Recent press reports indicate that the upcoming draft of the Digital Personal Data Protection Bill 2022 (Data Bill) will allow for the transfer of personal data to other countries by default, unless specifically blacklisted. If adopted, this policy decision would reverse not just the approach contemplated in the last draft of the Data Bill but uproot the firmly anchored position that Indian policy would be country-agnostic.
When the Government blocked access to several hundred mobile apps in 2020-21, Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, in response to a parliamentary question, reiterated this, stating “…There's no attempt by the government of India to selectively block apps based on the origin of the app..."
When taking any decisions that would restrict market access, India has always presented underlying policy objectives that are sought to be achieved. Be it allegations of user surveillance that led to the blocking of over 200 mobile apps in India, or the perceived risk of opportunistic acquisitions/takeovers, that led to the Government mandating approvals for investments from entities based in countries with a land-border with India via Press Note 3 of 2020. India has thus far stayed away from implementing any form of autonomous economic sanctions programme.
The ‘Whitelisting’ Approach
The last iteration of the Data Bill had adopted a diametrically opposite approach to the one on the anvil now. This involved ‘whitelisting’ countries after the Central Government conducted an “assessment of such factors as it may consider necessary.” While this approach is not bereft of its own shortcomings, it placed the onus of ensuring adequacy of data protection measures squarely on the Government. Though implicit, it is clear that this approach would require the Indian Government to undertake a multi-jurisdictional assessment to assess the adequacy of data protection measures in every jurisdiction where it permits a data transfer without approval.
Though the Indian Government notifying countries to which data exports could occur, without approvals appears reminiscent of the approach adopted by the General Data Protection Regulation (GDPR), it is distinctly different. Thus far, by statutory prescription the burden of assessing adequacy of safeguards in the data importing nation has been cast upon the data exporter. If the Indian government was to undertake the mammoth task of assessing the adequacy of data protection laws in other countries before permitting unencumbered data transfers, this would be a significant step in simplifying compliance for data driven business in India.
Secondary Data Transfers
As we have seen with the European Commission enforcing the GDPR, a government’s involvement in the assessment of data protection and in safeguards and enforcement of rights presents an opportunity to foster multilateral cooperation to develop frameworks for accountable inter-country data transfer. By taking up this mantle, India could play an instrumental role in bridging the asymmetry in cross-border data policy.
While this would be an arduous task for the Indian Government, without a multilateral framework agreement, Indian data exporting businesses would realistically have no ‘control’ over secondary transfers of data via whitelisted jurisdictions to blacklisted ones, to circumvent restrictions.
By the Government assuming the onus of assessing fitness of a country to import data from India, it eliminates the compliance nightmare caused by casting this burden upon a private data exporter by statutory prescription. With limited real-world control over the end-use of data, private entities cast contractual obligations for data protection upon data recipients. While theoretically enforceable, practical instances of enforcement of contractual data protection obligations are conspicuous by their absence.
‘Blacklisting’ Could Boomerang
A ‘blacklisting’ based approach on the other hand, would disrupt the ease of doing business in India in several ways:
Existing data flows would be interrupted, with a significant economic fallout arising out of disrupting existing global dependencies on Indian data centres and business process outsourcing units. Unilaterally blocking data transfers to a specific country, without prior government engagement for the development of bilateral data transfer frameworks, may evoke retaliatory measures.
If India was to proceed with this approach of blacklisting countries, it would need to set out clear parameters for blacklisting and apply these parameters in a non-discriminatory manner. A list of nations to which transfers are prohibited, can neither be implemented overnight nor be a static list.
To avoid classification as an economic sanction, it is critical that India affords blacklisted countries the opportunity to implement either a data protection regime, or enter into a multilateral framework to accord protections to exported data, in order to be whitelisted. The absence of such recourse would leave India no room to argue that this is not a policy-prescribed trade embargo.
The Challenge: Fettering Arbitrariness
Lastly, when considering how India regulates the cross-border flow of data, there is a broader, threshold question that must be addressed, which is what India seeks to achieve by regulating the cross-border flow of data and how this can be achieved in the least disruptive manner.
The current draft of the Data Bill states that the government would conduct an “assessment of such factors as it may consider necessary” and notify such countries or territories outside India to which the transfer of personal data would be permitted, in “accordance with such terms and conditions as may be specified.”
Admittedly, the parameters to be considered when determining the adequacy of safeguards for data transfers are dynamic, but overarching guardrails must be defined by legislation to prevent unfettered discretion or arbitrary use of delegated powers. Such arbitrariness would fracture confidence in India as a data processing destination by threatening global business that operate in India with regulatory uncertainty.
The current policy position therefore deserves reconsideration, since the law has left both the factors guiding government discretion as well as the procedure for the application of such discretion open ended. If the government intends to create a digitally empowered economy, it must satisfy investor expectations on transparency, predictability, and accountability in India. Those drafting the Data Bill must therefore reconsider delegating to the government, broad discretionary powers whilst relegating the task of defining key parameters to subordinate legislation.
Akash Karmakar is a technology and telecommunications lawyer and a partner with the Law Offices of Panag & Babu. Views are personal and do not represent the stand of this publication.