Considering India desires to foster a global image of a digital economy with a booming data services industry, GoI now has a task at hand to move fast to introduce a data protection framework which brings it at par with its partners in the international context. Data laws never can work in isolation in a domestic setting and require borrowing / interdependence with international counterparts.
Technology and data related legal changes are a global phenomenon. Strict data protection laws are seen in EU GDPR, California’s CCPA and China’s Personal Information Protection Law. Jurisdictions are getting fierce to protect privacy of data. Several jurisdictions across the world are simultaneously working towards incorporating the protections in these laws into their data flow structures to preserve commercial interests while operating within individual rights.
In the US, following a key vote in a congressional committee in July 2022, where America came close to approving a comprehensive federal data protection law – The American Data Privacy and Protection Act (ADPPA), the result has been dismal. The US Bill was a near full counterpart to EU GDPR, 2018 which has become a de facto global privacy standard. The US lawmakers were inspired by the privacy principles in Europe’s landmark data protection law, in adopting harmonized laws across a single jurisdiction.
ADPPA took on many of the EU GDPR’s principles regarding users’ rights over their data, such as access, correction, deletion and data portability. Only a few states, California, Virginia, Colorado, Connecticut and Utah, already have these rights. It mandated privacy officers for companies, considered ‘large data holders’ as established an oversight bureau in the Federal Trade Commission (FTC) that would be rival to leading data protection authorities in Ireland, France and the UK in terms of resources and responsibilities.
While the ADPPA’s momentum seemed unstoppable as it made rapid progress in US Congress, its final approval is facing challenges in the Senate, with a key senator expressing concerns about enforcement. India has faced the same with the PDP 2019. Similarly, in the EU, privacy groups have pointed out that one of the biggest criticisms of EU GDPR is that it is not adequately enforced, particularly against big tech companies, hence giving a leverage to large corporates. Another common complaint is that EU Member States have inadequate resources to ensure compliance, as do many US and Indian states, without a proper data ecosystem.
In line in with international practice, in May 2022, the UK government announced as part of its legislative proposals to come, that the UK’s data protection regime would be reformed through a Data Reform Bill. According to the UK government, some elements of the current data protection regime ‘created barriers, uncertainty and unnecessary burdens for businesses and consumers’. International data transfers remain an issue, which has been a matter of serious objections in the Indian PDP 2019. The UK Bill provides for a risk-based approach for organizations to assess the impact of making data international transfers when using mechanisms like Standard Contractual Clauses and also for the UK government when making so-called ‘Adequacy Decision’ (data and privacy compliance adequacy) assessments.
In March 2022, US President Joe Biden and the European Commission President Ursula von der Leyen jointly announced efforts towards creating a new EU-US data sharing system that will augment / replace the existing EU-US Privacy Shield. The arrangement highlighted the barriers to data collaboration which is still developing for other jurisdictions. These barriers were highlighted by recent judgements of the Court of Justice of the European Union which indicated the possibilities of US surveillance laws exposing EU citizen data, causing uncertainty in EU – US data transfers.
Any domestic law mandating blanket localization of all data neglecting equivalent safeguards for international data risks breaching EU data standards and other international data laws. Since the EU – UK data pact is under negotiations with EU officials in Washington, regulators await the final approval to the White House’s executive order, which will outline the changes to U.S. national security data collection practices making them EU compliant.
If the executive order gets sent, a six-month wait is anticipated while the European Commission translates the text into its own language, in time for the pending pact to get challenged, with a strong possibility of ending up backing the EU’s courts. The situation is almost like the Indian PDP 2019 which circulated through joint parliamentary sessions and the Supreme Court never to see the light of day.
In conclusion, the fate of US federal bill, the PDP 2019 and EU – US Data Privacy Pact remain uncertain, largely due to barriers caused by international security and enforcement issues.
This is only for informational purposes. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein. Endeavoured to accurately reflect the subject matter of this alert, without any representation or warranty, express or implied, in any manner whatsoever in connection with the contents of this. This isn’t an attempt to solicit business in any manner.