scorecardresearch
Monday, May 29, 2023
Advertisement
Premium

Data Protection Bill: Govt plans to ease norms for cross-border flow of data

The current provision on cross-border data flows, as prescribed under Clause 17 of the draft data protection Bill, states that the Centre will notify countries or territories where personal data of Indian citizens can be transferred.

The proposal: Allow transfer to all except countries named on blacklist.The proposal: Allow transfer to all except countries named on blacklist.
Listen to this article
Data Protection Bill: Govt plans to ease norms for cross-border flow of data
x
00:00
1x 1.5x 1.8x

IN a move that could further liberalise conditions for data transfer, the proposed new law could allow global data flows by default to all jurisdictions other than a specified negative list of countries where such transfers would be restricted, The Indian Express has learnt.

Moreover, a provision on “deemed consent” in the draft Digital Personal Data Protection Bill, 2022, could also be reworded to make it stricter for private entities while allowing government departments to assume consent while processing personal data on grounds of national security and public interest. The Bill could also incorporate a provision to ensure it does not come in conflict with pre-existing regulations issued by other Departments or Ministries.

These are among the key changes the government is considering to the proposed data protection Bill after feedback received from a range of stakeholders. The Bill is a key pillar of an overarching framework of technology regulations the Centre is building which also includes the Digital India Bill — the proposed successor to the Information Technology Act, 2000; Indian Telecommunication Bill, 2022; and a policy for non-personal data governance.

The current provision on cross-border data flows, as prescribed under Clause 17 of the draft data protection Bill, states that the Centre will notify countries or territories where personal data of Indian citizens can be transferred.

Sources said this is likely to be amended with the Bill allowing cross-border data flows to all geographies with an official blacklist — of countries where transfers would be restricted.

This change is seen as a move to ensure business continuity for enterprises and to place India as a crucial part of the global data transfer network – an important element of trade negotiations the country is currently exploring with key regions such as the European Union.

Explained

Consent: Higher bar for private

Private entities, officials said, may be excluded from ‘deemed consent’ provisions which allow for personal data processing for certain purposes without requiring fresh consent. Govt will still be allowed such processing.

“Instead of a white-list approach, the government is looking to follow an allowed-by-default model,” a senior official said. “So, if the government does not want data to be transferred to a particular region, it will mention that region in its blacklist.”

Advertisement

One concern, sources said, has been unchecked data transfers to China. In the last three years, the government had taken action against a number of platforms developed by China-based companies including ByteDance’s TikTok and Tencent’s PUBG. In the digital information sector, apps and websites believed to transfer data to China have been blocked and in other sectors, scrutiny has stepped up, especially over funds coming into India from Chinese entities.

For instance, in April 2020, the Department for Promotion of Industry and Internal Trade (DPIIT), by way of press note 3 of 2020, announced a critical change to the Consolidated Foreign Direct Investment Policy (FDI Policy). This called for prior approval of the government for FDI by any entity based in any country sharing a border with India. Earlier, FDI from entities based in Pakistan or Bangladesh were subject to government approval. This change was driven by an intent to stem any attempts by Chinese firms to take control of Indian firms which at the time were affected by Covid- related lockdowns.

Another key change that is expected in the final version of the Bill is to tighten the much-criticised provision of ‘deemed consent’ for how private entities can process personal data. “There were concerns over the misuse of this provision by private entities, so the government is considering changing the provision to exclude private entities,” the official said. However, government entities are expected to be allowed to process assuming deemed consent, as has been prescribed in the draft Bill.

Advertisement

Under Clause 8 of the original draft, a user is said to have given consent to the processing of her personal data if the same is considered necessary. What the provision essentially means is that if a user has voluntarily shared her data with an entity for a certain purpose, that entity can assume her consent for other adjacent purposes and does not have to seek fresh consent for it.

Also Read
Droupadi Murmu
New Parliament inauguration, PM Modi speech
chhattisgarh
india new parliament, facts about indias new parliament, india new parliament complex points, key highlights of new parliament india, unknown facts about india new parliament building, parliament building narendra modi, indian express, indian express parliament special

If other sectoral laws prescribe a higher standard of data protection on account of national security or other factors, then the data protection Bill will not supersede them, the official added. “So, if there are sectoral regulations related to, for instance, health where such data is subject to a certain degree of privacy, that regulation will prevail over the data protection Bill,” the official said.

First published on: 08-03-2023 at 04:00 IST
Latest Comment
Post Comment
Read Comments
Advertisement
Advertisement
Advertisement
Advertisement
close