After Mr Trump took over as President of USA, we have been anticipating some changes in the Data Protection regime specially related to HIPAA/HITECH Act and the EU-US Data transfer.
The DOGE activity will sooner or later catch up with the operations of Medicaid and Medicare programs which were the favourites during the Obama regime and this could affect some changes in the HIPAA/HITECH regulations. However, this has not happened and we are waiting for the NPRM to be finalized.
In the meantime, US and EU are under loggerheads politically and this could affect the EU-US data transfer regime which can have an impact on India also.
The trigger for this seems to have been noticed now in a decision to reconstitute the FTC’s five member bench with removal of two Democratic commissioners has left the Commission with two Republican nominees without representation from the minority parties.
The EU has been demanding in the past that US judicial system adopts itself to GDPR regulations and provide two guarantees namely
- The Law Enforcement agencies shall not have the power to seek the personal information of EU Citizens being processed in USA
- The EU Data Subjects shall have adequate judicial remedy in USA against the US based Data Controllers/Data Processors.
There was an uneasy truce on this aspect in the previous negotiations leading to the current EU-US Data Transfer Framework. This is likely to be disturbed by the recent developments particularly since the two removed commissioners are Democratic party representatives with a clout in the EU administration.
Soon this is likely to raise a demand for cancellation of the Data Transfer arrangement and consequential business disruptions.
India receives a lot of Data Processing business from EU through US Data Controllers. Now this could be affected if the EU-US data transfer agreement gets suspended or otherwise disrupted. It is interesting that at the same time, Indian DPDPA is also coming into operation. Will the Indian business take advantage of the EU-US differences and establish more direct business with the EU Data Controllers under GDPR is worth watching out.
Indian DPDPA is flexible and provides setting up of notified Data processing centers for processing EU data under a GDPR Contract by an Indian Data Processor with an exemption of DPDPA. (ITA 2000 however is not exempted). Hopefully, innovative data processors in India will take advantage of the notification of DPDPA to increase their business share with EU.
