How will the cross-border flow provisions of the Personal Data Protection Bill impact Indian startups?
Government approval for cross-border data transfer could create an unnecessary bottleneck for startups and can affect the ease of doing business in the country.
In mid-December, the Joint Parliamentary Committee (JPC) reviewing the Personal Data Protection (PDP) Bill, 2021 – the country’s first of its kind – tabled its report in Parliament.
The Bill focuses on the protection of personal and non-personal data of individuals and establishes a Data Protection Authority (DPA). It was referred to the Joint Committee for further scrutiny on the demand of opposition members.
During the two years that the JPC reviewed the Bill, reportedly 100 drafting changes were proposed, with clause-by-clause discussions and comparisons.
Data localisation
Data localisation is the practice of storing data on any device that is physically present within the borders of the country where the data is generated. As of now, most of this data – both financial and personal information – is either partly or wholly stored outside India.
Citing reasons of national security, speedy redressal of cases, and data sovereignty, the JPC retained the data localisation mandate in the Bill. The JPC further suggested that India gradually make use of the mandate and incentivise investments to build a data storage ecosystem.
Specifically, all sensitive and critical personal data must be stored in India and can only be transferred outside India – for processing – under certain conditions and with the approval of the DPA as well as the Indian government.
The JPC has gone further and said that the Central government should take steps to ensure ‘that a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities be mandatorily brought to India in a time-bound manner.’
Concerns around data localisation norms for India’s startups
Given the somewhat strict nature of data localisation requirements in the PDP Bill, there is a chance that the ability of large foreign tech firms to transfer and process Indian data outside the country will be reduced, thereby also reducing the network effects they enjoy.
State-of-the-art technologies like cloud computing services and data analytics, on which local businesses rely, depend on the rapid and seamless movement of data across borders; with such strict data localisation provisions, the efficacy of these technologies might be affected.
Such provisions could put local tech firms at a competitive disadvantage in the interim, as there would be a loss of efficiency and increased costs in setting up local infrastructure.
There is added uncertainty from the ambiguity in the definitions of sensitive and critical personal data and from the layer of approvals required for the transfer of data, which could lead to confusion. However, in the long term, as these local tech firms become more adept and their capabilities improve, costs will come down, which could lead to a level playing field.
If the government has a technology-enabled methodology for approval, the process might be seamless; otherwise, it becomes very cumbersome and onerous and will hurt the ease of doing business in the country. This will depend on how much capacity, resources, and independence the DPA has.
Speaking during a panel discussion on the Data Protection Bill hosted by MediaNama, Sijo Kuruvilla George, the Executive Director of ADIF, said:
“The DPA will probably play as significant a role as the RBI does in the economy, right. Because data is going to be one of the biggest tools, so to speak, be it market dominance, be it competition. So that is the kind of significance the DPA as an organisation is going to get.
Over a period of time, the trust and faith in the DPA, not just by people in the country, but also by global counterparts, will be one of the biggest significant factors.”
Financial data
The inclusion of financial data in the definition of sensitive personal data, and the very broad nature of the definition of financial data, is a potential problem for industry players that store basic financial information.
Information such as a bank account number (which is included in the definition of financial data) is, on its own, less likely to cause harm to the Data Principal – the person to whom the personal data relates – than a bank account number in combination with a password used for authenticating transactions.
For example, with the advent of the usage of mobile phone numbers as primary means to enable digital payments, they are often used in lieu of bank account numbers as the identifiers for mobile wallets. Similarly, the Unified Payments Interface (UPI) has made peer-to-peer financial transfers easily accessible through the use of Virtual Payment Addresses (VPAs), which sometimes merely consist of mobile phone numbers with shortcodes as suffixes.
This makes it difficult for a third party to cause harm to the Data Principal merely by possessing the VPA. Harm is typically caused by the misappropriation of authentication information alongside login information, not by one independent of the other.
Therefore, the PDP Bill in its current construct would cause inconvenience to entities that store even basic financial information like payment identifiers, as they would have to comply with the stringent provisions of the PDP Bill to the extent of the standards prescribed for sensitive personal data, merely because they possess such payment identifiers.
Regulatory confusion
On May 4, 2018, the Reserve Bank of India (RBI) issued a notification asking all payment system operators to ensure that ‘data related to payment systems operated by them are stored only inside the country within a period of 6 months’. The scope of the notification is extremely broad and covers end-to-end transaction details, information collected, carried and processed as part of the message, and the payment instruction. It also states that the data of a foreign leg of a transaction can be stored in the foreign country.
However, there is ambiguity as to what might constitute the "foreign leg of a transaction", and it is being interpreted independently by lawyers in India. The RBI recently imposed restrictions on Mastercard, preventing it from onboarding new domestic customers, due to non-compliance with the provision.
However, the bigger issue is how this will fit in with the data localisation requirements under the PDP Bill, given that the Bill has its own provisions for the cross-border flow of financial data.
Recently, the RBI released a note seeking exemption from the PDP Bill. The note states that the RBI has regular dealings in ‘financial data’ and that the data retention period in the Bill does not align with RBI circulars for data storage.
In the note, the RBI also cited the Bank of England’s exemption from the UK Data Protection Act, 2018 and the GDPR. It is also pertinent to note that Clause 97 of the PDP Bill is an overriding clause, stating that the PDP Bill will have overriding effect over any law that is inconsistent with it (unless provided otherwise in the PDP Bill).
It remains to be seen whether RBI provisions are exempted from the PDP Bill, or whether Clause 97 is cited to establish the primacy of the PDP Bill.
With research inputs from The Quantum Hub.