India’s Personal Data Protection Bill should ease the restrictions on transfer of sensitive and critical personal data outside India so that businesses in India do not suffer, the Data Security Council of India (DSCI) and US-based Centre for Information Policy Leadership (CIPL) proposed in their report on cross-border data flows between India and the US. The report instead offered “less trade-restrictive” alternatives to the current provisions of the Bill. These include specific bilateral agreements between India and USA, and certifications that would require less oversight for such transfers.
DSCI is a trade body on data protection that was set up by NASSCOM. CIPL is a think tank housed within the American law firm Hunton Andrews Kurth LLP. It focusses on global privacy and security. This report, which also cites CIPL’s comments to the Joint Parliamentary Committee that is currently deliberating upon the PDP Bill, intends “to inform the Joint Parliamentary Committee’s review of the PDPB as well as Indian Government officials working on a potential future trade deal with the US”.
What does the Bill say about cross-border data flows?
Through Sections 34 and 35, the PDP Bill places significant restrictions on transfer of sensitive and critical personal data outside India.
For transfer of sensitive personal data, the transferring entity must have explicit consent of the user for such a transfer. In addition, the transfer has to be made under a Data Protection Authority-approved contract or intra-group scheme, or after getting permission from the central government to transfer the data to an entity. To approve a contract or intra-group scheme for such transfers, the DPA would have to ensure that the user’s rights are protected and liability for non-compliance is accounted for within the contract/intra-group scheme. When the central government allows such a transfer to an entity, it has to ensure that adequate protection is given to the data. Sensitive personal data includes 11 categories of data (such as health data, financial data, biometric data, etc.) and allows the central government to add more categories as it deems fit.
Transfer of critical personal data is allowed only in cases of provision of health or emergency services, or where the central government has concluded that transferring to a particular entity meets adequate data protection standards and will not undermine India’s security and strategic interests. Critical personal data has not been defined under the Bill.
The report has issues with three elements of Sections 33 and 34:
- Requirement to continually store a copy of sensitive personal data in India
- Obligation to obtain explicit consent to transfer sensitive personal data outside India
- Restrictions around as yet undefined critical personal data
Continuous storage of sensitive personal data in India will disrupt operation of fiduciaries, processors
CIPL and DSCI say that the local storage requirement for sensitive personal data would “severely disrupt” the operations of both data fiduciaries and processers as it would:
- Prohibit the use of technology that relies on distribution of data: This includes cloud computing, data analytics, and AI/ML (Machine Learning) operations. This would then undermine Indian organisations’ competitiveness compares to their global counterparts.
- Lead to creation of redundant storage systems: Cloud services tend to centralise data so that organisations can serve multiple markets without having separate and redundant storage systems in each jurisdiction. Local storage requirement would create redundant storage systems that “would raise costs, disrupt business processes and create information security risks”, as per the report.
- Prohibitive costs for local and foreign SMEs: The local storage requirement could “effectively act as a barrier to market access for SMEs and startups”. Foreign companies may ultimately stop serving Indian customers because of the prohibitively high costs of creating redundant storage systems.
- Compromise data security: Concentrating storage systems in India would create additional points of vulnerability and prevent portioning of sensitive data across global servers. Distributing servers across the world helps businesses preserve continuity of business in the face of hackers and natural disasters.
- Create complex conflict of laws situations: Local data storage requirement for sensitive personal data could come in conflict with other laws such as the GDPR, including holding data longer than necessary or using data for purposes other than the ones specified at the time of data collection.
Obligation to obtain explicit consent to transfer sensitive personal data outside India
The report calls this requirement to obtain explicit consent of the user along with transfer mechanisms such as “contracts, intra-group schemes and adequacy findings” “an outlier” among global data protection laws. For instance, under the GDPR, explicit consent is required only when a transfer cannot be made after the other country’s privacy laws have been found inadequate and the individual has been informed of the risks of transfer, as per the report. Canada, too, as per the report, decided against requiring consent for cross-border transfer of data.
The report lists the following problems with requirement of explicit consent:
- Consent does not give users additional protection: Requiring consent on top of a contract, intra-group scheme or adequacy finding does not necessarily give users additional protections because such mechanisms already “impose separate and clear obligations to protect the data”.
- Makes users think that there is something wrong/risky with cross-border transfers of data: The report calls such consent confusing as it could mislead people into thinking that there is “something inherently risky or wrong with such transfers”. This is problematic in a global digital economy where provision of multiple products and services is contingent upon cross-border data transfers.
- Too many consent requests for the user: This would increase the consent requests a user gets, thereby diluting the effectiveness of consent in situations where it would actually be meaningful.
- Unnecessary burden for data processors and fiduciaries: To implement mechanisms to seek consent for transfer of sensitive personal data, data fiduciaries and processors would have to bear substantial costs. It could also disrupt existing mechanisms that were put in place to comply with common approaches found in other global data protection laws.
- Not feasible to get consent for every transfer: This could be because the organisation does not have a direct relationship with the user whose data is being transferred, a common occurrence in provision of services related to fighting financial crime, as per the report.
Definitions in the Bill are not set in stone
The lack of predictability around what are sensitive and critical personal data is of concern to CIPL and DSCI.
- Definition of sensitive personal data may expand: The Bill allows the central government to add more categories of personal data to sensitive personal data, thereby creating uncertainty for Indian and global organisations.
- Critical personal data is not defined: This lack of definition creates “considerable uncertainty” as entities prepare to implement its rules.
- Critical personal data can be transferred outside only under exceptional circumstances: Critical personal data can currently be transferred only to deal with emergency services, or where such a transfer would not affect strategic and national security interests of India.
Recommendations by CIPL and DSCI
- Negotiate new bilateral, multilateral agreements for transfer of critical personal data: To prevent the economic cost of localisation of critical personal data, the report proposes that India should negotiate bilateral agreements such as Mutual Legal Assistance Treaties (MLAT) or data access agreements under US CLOUD Act or under specific agreements. This way, Indian law enforcement agencies would be able to get prompt access to crucial data necessary for investigations without compromising on the economic benefits that arise from cross-border data flows. For US, the report recommends the following options:
- Bilateral agreement with the US FTC: The report has proposed that the Indian Data Protection Authority (DPA) could enter a binding enforcement cooperation agreement with the US Federal Trade Commission (FTC) under the US SAFE WEB Act of 2006, or a memorandum of understanding.
- Multilateral agreement via APEC: The report has also warned that it is “highly unlikely” that the US will enter bilateral agreements such as the now struck down EU-US Privacy Shield, or the currently-under-reconsideration Swiss-US Privacy Shield. The US has instead been signalling its support for multilateral solutions such as the APEC CBPR (Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules).
- Include certifications in codes of practice: The Bill, under Section 50, does not specify if codes pf proactive include both codes of conduct and certification schemes. The report argues that including both would help the Indian law become interoperable with other global privacy regimes.
- Include codes of practice and certifications as mechanisms to permit transfer of sensitive personal data: The report proposes that such mechanisms should also be recognised along with intra-group schemes and contracts. This would help with data flows between India and the US and should be designed in such a way that they are “interoperable with certification schemes of third countries”. “Achieving such interoperability could involve considering the APEC CBPR, GDPR certifications and codes of conduct, or certain elements of the now defunct EU-US Privacy Shield Framework in building India’s own certifications,” the report states.
- Define a compliance period, scrap non-personal data: NASSCOM, DSCI on Personal Data Protection Bill
- #NAMA: DSCI’s Rama Vedashree on how the Personal Data Protection Bill affects cloud service providers
- #NAMA: PDP Bill needs to address issues around adequacy
US-UK Data Access Agreement, signed on Oct 3, is an executive agreement under CLOUD Act