P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
Restrictions on Cross border transfer of data is one of the most controversial aspects of the data protection laws. Though the PDPB 2019 was criticized for its “Data Localization” aspects, it must be stated that PDPB 2019 was a gross dilution of the provisions of PDPB 2018 in respect of Data localization and even ignored the sectoral law of RBI. The media reports were motivated and was part of the conspiracy to dilute the restrictions.
For records, under PDPB 2019, non sensitive personal data could be freely transferred. Sensitive personal data could be transferred subject to a copy being held in India and explicit consent and Critical data alone was in the restricted category.
On the other hand GDPR imposes impossible conditions for transfer of personal data outside EU and is a draconian legislation in this respect forcing international data importers to contractually oppose the sovereign rights of their respective Governments. GDPR data transfer requirements to a non adequate country cannot be complied with except with an effective pseudonymization/de-identification plan.
However, the vested interests have painted as if PDPB 2019 was restrictive and this cannot be accepted.
As long as Data is considered an “Asset” and its value recognized, the Government has a duty to protect it’s plundering like what happened in the infamous CIBIL-TRANSUNION case.
Hence it is suggested that the New Data Protection Act of India reverts back to the PDPB 2018 version and impose the condition that
a) No Personal or Non Personal Data is transferred out of India except with the consent of the data principal or data owner and
b) A copy being held in data servers held in the geographical boundaries of India
c) Processing of Critical Data shall be undertaken and retained only within India
This does not adversely affect any ongoing data processing activity except that there could be additional storing cost.
Though this is an unpopular decision which would be opposed by Tech Companies and the US Government and was one reason for the withdrawal of the legislation and continues to be the Achilles heel for MeitY as regards Data Protection legislation, it is our sincere belief that India needs to put its foot down as a sovereign country and protect its interests.
P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.