Contributed by Aditya Krishnan
Introduction: A comparison of the provisions of The Draft Bill and the 2023 Act in the context of the transfer of personal data abroad
The Indian Parliament passed the Digital Personal Data Protection Act, 2023 (hereinafter referred to as “the Act”) in August 2023, with the purpose of regulating the collection, storage, processing, and transfer of personal data in the digital landscape. The Act is based, in significant part, on the second version of the Digital Personal Data Protection Bill 2022 (hereinafter referred to as the “Draft Bill, 2022”). However, it has some new provisions that are consequential for the questions this paper seeks to answer.
The introduction of the Draft Bill 2022 raised significant apprehension, particularly regarding Section 17, which granted the Government of India the power to whitelist territories for the transfer of personal data overseas. Section 17 of the draft contained a single-sentence clause permitting cross-border transfers of personal data only to countries permitted by the Centre.
However, unlike the 2022 Draft Bill, Section 16 of the Act allows the transfer of personal data to any country that has not been restricted. This differs from the whitelisting approach in that the Government may only ‘restrict’ the transfer of personal data by a Data Fiduciary to a territory outside India by way of notification. A Data Fiduciary in this context is defined under Section 1(i) of the Act, and refers to any person who, alone or in conjunction with other persons, determines the purpose and means of the processing of personal data. Coupled with this, subsection (2) provides that nothing contained within Section 16 restricts the applicability of any law in force in India that provides for a higher degree of protection or restriction on the transfer of data by a Data Fiduciary outside India.
Presently, India has numerous regulations with respect to localisation in various sectors, such as the securities market. Given the contentious nature of Section 17 of the Bill, and the lacunae in Section 16 of the current Act, the legislature could, by way of notifications, subsequently introduce safeguards that are clarificatory in nature and impose obligations on Data Fiduciaries to enable effective compliance with the provisions of the Act. Against this background, this note aims to analyse some of the safeguards that could potentially be incorporated to address issues regarding the transfer of personal data abroad, issues that have persisted through the erstwhile Acts, the Draft Bill and the current Act.
Data Sovereignty vs an Open Approach: Which would yield better results in India’s context?
Regulators have struggled to find a balance between the requirements of data sovereignty and creating a market that allows the smooth flow of data globally. Countries such as China and Russia have legislation heavily leaning towards the former approach, as seen by, for example, China’s ‘great firewall’, which extensively regulates and censors cross-border internet traffic. Adopting such an approach has implications for innovation and competitiveness on a global scale, even for a country like China.
The European Union’s General Data Protection Regulation (EU GDPR), on the other hand, leans towards a more open approach, permitting transfers under standard contractual clauses that allow processors and controllers of data to transfer data lawfully to other countries. The EU also analyses whether a third country offers an adequate level of data protection by determining whether its laws provide an identical standard of protection to existing legislation in the Union.
In the contemporary global socio-economic landscape, the significance of data, and consequently, advancements in fields such as Artificial Intelligence and Big Data, is increasingly being acknowledged as a pivotal factor. As a principal player in this scenario, India not only has a stake in these developments but also shoulders the onus of global leadership. Therefore, it becomes imperative for India to strike a balance in this context.
Section 16(1) of the Act could potentially be developed to emulate the EU’s adequacy test, assessing data protection laws worldwide and providing a framework to determine whether the transfer of data to a given third country can be allowed. Furthermore, Section 17 (of the erstwhile Bill) and Section 16 of the Act have the effect of bringing all aspects of compliance within the ambit of the Central Government. In systems such as the EU, however, these obligations are placed on the data fiduciary: standard contractual clauses and binding corporate rules are established, and the data fiduciary is entrusted with addressing the concerns of the regulator. The onus of ensuring adherence hence rests with the data fiduciary. This could be another possible approach to amending this section.
Specific consent for transferring data abroad and the classification of such data:
In contrast to earlier iterations of the Bill, the Act does not explicitly mandate obtaining the consent of a Data Principal prior to the international transfer of their data. This is a significant departure from previous requirements. Hence, if such a requirement is not read into Sections 6 and 7 of the Act, it could conflict with the position under the IT Act, 2000, which requires specific consent for all transfers of sensitive personal data. Until such clarification is provided, Data Fiduciaries could resort to examining deemed consent clauses to ascertain whether the Data Principal has provided consent for the transfer of data abroad.
Secondly, concerning the classification of the personal data being transferred overseas, the 2022 Bill and the Act both did away with the categorisation of data as ‘sensitive’ and ‘critical’. Such a change can be viewed with respect to the consent the Data Principal has to give and the compliance required of the Data Fiduciary to classify such data. With regard to the former, in most instances the Data Principal indiscriminately ticks yes to every click-box agreement (thereby consenting to the transfer of the data collected, as the case may be). Further, from the perspective of the industry, doing away with such a classification would actually reduce compliance and classification costs, given that a categorisation of data as ‘sensitive’ or ‘critical’ is hard to make. Hence, while the removal of such provisions has certainly made cross-border data transfer more efficient, the issue of a Data Principal making an assessment and providing informed consent still persists, and has to be addressed.
Delegated legislation and a ‘standard of a higher degree of protection’ under Section 16(2):
The legislature, through the insertion of Section 16(2) of the Act, has sought to widen the scope of delegated legislation concerning sensitive personal data in specific fields. This section offers only a minimum threshold of protection, giving sectoral regulators in India the flexibility to introduce stronger safeguards when needed. Administrative bodies such as the RBI could potentially define such trusted countries. However, an uncertainty in this regard is the standard of a ‘higher degree of protection’ on the transfer of personal data by a Data Fiduciary to a third country. For example, one might question whether a distinct set of recommendations, such as the EHR (Electronic Health Record) Standards, which advocate for the elimination of patient-identifying data or anonymisation, could be considered a superior level of protection and thus limit transfers that do not adhere to these guidelines.
Remote access to data:
Regimes such as the EU’s treat remote access to data through a Virtual Private Network (VPN) service as processing of that data from abroad. When people access data through a VPN from a third country while the data is stored in EU nations, this amounts to cross-border data processing. The DPDP Bill 2022 and the DPDPA 2023 currently do not have provisions that address this issue. However, questions arise as to whether remotely accessing data through a server in another country poses the same level of risk as the transfer of data. Furthermore, it is uncertain whether the threshold for remote access should be on par with that for the transfer of data overseas, or whether it should be lower.
Concluding remarks:
The flow of data across borders is a key factor in determining a country’s geopolitical power and assessing the value it brings to the global technology framework. If the primary objective of the Act was to ensure predictability and minimise disruption to businesses, then the shift from the restrictive language of the Draft to the more accommodating tone of Section 16 of the Act can be considered a successful outcome.
Given India’s breakneck speed of growth and the responsibility it bears with respect to global leadership, India needs to provide further safeguards under Section 16 to resolve inconsistencies and best serve its interests. Thus, a balance must be struck: adequate protection must be given to sensitive data by avoiding careless transfers, while simultaneously ensuring that a whitelisting approach is not adopted, which could strain diplomatic relations and restrict the cross-border transfer of data. The gaps within Section 16 offer an opportunity for the Government to engage in consultations with diverse stakeholders and regulators, achieving a better balance of interests than the erstwhile legislation.