Personal data protection bill allows data flow from India to Singapore
IIndia has waited many years for its general data protection legislation. This key legislation will regulate the data of more than 1.4 billion people, impact businesses ranging from convenience stores to conglomerates, and create what could be India’s most powerful regulator. International data flows, including in the prolific India-Singapore economic corridor, will need to comply.
The report of Judge Srikrishna’s Committee, prepared after extensive consultation, was an important step in the right direction in the development of such legislation. The data protection bill proposed by the commission, a little worse for usury, was finally presented to the Lok Sabha in December 2019 as the personal data protection bill, 2019 (draft law 2019). This was referred to a Joint Parliamentary Committee (JPC) for consideration. The JPC, during its two-year tenure, has been extremely large and active, conducting over 78 sessions.
As its tenure coincided with several high-profile data breaches and major geopolitical developments in the data privacy space, the JPC had the unique opportunity to balance the interests of various stakeholders.
The eagerly awaited committee report was tabled in Parliament on December 16, 2021. It proposed nearly 90 draftings and 90 substantive changes to the 2019 bill and proposed the 2021 data protection bill (2021 law).
The committee expanded the 2019 bill to cover non-personal data, which it defines as all data other than personal data. The obligation to report any “accidental disclosure, acquisition or loss of access” to all of this data is clearly very onerous. In addition, regulating personal and non-personal data, which are fundamentally different in nature, through the same legislation will likely prove difficult.
Bill 2021 also proposes to prohibit entities from sharing or transferring personal data in the course of commercial transactions, except where permitted. This can be problematic if interpreted as requiring key data controllers to grant new consents to each entity receiving data, even where broader consents exist.
The JPC recommended that all data protection officers be key executives, which can reduce an already scarce labor pool, and that social media platforms be treated like publishers and be held accountable. have local operations, which could make their exploitation all the more difficult.
The JPC also recommended broadening the definition of harm to include “psychological manipulation which undermines the autonomy of the individual”. This can result in several types of targeted advertising falling into this category and may narrow it down.
Data trustees can no longer deny data portability, even if it reveals trade secrets, and should allow it where possible. Data trustees will also be required to demonstrate the fairness of the algorithms or processing methods. This raises the specter of algorithmic disclosure.
The changes to Bill 2021, which propose strict conditions for cross-border transfers of sensitive personal data, are of paramount importance for international trade. This will include all financial, health and biometric data, official identifiers, religious or political beliefs or affiliations. Transfers of sensitive data are not permitted if they violate public or state policy. This requirement can create a need for case-by-case approval from the Data Protection Authority (DPA) and can cause delays and significant disruption to business. Restricting the sharing of transferred data with foreign governments or agencies may result in difficult locating of all sensitive personal data.
Fortunately, the 2021 bill continues to provide for a “green channel” allowing transfers when the central government, after consulting the DPA, has authorized transfers to a particular country on the basis that the data will be subject to adequate protection. But now it also includes the express requirement that sensitive data cannot be shared with any government or foreign agency unless approved by the central government.
The JPC recommended a phased implementation of the 2021 bill, suggesting a maximum timeframe of 24 months to implement all of the bill’s provisions. Establishing a data equivalency and sharing agreement between India and Singapore, allowing the free and fair flow of data on a predictable and reasonable basis will be an important goal if Bill 2021 is enacted under its law. current form.
Arun S Prabhu is a partner and responsible for TMT at Cyril Amarchand Mangaldas. Senior Partner Anirban Mohapatra, Senior Consultant Molshree Shrivastava and Partner Arpita Sengupta also contributed to this article
Cyril Amarchand Mangaldas
Peninsula Rooms, Peninsula Business Park
Bombay 400 013, India
Phone. : +91 22 2496 4455
Email: [email protected]