How India can pave the road for effortless yet secured cross-border data flows

With the release of the Digital Personal Data Protection Bill 2022, businesses and data-industry experts have been talking about the facilitation of cross-border data flows (CBDF) and how the government will seek to enable them.

To take the discussion forward, the Quantum Hub (TQH Consulting) hosted the discussion “Cross Border Data Flows: The Way Ahead for India”, in partnership with YourStory, to understand how the proposed legislation could shape the flow of data to and from India and what it could mean for the industry.

Roundtable highlights

Setting the context of the discussion, Peter Swire, Professor at Georgia Institute of Technology and a key architect of the EU-US Privacy Shield, highlighted that while the bill seeks to ease cross-border data flows than its predecessor, there is a lack of legal clarity on obligations on businesses before and after the transfer is made. He also expressed his qualms regarding the proposed whitelisting process and suggested that regulatory uncertainty is likely to deter strategic investments in the field. He further added that due to a lack of legal clarity, it is going to be challenging for companies looking to invest and operate in India.

Citing the example of the European Union, Peter said, “India can have something like Europe – Standard Contractual Clauses. If a country has standards that have to be met, then a company would promise by contract that it would follow the Indian high standards and would comply with the Indian law.”

Adding to the conversation, Jay Gullish, Director - Policy Advocacy and Digital Economy, The U.S-India Business Council, said, “In addition to the whitelist, you need things such as private contracts and standard clauses and binding corporate rules, and others.” He further highlighted that six months ago, the global economy was convinced that India would lean towards stricter data regulation. In this regard, the shift to welcome cross-border data flow is widely appreciated by the industry.

Speaking on the interpretation of the law, Ashish Agarwal, Policy Head, NASSCOM, argued that the clause pertaining to CBDF doesn't explicitly state that it would be eased. Instead, it is believed that there would be no enforced data localisation. In this regard, he suggested that there is a need to redraft the pertinent clause to provide more clarity on the same.

Adding to that, Sreenidhi Srinivasan, Partner, Ikigai Law, pointed out that RBI’s payments data localisation mandate, for instance, states that all payments system data must be maintained in India. But, how will provisions like this be viewed in conjunction with the new bill? Answering that question, Sreenidhi said that she hasn’t ruled out the possibility of data categorisation being brought in. She pointed out that ‘critical personal data’ was subject to stringent data localisation norms in the PDP Bill, 2019 and a similar mandate based on the categorisation of data may be part of this Bill too.

The Bill’s impact on industry and trade

Mansi Kedia, Senior Fellow, Indian Council for Research on International Economic Relations (ICRIER), highlighted the importance of CBDF for trade and suggested that as the number of data-led businesses in the world is rising, this number will only go up. She also argued that several businesses in India think that data laws don’t impact them till they evaluate closely. She said that the communications and the financial services sectors among others are those that are most affected by CBDF regulations.

Jay suggested the move to ease CBDF is likely to benefit India’s startup community which already comprises many ITes and SaaS enterprises. On the other hand, Sreenidhi said that in the new bill, there were no explicit storage or mirroring requirements for CBDF which comes bearing positive connotations for the industry. She also said that the bill in its present form is very open-ended and it seems like a conscious effort. This ambiguity has a flipside, as the industry was unsure of where to look to form strategic data partnerships.

“We do hope that those rules are also made sort of pursuant to public consultation, and are published in the way we've seen with other laws under the IT act. Currently, this law is sort of open-ended,” added Sreenidhi.

During this discussion, all panelists agreed that the law enforcement angle for data sharing is also crucial and must be factored in to ease CBDF. Under the present mutual legal assistance treaty (MLAT) process, sharing of law enforcement data takes anywhere from three months to 10 years.

Learning from global experiences

While citing the examples of regulations in the US and Europe, Ashish pointed out that learnings from global experiences must be taken into account for framing CBDF regulation as it can help the government implement the law at scale. “Moreover, it would ensure that we don’t have incompatibility with international laws,” added Ashish. Stating that timeliness is of essence, he further suggested that there is a need to bring in the law as early as possible and that we must start by negotiating with a few countries. He also suggested that BCR and standard contractual clauses could be a way to fast-track the process as well.

Speaking on the bill, Jay alternatively suggested that the anticipated whitelisting process for enabling CBDF could take considerable time, a case in point being the UK-US Data Access Agreement. Instead of taking a country-by-country approach, Jay suggested that economic groupings have already worked on similar agreements, and India could consider dealing with them such as the OECD and USMCA.

While learning from global experiences can help Indian lawmakers build a regulation that aligns with global standards and benefits businesses in growth, experts highlight some deterrents to CBDF. Highlighting those restrictions, Peter said, “The government’s access to data in India could be a big deterrent for free data flows. Tensions would exist.” To make his case, Peter touched upon the issue of the EU-US privacy shield.

On the same point, Jay argued that in the commercial realm, there is a system of resilience that prevails in protecting data. Every breach makes companies smarter and more prepared. However, he also emphasised the fact that there continues to remain a lot of room for regulatory conversation amongst states. Speaking on other deterrents, Jay points out that the current draft of the DPDP suggests the formation of two entities - a Data protection Board of India and another unnamed legal entity that would seemingly be part of the ministry itself. “If we circle back to Europe, independent DPAs are a requirement for data adequacy. This could potentially be detrimental to our data-sharing agreements,” added Jay.

The path towards free cross-border data flows

Mansi said that even if India doesn’t sign any multilateral agreement, it is essential that they should still participate in the discussions and be a part of the ecosystem. . Mansi also added that the objective of the policy should be very clear to policymakers. If India wants to become a data hub, strict and heightened data regulations would prove to be significantly detrimental to the country’s growth.

Adding to that, Ashish further suggested that we need to also look at how this law would work in concurrence with the Telecom Bill and the new IT Act as they can have provisions on government access to data. In his take, Ashish raised a pertinent concern that since data in India is also sectorally regulated, we must make sure that all grounds are covered so that we don’t have a fractured framework.

Sreenidhi suggested that owing to the vast headroom, the government must ensure that proper public consultation is carried out for rulemaking as well. However, the discussion highlights all panelists unanimously concurred that the bill signals a positive outlook for the industry. However, how CBDF would play out largely be determined through details that are yet to be ascertained.