Introduction
Data is an invaluable asset. It ranges from a country’s population statistics, the private data of an individual, to the government’s confidential information. It is immensely powerful in modern times but also the most vulnerable. Sometimes data is like a child that goes to a friend’s house and needs constant safeguarding along the way and at the friend’s place as well. The question arises whether the data is too sensitive or the neighbourhood suspicious. Data is the ‘modern-day gold’. Without efficient safeguards, it can fall prey to cyberattacks operated and driven by sophisticated AI software. Cyberattacks and the resultant crime not only extract confidential data but also pose a severe threat to the privacy of individuals or organisations. Modern-day crimes have evolved as digitalised offences impacting the digital world and violating a safe cyber space. This is where data privacy frameworks come to the rescue.
The Puttaswamy Judgement in 2017 laid down the foundation stone for privacy consciousness, expanding its scope to the digital realm as well. The digital realm however is not limited to geographical limitations but expands beyond borders where countries engage in transfer of data, known as cross-border data transfer. Cross-border transfer of data refers to the transmission of data across the territorial borders, i.e., the transfer of data from one jurisdiction to another. The Digital Personal Data Protection Act, 2023 (“DPDPA”), the data privacy legal framework of India, under its Section 16 addresses the subject of cross-border transfer of data. Its sub-section 1 provides for the transfer of data to any geographical territory except to the countries specifically notified by the central government within the ‘blacklist’ category. Blacklist countries are prohibited from the to and fro transmission of data. This section entails an open-ended approach owing to the country’s ambitious stance in fostering a balance between data privacy and economic growth as well as sector-specific flexibility under section 16(2). However, there are certain lacunas in DPDPA with respect to cross-border data transfer that need to be addressed.
Beyond Borders: The High Stakes of India’s Cross-Border Data Transfer Policies
What India is experiencing today is the digital era of “data colonialism”, i.e., “the unfettered transfer of data from India” to the West and other countries, posing severe risks not only to the privacy of the citizens but also to the security of the nation. The global nature of the internet facilitates the sharing of data across borders, stimulating the widespread increase of malicious AI-generated content, particularly deepfakes, thereby infringing the personal security and dignity of individuals.
Section 16(1) of DPDPA provides for blacklisting the countries that pose a threat to the national security or privacy of the individuals. The rationale behind this is that techno-defence entities, private enterprises and social media platforms positioned in different countries are capable of causing data breaches. Data privacy shall not be a mere weapon to threaten countries by targeting their intelligence and cyber-surveillance system. At the same time, it must be ensured that data privacy does not turn into a diplomacy stunt. For instance, revisiting the events of June 2020, where The New York Times chronicled how India suddenly banned the Chinese apps citing threat to national security and sovereignty, raises suspicion that the sudden realisation emerged during the recent border skirmishes. It is hard to believe that only Chinese apps posed such problems, hinting at expedience. Hence, there must exist a bias-free and non-partial mechanism that prioritises data privacy and security and provides for a free flow of data that is protected by adequate legislation and frameworks.
Moreover, the pivotal role played by India in the global market makes it imperative for the government to strike the correct chord in order to balance the cross-border data transfer and India’s economic aspirations. With India having a potential of becoming a trillion-dollar digital economy by 2025, it is important to prevent data breaches, for a statistical report by the Reserve Bank of India claims that data breaches on an average cost the Indian Economy around 2.18 million dollars in the year 2023-24. Amidst speculations that India is set to achieve the 5 trillion dollar mark by 2025, there is a crucial need to foster international trade and economy, necessitating flexibility for the ease of business entities. An analysis by the Indian Council for Research on International Economic Relations (ICRIER) revealed that “a mere 1% decrease in cross-border data flows can potentially result in a loss of 696.71 million US dollars in trade for India. Therefore, stringent restrictions on data flows can also severely impact India’s trade prospects.” Thus, the open-ended approach of DPDPA with regard to cross-border data transfer can be attributed to India’s economic need and strategy.
Guarding the Data Bubble: A Call for Enhanced Cross-Border Protocols
The new tech phrase ‘Data Sovereignty’ is associated with creating guardrails over the domestic data that is subject to laws of the country where it is generated, while preventing its sanctity and privacy from being endangered by foreign countries and organisations. Protecting and policing the country online is as crucial as doing so offline. This involves ensuring safety throughout cross-border data transfers. However, Section 16 of the Act itself fails to specify a proper mechanism or procedure to protect data privacy, a gap further aggravated by the persistent delay in implementation of the Act despite numerous claims by the government that it would notify the rules.
A significant loophole that needs to be addressed is how it shall be ensured that the data transferred to a notified whitelist country is not subsequently transferred to a blacklist country, thus preventing scope of deepfakes, data thefts or scams using personal data. The absence of particular restrictions, criteria or parameters in place to categorise countries as whitelist or blacklist jeopardises the safety of data. This might result in data landing in a dangerous territory. The security of data from thereon will be a lost cause. Such checks are required to keep the processed data safe and it is apposite to see how the government will work out this issue.
Furthermore, the head of Public Policy at Nasscom, Ashish Agarwal remarks, “roughly some 200 countries have to be evaluated based on a criteria, which can be long winded, how can one do that assessment” indicating how vexatious the process of whitelisting can be. A much more convenient modus operandi would be to ‘blacklist’ countries on a case-by-case basis. What is pertinent to observe is that the list needs to be updated periodically. In addition to this, Rajeev Chandrasekhar, Minister of State (MoS) – Electronics and Information Technology, had stated that the central government is working on a ‘negative list’ or a list of disapproved countries which will be notified soon. As a result of the notified negative list, data flow across borders will be permissible ‘by default’ unless the country comes within a negative list. The aforementioned statement came in March 2023 following which no list has come into picture, highlighting the lack of due attention and accountability on part of the concerned authorities.
Additionally, DPDPA, in its current form, does not specify the criteria for determining the permissibility of data transfer and the procedure of how countries will be blacklisted. This requires additional frameworks in association with the existing legislation. For instance, the General Data Protection Regulation (“GDPR”) of the European Union follows three distinct mechanisms for the facilitation of data transfer outside the EU. It sets out mechanisms for evaluating the permissibility of data flow across borders. Articles 45, 46 and 47 of GDPR deal with the aforementioned mechanisms, which are, “Adequacy Decisions (pre-approved countries), Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BCRs)”. Under DPDPA, there is no specifically mentioned obligation on the central government to provide parameters of adequacy or other such mechanisms with respect to SCCs and BCRs by which data transfers may be permitted or regulated. Therefore, additional compliance requirements, mutual agreements and conditions, as well as contractual clauses must be formulated to protect the precious data bubble.
Moreover, a critical view shall reveal that the authority to blacklist a country rests on the whim of the union government, i.e., giving the central government a free hand in handling such matters, and there exists a significant possibility that they might be biased towards their political agendas. Further, DPDPA under its Section 16(2) allows for the precedence of sector-specific rules. This means sectors providing a higher degree of protection and restriction on data transfer will get precedence over DPDPA. Therefore, it becomes imperative to acknowledge that all data cannot be kept secret for the sake of privacy given the requirements of a specific sector. Nevertheless, the Act’s enforcement and its subsequent outcomes remain a lingering question which might result in the Act losing its effectiveness.
Hence, an efficient and robust legal framework to facilitate cross-border data transfer has become a necessity that needs to be taken under consideration by the legislature. Data, ‘the new oil’, must be guarded without compromising the economic advancement because the persistent delay in the implementation of the Act and several loopholes in its cross-border data transfer mechanism raise concerns of leaving ‘this new oil’ susceptible to threats and breaches.
Conclusion: The Way Forward
The risks posed to cross-border data transfer resonate with viral diseases that cause epidemics among countries; it is up to governments to create a digital vaccine. The existing framework addressing cross-border data transfer should be revisited in order to eradicate the gray areas, like the mere likelihood of the notification of a ‘negative list’, the absence of due parameters, flaws in the process of facilitating transmission of data beyond borders, and many more. There is a need to protect data and to frame definite mechanisms with additional requirements to prevent data breaches owing to gaps in the current framework, thus safeguarding the national security and the fundamental right to privacy of individuals.
Hence, the tech regime in India requires some potential steps to safeguard digital data and its undisturbed right to flow without any malicious or illicit activities since “privacy is not an option, and it shouldn’t be the price we accept for just getting on the internet”. The question lingers, is data safe during and post its transmission under the current framework? Hopefully, the government has the answer. Therefore, legislations shall aim at regulating the data in its transmission across borders, while criminalising the intent and act of deceiving or harming people through cybercrimes or any other malicious manner, protecting their right to informational privacy.
This blog is written by Mahek Sangwan and Sayed Kirdar Husain, Student – Rajiv Gandhi National University of Law, Punjab