Lack of a legislation on data protection and an e-commerce policy has certain limitations in bilateral trade talks, said one of the two officials, requesting anonymity. “Our policies are evolving and we have to have policy space in the future and, therefore, can’t make binding commitments.”
However, deliberations will continue between the Union ministry of electronics and information technology, and the UK’s department for digital, culture, media and sport, and we may have an outcome, said a second official, also seeking anonymity.
Since January, India and the UK have completed two rounds of trade talks. After finalizing bilateral FTAs with the UAE and Australia, New Delhi has also started negotiations with a few other countries, including Canada.
“India does not have a comprehensive data protection legislation yet, and has proposed data localization. The draft law provides excessive powers to the government, including exemption to its agencies from the law (enforcement) and requires companies to provide non-personal data that they possess, without judicial oversight,” Pradeep S. Mehta, secretary-general, CUTS International, said.
Recently, a joint parliamentary committee on data protection suggested several modifications to the draft bill to widen the scope to cover both personal non-personal data, besides mandatory mirroring of all sensitive data locally. The panel also recommended a staggered implementation of the law, with a two-year transition period for complying with it. Besides, it said a statutory authority for regulating social media platforms along the lines of the Press Council of India must also be set up.
Kevin McCole, managing director, UK India Business Council, said British companies are looking for movement of non-personal data between the two countries to facilitate more investment into India. “If the UK and India can have an alignment of data regulations, it could improve trade relations and a strong investment chapter will also be a positive. This is one of our key asks when we made our submission to both governments,” McCole added.
Experts said there is a lot of ambiguity in the draft bill, and while a section of lawmakers is in favour of sharing data, others are against it.
“The 2019 data protection bill was focused on personal data but the joint parliamentary committee report seeks to expand the scope to include non-personal data. Keeping data within its boundaries gives India more negotiating power as it is a huge market for data. Companies that we work with are looking for data that could help them access the Indian market,” Hermin Bharucha, country director, India, at London and Partners, said.
“Besides, there are concerns over the cyber sovereignty of the country. Lawmakers fear misuse of data,” said Pavan Duggal, cyber law expert and advocate at the Supreme Court.
Queries to the spokespersons of ministry of electronics and information technology, British High Commission, and ministry of commerce and industry remained unanswered till press time.
A blog on UK India Business Council suggested cross-border data transfer allows innovation and job growth across sectors and helps businesses be resilient and productive while working remotely. Discussing the benefits, it said data sharing “improves access to global R&D and clinical testing data; and improves supply chain management by enabling access to innovative technologies and participation in the global supply chains”.
Alignment in data protection rules is all the more significant as remote work became a norm during the pandemic.
In an earlier interview, McCole said IP-rich digital services will increasingly dominate trading relationships between the two countries., and the UK would like to see the FTA include provisions supporting core features of a thriving digital environment with “cross-border data transfers, and personal information protection”.
The UK entered into a data adequacy agreement with the European Union post-Brexit. It allows personal data to flow freely between the European Economic Area (EEA) to the UK. As a result, businesses and organizations in the UK could continue to receive personal data from the EU and EEA without having to put additional arrangements in place.