the cross-border transfer of data while also ensuring the protection of personal data.


Way Forward for India


There is a lack of clarity over the “classes of data” which would be restricted, and this would create confusion as there is no clarity over what the restrictions are. The more sustainable approach here would have been for India to adopt the sector-specific approach mentioned in Section 16(2) of the DPDP Act to override the general permissions for cross-border data transfer. This would have allowed businesses to segregate data according to sector-specific categories. There is also confusion among stakeholders regarding the possible interaction between the localization requirements under sectoral laws mentioned in Section 16(2) of the DPDP Act and the SDF restrictions on the cross-border transferability of data. The government needs to create a flexible balance between them so that different views are not taken under different applicable legislations.


India should also learn from the best global practices that would be suitable for the Indian landscape. The EU’s “adequate transfer” is more stringent in its approach to promoting “data localization”, where non-compliance with safety standards exposes businesses to risk, while the US’s approach is more business-friendly, promoting smooth transferability of data. India should take reference from these practices and implement a balanced approach that is business-friendly while also not compromising personal data. This increases the responsibility of the committee proposed under the draft rules to take these situations into account while levying any restrictions.


Conclusion


The Indian data protection regime is at a very nascent stage and requires answers to some regulatory gaps. There is a lack of clarity over the data transfer that comes with the proposed draft rules, and it requires thorough consultation before implementation. The draft rules have been notified to bring more clarity for implementing the DPDP Act, but they have brought some burning questions before the stakeholders. This has sparked the debate over their impact on “ease of doing business”. The larger restrictions create larger impediments to business operations. The proposed draft rules have shifted towards “data localization”, which will bring larger scrutiny and compliance for SDFs. This marks a departure from the earlier scheme of the Act, which provided clear criteria for data transfer. Thus, there is a need to provide certain criteria for the transfer of data, ensuring the protection of personal data as well as smooth business operations.


©2025 by The Indian Review of Corporate and Commercial Laws.
