Data Protection Bill: Restrictions on cross-border data transfers will have implications for Indian startups
Unlike the General Data Protection Regulation (GDPR), state and public policies and security adequacy requirements aren’t clearly defined.
This is part one of a three-part series on the impact of the Data Protection Bill on businesses. Read part two here and part three here.
In a nutshell
Compliance delays are likely due to additional approvals
Ease of doing business will heavily rely on the DPA’s independence
‘Sensitive personal data’ has a broad definition, while ‘Critical personal data’ has not yet been defined; this is likely to cause uncertainty
Lack of knowledge and awareness, bogus websites, malicious apps and the exploitation of loopholes have contributed to the rise in data breaches and misuse over the years, leading to the introduction of the Personal Data Protection Bill, 2019 (PDP Bill). This Bill was then sent to a Joint Parliamentary Committee (JPC) for review. After visiting data centres and consulting regulatory bodies, service providers and other industry players, the JPC revised many provisions of the PDP Bill and suggested a broader Data Protection Bill.
It proposed that the new laws be implemented with a phased approach (of 24 months), starting with the appointment of a Data Protection Authority (DPA) and other government officials.
This Bill states that almost every startup and business operating across India will have to comply with these regulations once implemented. Certain small startups may be exempted based on conditions specified in the Bill, while others that process data on a large scale will have to focus on setting up adequate data infrastructure.
Companies will have to make organisational changes for tight data security by focusing on principles such as privacy-by-design. This infrastructure has to keep customers informed about data collection and processing, as well as notify them in case of a breach. Businesses can be fined up to Rs 15 crore or 4% of their global turnover in the previous financial year if they’re found guilty of violating the new laws.
Another key change that the JPC suggests is extra approvals from the Central Government for cross-border transfer of data.
During a workshop on the impact of the Data Protection Bill, 2021, on Indian startups, we broke down the requirements of cross-border transfers of data and their possible implications.
Cross-border transfers — Sensitive Personal Data (SPD)
Sensitive personal data may be stored and processed abroad, but only with the explicit permission of the DPA and the central government. There are two conditions for cross-border transfers of SPD:
There must be explicit consent of the data principal
There will have to be a contract between the data fiduciary and the foreign data processor regulating the processing of such SPD. This contract for the transfer of data must be approved by the DPA after consulting the central government. Approval is based on the following parameters:
Whether the country receiving the SPD has provisions for adequate protection of such data.
Such transfer of data should not hinder law enforcement.
SPD cannot be further shared with international agencies unless it has been approved by the Indian government.
The objective of the contract cannot go against state or public policy.
These four criteria are subjective, because terms like ‘adequate protection’, ‘state policy’ and ‘public policy’ are not clearly defined. The government can therefore take its time in approving contracts, which is likely to lengthen approval timelines.
Cross-border transfers — Critical Personal Data (CPD)
Critical personal data can be stored and processed in a data server located only in India. The two requirements of cross-border transfer of CPD are:
CPD should be strictly stored only in India
The central government, after consultation with the DPA, may allow transfer of data but only under three conditions:
If it’s necessary for prompt action in case of health or other emergency services.
The recipient country has to meet adequacy requirements of collection, processing and security.
If the central government deems such a transfer is not going to interfere with strategic interests.
In a nutshell, getting SPD out of the country will be much easier than CPD. However, it still remains to be seen what kind of data is treated as CPD, and this will have a major impact on the data handling practices of startups.
Implications of cross-border transfers
So what are the implications of these requirements for cross-border transfers?
IT/ITeS industries rely on processing foreign data in India. Waiting for government approval for intra-group transfers will interfere with their operations and hamper India’s export potential.
Furthermore, geopolitical considerations may weigh in because of government interference with intra-group approvals. This could lead to disruptions in India’s trade agreement negotiations.
The fact that the central government can review confidential contracts is also a matter of concern, due to issues with intellectual property rights, trade secrets, proprietary information etc.
Unless the government uses technology-enabled processes for approval, the process will become onerous (as each contract for cross-border data transfer is mandated to be specifically approved). Hence, ease of doing business will heavily rely on the DPA’s independence as well as the resources and capacity available to it.
One thing to be noted in the JPC report is the scope of power given to the central government. The PDP Bill 2019 originally said that the DPA will be bound by the directions of the central government on ‘questions of policy’ under Clause 86.
The JPC report has recommended that the DPA be bound by the directions of the central government in all cases (and not only on questions of policy). As far as practicable, the DPA shall be given a chance to express its views. This is a very broad clause and the specific impact of this will be clearer once the implementation kicks off. The suggestion, if taken, can effectively empower the government to overrule any decision of the DPA, which increases the risk of politics-based decision-making.
The intent of the extra level of government approval for cross-border transfer of data might be to safeguard citizen data by making sure that data only goes to countries with similar levels of protection (akin to provisions in the GDPR).
To achieve this, the government should develop a detailed adequacy framework. It should also consider creating a positive/negative list of countries that have/don’t have adequate data protection, so as to avoid requiring bureaucratic approvals on every transfer. Furthermore, the DPA could create a standard form contract for cross-border transfer of data to avoid bureaucratic delays.
With research inputs from The Quantum Hub.