“The EU is one of the economic blocs that has clearly positioned itself against data localization as an approach to free trade agreements,” he said.
Speaking at the Carnegie India’s Global Technology Summit co-hosted with the Ministry of External Affairs, he said the bill certainly does not go into the level of detail that GDPR does, but “a lot has also been left to sub-legislation and hence it isn’t easy to assess and judge” the bill just yet.
“There are some provisions of the bill where more clarity can be added. When it comes to principles, I don’t see a purpose imitation principle there, which I think is the core element of a data protection law. The strict purpose seems to be data collection. I didn’t see it clearly spelt out. On data retention, I have some questions for legal and business purposes. Transparency is only for consent, not for all the other grounds for processing which have been called ‘deemed consent’,” he said.
Melinda Claybaugh, Privacy Policy Director, Legislation at Facebook parent Meta said that there have been a lot of positive developments in the Draft Bill and said that this iteration focuses on a principles based approach to data protection without being overly prescriptive.
“There is a streamlining of concepts, particularly around the definition of personal data and removing of some of the categories of critical personal data, non personal data, which were very unclear in prior drafts and this draft framework is more in line with other international standards.”
Discover the stories of your interest
She said that there has been a helpful introduction of explanatory examples in the text of the law, which provides guidance. Claybaugh said that the Draft has simplified but leaves appropriate room for developing more specificity through secondary regulation, which she hoped would also be done through a consultative process to provide flexibility for future technological and innovative developments.
“With regard to data localization provisions in particular, this is a very positive development in terms of removing the local storage mandates. And I think there are a lot of questions that still need to be resolved around what this whitelisting approach will look like. I think we need to keep in mind that it will be important for businesses to have certainty about where the data will be able to flow and will be able to have that certainty sufficiently in advance of being expected to comply with the requirements of the law.”
She said that what is really important is making sure that the data is allowed to flow down so any restrictions placed on that ability to have data transferred internationally, need to be very carefully considered, and made transparent and clear with sufficient notice given to businesses.
On the question of the aspect of sovereignty, which is often raised when it comes to data localization, Claybaugh agreed that there is a lot of value to be extracted from data, especially when it comes to public policymaking processes. But she added that data does not need to be stored locally to achieve those goals.
Audrey Plonk, Head of Division, Digital Economy Policy, The Organization of Economic Cooperation and Development (OECD), too said that the OECD is interested in understanding more about the whitelisting provisions in particular – how that will work with other regimes, multilateral or other unilateral regimes.
“One thing I do worry a bit about is a whitelisting regimes you can have a lot of predictability in the sense that it’s kind of a blanket ability to transfer without much nuance,” she said. “So it might seem good on the front end because it might provide that sense of stability. But as time goes on, it may be difficult to unpack how those protections work if they’re not spelt out.”
She also flagged the focus on consent which comes with limitations of its own and said there could possibly be some further thinking needed about “potentially a bit of an over reliance on consent or how that will play out in practice.”