The Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Data Security Council of India (“DSCI”) have published a report on Enabling Accountable Data Transfers from India to the United States under India’s Proposed Personal Data Protection Bill (the “Report”).
CIPL and DSCI put forward this joint Report to highlight the importance of continued flows of data between India and the U.S. following the expected passage of new comprehensive data protection legislation in India. The Report is intended to inform the Joint Parliamentary Committee’s review of the proposed Personal Data Protection Bill (No. 373 of 2019) (the “PDPB”), as well as Indian Government officials working on a potential future trade deal with the U.S.
Specifically, the Report:
- Outlines relevant provisions of the PDPB that apply to transfers of data outside of India;
- Evaluates the PDPB’s transfer provisions in light of established cross-border transfer mechanisms in other global data protection regimes and suggests clarifications;
- Sets forth available options for governing India-U.S. data flows.
The Report explores two viable options to enable India-U.S. data flows in line with the PDPB:
- Certifications and Codes of Practice: India can enable data flows to the U.S. by including certifications and codes of practice as data transfer mechanisms in the PDPB, which could become interoperable with other certification schemes and codes, including the APEC Cross-Border Privacy Rules (“CBPR”) and EU GDPR certifications and codes of conduct. Appropriate enforcement of such mechanisms could be facilitated via an enforcement cooperation arrangement between the Indian DPA and the U.S. Federal Trade Commission (“FTC”), along the lines of a bilateral enforcement cooperation agreement under the U.S. SAFE WEB Act of 2006 or through a Memorandum of Understanding.
- Adequacy Finding: India could facilitate transfers to the U.S. through the PDPB’s existing provision authorizing adequacy findings for data transfer purposes. Tools to facilitate such a finding could include an India-U.S. trade agreement specifying a commitment to recognize or elaborate upon relevant transfer mechanisms (e.g., the APEC CBPR or future Indian certifications or codes of practice) coupled with a formally binding cooperation agreement or MOU between the Indian DPA and the FTC.
The Report argues that given the PDPB is still under consideration, India has a real opportunity to shape the data flows landscape it wants to participate in for many years ahead. The Report further argues it is imperative that the Joint Parliamentary Committee, the Indian government and other key stakeholders in India’s privacy debate act to prevent unnecessary barriers to data transfers that can hurt the Indian economy and its digital transformation. The options to facilitate transfers outlined in the Report seek to preserve the unquestionable value of data to India’s modern digital economy and society as well as provide effective data protection for Indians as it updates its privacy regime.