‘Negative List’ For Cross-Border Data Transfer In Works: MoS IT

The Centre might notify a ‘negative list’ or a list of disapproved countries, with the government blocking cross-border data transfer to these countries. The government is set to include the change in the upcoming draft Digital Personal Data Protection Bill (DPDP Bill), 2022.

The Minister of State for Electronics and IT, Rajeev Chandrasekhar, told ET that cross-border data flow will be enabled to countries by default. However, the government would block that channel in case the receiving country is on the negative list.

It is prudent to note that the government had already created the idea of trusted geographies in the draft DPDP Bill. In the draft bill, a ‘whitelist’ of countries would have been identified, and the Centre would have allowed cross-border data transfer to these countries by default.

Under Chapter 4 of special provisions in the current draft of the draft DPDP Bill, clause 17 under “Transfer of personal data outside India”, reads, “The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.”

The Personal Data Protection Bill has also provided some exemptions to cross-border data transfer, including arbitrations, government interests, research purposes and more.

However, following the consultations on the matter, the consensus is for India to have a ‘default mode’ for cross-border data flow, with some countries on the negative list.

“The government will have the right to restrict certain geographies and will decide the criteria for restriction,” Chandrasekhar said. This allows the government to create a ‘blacklist’ of countries to restrict cross-border data transfer to those countries.

Industry experts think notifying a ‘restricted’ list of countries is a more practical approach. Further, data privacy consultants think that adopting the approach would be more business-friendly.

However, earlier this year, the likes of Jio, Airtel and Paytm opposed the government’s move to include cross-border data transfer in the draft DPDP Bill.

According to these companies, the transfer of data will mean that India’s law enforcement agencies will face difficulties in accessing the data of Indian citizens if it is processed by an overseas telco or a tech company based out of India.

The draft Digital Personal Data Protection Bill, 2022, introduced after the government scrapped the Data Protection Bill in August 2022, has come under intense scrutiny due to certain provisions that give the government huge oversight over certain aspects.

For one, the government has introduced the concept of ‘deemed consent’ in situations which include ‘national security’, without defining what national security meant. This could leave individuals vulnerable to government surveillance.

Industry bodies and experts have also sounded the alarm.

The Consumer Unity & Trust Society (CUTS) International stated late last year that the draft skipped the clause of ‘Right to Privacy’ in its preamble. Thereby, the Bill will provide unrestrained powers to the government since the data protection board will likely be directly in control of the government.

The draft has provided several clauses including the imposition of fines, the set of cross-border data flow, the reduction in compliance burden, the government’s liability in the event of data breaches and more.

Yet, in consensus, most experts, critics and industry bodies have called the Bill ‘vague’, since several parts of the draft Digital Personal Data Protection Bill carry the phrase ‘as may be prescribed’.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.