Allowing cross-border data flow, other than specified negative list of countries

IN a move that could further liberalise conditions for data transfer, the proposed new law could allow global data flows by default to all jurisdictions other than a specified negative list of countries where such transfers would be restricted.

Moreover, a provision on “deemed consent” in the draft Digital Personal Data Protection Bill, 2022, could also be reworded to make it stricter for private entities while allowing government departments to assume consent while processing personal data on grounds of national security and public interest. The Bill could also incorporate a provision to ensure it does not come in conflict with pre-existing regulations issued by other Departments or Ministries.

These are among the key changes the government is considering to the proposed data protection Bill after feedback received from a range of stakeholders. The Bill is a key pillar of an overarching framework of technology regulations the Centre is building which also includes the Digital India Bill — the proposed successor to the Information Technology Act, 2000; Indian Telecommunication Bill, 2022; and a policy for non-personal data governance.

The current provision on cross-border data flows, as prescribed under Clause 17 of the draft data protection Bill, states that the Centre will notify countries or territories where personal data of Indian citizens can be transferred.

This is likely to be amended with the Bill allowing cross-border data flows to all geographies with an official blacklist — of countries where transfers would be restricted.

This change is seen as a move to ensure business continuity for enterprises and to place India as a crucial part of the global data transfer network – an important element of trade negotiations the country is currently exploring with key regions such as the European Union.

“Instead of a white-list approach, the government is looking to follow an allowed-by-default model,” a senior official said. “So, if the government does not want data to be transferred to a particular region, it will mention that region in its blacklist.”

One concern has been unchecked data transfers to China. In the last three years, the government had taken action against a number of platforms developed by China-based companies including ByteDance’s TikTok and Tencent’s PUBG. In the digital information sector, apps and websites believed to transfer data to China have been blocked and in other sectors, scrutiny has stepped up, especially over funds coming into India from Chinese entities.

For instance, in April 2020, the Department for Promotion of Industry and Internal Trade (DPIIT), by way of press note 3 of 2020, announced a critical change to the Consolidated Foreign Direct Investment Policy (FDI Policy). This called for prior approval of the government for FDI by any entity based in any country sharing a border with India. Earlier, FDI from entities based in Pakistan or Bangladesh were subject to government approval. This change was driven by an intent to stem any attempts by Chinese firms to take control of Indian firms which at the time were affected by Covid- related lockdowns.

Another key change that is expected in the final version of the Bill is to tighten the much-criticised provision of ‘deemed consent’ for how private entities can process personal data. “There were concerns over the misuse of this provision by private entities, so the government is considering changing the provision to exclude private entities,” the official said. However, government entities are expected to be allowed to process assuming deemed consent, as has been prescribed in the draft Bill.

Under Clause 8 of the original draft, a user is said to have given consent to the processing of her personal data if the same is considered necessary. What the provision essentially means is that if a user has voluntarily shared her data with an entity for a certain purpose, that entity can assume her consent for other adjacent purposes and does not have to seek fresh consent for it.

If other sectoral laws prescribe a higher standard of data protection on account of national security or other factors, then the data protection Bill will not supersede them, the official added. “So, if there are sectoral regulations related to, for instance, health where such data is subject to a certain degree of privacy, that regulation will prevail over the data protection Bill,” the official said. Indian Express