Data Protection Standards For Cross Border Data Transfers In India: Suggestive Approaches And Way Forward
Global data flows have risen substantially in recent years, along with trade in digital services across borders. According to a report published by the World Bank, global internet traffic in 2020 was estimated at approximately three zettabytes, which works out to roughly one GB per person per day. This volume is expected to double in the coming years. Such a large volume of data flow is driving the growth of international trade. Cross-border data flows facilitate trade in goods, enhancing productivity and reducing costs; they also serve as the primary means of transacting in digital services. Cross-border data flows and international trade are interdependent, and cross-border data transfer is one of the key contributors to the exponential growth of international trade. In today’s world, electronic payment systems, internet-based advertising and retailing, and cloud computing have become integral parts of almost all businesses, irrespective of the sector they operate in. In fact, it is difficult to envision an international trade transaction that does not involve a data transfer.
A well-formulated legal framework for cross-border data transfer is essential for the economic growth of any country and should be a top priority given the ever-increasing rate of global data flows and their potential for misuse in terms of national security, data breaches, and privacy concerns. The aim of such a framework is to ensure that personal data is adequately protected during the transfer process and is not subject to misuse or abuse.
Currently, there are several models for cross-border data transfers, including the European Union’s General Data Protection Regulations (GDPR), the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, and the United States (US) - European Union (EU) Privacy Shield Framework.
The GDPR is one of the most comprehensive frameworks for cross-border data transfers. It applies to all businesses that process the personal data of EU citizens, regardless of where the business is located. The GDPR requires businesses to obtain explicit consent from individuals before collecting their personal data and to provide clear information about how that data will be used. The APEC Privacy Framework is a voluntary framework that provides guidelines for protecting personal data in the Asia-Pacific region. It is based on nine privacy principles, including the collection limitation principle, the data quality principle, and the security safeguards principle. The US-EU Privacy Shield Framework is a framework that allows businesses to transfer personal data between the EU and the US. It is based on the principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse.
Despite these frameworks, there is still a need for a more comprehensive legislative framework for cross-border data transfers. This is because many countries do not have laws that adequately protect personal data, and there is a lack of consistency between different frameworks.
In India, for example, there is no comprehensive legislative framework for cross-border data transfer. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, framed under the Information Technology Act, 2000, require companies to obtain the individual’s consent before transferring their sensitive personal data. Additionally, the Reserve Bank of India has issued guidelines on the outsourcing of financial services that require companies to ensure that the outsourcing of services does not result in a compromise of customer data.
India will soon introduce the Digital Personal Data Protection Bill 2023 (DPDP Bill) before Parliament this year. Clause 17 of the DPDP Bill deals with the transfer of personal data outside India. It states that “The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.” It appears that the Central Government may frame rules under Clause 17 of the DPDP Bill laying down the data protection standards that must be maintained by any country that intends to engage in data transfers with India.
While framing the data protection standards under the rules, the following approaches and suggestions may be taken into consideration:
A mature approach to regulating cross-border data transfers:
Among the three models for regulating cross-border data transfers, namely the open model, the conditional model, and the control model, India may consider adopting a middle path between the open model and the conditional model, one that is neither too stringent nor too loose and that aims to maintain a balance between the country’s growth and data privacy. Efforts should be made to promote international trade while safeguarding data subjects’ rights and national security, without hindering innovation and the financial growth of the economy. The best example of a conditional model is the EU’s GDPR, which focuses primarily on data subjects’ rights and safeguarding their privacy while keeping compliance requirements for businesses moderate. A similar approach has been adopted by South Africa, Singapore, Japan, and various other countries in framing their cross-border data transfer regulations. The Indian Government may also form its baselines in line with the GDPR, especially by adopting principles such as data localization with regard to cross-border data transfers and by providing a comprehensive set of rights to data subjects, so that they retain full ownership of and access to their data in every situation and at all times. As India is a developing country aiming to become a five trillion-dollar economy by 2025, which will not be possible without fostering international trade, India must keep its cross-border data compliance requirements flexible and relaxed, prioritizing business needs over individual rights. The US has relaxed data privacy standards for cross-border data transfers and keeps its market more open for ease of doing business by entities.
Collective actions by the stakeholders for developing a culture of ‘Data Free Flow with Trust’:
No matter how stringent or loose a regulatory framework for cross-border transfers may be, its effectiveness depends largely on the foreign countries involved in the transfer arrangements holding themselves responsible and duty-bound to take all relevant technical, administrative, or social measures so that the data they collect from the other country is kept safe and protected, and to adhere to all the due diligence requirements of the other country’s law. Such responsible behavior by foreign countries builds trust among nations, so that they can trade with each other more freely without fear of their citizens’ data being misused or compromised. To this end, India may conduct engagement programmes with stakeholder communities to understand their interests and the challenges they face in cross-border data transfers. This approach will strengthen the capacity of other stakeholders to protect the data transferred and enable a broader, more open, and more inclusive environment for cross-border data transfers between stakeholders.
A modern and updated consent mechanism in case of data transferred outside India:
The rules must take a stricter approach to the consent mechanism in the case of cross-border data transfers rather than following the traditional method of taking consent from data subjects. As India has a low digital literacy rate, it is a challenge to obtain the ‘actual consent’ of digitally illiterate citizens who do not understand the terms and conditions, the purpose, or the type of data for which their consent is sought. The rules must define what explicit consent means, and additional, separate consent must be taken when data is transferred outside India. The consent taken must be explicit: for example, when the data subject ticks the consent checkbox, the terms and conditions and other relevant information regarding the data transfer should also be available in a text-to-speech format, giving the data subject the option to listen to the relevant information in the language of their choice.
Time period for data breach notification:
Business entities engaged in cross-border data transfers should be held to a higher level of due diligence with regard to notification in the event of a data breach. Once the business entity has determined that a data breach has occurred, it should immediately inform the Governments of the respective countries whose citizens’ data has been targeted, as well as the data subjects whose personal data has been compromised, so that prompt measures can be taken from both ends. The term “immediately” means as soon as the business entity has verified the existence of the breach or has reasonable certainty that it has occurred. In compliance with this, an electronic notification may be sent to the affected data subjects clearly stating that a data breach has occurred and the appropriate measures they should take to further protect their personal data or any other information in their online accounts.
Right to data portability:
One of the significant data subject rights in the case of data transferred abroad is the right to data portability, which ensures that the data subject can obtain, reuse, move, copy, or transfer their personal data from one internet infrastructure to another without hassle. Especially when the personal data of data subjects is shared with a foreign entity, the data subject should have the right to data portability: to receive their personal data in a structured, machine-readable format and to transmit it further to another entity. Take an instance where a data subject has taken a consultation at a hospital in Germany and now wants to move to a hospital in Australia. In such cases, the personal data the data subject shared in Germany must be provided back to them in a well-structured manner, so that the data can be used further by the data subject without any hindrance or fear of losing it.
Additional due diligence requirements on the entities involved in cross-border data transfers:
Foreign entities engaging in cross-border data transfers must be obliged to adopt best practices for safeguarding the personal data of data subjects. To this end, the rules should impose requirements such as enhanced cyber security measures and infrastructure that protect against the misuse of data; easy complaint and grievance redressal mechanisms for data subjects; regular cyber security audits, data privacy impact assessments, and risk assessments; and regular monitoring and tracking of the different modus operandi of bad actors who seek to undermine data privacy, with immediate steps taken when a risk is detected. Foreign entities must adopt data protection by design and by default.
The future of global trade depends heavily on how a country’s domestic regulations are framed and whether those regulations provide wide scope for ease of doing business and lighter compliance requirements on the part of foreign entities. It will not be a cakewalk for a country like India, which has the largest population in the world, to frame regulations for cross-border data transfers, as it has to put at stake the data of such a huge population while simultaneously ensuring data subjects’ rights, protecting national security, and promoting the country’s economic growth. The suggestive approaches laid down above may help the Central Government while framing the rules for cross-border data transfer under the DPDP Bill and act as a foundational guideline for policymakers.
******************
Details of the Authors
- Bhavna Sharma
Present Position – Senior Legal Associate, Data Privacy and Cyber Security, PriceWaterhouseCooper Services Ltd.
Former Assistant Legal Manager, Cyberlaw Division, Ministry of Electronics & Information Technology, Govt. of India
Email – bhavnadu2017@gmail.com
Contact - 9717490199
- Dr. Dhawal Gupta
Present Position – Director, Public Policy, Chase India
Former Scientist E, Cyberlaw Division, Ministry of Electronics & Information Technology, Govt. of India
Email – dhawal.gupta@gmail.com
- Ajay Singh Chauhan
Present Position – Assistant Section Officer, Policy & Administration, Department of Fertilizer, Ministry of Chemical and Fertilizers, Govt. of India
Email – jaychauhan4444@gmail.com