During the fourth round of talks on a free trade agreement (FTA) between India and the EU, scheduled for March, the EU may continue to seek unrestricted cross-border data flows, including storage. Based on the EU’s current negotiating text on digital trade, neither party may require data localisation for storage/processing, nor make cross-border data transfers contingent on localisation.
Unlike the previous iteration that restricted the transfer, processing, and storage of data overseas, the current draft of India’s Digital Personal Data Protection Bill (DPDP) allows it, albeit in pre-approved countries only. Also, unlike earlier, DPDP seeks to regulate only personal data — despite scant clarity over how it may be converted to its non-personal equivalent. In Europe, companies typically use workarounds to anonymise personal data to counter the restrictions under the General Data Protection Regulation (GDPR).
However, like the EU, India may want to regulate non-personal data through a separate law.
The EU experience
Under Article 20 of GDPR, an individual may obtain and transmit her personal data from one data controller to another; however, this right only applies to processed personal data, and only when she consents or contracts to such processing. Although this may include data generated by products and/or services, it does not cover continuous or real-time information, which becomes important when products are constantly connected via the Internet-of-Things (IoT).
In the absence of an international precedent, the EU came up with its own draft regulation on data sharing — data disclosure agreement (DDA) — a year ago. The DDA grants consumers and businesses the right to access data generated from the use of connected products and/or services, such as in the case of vehicles, consumer goods, and industrial machinery.
Further, it creates a user’s right to share such data with third parties, complementing GDPR’s Article 20.
It also amends the EU’s 1996 database directive, clarifying that the latter’s protections do not apply to databases from IoT products and/or services. At present, since the directive extends to machine-generated data, original equipment manufacturers, for example, can prevent third parties from accessing IoT-related information.
To avoid vendor lock-in, the DDA permits switching between cloud service providers (CSPs) and other data processing services. Government bodies can use data held by enterprises in times of exceptional need (such as a public emergency).
Limitations of the DDA
Article 27 of the DDA requires CSPs to prevent international transfers of, and foreign government access to non-personal data that might be in conflict with European law. This aims to protect commercially sensitive industrial information that is not covered by the GDPR.
In effect, the DDA restricts a company from transferring its own industrial data outside the EU, despite such data having no inherent right to privacy. Further, this restriction is greater than that imposed on personal data under GDPR.
It is unclear whether the DDA seeks to create a parallel regime. At present, most companies process mixed sets of personal and non-personal data, and ultimately apply GDPR safeguards to all such transfers.
The DDA imposes obligations on data holders, which in effect may require companies to share their proprietary information with competitors and EU government entities without discrimination. Once such information is shared, there is greater risk of data leaks and cybercrimes, especially since recipients may not bear a fiduciary responsibility to protect such data. Further, requiring companies to share valuable intellectual property with rivals may compromise R&D initiatives and deployment of new technology.
It is unclear how the DDA aims to protect trade secrets and other sensitive information.
There is no clarity either on data sharing requirements with public authorities in ‘exceptional’ circumstances. To ensure consistency with GDPR, it must be clarified whether Article 27 addresses governmental access alone or commercial transfers, too.
(The writer is a lawyer with S&R Associates, a law firm)