Personal data protection Bill may lead to UK, EU data adequacy deals

Under the new draft DPRP bill put out for public consultation, the government has proposed free cross-border flow of data with "friendly" nations, significantly easing its earlier stance

India may find it easier to derive data secure status by negotiating data adequacy agreements with the UK and the European Union (EU) once the digital personal data protection (DPDP) Bill is passed in Parliament.

Under the new draft DPDP Bill put out on Friday for public consultation, the government has proposed free cross-border flow of data with ‘friendly’ nations, significantly easing its earlier stance on data localisation.

India being the largest hub of data outsourcing business, owing to growth of the information technology (IT) and business process outsourcing sectors, handles big amounts of sensitive and personal information of people around the world. Even without data adequacy agreements, Indian companies process a lot of sensitive data from the EU and the UK by including standard contractual clauses in their agreements between the two parties in line with the General Data Protection Regulation (GDPR) requirement, data secure status is expected to bring in more business for Indian IT and IT-enabled services companies.

Data secure status was a key demand of India when it was negotiating the India-EU trade deal before it fell through in 2013. However, the EU had refused to give the status to India pointing out no data protection law in India, which was one of the key reasons why the trade deal could not be sealed. Both sides have resumed negotiations for a trade deal after almost a gap of nine years.

Pralok Gupta, associate professor at the Centre for WTO Studies of the Indian Institute of Foreign Trade, said although the draft DPDP Bill is a step forward in terms of easing cross-border data flow requirements, the exact contours of data transfer will depend upon the requirements to be mentioned in the government notification allowing data transfer to specific countries.

“In the context of current free trade agreement (FTA) negotiations, if India’s FTA partners are notified as countries to which the transfer of personal data can happen from India, it will help these negotiations as cross-border data flow is a major demand by many FTA partners in these negotiations,” he added.

In a recent survey of stakeholders by the UK’s Department for International Trade, respondents raised concern about the barriers to trade brought about by data localisation requirements in India, and the differing standards with regards to data protection and data security.

The European Parliament in a recent report on EU-India future trade and investment cooperation asked both parties to consider providing “interoperable data flows” between the jurisdictions in total compliance with the GDPR on the basis of an assessment. It also invited India to align its Data Protection Bill with the highest internationally recognised standards on data protection and privacy rules.

An industry expert said the negotiations with the UK and the EU for data adequacy agreements have to be done outside FTA deals, although they will be important elements in the digital trade chapters of the trade deals.

“A data adequacy agreement with the UK will pave the way for a similar deal with the EU as the UK’s GDPR is closely aligned with that of the EU’s. The differences between India’s DPDP and the EU’s GDPR could be bridged later while notifying the rules,” the official added.

Rupa Chanda, an expert in services trade, said a data adequacy deal with the EU will be much more difficult to negotiate than the UK as they would seek the Indian law to be fully aligned with GDPR.

“Since the financial data is a big chunk of the outsourcing business, the data localisation norms by the Reserve Bank of India may also be problematic while negotiating these agreements, even under a liberalised cross-border data flow regime,” added Chanda.