The authors are Piyush Kumar Choubey and Ashutosh Anand, B.A.LL.B. student at the National University of Study and Research in Law, Ranchi.
Data in the modern era has become as invaluable as oil and gold. Due to its extensive use, protecting data becomes indispensable to maintain the integrity and confidentiality of sensitive information. In the contemporary world, data protection rights are legal rights that individuals own over their personal data. These rights are designed to protect individuals’ privacy, give them control over their personal information, and determine to what extent such data can be shared with third parties.
Individuals execute a myriad of things in the digital sphere, which in turn, leaves behind multitudinous digital footprints. These digital footprints or personal data, which may be in the form of, inter alia, search history, passwords, user preferences, search queries, and payment details, are thereafter stored in the databases for the easement of users in future. However, these databases also contribute to a major concern of “infringement of data privacy”, thereby making it of utmost importance to regulate the cross-border data transfer regime. Cross-border data transfer means transfer of personal data from one jurisdiction to another.
Taking into consideration the unstoppable expansion of the Indian digital sphere that holds tremendous influence over the world due to its vast population, economic potential and giant global market, this article seeks to compare the regulation of cross-border data transfer in the European Union (“EU”) and India with special reference to the Standard Contractual Clauses in the General Data Protection Regulation (“GDPR”) and the Indian Digital Personal Data Protection Bill, 2022 (“DPDP Bill”). Moreover, the article also puts forth certain recommendations to strengthen the current data transfer regime in India.
DPDP Bill and Data Transfer in India
The Supreme Court of India, in the landmark Justice K.S. Puttaswamy v. Union of India case, broadened the scope of Article 21 of the Indian Constitution and declared the right to privacy as a fundamental right. Thenceforth, a comprehensive general data protection legislation in India has been eagerly awaited. The Joint Parliamentary Committee, in December 2021, after a two-year long deliberation, carried its report on the Personal Data Protection Bill, 2019 (“2019 Bill”), which, with further amendments, took the form of the draft of the Data Protection Bill, 2021 (“2021 Bill”). The language used in these amendments could have had an impact on how cross-border data flows are handled both under the authorised “standard” contractual terms and data adequacy determinations. However, the Government of India in August 2022 withdrew the 2021 Bill for revision after facing several backlashes from the stakeholders.
Eventually, in 2022, merely three months after the withdrawal, a draft of the new DPDP Bill, 2022 was published seeking public consultation. The draft lays down its purpose “… to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes ...”
Section 17 of the DPDP Bill bestows disproportionate powers to the Indian Central Government and provides for cross-border data transfer with countries and territories which the Central Government may notify after assessing factors which it deems necessary (“whitelisted countries”). Hence, the aforesaid section insinuates a barricade on data transfer with the countries which are not whitelisted (“blacklisted countries”). The complication that the DPDP Bill poses is that it fails to provide any other provision related to cross-border data transfer which could clarify how these countries will be whitelisted and on what terms the transfer would be allowed, thereby failing to achieve the very essential ingredient of cross-border data transfer regulation (i.e., terms of transfer). Furthermore, Section 18 of the DPDP Bill acts as an exception to Section 17 of the same.
Standard Contractual Clauses
The EU’s General Data Protection Regulation which replaced the Data Protection Directive (Directive 95/46/EC), (“Directive”) allows for the free transit of personal data within the EU, and also, internationally to non-EU countries as long as those countries offer an “equal” level of protection that is “sufficient” to that offered by the EU. Prior to GDPR, the EU dealt with cross-border data transfer through its Directive and other mechanisms. For instance, the EU-US Safe Harbour framework (the “Safe Harbour framework”) was a set of rules or principles that the US firms receiving data from the EU had to abide by. The European Commission acknowledged the sufficiency of the Safe Harbour framework in an order dated July 26, 2000, however, the same was later invalidated by the European Court of Justice in 2015 due to protection deficiencies.
At present, under Article 46 of the GDPR, the EU has incorporated a new set of model clauses known as the Standard Contractual Clauses (“SCCs”) to secure the data which leaves the EU and going to jurisdictions that do not have an adequacy decision, and therefore may not afford the same level of security to personal data. The SCCs cover obligations such as data security, limited processing purposes, individual rights, and cooperation with data protection authorities. In some cases, supplementary measures may be required to address potential risks to the transferred data. Data protection authorities have the power to review and monitor SCCs' compliance and can suspend or prohibit transfers if necessary.
Through contractual obligations, SCCs provide data protection at the level mandated by the GDPR. Although SCCs cannot be changed, it is permissible for the controller or processor to include extra protection in addition to and in line with the SCCs to make a more comprehensive contract. Therefore, the SCCs function as a “foundation” upon which entities can adjust their security controls and related privacy settings to meet the requirements of the GDPR.
Strengthening Data Transfer Regime in India
The DPDP Bill on the other hand only permits data transfer with notified countries and entirely blocks data transfer with non-whitelisted countries. People advocating the aforementioned may argue that it will ultimately help in personal data protection and privacy; that a blockade on non-whitelisted countries has a strong and valid reason, i.e., those countries are inferior in comparison to whitelisted countries when it comes to proper data transfer regulations in consonance with adequate international standards.
Further, they may argue that personal data protection should be given utmost primacy over other factors such as business interests, as it will only be the strong security protocols that will safeguard sensitive information from unauthorised access and breaches. Furthermore, it would grant the individuals control over their personal data, and provide their informed consent for its transfer, and also imply that companies will be obliged to inform individuals about the purpose and recipients of data transfer. Such measures may also likely lead to greater transparency and accountability measures for companies and organisations, as they will have to maintain detailed records of data transfers, demonstrate compliance with regulations, and provide detailed account of how personal data is being handled.
However, such a blanket ban on non-whitelisted countries in relation to cross-border data transfer would be violative of Indian interests, considering the vast business opportunities it possesses. Strict data transfer norms may create barriers for businesses that rely on seamless international data flows, leading to delays and increased costs. Further, this indiscriminate ban would compel companies to localise databases, resulting in increased functional and data storage costs.
Another impediment that this stringent data transfer regime poses is reduced innovation and collaboration between various organisations, considering the fact that advancements and breakthroughs in research and technology requires the free flow of data across borders. Stricter data norms would also mean reduced choices and limited access of digital services and products, as companies would be coerced to store data within specific jurisdictions in compliance with the regulations, which will eventually lead to localised services that may not be available to users of other regions.
Furthermore, complications may be faced in the domain of cross-border investigations and law enforcement efforts, as it becomes difficult to obtain access to data for investigative purposes when it is stored within specific jurisdictions with stringent norms. It will, sooner or later, lead to impediments in combating terrorism, cybercrime, and other transnational crimes.
Therefore, in relation to the aforementioned points, there arises a need to strike a right balance between personal data protection and business interests, which will require a clear dialogue and collaboration between regulators, businesses, and individuals. It will involve careful assessment of potential risks and benefits, taking into consideration the specific context and needs of different sectors, while also promoting a privacy-conscious culture that respects rights of individuals and supporting innovation and economic growth.
In light of the same, Indian lawmakers should take inspiration from the EU, and devise certain model contractual clauses to be incorporated by the companies for easement of data transfer based in jurisdictions which do not provide adequate protection to personal data, i.e., the non-whitelisted jurisdictions. These model contractual clauses will not only assist in safeguarding personal data, but also help in securing business opportunities and other aforementioned factors, therefore balancing both the elements.
Moreover, these model contractual clauses should be in conformity with international standards to provide uniformity in cross-border data transfer. For instance, a company registered or operating in the jurisdiction of inadequate data protection legislation would have to incorporate the model contractual clauses, which cannot be altered or modified, thereby safeguarding the personal data of an Indian citizen with adequate international standards.
Globalisation and digitisation have highlighted some major concerns regarding data privacy, one such being the regulation of cross-border data transfer. With the condition where, by virtue of Section 17 of the DPDP Bill, the Indian government possesses comprehensive and inordinate control of ‘whitelisting’ the process of cross-border data transfer, a pertinent threat to freedom of choice looms over.
Therefore, to remove this crucial vulnerability, wherein companies have the liberty to transfer data at their desired location with the same level of safeguards which will prevail in India, a desperate and plausible solution takes shape in the form of the adoption of procedures followed in the EU. The aforesaid would, then, also result in an increment of autonomy, choice, and the interconnected factor of economic and societal growth of the world’s most populous country, which can also have a considerable influence.