In his continued interaction with the US business, Mr Narendra Modi, PM of India met about 40 US global CEOs in which a discussion has emerged about the new Data Protection law that India is contemplating.
The US businessmen have raised the issue of “Data Localization” which has been one of the contentious issues. Mr Modi appears to have provided a diplomatic answer that Data belongs to the Data Subjects and law will balance the interests of the individual and that of the business trying to commercialize the personal data.
Indian law provides ample provisions to enable cross border transfer of data. When the information is not sensitive or critical, it can be transferred though a working copy has to be maintained in India. In the case of sensitive personal information, other than those declared as “Critical” can be transferred subject to Standard Contractual Clauses, Explicit Consent, Adequacy of laws, Intra Group schemes approved by DPA, besides health emergencies etc.
The Cross border transfer rules of India are not much different from GDPR but is stated differently. While the GDPR says, data can be transferred subject to ……, Indian law says that data cannot be transferred unless……..
The issue behind this controversy is “Data Sovereignty” and there is need for US business to understand that Mr Modi stands as much for India as Mr Trump stands for US when it comes to the sovereign rights of the country.
In the process of the discussions, a point that has cropped up is the distinction between “Personal Data” and “Business Data”. Naavi has in the past highlighted the issue of how GDPR enthusiasts often consider Business E Mail as personal data and try to mount penal charges on the users of business e-mail for digital marketing purposes. The discussions in the US was perhaps centered around the “Transaction Data” related to an individual regarding the e-commerce transaction which the US business wants to exploit for commercial gains. Whether this is to be treated as “Business Data” or “Evolved Personal Data” in which the business has an intellectual property right and whether an individual can provide consent for the use and transfer of such data for a consideration are matters of further debate.
It must be noted that the Big Data industry which deals with “Anonymized” data has no problems with the Indian PDPA since such data is out of regulatory ambit. It is only in case of identifiable data of business transactions of an individual that needs to be recognized as a “Disputed Data Territory”.
A proper legal clarification on such data is perhaps possible to be issued when the next set of regulations on “Data Governance Framework” is considered in India. US business may therefore wait for this legislation to take shape before raising their voice which was so meek when it came to opposing the provisions of EU-GDPR but have become vocal while opposing Indian-PDPA.
Naavi has held that there is solution for this issue also which is feasible as a commercial business proposition both under the current ITA 2000/8 and the forthcoming PDPA. The problem is that the so called “innovative” start up entrepreneurs are too busy replicating business already ideas already in the market rather than investing in new ideas. We therefore have to wait a while until the start up entrepreneurs and the VCs mature in their thinking and be prepared to develop a business which has no precedence.