DSCI and CIPL have released a report on Enabling Accountable Data Transfers from India to the United States with regard to India’s proposed Personal Data Protection (PDP) Bill. The report highlights the importance of ensuring the continued flow of data between India and the US and provides accountable mechanisms to govern India-US data flows.
In light of the upcoming Indian Personal Data Protection Law, the report outlines the relevant provisions of the PDP bill that apply to data transfers outside of India. It also evaluates the PDP bill’s transfer provisions in comparison with other global data protection regimes. In order to govern India-US data flows, it recommends enabling certifications and codes of practice as transfer mechanisms when the PDP bill is enacted. Such mechanisms should be designed to be interoperable with certification schemes of third-party countries [e.g. APEC Cross-border Privacy Rules (CBPR)]. Furthermore, India could facilitate India-US data transfers by recognizing the US as providing an adequate level of protection. A promising and feasible way of doing this is by recognizing a certification scheme as adequate for transfers by having regard to international agreements such as an India-US trade agreement or different forms of enforcement cooperation agreements between the US FTC and the Indian DPA.
The report was launched along the side-lines of a virtual roundtable discussion with eminent speakers such as Dr Rajendra Kumar, Additional Secretary, Ministry of Electronics and Information Technology, Betsy Border, Counsel for International Consumer Protection, US Federal Trade Commission and James Sullivan, Deputy Assistant Secretary for Services Industry and Analysis US Department of Commerce, representing the government outlook on the topic. It was followed by an industry interaction with distinguished speakers such as Krishna Thiagarajan, Global Practice Head, Data & Analytics, Tech Mahindra; Manas Fuloria, Chief Executive Officer, Nagarro; Michael Rose, Public Policy, Privacy, Google; Nathan Coffey, Senior Vice President Privacy and Regional Data Privacy Officer for EMEA & India, Teleperformance; Srinivas Poosarla, VP and Head (Global), Privacy & Data Protection, Infosys; and Sunny Athwal, Chief Privacy Officer, HCL Technologies.
Rama Vedashree, CEO, DSCI, said, “Given the importance of US geography for India’s Tech Industry, which is estimated to touch close to USD 100 billion this year, DSCI and CIPL have undertaken the development of this report to propose potential mechanisms to facilitate data flows between the two countries; it also analyses potential challenges in transferring data outside of India under the context of the PDP bill 2019. We hope the report recommendations inform the privacy discourse in India, and the concerned stakeholders, especially the Joint Parliamentary Committee, in its deliberations, and also MeitY and Ministry of Commerce as they work towards growing India’s Digital economy and the Tech Sector.”
Markus Heyder, Vice President and Senior Policy Counselor, CIPL, said “In finalizing the PDP bill, India has a real chance to shape the data flow landscape it wants to participate in for the coming years. To ensure continued and responsible flow of data between both India and the US, India should seek to enable certifications and codes of practice that can be made interoperable with other global accountability and transfer schemes. India should also think about making an adequacy finding for CBPR certified entities, whether that is via an India-US trade agreement or other means. By addressing these issues, the joint Parliamentary Committee will prevent unnecessary barriers to data transfers for the Indian economy while ensuring effective data protection for its citizens.”