While data protection laws are, for the most part, domestically focussed, when personal data has to move across border they need to work well with each other. But before that can happen, countries need to agree on the principles of interoperability.

This is a link-enhanced version of an article that first appeared in the Mint. You can read the original here.

When Justice B.N. Srikrishna first introduced the concept of data localisation into the draft data protection law he proposed in 2018, I was not in favour of it. India is the outsourcing capital of the world and restrictions like these that would hamper the free flow of data across borders were bound to have a detrimental effect on the sector.

But the more I thought about it, it began to dawn on me that the approach he was proposing was not very different from how the global leader in data protection regulation approaches data transfers. Under the European General Data Protection Regulation (GDPR), personal data can be transferred to only those countries that the European Commission believes offer an “adequate” level of protection. This, if you think about it, is just another (albeit less in-your-face) way of saying that barring a few countries, all personal data must be localised in the EU.

The High European Bar

Europe’s approach has always been to set a high standard and insist that other countries level up if they want to continue to trade with Europe. Those that do not must go through a set of increasingly inconvenient hoops—special measures such as safe harbours, standard contractual clauses and binding corporate rules—if their companies want to continue to trade with Europe.

But not all countries believe they have to follow Europe’s lead. The EU includes some of the world’s most advanced nations. As a result, it approaches regulation from a place of privilege. While this might suit Europe, other countries have different trade-offs to address. Some need to prioritise development, while others may want to promote innovation. So the regulatory frameworks that these countries develop are oriented towards achieving these objectives, not aligning with Europe.

To be clear, there is nothing wrong with that. Every country should be free to make the trade-offs they believe are appropriate in their own particular context. So long as they conform to a set of common minimum standards that are essential to uphold the rule of law and basic human rights, no other country should have any say on what choices another sovereign country makes.

What all this implies is that, rather than aligning our cross-border data transfer regimes with the high bar set by the EU, all we should care about is finding a way to permit data to freely flow between countries that enforce a set of basic common data protection principles that we all agree are appropriate. This will ensure that personal data is accorded a base level of protection while still accounting for divergent national priorities.

Rolling Back Localisation

After that early draft proposed by Justice Srikrishna, the Indian government set about progressively diluting the cross-border data transfer obligations in the law. In 2019, it limited the restriction to sensitive and critical personal data, which a joint parliamentary committee further amended to only extend to those countries that offered an adequate level of data protection. In 2022, the previous draft was withdrawn and a new (radically simplified) Bill introduced. The Bill permitted the transfer of personal data to those countries that had been specifically notified, but by the time it was enacted into the Digital Personal Data Protection Act, 2023 (DPDP Act), even that had been changed to allow personal data transfers to all countries other than those notified. To date, there are no countries in this black list. As a result, there are no restriction on the transfer of data out of India.

Why then, one might ask, do we need to worry about cross-border data transfers? If India’s chosen approach is to permit personal data to be transferred anywhere, do we even need to bother about aligning our data protection regulations with those of other nations?

The trouble is that even though we may have decided on a liberal approach to international data transfers, other countries still need some assurance before they transfer their personal data to us. While they may not be asking for an assurance of adequacy in the way that Europe is; most would be satisfied with a certification that the privacy protections afforded in India are broadly in line with data protection principles that are commonly understood to be the norm around the world.

Global CBPR

One way to achieve this might be for India to join the Global Cross Border Privacy Rules Forum, a privacy framework that builds on the foundations of the Asia-Pacific Economic Council’s CBPR system and looks to extend it globally. The Global CBPR framework offers a cross-border data transfer mechanism that organisations can use to demonstrate compliance. Through a system of Accountability Agents and Privacy Recognition for Processors, it allows organisations to have their processes reviewed and certified as compliant.

At a recent workshop in Delhi, I learnt that India’s DPDP Act is almost entirely aligned with the Global CBPR principles, making it easy for any company that is already compliant with requirements of the new Indian law to get certified under the CBPR system.

As more and more countries join the Global CBPR framework, the interoperability that it offers between the different data protection regimes of the world could offer us a viable alternative to the European ‘adequacy’ approach. And as this coalition of like-minded nations grows, this approach of finding interoperability between various data protection regimes could become the basis for cross-border data flows around the world.