Transborder data flow is the norm in today’s globalised and interconnected world and yields great social as well as economic benefits. Can the EU and India find a common language to ensure the protection of basic rights when processing personal data?
The explosive use of technology is transforming our economies and societies. The total amount of data in the world is expected to reach 175 zettabytes in 2025. Data flows and information already generate more economic value than traditional trade in global goods. The increased adoption of cloud computing and the Internet of Things has made it easier to access and process data. At the same time, it has added to the jurisdictional complexity of data governance, as transborder data flows become indispensable for international trade, competitiveness and innovation.
But the easy access and sheer volume of data have increased its vulnerability and raised concerns about data protection. Personal data may be used for unauthorised behavioural targeting, identity theft or other malicious cyber activities, such as location tracing and profiling. The long arm of law enforcement and extraterritorial reach of intelligence-related activities are also potential problems.
In response, states have introduced measures to limit transborder data transfers and support data localisation. However, these may hinder the growth of the global digital economy and prevent nations from maximising the benefits of data-driven technologies like blockchain and artificial intelligence.
Building EU-India Cooperation
One of the priorities of the Portuguese presidency of the EU is to strengthen dialogue and cooperation with India in the political, economic and commercial fields. Closer cooperation between the EU and India is mutually beneficial as both are important players in setting standards and shaping digital policy. Transborder data flows are vital for India’s exports of services and the EU is one of the key markets for India’s ICT-enabled services. A recent study found that a 1 percent drop in transborder data flows could translate into a $696.71 million hit to India’s total trade. Hence, digital trade and both the European and Indian economies would benefit from compatibility-enhancing adjustments to these two important economic regions’ data protection frameworks.
The EU’s landmark General Data Protection Regulation (GDPR) made it a global frontrunner in data protection. In an effort to be a leader in the data economy, the EU is now enhancing its capabilities to fulfil its strategic interests with regard to further facilitating international data flows. For example, the Commission is planning to create a European analytical framework for measuring data flows which will serve to better understand data patterns and centres of gravity. This will, in turn, help to drive investments aimed at overcoming possible infrastructure gaps preventing data flows.
India, on the other hand, is making headlines with its flagship biometric digital identity management system (Aadhaar), is working on a comprehensive e-commerce policy and has published a draft Personal Data Protection Bill (PDPB) with hopes of adoption in early 2021. Since the recent Supreme Court decision on Puttaswamy, which upheld privacy as a fundamental right in India, personal data protection has received a lot of attention in public debates. The long-awaited PDPB has the potential to address some concerns related to Aadhaar such as identity theft, identification without consent, correlation of identities across domains, illegal tracking and surveillance. However, while both the GDPR and the PDPB propose comprehensive data governance frameworks with extraterritorial application, there are still concerns that the draft PDPB may feature elements leaning towards protectionist and authoritarian data policies.
In contrast to the EU, India has emphasized the challenges developing countries face in regulating digital trade and data and expressed its doubts about the global “data free flow with trust” concept introduced by Japan’s Prime Minister Shinzo Abe in 2019. Consequently, India has not signed the G20 Osaka Declaration.
Understanding EU-India Data Flows
The EU has established a regime for transfer of personal data to recipients in third-party countries or to international organisations and foresees that such transfers may only be carried out in full compliance with the EU regulation. The approach to third country transfers is based on a “decision of adequacy” by the European Commission, made to ensure an adequate level of protection for the personal data. To enter such an agreement, a country’s domestic legislation as well as international commitments are assessed, and many parties, including representatives of the EU member states, must approve the adequacy decision. As India is not one of the secure countries listed by the EU, international transfers must be based on other grounds.
In the absence of an adequacy decision, transfers of personal data between India and the EU may be based on the existence of “appropriate safeguards”, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available. These safeguards can be included in an individual contract or in Standard Contractual Clauses (SCCs), which are either standard contractual clauses adopted by the Commission or adopted by a supervisory authority and approved by the Commission, or private clauses subject to authorisation by the competent supervisory authority. An example of such an agreement is the recently invalidated EU-US Privacy Shield which facilitated the transfer of personal data to the US for commercial purposes. The EU Court of Justice has also ruled that SCCs do not, per se, present lawful or unlawful grounds for data transfer, leaving it to data controllers or operators to ensure that the data subject is afforded a level of protection essentially equivalent to that guaranteed by the GDPR. Failing that, the operators must suspend the data transfer. However, the EU’s interest in building data spaces for storing and processing data from other countries and regions means it is now showing more flexibility. The recent EU Data Strategy points out that, with the aim of having an open but assertive international data approach based on its values and strategic interests, the free and safe flow of data with third countries should be ensured, subject to limited exceptions and restrictions such as public security.
In India, only sensitive data is subject to PDPB data transfer restrictions. Copies of sensitive personal data may only be transferred outside of India if the data subject provides explicit consent and the transfer is made pursuant to a contract or intra-group scheme approved by the Data Protection Authority (DPA). As in the EU, the government can designate a country or a class of entities within a country as providing adequate protection. Alternatively, the DPA can specifically authorise the transfer. There are also a number of narrow exemptions, such as for preventing, investigating or prosecuting crime; enforcing legal rights and obtaining legal advice; and journalistic purposes. Furthermore, the PDPB mandates that the data controller shall have its policies and the conduct of its processing of personal data audited annually by a third party data auditor approved by the DPA. This requirement adds a layer of complexity for organisations operating in India and external organisations with data subjects in India.
Uneasy Relationship with Data
While the GDPR and PDPB 2019 feature a significant degree of convergence in many aspects, such as the compatible use of basic terminology and basic principles for lawful processing, there are a number of differences that may pose operational challenges to transborder data flows between the two regions.
One topic of concern is the divergence in their data localisation policies. Under GDPR, localisation of data is generally not required. According to the draft PDPB, sensitive personal data has to be stored in the country but can be processed extraterritorially, subject to certain conditions. For instance, such data can be processed outside the country with the explicit consent of the individuals concerned or under contractual clauses that have been approved by the DPA. In that case, a copy of the data may be transferred outside India for processing.
However, there is also the requirement for mirroring sensitive data in India, which adds further complexity. This would require the implementation of technical standards for the “mirroring” and also include the costly setup of additional infrastructure. Furthermore, the PDPB mandates that all “critical personal data” must be stored and processed in India, except under emergency circumstances or where the government has approved the transfer, taking into account India’s security and strategic interests. However, there is no clarity on the definition of such critical data in PDPB, as what constitutes critical data shall be defined by the Central Government from time to time.
Another serious difference lies in the role of public authorities. The PDPB significantly boosts the powers of the state by giving the central government the authority to define the data protection policy, to add or remove requirements and to exercise control over the operations of the DPA. The PDPB also lists a number of reasons – such as in the interest of the sovereignty and integrity of India, the security of the state, maintaining friendly relations with foreign states and maintaining public order – which would justify the Central Government’s decision to exempt itself or any government agency from any or all provisions of the PDPB.
Looking for Solutions
The PDPB is one recent example of how the GDPR framework is being used as a model outside of the EU. Currently, no official discussions on the EU’s adequacy criteria have been initiated. At the same time, the EU-Japan agreement illustrates how certain inconsistencies, e.g. definitions, can be reconciled through negotiations and supplementary agreements.
The EU-India framework should focus on building a common baseline and furthering bilateral discussions. International organisations such as the World Trade Organisation may also offer neutral ground, adjusting the baseline of the main actors’ viewpoints. However, this may be challenging given India’s position in the G20 discussions on free data flows. In the long run, the regions could initiate talks on a separate bilateral agreement. A bilateral agreement could be based on SCCs which offer grounds for transferring personal data to and from India for commercial purposes. In that regard, the European Commission is encouraged to expand its work to bring the existing set of SCCs in line with the GDPR and to draft additional SCCs that cover new transfer scenarios.
Another option would be to move ahead with the development of certification schemes, despite these still being under discussion. The GDPR proposes that accredited certification bodies could support transfers of personal data to third-party countries or international organisations by assessing and approving organisations for compliance with data protection provisions by design and by default and certifying they have appropriate technical and organisational measures to ensure data security.
All in all, regulatory differences between countries cannot and should not be fully eradicated. While the EU will continue to promote the European model around the world and is open to working with trusted partners sharing the same standards and values, many countries may not be ready to adopt the GDPR regime just yet. Therefore, an interim solution would be the development of interoperable frameworks that facilitate mapping of requirements across borders and create mechanisms to reduce regulatory overload, developing bilateral discussions and implementing other mechanisms for cooperation such as certification.
About the Author
Anna-Maria Osula is an Advisor of Cyber Diplomacy at the Estonian Ministry of Foreign Affairs and a Senior Researcher at Tallinn University of Technology, Centre for Digital Forensics and Cyber Security.