The revised Data Protection Bill could allow the transfer of personal data to all countries other than those specified in a blacklist, The Indian Express reported on March 8. This will be a significant shift from the approach proposed in the Digital Personal Data Protection Bill 2022, released last November, which bars cross-border data transfers by default and only allows the transfer of personal data to countries that have been approved by the Indian government as part of a whitelist. Why does this matter: A blacklist approach, rather than a whitelist, will be a big win for businesses because it allows them to carry on their business as usual without additional compliance requirements (except for blacklisted countries). This change also marks a notable concession by the Indian government as businesses have repeatedly criticised multiple versions of the data protection bill for strict rules on cross-border data transfers and data localisation, and sought relaxations (such as a blacklist approach). How have the rules around cross-border data transfers evolved over the years: The restrictions on cross-border data transfers have been eased over the multiple iterations of the data protection bill: 2018: By far the strictest, the Personal Data Protection Bill 2018, required all companies to mandatorily store a copy of all personal data in India (data localisation mandate), allowing the transfer of such data abroad only under certain grounds like contractual agreements, approved by the central government or Data Protection Authority, etc. 2019 and 2021: The PDP Bill 2019 and Data Protection Bill 2021 both…
You must be logged in to post a comment Login