Report calls for enabling responsible transfer of data from India to US

A report by Data Security Council of India (DSCI) and Centre for Information Policy Research has suggested measures for enabling accountable data transfers from India to the US in light of proposed Personal Data Protection Bill.

The report has also urged joint parliamentary committee, the government and other stakeholders to act to prevent "unnecessary barriers to data transfers that can hurt the Indian economy and digital transformation".

The report suggested India should enable certifications and codes of practice as transfer mechanisms when the proposed Personal Data Protection Bill (PDPB) is enforced. These be designed with interoperability in mind to ensure continued and responsible flow of data from India to the US, it recommended.

 

The proposed PDPB spells out a framework for handling personal data including its processing by public and private entities and will impact handling of Indian citizens' data by Indian and international companies.

It contains broad guidelines on collection, storage and processing of personal data, consent of individuals, penalties and compensation, code of conduct and an enforcement model.

The PDPB has been referred to a joint select committee of both Houses of Parliament.

The DSCI-CIPL report highlighted the importance of ensuring continued flow of data between the US and India and outlined the relevant provisions of the PDPB that apply to data transfers outside of India. It evaluated the PDPB's transfer provisions in comparison with other global data protection regimes, and provided mechanisms to govern India-US data flows.

"Given that the PDPB is still under consideration, India has a real opportunity to shape the data flows landscape it wants to participate in for many years ahead...To ensure the continued and responsible flow of data from India to the US, India should enable certifications and codes of practice as transfer mechanisms within the PDPB and ensure that they are designed with interoperability in mind," it said.

The report also suggested that India should facilitate India-US data transfers by recognising the US as providing an adequate level of protection.

"A promising and feasible way of doing this is by recognising the APEC CBPR (Asia-Pacific Economic Cooperation Cross-Border Privacy Rules) as adequate for transfers by having regard to international agreements such as an India-US trade agreement or different forms of enforcement cooperation agreements between the US FTC and the Indian DPA (Data Protection Authority)," it said.

The report noted that the Joint Parliamentary Committee, the Indian government and other key stakeholders in India's privacy debate act to prevent "unnecessary barriers to data transfers that can hurt the Indian economy and digital transformation".

"Hundreds of billions of dollars in digital trade growth could depend on the difference between immediate action and delay, and immediate action as described herein would only improve, not undermine, effective data protection for Indians," it added.

Rama Vedashree, CEO of DSCI, said given the importance of US geography for India's tech industry - which is estimated to touch close to USD 100 billion this year - DSCI and CIPL have proposed potential mechanisms to facilitate data flows between the two countries.

"We hope the report recommendations inform the privacy discourse in India, and the concerned stakeholders, especially the Joint Parliamentary Committee, in its deliberations, and also MeitY and Ministry of Commerce as they work towards growing India's Digital economy and the Tech Sector," she added.