Attention JPC on PDPB: India has to revert to 2018 version of Data Localization

In the PDPA version 2018, India had provided that a copy of all personal data has to be kept in India before it can be transferred out of the country. At the same time the transfer of sensitive and critical data was not allowed. Standard Contractual Clauses and Binding Corporate Rules were to be used along with consent for transfer of data outside India.

However, succumbing to pressure from vested business interests, the 2019 version of the Act now allows transfer of non-sensitive data without keeping a copy in India, and of sensitive data after keeping a copy in India.

With the Court of Justice of the EU recently invalidating the US Privacy Shield and also expressing serious reservations on Standard Contractual Clauses and Binding Corporate Rules as alternatives to an “Adequacy” decision of the EU Commission, it would be impossible for the EU to transfer any personal data to the US on the basis of the existing mechanisms such as the Privacy Shield, the Standard Contractual Clauses or Binding Corporate Rules.

The “Explicit Consent” of the data subject is the only possible method of transfer of personal data outside the EU. We can therefore say that the EU has now slipped into a very strict data localization norm, much harsher than what PDPA 2018 contemplated.

It is therefore time for the Joint Parliamentary Committee to also introduce similar data localization measures, such that:

a) Without keeping a local copy, personal data cannot be transferred out of India

b) Explicit Consent would be mandatory even when a local copy is maintained.

c) Critical personal data will not be transferable even with explicit consent, except under derogations such as medical emergency, fraud investigations, national security or an approval of the process by the DPA.

I hope the JPC takes note of this.

JPC should also note that in the emerging EU-US tussle, US companies will impose impossible and unreasonable conditions in their contracts on the Indian data processors and a mechanism should be built into our PDPA to protect the local data processors from such unconscionable contractual clauses.


Refer Earlier Articles

EU Privacy -EDPB Clarifications


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.