By Yamini Jain and Gaurav Karwa
Deriving its essence from Article 3(2) of the General Data Protection Regulation (GDPR), Section 2(A) of the Personal Data Protection Bill, 2019 [PDPB] provides for its extraterritorial application to data fiduciaries and data processors located outside the territory of India. Section 2(A)(b) of the PDPB goes further: it applies the Bill to every data fiduciary incorporated under the laws of India and thereby brings all of their foreign branches within its purview. In this light, it becomes particularly important to understand the impact of the extraterritorial application of the PDPB on multinational banks based in India that process sensitive personal data. In this article, the authors aim to highlight the issues and problems arising out of extraterritorial application for multinational organizations, particularly those in the banking sector. The authors explain the distinct meaning of the extraterritorial application of the PDPB, whether such application conflicts with other laws, and other major issues relating to data localization, cloud servers and the like.
Analysis of Extra-territorial Applicability
1. Definition of “business carried on in India”:
The meaning of the expression ‘business carried on in India’ remains ambiguous under the PDPB. It is this expression that extends the applicability of the PDPB to foreign data fiduciaries and data processors, and hence to the personal data of foreign residents processed in India. The Bill also provides certain exemptions intended to promote data processing activities in India. For instance, the Central Government may exempt certain data processors from the law where, pursuant to contracts with offshore entities, they process the personal data of individuals located outside India.
The definition of ‘personal data’, for instance, is not limited to Indian citizens or residents. This indicates a legislative intent to provide an equivalent level of protection to the personal data of foreigners, which may enable India to obtain a ‘data adequacy’ decision from the European Union (EU). The European Commission has the power to determine whether a third country provides an adequate level of data protection. The effect of such a decision is that personal data can flow from the EU to that third country without any further safeguard being necessary; in other words, transfers to the country in question are treated in the same way as intra-EU transmissions of data.
2. Conflict with other laws:
The wide scope of the provision on extraterritorial applicability may bring the PDPB into conflict with other prevalent data protection laws. For instance, where data is processed by a processor in India on behalf of a data fiduciary located abroad in a jurisdiction with its own data privacy law, a question arises as to which law applies and which regulator has jurisdiction. A similar conflict may arise when foreign service providers, say from the EU, outsource their work or otherwise transfer data to a processor in India, which would bring that processing under the ambit of the PDPB and set its applicability against that of the GDPR.
This is likely to be a prevalent issue for the overseas branches of financial institutions, where data pertaining to NRI accounts is processed by Indian data processors, bringing the personal data of a foreign resident under the ambit of the PDPB 2019 as against foreign legislation such as the GDPR. One way to mitigate such conflict would be to amend the scope of the PDPB so that it applies only to the processing of personal data of Indian residents, provided that appropriate security safeguards are established to protect data that is processed by or with foreign service providers.
3. Regulatory Overlap:
The Reserve Bank of India (RBI), through its notification on “Storage of Payment System Data”, sought to establish an audit mechanism giving it unfettered supervisory access to payment data stored with system providers or with third-party vendors involved in the payment ecosystem. The regulator mandated that all system providers store the entire data relating to the payment systems operated by them in a system in India, including full end-to-end transaction details and information processed as part of the payment instruction. It does, however, exempt the foreign leg of a transaction from its applicability. The RBI further clarified that:
- Any data processed overseas should be deleted from the systems abroad and brought back to India for storage within one business day, with the regulator retaining access to it;
- For cross-border transactions, a copy of the domestic component may also be stored abroad.
However, the creation of a new Data Protection Authority (DPA) with wide powers under the PDPB, and the blanket imposition of its provisions without adequate consideration of their impact on the financial sector, may lead to a regulatory overlap with the existing financial regulators, including the RBI, SEBI and IRDAI.
To ensure that the operation of the PDPB does not impede the functioning of pre-established sectoral rules, a working group should be established to harmonize the authority of these bodies. Alternatively, Section 2 could be amended to exclude the processing of personal data by regulated entities to the extent that it is governed by the relevant sectoral regulations.
4. Data Localization and Cross-border data transfers:
Sections 33 and 34 of the PDPB 2019 mandate that sensitive personal data be stored within India. The only exception is a transfer made with the explicit consent of the data principal and subject to adequate safeguards, and even then a copy of such data must continue to be stored in India. Critical personal data cannot be transferred abroad at all, except in a medical or health emergency or to such country or entity as the Central Government expressly permits.
This should not apply to information processed by the offshore branches of persons incorporated in India. Furthermore, it is unclear whether such sensitive personal data may be stored outside India as long as a copy is maintained in India. Maintaining such copies would be highly onerous and would result in unnecessary operational costs. The provision will hinder the ability of global companies to transfer and process personal data across jurisdictions.
For instance, many multinational banks operate centralized data storage systems that are hosted in foreign jurisdictions but hold the personal data of Indian residents. Such companies would be forced to retain multiple copies of that information on account of the requirement under the PDPB. Further, it may not be possible for such foreign companies to comply with the requirement to process critical personal data only in India, since they are also bound by the data protection laws of the countries of their incorporation.
Furthermore, the PDPB still does not define what critical personal data is, nor does it provide any guidelines for determining what may be notified as critical personal data. This area needs further clarity in order to create business predictability from an operational standpoint. If a broad class of personal data were classified as critical personal data, the resulting data localization norms would be stringent enough to disrupt businesses. It must also be noted that data cannot easily be disaggregated so that only certain subsets of it are stored locally while other subsets are stored freely anywhere.
5. Hindrance to International Business / Innovation:
Reluctance on the part of foreign multinational data fiduciaries to engage with Indian businesses, owing to the concerns set out above, risks hampering the innovation and growth of Indian companies, may impede their ability to operate internationally, and may eventually lower business standards in India.
6. Exemption to Outsourcing Activities:
The PDPB empowers the Central Government to exempt from the Bill the processing, by data processors in India, of the personal data of data principals located abroad where such processing is carried out under a contract with a foreign entity. While general jurisdictional principles require compliance with Indian law, an exemption of this nature may facilitate the smooth functioning of business activities, provided that no personal data of Indian data principals is involved in such processing.
Recommendations made by various entities regarding the extraterritorial scope of the PDPB commonly suggest exempting the personal data of foreign nationals from its applicability. The PDPB should extend only to those foreign entities that explicitly provide services to Indian residents and purposefully collect their personal data, and no further, so as to ensure harmonized regulation of entities subject to different jurisdictional laws.
In light of the significant issues associated with the extraterritorial applicability of the PDPB, and the risk it poses to the smooth functioning of the banking and financial operations of Indian entities overseas and of foreign entities in India, the government may consider amending the PDPB in tandem with the various sectoral guidelines. It would benefit the financial industry if the Bill’s scope were limited to entities within the territory of India, as several stakeholders have recommended. It is also suggested that the PDPB be implemented in a phased manner so as to enable the complex banking industry to comply with its provisions efficiently.