By Uddhav Gupta
(2nd Year, MNLU Nagpur)
The DPDP Act establishes a framework that safeguards digital personal data in India. It defines the rights of individuals and the obligations of data fiduciaries, and it lays down requirements for breach notification and data security. The Data Protection Board oversees data breaches.
Cross-border data transfer refers to the movement of data across different countries, usually driven by global business operations. However, unregulated cross-border data transfer has led to unlawful processing of personal data, unauthorised surveillance, and privacy breaches. The Act regulates and facilitates the movement of personal data across national boundaries while ensuring data security and protecting individuals' privacy.
Key Provisions of the DPDP Act:
The DPDP Act provides a framework that regulates cross-border data transfer. Section 16 empowers the Central Government to notify specific countries to which the transfer of personal data from India is prohibited. This gives the government the power to control and regulate cross-border data transfer in the interest of security and data protection. The Act also gives priority to existing laws: if any law in India or any other country already governs the transfer of data abroad, that law takes precedence over the DPDP Act.
Sector-specific regulators such as the Securities and Exchange Bureau of India (SEBI) and the Reserve Bank of India (RBI) have the power to enforce data localization measures. This means that data collected by entities under their jurisdiction must be stored within India, in line with the applicable sectoral regulations, so that important financial and personal data remains within India. As per the RBI guidelines, any data that needs to be processed abroad must, after processing, be stored only in India and must be deleted from foreign systems within one business day or 24 hours from the payment processing, whichever is earlier. Foreign banks do have the option to establish remote connections for transaction processing, subject to the consent of the data principal.
The Act applies not only to entities within India but also to entities outside the country. Foreign companies that provide goods and services to individuals in India must comply with the Act, ensuring comprehensive data protection for Indian citizens regardless of where the data processor is located. The Central Government also has the power to blacklist countries, in which case data transfers to that country are prohibited; until a country is explicitly banned by the Central Government, personal data can be transferred to it. Take the example of an MNC that operates in India and needs to transfer some customer data to its office in the UK. This is possible as long as the UK has not been explicitly banned by the Indian Government. However, a loophole could arise in this situation: the UK-based office could forward the personal data to a blacklisted country.
Section 17 of the Act allows exceptions to the restrictions on data transfer. For instance, in the case of law enforcement, data transfer is allowed for the purpose of detection, investigation, and prosecution of a crime, which ensures that law enforcement agencies are able to access data across borders whenever necessary. Additionally, if a contractual obligation has to be fulfilled with a foreign entity, the transfer of personal data is allowed, so a contract that requires a data transfer can proceed without the general restrictions.
Role of the Data Protection Board to enable Cross-Border Data Transfer
The Data Protection Board was established under the DPDP Act, 2023. It ensures that data protection standards are met, and it facilitates secure cross-border data transfer under the provisions of the DPDP Act. Its goal is to make sure that the countries that receive data from India maintain protection of the personal information of Indian citizens. It also has the task of ensuring that data protection rights are upheld, and it can address complaints. Organizations that fail to meet the legal requirements for international data transfer can face enforcement action by the DPB.
The DPB will also need to consider adequacy norms and international interoperability standards for cross-border transfer and align itself with safeguards such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). It will need to make sure that its regulations are aligned with international interoperability standards, as this will ensure that India's data protection requirements are compatible with those of other jurisdictions. SCCs are pre-approved contractual agreements that outline the responsibilities of the parties involved in a cross-border data transfer and make sure that adequate protection is given to personal data. The DPB can review and update the SCCs to ensure that they comply with India's data protection standards.
BCRs are internal policies adopted by MNCs to ensure that their data protection practices remain consistent across their global operations. It is the role of the DPB to monitor adherence to BCRs in order to ensure that they provide protection for personal data, and it needs to approve BCRs so that they can be used for data transfers within corporate groups and remain compliant with the DPDP Act.
Sectoral Localization Norms
As per the DPDP Act, if any other law imposes stricter restrictions on data transfers, that law takes precedence over the DPDP Act, so specific sectoral regulators have the power to impose additional data localization requirements.
i. Companies Act, 2013: Companies are required to maintain a backup of their books of account and other essential documents in electronic form within India. This is important for ensuring that financial data, including transaction records and financial statements, is stored domestically.
ii. Payment and Settlement Systems Act, 2007: The RBI requires that end-to-end transaction details and payment or settlement information relating to any transaction that takes place in India be stored and processed locally. This ensures that transaction data remains within the jurisdiction of India's regulatory authorities.
iii. Aadhaar Regulations, 2021: All servers used for Aadhaar authentication and offline verification, as well as any associated personal data, must be located within India. This safeguards the sensitive personal information tied to Aadhaar numbers, which are used for identity verification and provide access to various services in India.
Cross-border Data Transfer in GDPR
GDPR is a data protection law enacted by the European Union that came into effect on 25 May 2018. It applies to all organizations that process the personal data of individuals within the EEA, regardless of where the organization is based. The DPDP Act was inspired by the GDPR, in that it mandates data minimization and provides for consent management.
GDPR allows the transfer of personal data outside the EEA if certain conditions are met. An adequacy decision allows the transfer of data from the EU to a third country that offers a level of personal data protection comparable to that of the EU: the European Commission declares that the third country ensures an adequate level of data protection, and data can then be transferred to that country without any additional safeguard. In the absence of an adequacy decision, data transfers can still occur using appropriate safeguards such as standard contractual clauses (SCCs) and binding corporate rules (BCRs).
In the absence of both an adequacy decision and appropriate safeguards, transfers can still take place in specific circumstances, such as when the data subject has given explicit consent, or when the transfer is necessary for the performance of a contract or for the establishment, exercise, or defence of legal claims. GDPR also emphasizes transparency, accountability, and the rights of data subjects, including the rights to access, erase, and rectify their data. For example, take a German company that is trying to expand to Brazil, Uruguay, and Argentina. It will first check for an adequacy decision. Uruguay and Argentina are considered adequate, so data can be transferred to them without any extra safeguard. However, Brazil does not have an adequacy decision, so the company will need to implement appropriate safeguards before cross-border data transfers to Brazil can take place.
Suggestions for Improvement:
In order to enhance the applicability and effectiveness of the DPDP Act, the following areas require improvement.
Clear Guidelines for Blacklisting a Country
It is important to establish clear guidelines for blacklisting countries under the DPDP Act, as this will ensure stability and predictability for businesses involved in cross-border data transfer. There should be transparent criteria for blacklisting, such as involvement in mass surveillance activities or non-compliance with international data protection standards. These guidelines should be publicly accessible and subject to judicial review, so that the decisions made are objective. In addition, there should be an additional safeguard ensuring that a non-blacklisted country cannot onward-transfer data to a blacklisted country. To address this, standard contractual clauses (SCCs) can be drafted that explicitly prohibit data transfer to a blacklisted country, and regular compliance checks and audits should take place to ensure that these clauses are followed.
Harmonization with International Law
Harmonizing the DPDP Act with international data protection laws will make compliance easier for foreign companies that face dual regulatory requirements. India should sign Memoranda of Understanding (MoUs) with its key trade partners and recognize the data protection frameworks of other countries. For example, India has engaged in dialogues such as the India-EU Data Protection Dialogue to align itself with the GDPR. India has also participated in platforms like the Global Privacy Assembly and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, which promote similar data protection standards with the aim of smoother cross-border data transfer. The Data Protection Board (DPB) should establish a liaison office that assists businesses in understanding the differences between Indian data protection law and that of other countries, and that helps resolve conflicts arising from dual regulatory requirements.
Coordination between DPB and Sectoral Regulators
Establishing clear coordination and a delineation of responsibilities between the Data Protection Board (DPB) and the sectoral regulators will help prevent regulatory conflicts and simplify compliance for businesses. A committee with representatives from the DPB and the key sectoral regulators should be formed. It would be responsible for issuing unified guidelines, resolving regulatory overlaps, and addressing any conflicts that arise between the general data protection regime and sector-specific regulations. Interagency meetings should be held regularly to discuss regulatory developments and potential conflicts.