With a population of more than 1 billion and counting, online retail in India is expected to grow more than 1,200 percent to $200 billion by 2026 according to the India Brand Equity Foundation, a trust established by the Department of Commerce, Ministry of Commerce and Industry and the Government of India. Of that online spending, cross-border shopping by Indians totaled $9.1 billion in 2016 and is expected to increase over 85 percent year-on-year in 2017. Along with this increase in spending inevitably comes an increase in the cross-border transfer of personal information. What does cross-border transfer look like in India now, and how will it be affected by India’s new data protection law?
Privacy protections in India now
The strongest legal protection provided to personal information in India is through Section 43-A and Section 72-A of the Information Technology Act (2000) and the IT Rules (2011). These discuss reasonable security practices and laws regulating the use and collection of personal data. The laws primarily regulate the processing of sensitive personal data or information (SPDI) which includes, among other things, financial information, medical information and sexual orientation. Non-SPDI is subject to very little regulation.
Further reducing these protections, the IT Rules only protect data collected at the first stage, i.e., when the data is collected from the individual by the entity doing the collection. Subsequent transfers from the original controller are not governed by the IT Rules. The Ministry of Communication and Information Technology released a press note in 2011 clarifying this and stating that the rules are only applicable to Indian body corporates.
It is worth noting that the IT Rules do contain rules relating to the transfer of information. The rules limit the transfer of SPDI abroad to two specific cases: when necessary for the performance of a contract or where the provider of the information has consented to the transfer. The SPDI can only be transferred cross-border if the country ensures the same level of data protection as adhered to under the rules. Although these laws can sound quite restrictive, they can only be effective when backed up with enforcement, and India has next to no enforcement mechanisms. This allows for an almost free flow of cross-border transfers of information and leaves the individuals whose data has been collected without recourse against any unauthorized disclosure of their information.
The privacy drive
On August 24, 2017, the Supreme Court in Puttaswamy v. Union of India (2017) declared that privacy was a fundamental right, and that the right to privacy was an intrinsic part of Article 21 of the Indian Constitution that protects life and liberty. Although the judges stated that the right was not absolute and could be curtailed through law in furtherance of legitimate state and national security interests, the ruling has had a large impact on the drive for further privacy protections in India. The same month, the Government of India appointed a committee of experts to assess data protection issues and to draft a new data protection law.
The committee, headed by former Supreme Court Justice B N Srikrishna, released a white paper in November 2017 and solicited public comment on what shape an Indian data protection law should take. The paper outlines and discusses the issues that a majority of the members of the committee feel would require incorporation into law, including, but not limited to, the construct of consent, the definition of personal information and data, data minimalism and enforcement. The paper also has a section on what cross-border transfers could look like under a new data protection law.
The objective of the white paper and the committee was to draft a data protection law that would ensure growth of the digital economy while keeping personal data of citizens secure and protected.
“The ability to move data rapidly and globally has been a key building block of the global economic order,” the committee wrote. Further establishing the importance of cross-border transfers, Prime Minister of India Narendra Modi recently spoke at the World Economic Forum in Switzerland and stated that “the flow of global data is creating the biggest opportunities and the greatest challenges.” It’s safe to say that with online retail continuing to grow, and a large emphasis being placed on the flow of global data, cross-border transfers are bound to increase. Figuring out the best method to facilitate these transfers is therefore an important task of the committee.
The paper identifies two main tests to help with the formation of laws related to cross-border data flow: the adequacy test and the comparable level of protection test for personal data. The committee discusses Article 45 of the EU GDPR as the provision that provides for an adequacy test for the transfer of personal data to a third country. This test provides that the personal data of EU subjects may not be transferred to non-EU/non-EEA countries unless those countries are deemed to have an adequate level of data protection. This test is particularly beneficial because it allows for a smooth two-way flow of information. A challenge, however, is that this test would require a proactive Indian data protection authority that would need to actively monitor and enforce in accordance with developments in law and technology. In the absence of an adequacy standard, the burden would be placed on the data controller to ensure that the transfer is subject to a comparable level of protection as received in India.
It is yet to be seen what shape the data protection law will take, but the released information is pointing towards a law that will encourage cross-border data transfers. The committee writes that “if there are favourable laws facilitating cross-border data flows, it will greatly foster research, technology development and economic growth.”
When it comes to scope, the paper suggests that it is worth considering a law that would be applicable to any entity that processes data about Indian citizens, domestic and international. It will be interesting to see what those laws will look like in the populous and privacy-driven India, and who those laws will bind.