DP Bill 2021 needs TRAI intervention before it can be enacted by Parliament

Tech industry body ITU-APT has written to the Telecom Regulatory Authority of India that the Data Protection (DP) Bill of 2021 does not contain provisions that prevent government access to data of foreign nationals stored in India. The association, which has global tech companies including Facebook as its members, argues that the present draft of the DP Bill will hamper users’ rights and could prevent cloud service providers and other entities from locating their servers in India.

The Indian regulator, on the other hand, has observed that DP legislation, when passed, would encourage companies to invest in data centres within India. The draft DP Bill 2021 lays out certain provisions on localisation for data. For instance, ‘critical personal data’ (a term that is yet to be defined) cannot leave except in very limited circumstances, such as health and emergency services or where the Central government allows such transfer.

Risk of overriding other jurisdictions
The association contends that the draft DP 2021 currently does not expressly consider the case where personal data may be located in India due to localisation requirements but could be subject to the laws of the country in which such data originated. Further, the DP Bill 2021 also does not address the possibility of government access to such data in a way that overrides the protections provided to personal data in other jurisdictions.

“The direct implication of the above is that the DP Bill 2021 does not contain provisions that prevent government access to data of foreign nationals stored in India,” said the association.

The absence of this protection, according to the association, can result in a scenario where the protections provided to personal data in other jurisdictions are overridden, potentially affecting user rights as well as companies’ compliance with domestic laws of other jurisdictions. This may, in turn, hinder the ability of cloud service providers and other entities to locate their servers in India as foreign jurisdictions may bar them from doing so on account of data security concerns (for instance, due to the inability to get approval from foreign jurisdiction regulators to store data in India owing to concerns such regulators may have about protection of their citizens’ data).

“We believe that this issue should be urgently raised by the TRAI before relevant fora, specifically the Ministry of Electronics and Information Technology (MEITY), before the DP Bill 2021 is enacted by the Parliament of India.” said the association.

ITU-APT is the Geneva based International Telecommunications Union’s Association of India. Its membership includes major tech organisations such as Facebook (Meta), Qualcomm, OneWeb and Telesat.

Limiting cross border flow
Facebook (Meta) has been one of the most prominent opponents of countries globally moving towards data localisation with the company making statements as recently as February that If European regulators move to restrict the transfer of European users’ data across the Atlantic to Menlo Park (California), Meta would “likely be unable to offer…Facebook and Instagram in Europe”.

After passing its data protection bill 2021, India will join the likes of European Union who are overhauling legislation governing cross-border data flows as well. The Hindu BusinessLine