The ongoing discussion on LinkedIn has brought up a query which I thought could be answered in greater detail here.
Query:
“I would really love to hear your thoughts on why India is adopting the path of “data should not be transferred to certain countries”, which is a completely different approach from GDPR, wherein they have taken a positive approach of transferring data to the listed countries that have adequate safeguards. Do you think this is the right approach?”
The provision under Section 16 of DPDPA 2023 states that
“the Government may by notification restrict the transfer of data by a Data Fiduciary for processing to such country or territory outside India as may be so notified”.
It goes on to further state
“Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.”
Under the draft rules proposed, it is stated that “transfer of personal data within India or outside shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.”
The minister has stated publicly that MeitY will form a committee which will, from time to time, review the requirements and suggest what restrictions should be applied and in what context.
The provisions, read together, are flexible and will cover the provisions of the EU GDPR under Article 45 as well as Articles 46, 47, 48 and 49.
The Committee can take a decision like “Biometric data will not be transferred to any country including USA or EU Countries” and ignore the claim that the country in question has a stringent data protection law. On the other hand, the Committee may allow transfer of data for a social media company handling non-sensitive information to most countries. The Committee can also decide that a particular Data Fiduciary is in the defence sector and that it shall not transfer data anywhere, even within the country, and that the data centres of the company shall reside on premises.
Thus we have taken a fair and flexible approach. The EU approach cannot be called “Positive” just because it gives 11 countries, out of 193 plus UN members, the status of adequacy and considers the other 182 countries as “Prohibited countries”. Even GDPR adequacy comes with restricted sectoral permissions within the adequacy countries. The EU thinks that it has the right to decide what are “Adequate Security Safeguards” and suggests that other countries should follow its norms. India thinks that it is a sovereign country and we decide which processing outside the company is safe and should be allowed and which should be prohibited.
From the practical perspective, instead of hardcoding a list of countries, the committee reserves the right to make decisions from time to time.
Let us hope that the Committee will do its duty properly; if so, it would be a better proposition than what GDPR proposes. It also gives us an opportunity to create our own “Data union/Trusted Countries for data transfer” as Naavi had proposed to MeitY during the JPC discussions on PDPB.
Naavi