As the new Data Protection Bill has relaxed data localisation norms to bring in a notification-based process for data transfers, it is important that India forms a symbiosis with other countries through its notification of trusted geographies to ensure cross-data transfer based on reciprocity and trust.
India should ally with countries as ‘trusted partners’ that share similar values in terms of democracy, privacy and security principles, by notifying them under DPDPB (Digital Personal Data Protection Bill) 2022. Some of the non-exclusive obligations that could be fulfilled by countries to become a trusted partner include, amongst other things, providing the same level of data protection assured by Indian regulations, ensuring that Indian citizens’ data is stored safely and securely offshore, guarded against cyberattacks and national security threats, and provide the Indian government with simple and timely access to Indian citizens’ data stored offshore for law-enforcement purposes while following key principles at different stages of the process.
Reasonable compromise and reciprocity regarding trade and economic relations must be factored into the determination process, where both India and trusted partner countries mutually contribute to developing each other’s digital economy. It is more lucrative to enable data transfers with countries which share a positive bilateral trade relationship with India.
Technological developments have also led to the international distribution of production processes organised within the global value chain, where different countries specialise in different stages of the production process. India must also look to enable the free flow of data to countries with supply-chain and global value-chain dependents to ensure business continuity, provided that we share diplomatically positive relations with such countries.
It would be crucial to have both lateral-level coordination and multi-stakeholder involvement within the process of notification of countries.
There are various sectoral regulations which directly and indirectly apply to the handling of personal data. Besides, cross-border data transfers also create a contingency for bilateral trade relations and national security threats, which are technically handled by different ministries.
Therefore, there must be two levels of lateral-level coordination while determining which country the data could flow: (a) at the sectoral regulators’ level; and (b) at an inter-ministerial level to have consistency and consensus. It will also be important to have voices of civil society, industry, technical experts, researchers, international relations experts, etc., within the participatory approach while framing factors for notifying countries.
It will be important to consider green, amber, orange, and red lists for cross-border data transfers. The green list, showing countries with trusted data practices, would ideally involve government-to-government consensus through notification/adequacy. Recognising the slow pace of such processes, the use of standard contractual clauses, binding corporate rules, and certification mechanisms should also be considered.
Amber list countries could continue business-to-business data transfers, provided businesses adhere to government-approved certification mechanisms managed by self-regulatory bodies or industry associations. For the orange list countries, governments may impose principle-based contractual obligations provided that the credibility of standard contractual clauses and binding corporate rules is enhanced.
Finally, this would leave us with a small list of countries within the red list with substandard data practices that would face the highest data transfer restrictions.
Shekar is Programme Manager, and Rizvi is Founding Director, The Dialogue