ISSN : 2583-8725

Data Transfers and Third-Party Management

India: Best practices for cross-border data transfers.
In the age of digitisation and the internet, the importance of data has increased to a great extent. Subsequently, the need for comprehensive data protection laws has also been noted across several nations over the past few decades. Easy access to the global market and improved communication, owing to the borderless nature of the internet, play a major role in the Big Data economy. The free flow of data has resulted in closer integration of communities across the globe and technological advancements in corporate entities.

In today’s data-privacy-driven world, safeguarding personal data is of utmost importance. Security of personal data and sensitive personal data holds, and will continue to hold, a significant place in business infrastructure, especially owing to the rise in cross-border data transfers and the digitisation of businesses.

Economic globalisation and the unprecedented growth of international trade and investment have led to widespread transfer and processing of personal data in bulk. Besides the apparent advantages introduced by the advancement of technology, digital development has also posed a threat to data privacy and the protection of sensitive personal data.

On the national front, presently India has no specific data protection law to govern the collection, storage, processing, transfer, or cross-border transfer of data. In the backdrop of the foregoing, the corporate entities are bestowed with the inherent responsibility of safeguarding the data collected and processed by them.

Understanding cross-border data transfer in India:

In our day-to-day lives, we exchange and gather a huge amount of personal information, whether over websites, in cyberspace, in the guise of cookies, and so on, thereby making our presence on the internet more comfortable and personalised. However, the majority of internet users are unaware of the risks associated with submitting personal data over online platforms, providing consent for collection of data, accepting cookies, etc.

As discussed hereinabove, one of the major concerns that has come to the forefront is the regulation and governance of the transfer of data across international borders. User data processing and transfer is often untapped and made in bulk, without the due consent of the data subject, i.e., the user.

Amid the growing concerns pertaining to cross-border data transfer, businesses often tend to store their user data within the jurisdiction it originated from. The said approach, known as data localisation, is typically a measure to encumber the transfer of data across borders, from one jurisdiction to another.

Since 2018, the data localisation measures in India have witnessed a dynamic change. With the recognition of the right to privacy as a fundamental right by the Supreme Court in the case of K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (‘the Puttaswamy Judgment’), the data localisation measures have been further strengthened. However, considering that the internet is built on the primary principle of swift and easy transfer of data, the approach of data localisation can affect the digital ecosystem in a number of ways. Subsequently, strict or absolute data localisation would also restrict the global reach of businesses, thereby limiting their opportunities.72

One of the pivotal aspects in both cross-border data transfer and data localisation is user consent. Consent plays an extremely fundamental role in gathering, storage, processing, and transfer of data. Businesses and corporate entities should mandatorily ensure that due and explicit consent is obtained from the data subject while collecting and transferring data.

Often, such consent is conditional and subject to withdrawal as per the will of the data subject. In the light of the lack of a data protection framework, obtaining consent from the data subject is a fundamental prerequisite to cross-border data transfer.
To facilitate the free flow of data in order to expedite the growth of the data economy and global economic order, businesses should put in place explicit consent forms, which should be produced before a data subject prior to collection of data, be it online or in person. The small pop-ups asking for consent before enabling cookies on certain websites, or for agreeing to the terms and conditions of an online platform, are all measures to obtain consent from users.

The businesses or corporate entities should also implement a method of withdrawal of user consent in the event the data subject wishes to retract their consent in the future. Furthermore, while obtaining consent, the data controller, i.e., the businesses or corporate entities herein, should also distinctly state the purpose for which the data is being collected, how the same shall be stored, whether such data would be subject to third-party transfer, whether the data would be subject to cross-border transfers, and so on.

India has witnessed rapid digitisation over the past few years and the journey from traditional money to ‘Digital India’ has been swift and widespread. In the light of digitisation, the exchange and processing of personal data has also increased, subsequently leading to the need for a legal framework for data privacy73.

With the pronouncement of the Puttaswamy Judgment, citizens have become more aware of their data, and this has fuelled the need for data privacy. Therefore, in the present privacy-driven age, with technology penetrating even the farthest areas of the country, India is in need of a data privacy regulation governing the several aspects of data.

In the year 2018, an advisory group of experts provided the first draft of the proposed regulation on data protection. Soon after, in 2019, the Personal Data Protection Bill, 2019 (‘the PDP Bill’), was tabled before the Indian Parliament. The PDP Bill became subject to several discussions, deliberations, and suggestions by the Government, citizens, and experts.

The PDP Bill was presented before a Joint Parliamentary Committee (‘JPC’) for the committee’s profound assessment and suggestions. In the last year, the JPC tendered the Report of the Joint Committee on the Personal Data Protection Bill, 2019, which had considerably changed the draft of the PDP Bill and renamed the PDP Bill as the Data Protection Bill, 2021 (‘the Bill’).
However, on 3 August 2022, the Government withdrew the Bill and stated that a more comprehensive legal framework is underway, and a new bill would be introduced in the near future. Even after the prolonged wait of three years, India does not have a designated legal framework for data privacy yet.

Keeping in mind the present trends and developments, it is important to define and understand fundamental terms such as personal data, sensitive personal data, cross-border data transfer, and consent, etc. The PDP Bill and the Bill stipulated specific provisions pertaining to cross-border transfer of data, consent from data subjects, concept of the right to be forgotten, and several other pivotal facets pertaining to data privacy. We can expect the potential new bill to cover the said aspects, as well as the processing and transfer of data.

The two tests for cross-border data transfer.

According to the industry standards and common business practices, there are five primary factors based on which cross-border data transfers are facilitated:

• adequacy;
• informed permission;
• contractual needs;
• interest of the data subject; and
• overriding legal purposes or direction of the State.
The two fundamental tests pertaining to the cross-border transfer of data are the test of adequacy and the comparable level of protection test.
