India’s Take on Cross-Border Data Transfer

India may soon notify a list of countries to which cross-border transfer of data would be barred. However, this also means that data flow would be unrestricted across all countries by default, unless it happens to be on this “negative list”, says the Minister of State for Electronics and IT, Rajeev Chandrasekhar. 

In an article published in the ET, the minister was quoted as saying that the federal government would retain the right to restrict some countries based on some criteria and those on this list would not be allowed to partake in cross border user data storage from the country. This is part of changes being brought in the draft Digital Personal Data Protection Bill, 2022. 

From a Whitelist to a Blacklist 

Earlier, the government had considered listing out trusted countries in the draft legislation whereby those desirous of using cross-border data transfer could explore options in this whitelist. However, now the logic has been turned on its head as the government is keen to set up a default mode for cross border data flow, barring the proposed blacklist of nations. 

This shift in stance appears to have been prompted by a section of the government’s view that argues in favor of free trade and commerce to attract foreign direct investments. “If companies want to explore cheaper data storage options, let them do so without the need for approvals and towards this a restricted list is a better approach,” says a senior official we spoke to. 

Much easier dealing with a smaller list

Industry experts also appeared to like this change in stance. Having a whitelist and then going through more than 200 plus names on it before getting started on actual comparison of schemes and costs isn’t exactly a smart way to do things, says the IT head of a retail chain based in Mumbai. 

So long as there are no possible disruptions to existing contracts, we believe the idea of having a single, perhaps smaller list of countries that cannot be considered for cross border data transfer and storage is a better idea, says the CTO of a Bangalore-based start-up that deals with huge amounts of user data for analytics and business growth. 

According to the existing draft of the law, clause 17 relates to personal data transfer outside India and reads, “The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified”.

A need to foolproof and future-proof

Of course, this means any effort by the government needs to be fool-proofed and future-proofed in a manner that assessments are done on multiple parameters and these are then refreshed and renewed periodically. In fact, the recent Sebi consultation paper on ESG rating could be a case in point on how a one-time assessment could cause future challenges. 

While the government’s point of view is that the focus should be on “ease of doing business”, it also believes that some time in the future, there could be business consultants offering advice on countries in the blacklist or even sharing their expertise with prospective customers who are on the cusp of initiating cross-border data transfer. 

Maybe, this calls for a more detailed exploration that goes beyond geopolitical considerations. The logic being that the so-called friendly countries might witness data privacy issues, which are either based on political considerations or economic ones. “In spite of our best efforts, governments cannot really clamp down on enterprises that use unethical practices,” says a senior official in the IT Ministry.