The Digital Personal Data Protection Bill, 2022 And The GDPR: Cross Border Data Flow

A. WHAT DOES CROSS-BORDER DATA FLOW MEAN?

Cross-border data flow refers to the movement of personal or sensitive data from one country to another, either through physical transfer of storage media or through electronic transmission over the internet or other network. This can include the transfer of data for business purposes, such as when a company operates in multiple countries, or for other reasons, such as when a person travels with their data-enabled devices.

The cross-border flow of data can raise legal, privacy, and security concerns, as different countries may have different regulations and protections for data, and the transfer of data across borders may increase the risk of unauthorized access or mis-usage. As a result, many countries have implemented laws and policies to regulate cross-border data flows, including restrictions on what types of data can be transferred, under what circumstances, and with what level of protection.

B. IMPORTANCE OF CROSS-BORDER DATA FLOW IN CONTEMPORARY WORLD

Cross-border data flow is increasingly important in today’s globalized world, where information and commerce are often conducted across borders. Some of the key benefits and importance of cross-border data flow include:

· Facilitation of international business: Cross-border data flow is crucial for the functioning of international trade and commerce. Companies can use data to make informed decisions, manage supply chains, and communicate with customers and partners around the world.

· Advancement of technology: The flow of data across borders is also important for the development and implementation of new technologies, such as cloud computing, artificial intelligence, and the Internet of Things. These technologies rely on the ability to transfer data between countries to operate effectively.

· Improvement of public health and safety: Cross-border data flow can play a crucial role in improving public health and safety by enabling the sharing of important health and safety information between countries. For example, data on infectious diseases can be quickly shared between countries to help contain outbreaks and prevent their spread.

· Protection of individual rights and freedoms: Cross-border data flow can also help protect individual rights and freedoms by enabling people to access information and resources from around the world. For example, individuals can use the internet to access information on health, education, and political issues, and to participate in online forums and discussions.

C. Cross-Border Data Flow: GDPR Perspective

The General Data Protection Regulation (GDPR) is a comprehensive privacy regulation implemented by the European Union (EU) in May 2018. It sets out specific requirements for the cross-border flow of personal data, which is defined as any information relating to an identified or identifiable natural person.

Under the GDPR, cross-border transfers of personal data are only allowed if there are adequate safeguards in place to protect the privacy and rights of individuals. Adequacy can be ensured through several mechanisms, including adequacy decisions, standard contractual clauses, binding corporate rules, and derogations.

· Adequacy Decisions: Adequacy decisions are issued by the European Commission and are a formal determination that a third country or international organization provides an adequate level of protection for personal data. To date, the Commission has issued adequacy decisions for a number of countries and territories, including Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.

· Standard Contractual Clauses: Standard contractual clauses, also known as model contracts, are pre-drafted clauses that can be used to transfer personal data from the EU to a third country. Organizations can use standard contractual clauses to ensure that adequate protection is provided for personal data transferred outside of the EU.

· Binding Corporate Rules: Binding Corporate Rules (BCRs) are internal policies and procedures that a company can adopt to govern the transfer of personal data within its corporate group. BCRs must be approved by EU data protection authorities, and they provide a way for organizations to ensure the protection of personal data as it is transferred from one entity to another within the same corporate group.

· Derogations: In limited circumstances, personal data may be transferred from the EU to a third country without adequacy safeguards, such as with the explicit consent of the data subject, for the protection of important public interests, or for the establishment, exercise, or defence of legal claims.

The GDPR also requires that organizations taking part in cross-border data transfers implement appropriate technical and organizational measures to ensure the security of personal data. These measures may include encryption, access controls, and regular security audits, among others.

Additionally, the GDPR requires organizations to appoint a representative in the EU if they are processing personal data on behalf of data subjects in the EU, but are not established in the EU. This representative serves as a point of contact for EU data protection authorities and data subjects, and can help ensure that the organization is in compliance with the GDPR.

D. The Indian Vision for Cross-Border Data Flow?

The Digital Personal Data Protection Bill, 2022 is a proposed bill in India that seeks to regulate the collection, storage, and use of personal data by organizations operating in India. The bill sets out specific requirements for cross-border data flow, which is defined as the transfer of personal data from India to a foreign country or territory.

Under the proposed bill, cross-border data flows are subject to a number of restrictions and requirements, including:

· Prior Authorization: Organizations must obtain prior authorization from the data protection authority before transferring personal data outside of India. This authorization is based on an assessment of several factors, including the level of protection for personal data in the receiving country, the purpose for which the data is being transferred, and the rights and freedoms of the data subject.

· Data Localization: The bill requires organizations to store certain categories of personal data within India. This includes critical personal data, which is defined as data that is necessary for the sovereignty, security, and strategic interests of India. Organizations must also maintain a copy of all personal data transferred outside of India.

· Security Measures: Organizations must implement appropriate technical and organizational measures to ensure the security of personal data during cross-border data flows. This includes measures such as encryption, access controls, and regular security audits, among others.

· Notice and Consent: Organizations must provide notice to data subjects before transferring their personal data outside of India. Data subjects must also provide their

explicit consent for the transfer, unless the transfer is necessary for the performance of a contract or for the fulfillment of a legal obligation.

· Data Access and Correction: The bill requires organizations to provide data subjects with access to their personal data and to allow them to correct any inaccuracies. This includes personal data that has been transferred outside of India, and organizations must put in place appropriate mechanisms to ensure that data subjects can exercise these rights, regardless of where their personal data is stored.

· Data Retention: Organizations must retain personal data only for as long as necessary to fulfill the purpose for which it was collected. This includes personal data that has been transferred outside of India, and organizations must put in place appropriate mechanisms to ensure that personal data is deleted in a timely manner when it is no longer needed.

In summary, the Digital Personal Data Protection Bill, 2022 sets out strict requirements for cross-border data flows, and organizations must take care to ensure that they are in compliance with these requirements. Organizations must obtain prior authorization for cross-border data flows, store certain categories of personal data within India, implement appropriate security measures, provide notice and obtain consent from data subjects, provide data access and correction, and retain personal data only for as long as necessary. By doing so, organizations can help ensure the protection of personal data, while also enabling the continued flow of information and commerce across borders.

The Privacy updates are straightforward once you understand them. Once they become ingrained in your behavior, they will aid in defending you from frequent scam tactics. Get in touch with us at info@tsaaro.com.Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today.