Cross-border data flows are essential for sustaining the digital economy. However, governments often seek to restrict these flows due to concerns over privacy, user harm, surveillance, and the need for adequate protections for user data in certain jurisdictions.
Balancing these conflicting interests has led to the development of trusted mechanisms for cross-border data transfers. Two of the most prominent mechanisms are the enforcement of the extraterritorial application of the European Union’s General Data Protection Regulation (GDPR) and the Global Cross-Border Privacy Rules (CBPR) Forum, based on the Asia-Pacific Economic Cooperation (APEC) CBPR framework.
The Significance of the Global CBPR
When personal data crosses national borders, the key concern is ensuring that the receiving jurisdiction has robust privacy legislation to protect user data. The EU’s GDPR, for example, is an extraterritorial regulation that applies to all entities processing the data of EU citizens, regardless of their geographical location or operational base. Its extraterritorial application is enforced through the Data Privacy Framework, Standard Contractual Clauses, and Binding Corporate Rules.
In contrast, the Global CBPR is not a law with extraterritorial applicability but rather a standardisation mechanism that operates on a principles-first approach. The Global CBPR Framework (Framework) consists of two systems: the Global CBPR system, which certifies data fiduciaries, and the Global Privacy Recognition for Processors (PRP) system, which certifies data processors.
Organisations operating within a country can be certified under these systems once that country becomes a member of the Global CBPR Forum. To gain membership, countries must agree to the principles outlined in the Framework and demonstrate their enforceability within their jurisdictions. Once a country is a member, individual organisations can obtain CBPR or PRP certification through a Forum-recognised Accountability Agent, which is an entity (government, private, or not-for-profit) responsible for verifying and assisting applicants in complying with the CBPR system.
The Considerations for India
When evaluating whether participation in the Global CBPR Forum is necessary, it is crucial to analyse the domestic legal landscape and the potential economic benefits such participation may bring. Such involvement will be advantageous only if it does not require substantial alterations to the current regulatory regime concerning data protection and if obtaining certifications helps companies maintain a competitive edge.
As a major player in the global digital economy, India is highly interested in cross-border data flows. Nevertheless, during Japan’s G20 Presidency in 2019, India refrained from endorsing the Data Free Flows with Trust (DFFT) concept, arguing that it was “neither well understood nor comprehensive enough in the legislation of many countries.”
India’s cautious stance could be attributed to the absence of a personal data protection law at the time. However, with the enactment of the Digital Personal Data Protection Act 2023 (DPDP Act), the country now possesses a comprehensive regulatory framework for safeguarding personal data. The DPDP Act does not impose a blanket restriction on cross-border data transfers. Instead, it adopts a ‘negative list’ approach, empowering the central government to restrict data transfers to specific countries and territories outside India via notification. This indicates a preference for a policy that enables trusted cross-border data flows.
The Act also includes a saving clause in Section 16(2), which ensures that data localisation mandates, such as the RBI’s notification on Storage of Payment System Data, remain in force. While these measures aim to protect Indian citizens’ data, India’s data localisation requirements may present challenges for participation in the Global CBPR Forum. Nevertheless, paragraph 67 of the Framework permits proportionate restrictions on cross-border data transfers, allowing India to negotiate adequate domestic policy space within a global framework.
The PRP system further requires data processors to be directly accountable under the domestic privacy laws of member states. However, the DPDP Act does not prescribe direct accountability for data processors. Instead, data fiduciaries are required to hold the processors liable through contractual clauses. This indirect accountability structure for data processors should not be a hurdle, considering that processing obligations under the Act continue to apply to them.
The Economic Considerations
India’s strength in international trade lies primarily in its services exports, particularly in the IT and computer services sectors. According to an April 2023 report by DBS Bank, India’s share in global computer services exports rose to approximately 11%. Furthermore, India’s total services exports grew from USD 325.44 billion in FY23 to USD 341.1 billion in FY24, marking a 4.85% year-on-year increase.
This highlights the resilience and growth of India’s services export sector. In this context, it is worth considering the competitive advantage and market trust that Indian IT companies might gain by accessing certification mechanisms such as the CBPR and PRP. The value of such certifications depends on the associated costs and the market access they provide.
In terms of costs, companies already compliant with the DPDP Act would only need to cover the certification fees without the need for additional capital investment to meet the Global CBPR’s requirements. This is because the DPDP Act is more prescriptive and comprehensive than the baseline standards outlined in the Global CBPR Framework, which focuses on fostering trust through minimal data protection standards. Acquiring these certifications could also serve as a mark of appropriate privacy protection, positioning Indian companies as ‘trusted’ partners for organisations in jurisdictions outside India.
Obtaining a PRP certification could further benefit data processors serving foreign clients. Under Section 17(1)(d) of the DPDP Act, data processors handling personal data from individuals outside India are exempt from certain provisions. If PRP certification becomes available in India, it could make the country an even more attractive base for data processors. With lower operational costs and the ability to obtain PRP certification, these companies could demonstrate their competency to businesses from other Global CBPR member countries while remaining outside the scope of the DPDP Act. This may be useful in attracting Foreign Direct Investment to India’s data processing industry and promoting India as a friendly destination for data processors.
However, it is essential that the cost of acquiring CBPR or PRP certification remains affordable and the process streamlined. If the costs are too high, many start-ups and small to medium-sized enterprises (SMEs) within India’s IT sector may find it difficult to attain accreditation. In such a scenario, the CBPR mechanism could become a barrier to growth rather than a competitive advantage.
The Global CBPR Framework aims to introduce a level of interoperability across its members’ data protection regimes by establishing a minimum standard for privacy compliance across jurisdictions. India is still in the early stages of its data protection journey, with the DPDP Rules yet to be notified. Once they are, issues of compliance and enforceability will come to the fore. In this context, a mechanism like the Global CBPR Framework offers a flexible approach to establishing trusted cross-border data flows without increasing businesses’ compliance burden.
By Dr Jaijit Bhattacharya & Ritvik Rai
Jaijit and Ritvik are associated with the Centre for Digital Economy Policy (C-DEP) as its President and Policy Consultant, respectively.