Economic Times carries an interesting article on the “Shape of Things to Come” as the MeitY continues to work on the modified PDPB 2019, stating that “Reworked Personal Data Bill may relax rules on data localization”
The article quotes the MoS, IT, Mr Rajeev Chandrashekar as saying:
“Cross-border flow of data will, … be permitted as long as the government is able to access the data legally and such data of citizens is safe even if it is stored in cloud architecture”
The interpretation of ET is that the Government may change the provision regarding the “Critical Information” being necessarily stored in India.
The PDPB 2019 had already diluted the PDPB 2018 provision of cross border data transfer and removed the need for keeping even a copy of the personal data transferred out of India as long as it is not “Sensitive”. Sensitive personal data was also freely transferable subject to a copy being retained in India and necessary consent from the data principal. No data has so far been declared as “Critical Data”.
Hence there is nothing to dilute the PDPB 2019 version in this regard as it is already diluted to the core.
As against this, GDPR has been strengthening its Data Localization policy and recently even the US bent down to EU and agreed to change its Judicial System to accommodate the interest of EU GDPR. It has agreed to set up a Judicial authority that can be approached by the EU Citizens whose data is processed in USA. It can be expected that this special court will even recognize the supremacy of the EU jurisdiction over such data processed in USA.
Rajeev Chandrashekar has at present not made a statement that indicates such abject surrender of the country’s interest to foreign powers and allows a “Data Colonisation” by EU through GDPR.
If we restrict our interpretation to the words that have been quoted, it only means that the Cloud Operators need to satisfy that Indian Law Enforcement will not be denied access to data when required on the pretext that they are not subject to Indian Privacy laws. This point is also coming up directly for discussion in the Supreme Court in the WhatsApp Privacy Policy case and Government cannot take different stands in the draft law and the Court.
EDPB wants Indian Data importers to commit through their contractual agreement that they will not let Indian law enforcement enforce their rights, whether they are the Police or ED or CBI. Most Indian Companies have been quietly signing off contracts with their business vendors to ensure that their businesses are preserved.
In other words, most of the Indian companies are being forced to be more loyal to EU than India. Neither Press nor the Government is aware of this development.
I challenge the MeitY to conduct a survey of data processing contracts entered into by the Indian data processors in the last 3 months and check if they have agreed to revise their SLAs to meet the EDPB guidelines. This will reveal how Indian Companies are quietly ceding data territory to foreign powers for the business they are signing. Most companies are also signing off on indemnities for data breach liabilities far in excess of their own financial capabilities, pushing India to “Potential Insolvency”.
If hackers target foreign companies having data processing contracts with India and huge data breaches happen, it would be many Indian companies who will have to foot the bill.
Have information security auditors factored in this incidence of “Foreign Data breach Risk” on Indian Companies?
In my opinion these are questions which everybody is afraid to ask.
We therefore conclude that:
“Given the security situation in the Country, there is no way India can give into the desires of the EU GDPR to convert India into a Data Colony of EU. This is a national security issue and MeitY has to work within this framework of National Security”.
In the last two months, we have written the following 23 articles indicating what should be the “Shape of Things to Come”.
In these articles we have tried to comment on what “right” has to be protected, how we should define “data”, how we should classify “critical personal data”, and how we should approach the “Data Localization” issue.
One of the suggestions made is that Data Protection by law should protect the Right to Security of a citizen of India, retain the need for consent and maintenance of copy of all personal data, processing and storing of Critical Personal data only in India etc.
We have also suggested defining Critical Personal Data as:
Critical Personal Data means such personal data, deprivation, incapacitation or destruction of which would cause significant harm to an individual and includes biometric data or genetic data or unique official identifiers and personal data under the control of such entities or computer resources whose activities if incapacitated or impaired may have debilitating impact on national security, economy, public health or safety.
I wish MeitY would take into account the views expressed in the series of articles presented at Naavi.org before finalizing its recommendations.
We are waiting for the draft to be released by the Government to make a section by section comment and take on record the areas where there could be need for changes.
Naavi