Introduction
A few of the important elements of the recently updated data protection Bill include easing cross-border data flows, increasing penalties for data breaches and non-compliance, and enabling the government to exclude state institutions from the legislation for the sake of national security.
Three months after the government retracted an earlier version that had drawn criticism from Big Tech and other segments of civil society, the new draft version was published on the 18th of November 2022. The updated draft, now known as The Digital Personal Data Protection Bill, 2022, includes clauses on “purpose limitations” for data collection, specific grounds for collecting and processing personal data, fines ranging from Rs 50 crore to Rs 500 crore, and a Data Protection Board acting as the adjudicating body to carry out the Bill’s provisions.
The draft is available for public comment until December 17; the final version is anticipated to be introduced during Parliament’s budget session the following year.
In contrast to the previous Bill’s contentious requirement that data be stored locally within India, the latest draft makes major allowances for cross-border data transfers. According to the new draft, the Central Government will in due time notify the areas to which Indians’ data may be transmitted.
Data Localisation
Data protection laws often require controllers to satisfy special requirements when transferring personal data across borders.
For example, the General Data Protection Regulation (GDPR) requires organizations to ensure that transfers of personal data to a country or territory outside the EEA (third country) or an international organization comply with the conditions set out in Chapter 5 of the GDPR (Article 44, GDPR).
Data localization or data residency laws mandate that information on a country’s inhabitants or citizens be gathered, processed, and/or maintained domestically, frequently before being transmitted overseas. Such information is often only shared after complying with regional privacy or data protection regulations, which may include notifying the user of the information’s intended purpose and gaining their agreement.
The idea of data sovereignty, which limits some data kinds to those covered by the rules that apply to data subjects or processors, is the foundation for data localization. Data localization takes a step further by demanding that initial collection, processing, and storage occur inside the national boundaries, whereas data sovereignty may just require that records concerning a nation’s inhabitants or residents abide by its personal or financial data processing regulations. In rare situations, it may be necessary to erase data on a nation’s inhabitants or citizens from other systems before doing so in the country where the data subject resides.
Data Localisation in Other Nations
The General Data Protection Regulation (GDPR) of the European Union (EU), which sets restrictions on the free movement of data impacting all EU member states, is one of the most significant pieces of legislation on data flows.
An “Adequacy Decision” process is part of the GDPR and it governs international transfers of personal data. So long as the European Commission has determined that the third country of data destination offers a sufficient level of privacy protection (there are presently 12 countries on the “adequate” list), personal data transfers to another country outside the European Union are permitted.
The GDPR states that only when an acceptable degree of protection is provided or when safeguards are in place to ensure the level of protection is roughly similar to that now given inside the EU, can personal data transfers to another country outside the EU be made. These protections come in the form of certifications, binding corporate rules (BCRs), codes of conduct, standard contractual clauses (SCCs), and other legally binding documents.
The GDPR permits data controllers to rely on specific derogations for cross-border data transfers in the event of a data transfer to a non-adequate country and the absence of safeguards. These exceptions can only be used in certain circumstances to send data to a foreign nation.
When collecting personal information from a data subject, data controllers are required under the GDPR to inform them of any cross-border data transfers they plan to make and to provide the following information:
- whether or not the Commission has made an adequacy decision, or
- in the case of transfers based on derogations or appropriate precautions, a reference to the necessary or adequate safeguards and how to receive a copy of them or the locations where they are available.
If the data controller plans to use the personal data for a reason other than the one for which it was originally obtained, it is required to inform the data subject of that other purpose and any pertinent information before that further processing. The GDPR’s transparency requirements must typically be met by the data controller.
China, on the other hand, mandates localization of all “essential data” about “vital information infrastructure.” In a similar vein, Russia mandates that all personal information about its inhabitants be kept domestically. Different strategies have been used by various nations. The US mandates that all defense-related data be kept domestically. Indonesia, on the other hand, mandates the localization of all information about governmental services.
The New Provisions
By dividing the data into several categories according to its nature, such as sensitive or critical, the earlier suggested regulations were said to better secure the residents’ personal information. Under the previous Bill, businesses were mandated to keep a copy of certain “sensitive personal data” of Indian individuals, such as financial and health information, in India, and exporting vaguely defined “critical” personal data was forbidden. Additionally, the previous Bill gave the Central government the authority to designate any personal information as “critical personal data” that must be processed only in India. This was one of the most important complaints highlighted by tech businesses, with companies like Meta stating that it would affect their services in India.
The government had been asked to approve the cross-border transmission of data by the Asia Internet Coalition, a lobbying organization that speaks for Meta, Google, Amazon, and several other internet companies. In a letter to the IT ministry earlier this year, they stated that cross-border transfer decisions should be free from executive or political involvement, and should ideally be minimally controlled. The organization had claimed that limiting cross-border data flows would likely lead to increased rates of company failure, hurdles for start-ups, and more expensive product offers from established market participants. In the end, the aforementioned regulations will have an impact on digital inclusion, Indian customers’ access to a genuinely global internet, and the caliber of services.
The draft permits cross-border interactions of data with “certain notified countries and territories,” in a move that is seen as a win for tech companies.
“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, following such terms and conditions as may be specified,” the draft says, without naming the countries.
Users will have the right to update and erase the personal data that businesses have on them, and companies will be obligated to stop keeping user data if it no longer serves the commercial purpose for which it was gathered.
Experts’ View
Experts and analysts have noted that the Bill takes a rather accommodative stance on the need for data localization and allows data flow to specific international locations depending on specified predetermined evaluations. This is expected to encourage country-to-country trade agreements and make it comparatively easy for multinational corporations to operate and process data with their present set-up, instead of being forced to build extensive infrastructure in India for the storage and processing of personal data.
Conclusion
With regulations eased and cross-border data transfers allowed, it would be interesting to see which countries the central government notifies and the rules it lays down for the transfer, storage, and processing of data. While this is certainly advantageous for the multinational corporations carrying out business in India, eased data localization regulations should not mean that the personal data of citizens is exploited; safeguards complying with the principles of data protection should be put in place to ensure that companies do not misuse the collected data.