(Vikram Jeet Singh, Kalindhi Bhatia & Prashant Daga)
This privacy week we will walk you through the different facets of the Indian privacy framework in a pint-sized format. Given that today is India's republic day, analyzing the cross-border data transfer mechanisms seems befitting. Unlike its predecessors, the new draft Digital Personal Data Protection Bill, 2022 is not modelled on the GDPR. It offers a 'white-list' cross border data mechanism. Simply said, the government will identify the countries to which personal data can be transferred from India. While this looks like a straightforward approach, this may pose business continuity concerns pending government notifications. Personal data transfers may come to a standstill until the government notifies a country fit for data transfers. From a practical perspective, the implementation of this mechanism will effectively require concerned officials to evaluate surveillance laws of each country before giving the green light for data transfers. A black-list mechanism, similar to that for foreign investments, where except for specified prohibited countries, and subject to sectoral conditions, investments are permitted from all countries, would ease the burden and allow government to stipulate red flags that makes a country unsafe for personal data.
Relying solely on an assessment-based mechanism for cross-border transfers may negatively impact businesses and operation of internet platforms. In this regard, it may be worth taking the GDPR route. Additional grounds in line with global practices could be specified, such as standard contractual clauses that impose necessary data protection safeguards, data protection board approved intra group transfer schemes, submit certifications to demonstrate compliance with principals of data protection, etc. Since a number of operational elements of the draft law have been reserved for subordinate legislation, we hope the alternative facilities to transfer data is provided under these.