The Data Security Council of India (DSCI) and the Centre for Information Policy Research (CIPL) have jointly released a report on enabling responsible cross-border data transfers between India and the U.S. with regard to India’s proposed Personal Data Protection (PDP) Bill. The report, “Enabling Accountable Data Transfers from India to the United States,” is intended to inform the Joint Parliamentary Committee’s review of the PDP Bill and Indian Government officials working on a potential future trade deal with the U.S. It also highlights the importance of accountable data processing mechanisms to govern data flows between the countries.
The report aims to:
- Outline relevant provisions of the PDP Bill in Chapter VII (Restriction on Transfer of Personal Data Outside India) and section 50 on Codes of Practice that apply to transfers of data from India to the U.S.
- Evaluate the PDP Bill’s transfer provisions in light of established mechanisms for cross-border data transfers in other global data protection regimes
- Consider available options to govern India-U.S. data flows
According to the DSCI, the report suggested two practical options to enable data flows between India and the U.S. in line with the PDP Bill. These include:
- Certifications and Codes of Practice: India can enable data flows to the U.S. by including certifications and codes of practice as data transfer mechanisms in the PDP Bill, which could become interoperable with other certification schemes and codes, including the APEC Cross-Border Privacy Rules (“CBPR”) and EU GDPR certifications and codes of conduct.
- Adequacy Finding: India could facilitate transfers to the U.S. through the PDP Bill’s existing provision authorizing adequacy findings for data transfer purposes. Tools to facilitate such a finding could include an India-U.S. trade agreement specifying a commitment to recognize or elaborate upon relevant transfer mechanisms coupled with a formally binding cooperation agreement or MOU between the Indian Development Partnership Agreement (DPA) and the U.S. Federal Trade Commission (FTC).
The report was launched after a virtual roundtable discussion between government officials of both countries, including Dr. Rajendra Kumar, Additional Secretary, Ministry of Electronics and Information Technology; Betsy Border, Counsel for International Consumer Protection, U.S. Federal Trade Commission; and James Sullivan, Deputy Assistant Secretary for Services Industry and Analysis, U.S. Department of Commerce.
Rama Vedashree, CEO, DSCI, said, “Given the importance of U.S. geography for India’s tech industry, which is estimated to touch close to $100 billion this year, DSCI and CIPL have undertaken the development of this report to propose potential mechanisms to facilitate data flows between the two countries; it also analyses potential challenges in transferring data outside of India under the context of the PDP bill 2019. We hope the report recommendations inform the privacy discourse in India, and the concerned stakeholders, especially the Joint Parliamentary Committee, in its deliberations, and also MeitY and Ministry of Commerce as they work towards growing India’s digital economy and the tech sector.”
Markus Heyder, Vice President and Senior Policy Counselor, CIPL, said, “In finalizing the PDP bill, India has a real chance to shape the data flow landscape it wants to participate in for the coming years. To ensure continued and responsible flow of data between both India and the U.S., India should seek to enable certifications and codes of practice that can be made interoperable with other global accountability and transfer schemes. India should also think about making an adequacy finding for CBPR certified entities, whether that is via an India-U.S. trade agreement or other means. By addressing these issues, the Joint Parliamentary Committee will prevent unnecessary barriers to data transfers for the Indian economy while ensuring effective data protection for its citizens.”