By Pralok Gupta & Rupa Chanda
The government recently released another draft of the Personal Data Protection Bill for public comments. The new draft—titled the Digital Personal Data Protection Bill—is the latest in a series of attempts to set a legal framework for personal data over the past four and a half years. The first draft was presented in July 2018 and a final Bill was tabled in Parliament in December 2019. The government withdrew the Bill this August, following the report of the Joint Parliamentary Committee to which it had been referred.
The intended purpose of this Bill is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes. The Bill also sets the regulation for transfer of personal data outside India. Such transfers will be possible to only those countries or territories that are notified by the central government based on its assessment. Thus, it is akin to a data adequacy status that is to be provided by India to other countries for transferring personal data from India to those countries.
Though trade issues are not the primary consideration of this Bill, the cross-border data flow provisions in this Bill may have implications for the ongoing trade negotiations. Most trade partners in the ongoing negotiations are interested in free flow of data. This could be very well gauged from government reports in these countries, media reports, and their participation in the WTO plurilateral negotiations, the Joint Initiative on E-commerce.
Also Read: Pockets of weakness
For instance, the House of Lords report of the UK government on India-UK FTA mentioned that the UK government will pursue a comprehensive digital chapter to include commitments on free and trusted cross-border data flows and prevent unjustified data localisation. The European Commission website listed a digital trade chapter requiring unrestricted cross-border data flows in the context of India-EU FTA. With Australia, India has signed an Economic Cooperation and Trade Agreement (ECTA) in April this year without a digital chapter. However, Australia is keen to explore a digital services agreement with India under a Comprehensive Economic Cooperation Agreement (CECA). The CECA negotiations are likely to start soon once ECTA is ratified by the Australian Parliament.
Thus, free flow of data could be considered as a major interest area for India’s FTA partners in ongoing trade negotiations. If India notifies these countries as data secure, it is likely to help ongoing trade negotiations with them.
A related question is whether the provision to ease transfer of data affect India’s existing decision not to join plurilateral negotiations on e-commerce at the WTO. Will India now join the Joint Initiative on E-commerce? It is unlikely that this decision will be changed for two reasons. First, the Joint Initiative has 87 members at present. While it may be possible to notify a particular country in the context of FTA negotiations, this may neither be possible nor advisable to notify all members, which also include some neighbouring countries. Second, The Joint Initiative has several other provisions on which India has objections, apart from the cross-border transfer of data.
The exact contours of data transfer will depend upon the conditions of notification. In that sense, the draft Bill is different from the EU GDPR. At this stage, the Bill does not specify the criteria based on which a country will be assessed for notification. The EU GDPR, on the other hand, clearly spells out the conditions for providing data adequacy status to third countries. Also, the GDPR has a provision to provide adequacy status to any specific sector, while the draft DPDP bill has a comparable provision only for specific countries or territories, and not for specific sectors.
While complete free flow of data may not be in the interest of growing domestic digital economy in India, full restriction on data flow may prove to be detrimental for ongoing trade negotiations. The Bill could be considered as a balance between India’s digital economy requirements and trade negotiations needs by allowing transfer of data but subject to government notification.
The government has taken a commendable step by inviting public comments before it formulates the final version. In this context, there are a few areas where the lawmakers may like to bring further clarity and specificity. It may be a good idea to specify the details of the composition of the Data Protection Board and how enforcement would be ensured. Similarly, more clarity may be provided on the issue of business size and what would constitute “significant” size. While it is mentioned that this would depend on the volume of the data the businesses process, the criteria for what would be significant volume, how this would be interpreted across different kinds of data and sectors, may require attention.
The exemptions of certain businesses from adhering to the provisions of the Bill to reduce the burden of compliance is appreciable. However, in the absence of well-defined criteria, it may be a challenge to arrive at the basis for such exemptions.
In sum, the latest Bill attempts to address the concerns that had been raised by businesses and is potentially more favourable than the earlier one from an FTA negotiating strategy perspective. However, there are few details to be ironed out.
The authors are Respectively, associate professor, IIFT, and professor of economics, IIM Bangalore