USIBC: Country-wise talks to pick trusted geographies slow
India could instead consider creating different parameters and rules for different countries. It could instead consider dealing with economic groupings such as the Organisation for Economic Cooperation and Development (OECD), utilize members of Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System, or another form of private sector data privacy certification that companies can join to demonstrate compliance with internationally recognized data privacy protections, he said.
“The DPDP Bill clearly shifted the debate from a very broad, regulatory heavy, and prescriptive regime to a narrow, more open, light-touch approach blending elements of GDPR, Singapore, and other markets,” Gullish said. USIBC has shared with the government its ideas to improve the bill, he said.
Also read | New Data Bill draft to allow storage in trusted nations
A lot of countries have been looking at the European model of General Data Protection Regulation (GDPR), and while there are many positives embedded within GDPR, the regulations have also hurt Europe’s innovation and competitiveness, and sometimes negatively impacted consumers, he said.
For example, many American local news, entertainment, and radio sites don’t connect to Europe because of GDPR.
Discover the stories of your interest
As a result, European companies and consumers lack access to and understanding of local information and market trends. “How can you figure out what’s trending, popular or selling in a market where you don’t have access to local information?” he questioned.
This impacts all sorts of companies including consumer products, fashion, tourism and other companies that would benefit from local information, he said.
Concerns with the bill
There are a lot of technical issues that still need to be worked out, he said.
Privacy regulation is highly technical, and the USIBC believes that an independent, technocratic regulator would be best able to develop these detailed rules, along with a clear public, multi-stakeholder approach to rulemaking.
Currently, there is a Data Protection Board that will manage grievances alongside a second yet-to-be defined regulatory body within the Government that would conduct other forms of clarification, rulemaking, FAQs, updates, etc.
“We welcome the overall approach to cross border data flows, but there are elements that could be enhanced to reduce potential regulatory burden,” he said.
First is the concept of a whitelist of countries where data storage and flows are permissible.
“India is a global market, and Indian digital companies are global, so managing the whitelist process could be quite complicated depending on how the concept is developed and implemented,” he said.
Alternatively, the Government could recognize commonplace private agreements covering data processing such as standard contractual clauses (SCC), binding corporate rules (BCR), and other grounds embedded into GDPR and widely utilised current contracts for data processing, outsourcing, and information technology (IT) enabled services (ITeS), including many Indian startups and large international Indian companies.
This approach could significantly streamline the transition to the DPDP, while minimizing costs, improving compliance, and benefiting the competitiveness of India’s IT sector, data-focused companies, and the vast Indian community of software-as-a-service (SaaS) providers, he said.
The Indian Government could also consider aligning with the recently endorsed Association of Southeast Asian Nations (ASEAN) Model Contractual Clauses for Cross Border Data Flows that guide obligations for cross-border data transfers for controllers and processors, while ensuring adequate safeguards for the transferred data are held by the recipient party.
Lack of consistency
Also, consistency with other sector laws and regulations is critical as some dozen GoI ministries, regulators, and agencies have approved and put into force laws and regulations that govern personal data, cross border transfers of data, and requirements to localize personal and business data within the borders of India.
These overlapping rules cover financial data, health data, geospatial data, scientific data, and corporate data, among others, and create a complex, overlapping, and costly array of rules – all of which undermine ease of doing business goals set by the Government and the objectives of Digital India.
“Thus, we suggest clarity around how, and in which cases, the DPDP does or does not supersede these sector specific rules,” he said.
The bill should also include a clear timeframe—perhaps two to three years—which provides time to develop technical rules and plan for and implement changes, which might require time-consuming and extensive system and process updates, he said.
Impact on data centres
Data centers are foundational infrastructure, and there is always a need for data centers locally as companies, customers and users want easy, quick, and reliable access to data. For example, Singapore with some six million people has nearly 50 data centers versus a handful in most Indian cities. “Limiting cross-border data transfers isn’t a necessary or effective approach to promote investment into Indian data centers,” Gullish told ET.
Also read | Data centre companies call for reciprocity in data flow
India is a rapidly expanding consumer market, and investment into new data centers will naturally develop as the consumer demand for digital services increases and both foreign and domestic companies seek to minimize latency and provide the best customer experience.
“To achieve this, some of the IT infrastructure will have to physically be in India. The concern that there will be no data centers in India is overblown,” he said.
Success in attracting data centers should focus on favourable policies and cost-effectiveness, he added.
Allowing a greater flow of data across borders will promote India’s continued digital transformation and accelerate, not inhibit, the development of indigenous Indian IT services capacity, he opined.
“Our members strongly support cross border data flows, but that is also consistent with attracting data center investments. Light touch regulation, ease-of-doing business, and a green data ecosystem will be more effective than mandates, limits on data flows, and other requirements,” he explained.
For all the latest Technology News Click Here