Impact of Extraterritorial Applicability of PDP Bill, 2019 on Banking Sector

By Yamini Jain and Gaurav Karwa

Introduction

Deriving its essence from Article 3(2) of the General Data Protection Regulations (GDPR), Section 2(A) of the Personal Data Protection Bill, 2019 [PDPB] makes a provision of its extraterritorial application over data fiduciaries and data principals present beyond the territory of India. Section 2(A)(b) of PDPB makes an extraordinary provision pertaining to its applicability on all such data fiduciaries incorporated under the laws of India and brings all their foreign branches within its purview. In this light, understanding the impact of the extra-territorial application of the PDPB on multinational banks based in India that process sensitive personal data becomes particularly important. In this article, the authors aim to highlight various issues and problems arising out of extraterritorial application on multinational organizations and particularly those related to  the banking sector. The authors explain the distinct meaning of the extra-territorial application of the PDPB, whether such application is in conflict with other laws, and other major issues in data localization, cloud servers, etc.

Analysis of Extra-territorial Applicability

1. Definition of “business carried on in India”:

The meaning of the expression ‘business carried on in India’ remains ambiguous under the PDPB. It fishes out the applicability of PDPB to the personal data of foreign residents processed in India. It also provides certain necessary exemptions in order to promote data processing activities in India. For instance, the Central Government can exempt certain data processors from the law, where pursuant to contracts with offshore entities, data processors process data of individuals who are outside India.  

The definition of ‘personal data’, for instance, is not limited to Indian citizens/residents. It thereby indicates the legislative intent that seeks to provide an equivalent level of data protection to the personal data of foreigners that may enable it to achieve the status of ‘data adequacy’ from the European Union (EU). The EU has the power to determine if a country is providing adequate protection to data. The effect of such a decision is that personal data can flow from the EU to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.

2. Conflict with other laws:

The wide scope of the provision pertaining to extra-territorial applicability may lead to a conflict of the laws under the PDPB with other prevalent data protection laws. For instance, in the event that data is processed by a processor on behalf of a data fiduciary located abroad which has its own data privacy laws in place, a conflict may arise in such a situation as to the applicability and jurisdiction of either jurisdiction. A similar conflict may arise when foreign service providers, say from the European Union (EU), outsource their work or otherwise transfer data to a processor in India that may bring it under the ambit of PDPB, thereby leading to a conflict between its applicability as against the GDPR

For instance, this may in all likelihood arise as a prevalent issue for overseas branches of any Financial Institution, whereby data pertaining to NRI accounts is processed by Indian data processors, bringing personal data of a foreign resident under the ambit of PDPB 2019 as against other foreign legislations like GDPR. One of the methods by which such conflict could be mitigated is  through amending the scope of PDPB to make it applicable to the extent of processing of personal data of Indian residents only, provided, appropriate security safeguards are established to ensure the protection of such data that is processed with foreign service providers. 

3. Regulatory Overlap:

The Reserve Bank of India (RBI) vide its notification on “Storage of Payment System Data” sought to establish an auditory mechanism to enable it to have an unfettered supervisory access over the payment data stored with system providers or third party vendors involved in payment ecosystems. The regulatory body mandated all the system providers to ensure that all the data relating to payments systems operated by them are stored in a system in India including full end-to-end transaction details or information processed as a part of the payment instruction. It, however, exempts the foreign leg of the transactions from its applicability. It was further clarified by the RBI that:

  • Any data processed overseas should be deleted from the systems abroad and retraced to India within one business day for storage, with regulatory access permissions to the companies;
  • For cross-border transactions, a copy of the domestic component could be stored abroad; etc.

However, the creation of a new Data Protection Authority (DPA) with extravagant powers under the PDPB and; the blanket imposition of its provisions without adequate consideration of its impact on the financial sector, may lead to a regulatory overlap with the existing financial regulators, including the RBI, SEBI, IRDAI, etc.

Wherefore, it would be essential to ensure that the operations of PDPB do not cause impediments on the functioning of the pre-established sectoral rules, a working group is established for harmonizing the authority of these bodies. Alternatively, Section 2 could also be amended to exclude the processing of personal data by regulated entities in terms of the relevant sectoral regulations. 

4. Data Localization and Cross-border data transfers:

Sections 33 and 34 of the PDPB 2019 mandate the storage of Sensitive Personal Data within Indian bounds, with the sole exception of obtaining explicit consent of the data principal and establishing adequate safeguards for the same, preconditioned on the storage of a copy of such data locally in India. Critical personal data cannot be transferred abroad except during a medical/health emergency or to such country/entity which the Central Government expressly deems permissible.

This should not be applicable for information that is processed by offshore branches of persons incorporated in India. Furthermore, it is unclear as to whether such sensitive personal information can be stored outside India as long as a copy of the same is maintained in India. This would be highly onerous and result in unnecessary operational costs. This provision will hinder the ability of global companies to transfer and process personal data across different jurisdictions.

For instance, various banking multinational companies have centralized data storage systems which may be hosted in foreign jurisdictions but may store personal data of Indian residents. Such companies would be forced to retain multiple copies of such information on account of the requirement under thr PDPB. Further, it would not be possible for such foreign companies to comply with the requirement of processing the critical personal data only in India since they would be bound by the data protection laws in the countries of the incorporation.

Furthermore, PDPB still does not provide any definition of what critical data is, nor does it provide any guidelines for the determination of what may be notified as critical data. This area needs further clarity so as to create business predictability from an operational standpoint. If a broad class of personal data is classified as critical personal data, this could lead to stringent data localization norms, thereby disrupting businesses. It must also be noted that data cannot easily be disaggregated, with only certain subsets of it stored locally, while other subsets can be freely stored anywhere.

5. Hindrance to International Business / Innovation:

Reluctance from foreign, multinational data fiduciaries to engage themselves in Indian businesses, owing to the aforementioned concerns, risks hampering innovation and growth for Indian companies and may impede their ability to operate internationally and may eventually degrade business standards in India.

6. Exemption to Outsourcing Activities:

The PDPB empowers the Central Government to exempt the processing of any personal data of data principals located abroad by data processors in India, if the same is contractually executed with a foreign entity. While the general jurisdictional principles necessitate compliance to Indian laws, certain exemptions of this nature may facilitate tjr smooth functioning of business activities, provided that no personal data of Indian data principals is involved in such processing. 

Recommendations made by various entities as regards the extra-territorial scope of the PDPB make a common suggestion of exempting foreign nationals from its applicability. Foreign entities that are explicitly involved in the provision of its services to Indian residents and that purposefully collect their personal data, shall be the limit to which the PDPB should extend, and no further, so as to ensure a harmonized regulation of entities under different jurisdictional laws.

Concluding Remarks

In light of the overweening issues associated with the extraterritorial applicability of the PDPB and the dangers it might pose to the smooth functioning of banking and financial operations of Indian entities overseas and vice versa, the government may consider amending the PDPB in tandem with the various sectoral guidelines. It might be beneficial to the financial industry if the Bill’s scope is limited to entities within the territory of India per the recommendations of several stakeholders. It is also suggested that PDPB be implemented in a phased manner so as to enable the complex banking industry to comply with its provisions efficiently.

114 Replies to “Impact of Extraterritorial Applicability of PDP Bill, 2019 on Banking Sector”

  1. I’m impressed, I need to say. Actually rarely do I encounter a weblog that’s both educative and entertaining, and let me let you know, you have got hit the nail on the head. Your thought is excellent; the problem is something that not sufficient people are talking intelligently about. I’m very blissful that I stumbled across this in my search for something relating to this.

  2. Hello! I’m at work surfing around your blog from my new iphone 4! Just wanted to say I love reading your blog and look forward to all your posts! Carry on the excellent work!

  3. Professional quality private proxies, Indefinite bandwidth, 1000 mb/s superspeed, 99,9 uptime, Neo consecutive IP’s, Not any use limits, A number of subnets, USA or even European union proxies – Obtain At this moment – DreamProxies.com

  4. European Union: Comparative Analysis: General Data Protection Regulation, 2016 And The Personal Data Protection Bill, 2019 The underlying principles of the PDP Bill are broadly similar to those in theGDPR. However, there are some differences between these two instruments. The table below examines whether compliance with the GDPR would automatically make an entity compliant with the PDP Bill in India as well. This analysis may be important to data fiduciaries

  5. I have seen plenty of useful things on your web site about computer systems. However, I’ve got the view that lap tops are still less than powerful adequately to be a good choice if you usually do jobs that require a lot of power, including video editing and enhancing. But for world-wide-web surfing, statement processing, and many other frequent computer functions they are fine, provided you don’t mind the little screen size. Thank you sharing your notions.

  6. This is really fascinating, You are an excessively professional blogger. I’ve joined your feed and look ahead to in search of more of your excellent post. Also, I’ve shared your site in my social networks!

  7. I’m extremely inspired together with your writing abilities and also with the layout in your weblog. Is that this a paid subject matter or did you modify it your self? Either way keep up the nice high quality writing, it抯 rare to see a nice blog like this one these days..

  8. Terrific work! This is the type of information that should be shared around the net. Shame on Google for not positioning this post higher! Come on over and visit my website . Thanks =)

  9. One other issue is that if you are in a predicament where you will not have a co-signer then you may really want to try to wear out all of your school funding options. You’ll find many grants and other free college funding that will supply you with money that can help with university expenses. Many thanks for the post.

  10. I have been exploring for a little bit for any high quality articles or blog posts on this sort of space . Exploring in Yahoo I at last stumbled upon this web site. Reading this information So i抦 happy to show that I’ve an incredibly good uncanny feeling I found out exactly what I needed. I most indubitably will make sure to don抰 forget this website and give it a glance regularly.

  11. I just couldn’t depart your website prior to suggesting that I actually enjoyed the standard information a person provide for your visitors? Is gonna be back often to check up on new posts

  12. I have noticed that in old digital cameras, exceptional detectors help to aim automatically. Those sensors involving some video cameras change in contrast, while others make use of a beam with infra-red (IR) light, specially in low lumination. Higher standards cameras from time to time use a blend of both methods and may have Face Priority AF where the dslr camera can ‘See’ a new face and focus only in that. Thanks for sharing your notions on this blog.

  13. Thanks for the tips shared on your blog. Another thing I would like to express is that weight loss is not exactly about going on a celebrity diet and trying to reduce as much weight as you can in a couple of weeks. The most effective way to lose weight naturally is by consuming it slowly and gradually and right after some basic recommendations which can provide help to make the most through your attempt to shed weight. You may understand and already be following some of these tips, nonetheless reinforcing awareness never affects.

  14. Pretty nice post. I just stumbled upon your blog and wanted to say that I have truly enjoyed surfing around your blog posts.

    In any case I’ll be subscribing to your feed and I hope you write again very soon!

  15. Hi there! This post couldn’t be written any better! Reading this post reminds me of my good old room mate! He always kept chatting about this. I will forward this post to him. Pretty sure he will have a good read. Many thanks for sharing!

  16. Thanks for your post made here. One thing I’d like to say is always that most professional job areas consider the Bachelors Degree as the entry level standard for an online education. Even though Associate College diplomas are a great way to get started on, completing your own Bachelors reveals many doors to various careers, there are numerous on-line Bachelor Diploma Programs available through institutions like The University of Phoenix, Intercontinental University Online and Kaplan. Another thing is that many brick and mortar institutions offer Online variants of their certifications but generally for a substantially higher cost than the providers that specialize in online qualification plans.

  17. Hey there, You’ve done a great job. I抣l certainly digg it and personally recommend to my friends. I’m confident they’ll be benefited from this website.

  18. I found your blog site on google and verify a number of of your early posts. Proceed to keep up the very good operate. I simply extra up your RSS feed to my MSN News Reader. In search of forward to reading more from you in a while!…

  19. Awsome article and right to the point. I am not sure if this is actually the best place to ask but do you guys have any ideea where to employ some professional writers? Thanks in advance 🙂

  20. Hi there! This is my first comment here so I just wanted to give a quick shout out and tell you I genuinely enjoy reading your articles. Can you recommend any other blogs/websites/forums that go over the same subjects? Thank you so much!

  21. wonderful points altogether, you just gained a brand new reader. What would you suggest in regards to your post that you made some days ago? Any positive?

  22. One important issue is that when you’re searching for a education loan you may find that you’ll want a cosigner. There are many conditions where this is true because you could find that you do not employ a past credit ranking so the loan provider will require that you have someone cosign the credit for you. Interesting post.

  23. Hi! I just wanted to ask if you ever have any issues with hackers? My last blog (wordpress) was hacked and I ended up losing months of hard work due to no data backup. Do you have any methods to stop hackers?

  24. Hello, i believe that i saw you visited my web site so i came to 搟go back the prefer?I am trying to in finding things to improve my web site!I guess its adequate to make use of some of your concepts!!

  25. Attractive element of content. I just stumbled upon your weblog and in accession capital to say that I get actually loved account your blog posts. Anyway I抣l be subscribing to your feeds and even I fulfillment you access constantly quickly.

  26. I抳e learn some good stuff here. Definitely price bookmarking for revisiting. I surprise how so much effort you set to create this sort of wonderful informative website.

  27. Excellent way oof explaining, and fastidious article
    to get facts about my presentation focus, which i am going to deliver inn academy.

  28. I have observed that in the world nowadays, video games will be the latest trend with children of all ages. Periodically it may be not possible to drag your kids away from the games. If you want the best of both worlds, there are various educational video games for kids. Good post.

  29. Thanks for another wonderful post. Where else may just anyone get that kind of info in such a perfect approach of writing? I have a presentation subsequent week, and I am at the search for such information.

  30. I used to be more than happy to search out this web-site.I wished to thanks for your time for this glorious learn!! I undoubtedly having fun with every little little bit of it and I’ve you bookmarked to take a look at new stuff you blog post.

  31. Things i have observed in terms of computer system memory is that often there are specific features such as SDRAM, DDR and many others, that must match up the technical specs of the mother board. If the computer’s motherboard is fairly current while there are no os issues, changing the memory space literally usually takes under one hour. It’s one of several easiest computer upgrade treatments one can picture. Thanks for expressing your ideas.

  32. I’ve been browsing online more than three hours lately, but I never discovered any interesting article like
    yours. It’s lovely price sufficient for me. Personally, if all site owners and bloggers made excellent content material as you probably did, the web shall be
    much more helpful than ever before.

  33. Hola! I’ve been reading your site for some time now and finally got the courage to
    go ahead and give you a shout out from Dallas Tx! Just wanted to say
    keep up the great job!

  34. Ahaa, its pleasant dialogue concerning this post at this
    place at this weblog, I have read all that, so at this
    time me also commenting at this place.

  35. I have been surfing online more than 4 hours today, yet I
    never found any interesting article like yours.
    It’s pretty worth enough for me. In my view, if
    all web owners and bloggers made good content as you did, the web will be much more useful than ever before.

  36. It’s the best time to make some plans for the future and it’s time to be happy.
    I have read this post and if I could I wish to suggest you some interesting things
    or suggestions. Perhaps you can write next articles referring to
    this article. I desire to read more things
    about it!

  37. I’ve been browsing online more than 3 hours today, yet I never found any interesting article like yours.
    It is pretty worth enough for me. In my opinion, if all web owners and bloggers made good content as you did, the
    internet will be much more useful than ever before.

  38. It’s perfect time to make some plans for the future and it’s time to
    be happy. I’ve read this post and if I could I desire to suggest
    you few interesting things or suggestions. Perhaps
    you could write next articles referring to this article. I want to read even more things about it!

  39. It’s perfect time to make some plans for the future and it is
    time to be happy. I’ve read this post and
    if I could I wish to suggest you some interesting things or tips.
    Maybe you can write next articles referring to this article.

    I want to read more things about it!

  40. Hmm is anyone else having problems with the pictures on this blog loading?
    I’m trying to find out if its a problem on my end or if it’s the blog.
    Any responses would be greatly appreciated.

  41. It’s perfect time to make a few plans for the long run and it’s time to be happy.
    I’ve read this publish and if I may I desire to suggest you some attention-grabbing things or suggestions.
    Maybe you can write next articles regarding this article.
    I want to learn even more things approximately it!

  42. I’ll right away seize your rss as I can’t find your email subscription hyperlink or e-newsletter service.

    Do you have any? Please let me realize so that I may subscribe.
    Thanks.

  43. Hi, I do think this is an excellent site. I stumbledupon it 😉 I will come back yet again since i have saved as a favorite
    it. Money and freedom is the greatest way to change, may you be rich
    and continue to help others.

  44. I will right away clutch your rss feed as I can’t to find your email
    subscription link or newsletter service. Do you have any?
    Please let me recognise in order that I may just subscribe.
    Thanks.

  45. Ahaa, its good conversation on the topic of this article here at
    this website, I have read all that, so now me also commenting at this place.

  46. It is the best time to make a few plans for the long run and it’s time to be happy.
    I have read this post and if I may I desire to counsel you some interesting issues or suggestions.
    Perhaps you can write next articles regarding this article.
    I want to learn even more issues about it!

  47. I have been surfing online more than 4 hours today, yet I never found any interesting article like yours.
    It is pretty worth enough for me. In my view, if all site owners and bloggers made good content
    as you did, the web will be a lot more useful than ever before.

  48. Woah! I’m really enjoying the template/theme of this website.

    It’s simple, yet effective. A lot of times it’s tough to get that “perfect balance” between superb usability and appearance.

    I must say that you’ve done a fantastic job with this.
    Additionally, the blog loads very quick for me on Safari.
    Superb Blog!

Leave a Reply