The new Digital Personal Data Protection Bill 2022 (DPDPB 2022) has sought to remove data localisation norms and instead introduced the concept of data flows — a significant change that steers away from restricting the cross-border transfer of data across geographies. This is set to strengthen India’s ability to drive digital trade negotiations on a bilateral and multilateral level.
Enabling data transfers is a critical aspect for Indian start-ups to access cost-effective technology, data processing and storage solutions, where the option to store data across geographies is an important factor to minimise costs.
A liberal regulatory architecture towards data flows will also benefit the domestic data centre economy by making it more globally competitive.
While enabling cross-border data transfers is beneficial, it is more lucrative to enable the same with countries that share a positive relationship in trade, investments etc. Earlier this year, India signed an FTA with UAE that recognises the importance of the flow of information for facilitating trade while protecting personal data. And now, negotiations are going on with Australia, the UK and the EU on a possible bilateral trade agreement. Notifying these jurisdictions, along with the US, as trusted geographies will certainly help in achieving a bilateral treaty on digital trade, as part of the larger FTA.
The DPDPB 2022 sits well and enhances the Joint Declaration on privacy and the protection of personal data signed earlier this year by India, with the EU, Australia, Comoros, Japan, Mauritius, New Zealand, the Republic of Korea, Singapore, Sri Lanka - which aims to establish a trusted digital environment.
Additionally, the recent G20 Bali Leaders’ Declaration and domestic developments with DPDPB 2022 show that things have evolved, demonstrating increased commitment towards data flows. As India is gearing up for the G20 presidency next year, we could champion data free flow with trust to arrive at principles for protecting user data as part of a broader multilateral arrangement amongst the G20 nations.
As we move forward, it would be critical for the government to establish a standardised framework for data transfers, bringing coordination and cooperation among the nations. Our research on the cross-jurisdictional analysis of data protection regulations shows that there is potentially a principle-level congruence between India and other leading data protection regimes.
A principle-based framework is one of the best possible options that India could consider, which can fulfill the objectives of deploying safeguards to ensure security, privacy and data protection across the data lifecycle, while allowing data to flow freely across borders, thus creating a trusted environment. It proposes a systematic approach to cross-border data transfer mechanisms, where principles will be a prerequisite for various kinds of business-to-business data transfer chains. This framework suggests various principles across the data lifecycle, especially for the four key players — data fiduciaries, intermediaries, data processors and data centres, in addition to regulators/governments, so implementing a principle-based framework is seamless.
Rizvi is Founder, and Shekar is Programme Manager, at The Dialogue