(Sanghnomics is a weekly column that tracks down and demystifies the economic world view of Rashtriya Swayamsevak Sangh (RSS) and organisations inspired by its ideology.)
The Central Government has notified the much-awaited draft rules for the Digital Personal Data Protection (DPDP) Act 2023. This is a significant step towards ensuring the ‘Data Sovereignty’ of India.
The general focus of our debate in this context has been largely on the regulation of social media, whereas there are also several other important aspects that need to draw greater public attention so that the authorities concerned can implement a clear set of rules.
One of the most important issues pertaining to data privacy and data protection is the issue of ‘cross-border data transfer’. The DPPD Act elaborates on this in its Section 16:
“16. (1) The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. (2) Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on the transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.”
The draft rules have addressed ‘Processing of personal data outside India.’ According to Rule 14:
“Transfer to any country or territory outside India of personal data processed by a Data Fiduciary—
(a) within the territory of India; or
(b) outside the territory of India in connection with any activity related to the offering of goods or services to Data Principals within the territory of India, is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.”
The provisions in the legislation, as well as the draft rules, have defined the scope for cross-border data transfer. However, there is a greater challenge of developing synergy with international cross-border data transfer regulations.
One of the most important of these regulations is the General Data Protection Regulation (GDPR). The GDPR is a key framework for governing cross-border data transfers for members of the European Union. According to Article 45 of the GDPR, data transfers to third countries are permissible only if the country has been recognised as providing an adequate level of data protection. The GDPR is considered to be the ‘gold standard’ when it comes to personal data protection laws, especially in the context of cross-border data transfers. There are some core principles that make the GDPR one of the best benchmarks in this domain. The DPPD Act has adhered to many of these and improved upon some. There are also other global trends that we need to take into account regarding ‘cross-border data transfer’ before we finalise the rules on it.
Privacy Shield and its Successor
The EU-U.S. Privacy Shield, which was invalidated by the Court of Justice of the European Union (CJEU) in 2020, was a mechanism used to ensure that U.S. companies complied with EU privacy standards when transferring data across the Atlantic. Following this ruling, the European Commission proposed new mechanisms, such as the Trans-Atlantic Data Privacy Framework (EU Commission, 2023), to facilitate future data exchanges with the U.S.
Standard Contractual Clauses (SCCs)
Standard Contractual Clauses (SCCs) have emerged as a widely used mechanism for ensuring compliance with data protection requirements when transferring data to countries outside the EU. These clauses allow organisations to incorporate specific contractual commitments into their data transfer arrangements to ensure that data protection levels are maintained. They are used when the countries where data is transferred do not meet the standards of the GDPR.
China's Personal Information Protection Law (PIPL)
China's Personal Information Protection Law (PIPL), enacted in 2021, introduces new obligations for data handlers, including restrictions on cross-border data transfer. Similar to the GDPR, the PIPL requires data exporters to assess whether the recipient country’s data protection laws meet Chinese standards before transferring personal data abroad.
Emerging Trends
While finalising the draft rules on cross-border data transfer for India, we should also take into account emerging trends:
* Cloud Computing and Data Flows: The proliferation of cloud computing has significantly increased cross-border data transfers. Many organisations now depend on global cloud providers that store and process data across multiple jurisdictions. As cloud-based solutions become widespread, regulators are revisiting data transfer laws to adapt to these technologies while maintaining strong privacy protections.
* Artificial Intelligence and Data Ethics: The emergence of artificial intelligence (AI) and machine learning has led to the use of vast datasets for training algorithms across borders. This has raised concerns about the ethical implications of data use, particularly in the context of cross-border transfers. Regulatory frameworks must not only focus on data protection but also address the ethical considerations involved in using data for AI development.
* Global Data Governance Initiatives: International efforts are underway to create a consensus on data governance. Organisations such as the OECD and the UN are working on frameworks to standardise rules for cross-border data transfers, aiming to balance privacy rights with business needs. These initiatives could lead to the development of a unified global standard for data protection in the future.
Conclusion
India should finalise a framework keeping in mind that cross-border data transfers remain a complex and dynamic aspect of international law and regulation. While efforts to harmonise regulations continue, the future of cross-border data transfers will hinge on sustained international collaboration, technological advancements, and a balance between safeguarding privacy and fostering economic growth.
Earlier Sanghnomics columns can be read here.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
