The provision in DPDPB 2022 regarding restrictions on Data Transfer outside India has evoked interesting reactions.
While some are rejoicing that Data Localization has been given the go-by, others are stating that this is unacceptable to many countries, such as the EU countries, which may not consider the provisions of DPDPB 2022 as “Adequate” by their standards.
The entire discussion on Data Localization has been dismissed with a short section, which states as follows:
17. Transfer of personal data outside India
The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
To be fair, the last word on how this provision will roll out after the rules are framed is not known. Given the general approach of India taking an independent stand on many international decisions, I would be surprised if India surrenders to the EU in terms of accepting their conditions for transfer into India while forgoing the export of data from India to other countries.
At present, India is predominantly a Data Importing country and hence it may not matter much if other countries are not ready to take Indian data for processing in their countries.
The Bill, however, has correctly recognized that Data Imported to India is data of foreign data principals and that most of it comes through a contractual processing channel where the Indian company will be only a “Data Processor” and there will be a Data Controller abroad. A few Indian MNCs that have data of foreign data principals processed in India may be an exception to this rule.
The Bill however provides an exception to Indian Data Processors through Section 18 (1)(d) similar to the erstwhile Section 37 of PDPB 2019.
There is a view that this may not be acceptable to EU due to the Schrems Judgement which insisted that the importing country should provide an opportunity to the EU data subjects to exercise their rights against the Indian Data Processor leaving the EU based Data Controller. This judgement also frowned on the law enforcement agencies of the data importing country and its Government having access to the data even in times of exigencies.
The demands of the Schrems Judgement, which later became part of the Standard Contractual Clauses, are basically ultra vires the laws of the data importing country. Presently the SCC leaves it to the Data Controller to evaluate the laws of the destination country and take necessary steps to comply with the Schrems Judgement expectations.
Even if Indian companies would like to sign on the dotted line for their business, it is unlikely that the Indian law enforcement agencies would accept a situation where their demand for access to data is sought to be stone-walled by the Data Importer because of his contract with the Data Exporter.
However, there is a possibility that through this section, India may provide an innovative option to the Data Exporting countries to be able to remain in compliance with Schrems Judgement and also with the Indian law by drafting suitable conditions for mutual personal data transfer.
With such an instrument, India may be able to convince a group of countries in South East Asia and perhaps countries outside EU control to form a “Data Union” of countries who will accept Indian leadership.
As a result, this Section holds a key for working towards a global leadership of like-minded countries where the regulations will be similar to what India proposes.
Instead of toeing the line of the EU and surrendering its sovereignty, India may therefore opt to use this as an opportunity to get the globe to turn to the Indian solution, the same way the US attempts at getting India not to import oil from Russia were effectively avoided by India.