.svg)
Three months after withdrawing a bill that sought to impose restrictions on cross-border transfers of personal data, the Indian government has had a rethink, publishing a new bill with fewer localisation requirements.
On Friday (November 18), India’s Ministry of Electronics and Information Technology (MeitY) published the latest version of its Digital Personal Data Protection Bill.
Unlike in previous versions, the bill makes clear that personal data may be transferred to jurisdictions outside India for the purpose of “processing”, if a jurisdiction is so designated by the central government.
The bill also applies extraterritorially to the processing of personal data outside India “if such processing is in connection with any profiling of, or activity of offering goods or services to Data Principals within the territory of India”.
The bill defines the act of “processing” data as an “automated operation or set of operations” that may include collection, recording, storage, retrieval, indexing and use, among other examples.
The bill also proposes the establishment of a Data Protection Board of India by the central government, which would determine cases of non-compliance and impose penalties accordingly.
Dr Gabriela Zanfir-Fortuna, vice president of global privacy at the Future of Privacy Forum, a US-based think tank, said the latest bill is similar to the EU’s General Data Protection Regulation (GDPR).
“The bill operates with the concepts of Fiduciary for Controller and Principal for Data Subject,” said Zanfi-Fortuna.
“And it defines personal data in relation to identifiability ‘by or in relation to such data’, so quite broadly and similar to the GDPR.”
Zanfir-Fortuna also pointed out that, unlike many data protection laws, the bill provides a clear definition of “harms” that can be inflicted on data principals and sanctions against them.
These include: bodily harm; distortion or theft of identity; harassment; and prevention of lawful gain or causation of significant loss.
Finally, the scope of the bill is limited to digitised and online personal data only, while non-automated processing and “offline personal data” are specifically excluded. Digitised personal data in files older than 100 years are also excluded.
Evolution of the bill
In 2019, when the first draft of the Personal Data Protection Bill was published, Chapter VII outlined two prohibitions on the processing of personal data outside India.
“Critical” personal data was to be processed only in India, while “sensitive” personal data could be transferred outside India for processing, but only when “explicit consent” was given by the data principal.
Additionally, the 2019 bill maintained that “sensitive personal data may be transferred outside India, but such sensitive personal data shall continue to be stored in India”.
After the 2019 bill was published, it faced strong opposition from both local and multinational technology companies, which described its provisions as “onerous” and said it would endanger the ease of doing business in India.
When the bill was updated by a Joint Parliamentary Committee (JPC) in 2021, concerns among tech and software companies remained, which have only grown stronger as further amendments were added.
For example, the JPC recommended that “mirror copies” of sensitive personal data already held by foreign entities should be “mandatorily” brought back to India.
In January 2022, the Asia Internet Coalition (AIC), a lobby group that represents Meta, Google, Amazon and other bigtechs, wrote to MeitY and the JPC to express its concerns.
“Robust cross-border data flows are essential for the success of any emerging economy in this era of globalisation — all of which will be hampered due to restrictive data localisation requirements under the Data Protection Bill 2021,” said the AIC.
“Cross-border transfer decisions should be free from executive or political interference, and should ideally be minimally regulated.
“Conditions for privacy safeguarding cross-border data flows must be based on established legal principles, and technical feasibilities/requirements.”
The AIC argued that increasing the role of the central government in cross-border transfer decisions would undermine confidence in the country’s regulators, and would increase the risk and cost of doing business in India.
“Placing restrictions on cross-border data flows is likely to result in higher business failure rates, introduce barriers for start-ups, and lead to more expensive product offerings from existing market players,” said the AIC.
“Ultimately, [this] will affect digital inclusion and the ability of Indian consumers to access a truly global internet and quality of services.”
The AIC urged the MeitY to reconsider the bill’s provisions on cross-border transfers.
“Instead of mandating explicit consent from individuals for cross-border transfers, alternate options like requiring a company to demonstrate to an independent third-party certifier the robustness of its privacy practices (including security) can be implemented,” said the AIC.
“After certification, cross-border transfers need not require consent.”
In effect, the AIC’s suggestions on cross-border transfers have been adopted in the latest draft of the bill.
However, as noted by Zanfir-Fortuna, the bill still contains checks and balances that may disappoint the most ardent data libertarians.
“The lawful grounds for processing are not ideal, with notice, consent and deemed consent playing central role,” she said.
Th MeitY is now inviting feedback on the draft Bill until December 17, which can be submitted via the Innovate India government website.
