Looking at the cross-border data flow regime in the DPDP Bill 2022 - Hindustan Times
close_game
close_game

Looking at the cross-border data flow regime in the DPDP Bill 2022

ByHindustan Times
Mar 29, 2023 05:26 PM IST

The article has been authored by Amar Patnaik, Member of Parliament, Rajya Sabha from Odisha.

According to a 2019 report of India's ministry of electronics and information technology, India's digital economy could reach $1 trillion by 2025. It acknowledged that this potential for growth could only be realized if the country created an environment with the right policies, platforms, and partnerships for the "borderless" nature of the digital world, in which "capital, innovation, data, and design capabilities flow to countries with the fewest pain points."

Section 17 of the new draft Digital Personal Data Protection Bill (DPDP) 2022 will allow businesses to store data in "trusted jurisdictions," which the central government will later specify on a "whitelist" based on their evaluation.
Section 17 of the new draft Digital Personal Data Protection Bill (DPDP) 2022 will allow businesses to store data in "trusted jurisdictions," which the central government will later specify on a "whitelist" based on their evaluation.

Section 17 of the new draft Digital Personal Data Protection Bill (DPDP) 2022 will allow businesses to store data in "trusted jurisdictions," which the central government will later specify on a "whitelist" based on their evaluation. On the surface, this provision has been well received by industry organizations and startups as it is a sharp U-turn from the stringent requirements for data localisation prescribed in the previous draft. However, this flexibility may also be seen as virtual absence of any regulation in the main Act and leaving the regulation to be prescribed by the central government under its inherent rule-making powers. The absence of not even some guiding principle or framework in the Act itself leaves too much power to the central government which can keep changing/amending these rules at any times with ease. This may make the cross-border data flow eco-system uncertain and unstable thus, proving counter-productive to ease-of-doing business as envisaged. Besides, other challenges remain.

Hindustan Times - your fastest source for breaking news! Read now.

While the flexibility in the provision in the draft bill might facilitate faster conclusion of negotiations for Free Trade Agreements (FTAs) and easier accommodation of bilateral concerns on the issue of cross-border data-flow which invariably features in all new FTAs now, it will all depend on the principals of adequacy and reciprocity. Currently, the bill may not inspire confidence not only within India but even with other geographies in the absence of an independent regulator (Data Protection Board) whose structure and composition has been left to be decided by the central government. Unrestricted government access to this foreign data could prove to be a big deterrent to free flow of data from other jurisdictions to India. For instance, in the case of the European Union (EU)-United States (US) privacy, the two countries had to come to a common ground for the US to be allowed to process the data from the EU after analysing their data protection framework. Further, if we talk about the General Data Protection Rules (GDPR) of the EU, Section 45 talks about data transfers on the basis of adequacy decisions where an independent Data Protection Authority in the country receiving the data of their citizens is a necessary requirement.

There is no legal clarity on the obligations of businesses whilst they will be in a cross-border data transaction, or the hygiene checks that an organization should adhere to before entering into one. Further, the entire process of choosing the “preferred” jurisdiction as per Section 17 of the DPDP 2022 is not clear with no pre-defined principles, thus creating ambiguity in the industry for drafting contractual agreements. This legal void will make it difficult for investors from other countries to feel confident about making investments in India. For instance, the European Standard Contractual Clauses are one example where a business has clearly defined standards that must be met while signing a contract. The presence and learnings from other international frameworks such as the Organization for Economic Co-operation and Development (OECD) and the US-Mexico-Canada Trade Agreement (USMCA) could also be a great learning for India in this regard.

Section 29 of the draft bill specifies that this law takes precedence over other laws in the case of a conflict. However, when it comes to the inter-sectoral laws of various regulatory bodies, such as SEBI, the Reserve Bank of India (RBI), or the broad cloud framework, this conflict is unavoidable. For example, when the RBI issued a data localisation policy in April 2018 requiring all payment system data to be stored in India, it raised concerns about how cross-border data transfers in FTAs would be treated differently in so far as banking/finance transaction data are concerned. Will it create a situation of conflict where, under one rule, the data will have to be stored locally and in the other, it could be stored it in other geographies? In such cases, who is supposed to settle the conflict and harmonise these laws as the draft bill does not address the concept of data mirroring either?

Finally, in the current global policy framework, "data"’ is considered as something that is simply "up for grabs" and "out there, ready to be mined." But, if each nation had its own legislation, such individual country-specific policies may result in regulatory arbitrage and confusion. Therefore, the overarching objective should be to establish a global institution or to use the World Trade Organization's (WTO) existing frameworks with enforcement authority over member states to establish a principle-based global order in cross-border data flow. India, as the current chairman of the G20 should take lead in this regard. India's data center market is anticipated to generate $4 billion in revenues by 2024. Over the next seven to eight years, India will need to increase the capacity of its data centers by at least 15 times in order to handle the growing volume of data even in the absence of strict data localization/ laws. We must not miss the opportunity of making data storage in India so lucrative-cost and efficiency wise – that we assume global leadership in this field as the lowest cost data storage capital of the world.

The article has been authored by Amar Patnaik, Member of Parliament, Rajya Sabha from Odisha.

SHARE THIS ARTICLE ON
Share this article
SHARE
Story Saved
Live Score
OPEN APP
Saved Articles
Following
My Reads
Sign out
New Delhi 0C
Friday, March 29, 2024
Start 14 Days Free Trial Subscribe Now
Follow Us On