Open Access Research Article
FACILITATING CROSS-BORDER DATA SHARING: EVALUATING THE IMPLICATIONS AND CHALLENGES UNDER THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
Published Paper
Article Details
FACILITATING CROSS-BORDER DATA
SHARING: EVALUATING THE IMPLICATIONS AND CHALLENGES UNDER THE DIGITAL PERSONAL
DATA PROTECTION ACT, 2023
AUTHORED BY [1] -
ANAMIKA
CO-AUTHOR[2] -
DR. AMIT DHALL
Organisation: Amity Law School, Noida
ABSTRACT:
The
provided research paper delves into the realm of cross-border data transfer
within the framework of the Digital Personal Data Protection Act of 2023. It
underscores the concept of ‘Data Protection’ and highlights how the
proliferation of personal data collection, both by governmental bodies and
private enterprises, has surged alongside the expansion of the service
industry. The paper scrutinizes the ramifications of digitizing this data and
the attendant risks of potential misuse or loss. Furthermore, it elucidates the
pivotal provisions of the Act, emphasizing stringent prerequisites for
obtaining explicit consent from individuals prior to gathering their personal
data. It stresses the imperative to restrict such data usage exclusively to
predetermined objectives, averting indiscriminate or undisclosed processing.
The proposition of erecting a specialized regulatory entity, the Data
Protection Authority (DPA), is put forth, tasked with monitoring adherence to
regulations, addressing grievances, and imposing penalties for transgressions.
The DPA emerges as a linchpin of the Act’s enforcement apparatus, fostering
accountability and furnishing recourse mechanisms for individuals in scenarios
of data breaches or privacy infringements.
Additionally,
the paper delineates that a cross-border data protection statute entails
ensuring the secure transmission of electronic personal data across the globe.
Notably, India’s introduction of the Digital Personal Data Protection Act,
2023, particularly Section 16, envisages the processing of personal data beyond
national borders. The document delves into the Act’s provisions concerning
cross-border data sharing, encompassing conditions for lawful transfer,
mechanisms for safeguarding data integrity, and delineating the rights of individuals
within the domain of international data flows. By delving into these provisions
in depth, stakeholders can cultivate a more profound comprehension of their
entitlements and obligations regarding cross-border data sharing pursuant to
the Personal Data Protection Act of 2023. The regulation of cross-border
personal data flow emerges as a pivotal facet within contemporary data
protection legislation, reflecting an inherent tension between the imperative
for seamless internet and data exchange and governments’ legitimate mandate to
safeguard citizens’ privacy and forestall data misuse
Key
words: Data Protection, Data Protection Authority, Cross-Border, Data Flows
INTRODUCTION
Cross-border
data sharing refers to the transfer of personal data from one country to
another. In the context of The Digital Personal Data Protection Act, 2023, it
likely includes provisions regarding the conditions and mechanisms for such
transfers to ensure that personal data is adequately protected during and after
the transfer. This may involve requirements for data encryption, obtaining
consent from data subjects, establishing data transfer agreements, or ensuring
that the receiving country has comparable data protection laws. Cross-border
data sharing is a critical aspect of modern data management, facilitating the
transfer of personal information across national borders for various purposes
such as business operations, research, and international cooperation. The
Personal Data Protection Act of 2023 addresses the complexities and challenges
associated with cross-border data sharing by establishing comprehensive
guidelines and safeguards to protect individuals’ privacy and ensure the
responsible handling of their personal data.
Data
protection laws originating from the 1970s reflect concerns about the rise of
computer and communication technologies, capable of processing large volumes of
data remotely. While various national, regional, and international initiatives
have pursued different regulatory approaches, there is a considerable level of
consistency in the core principles they uphold. Cross-border data sharing,
essential for trade, internet-based services, and emerging technologies like
cloud computing, AI (artificial intelligence), and IoT (internet of thing),
depends on accessing data across multiple territories. Despite the economic and
social benefits of these technologies, data localization requirements,
mandating data storage within specific geographical areas, are increasingly
common globally. Legislative bodies worldwide are currently drafting or
revising data protection laws, often seeking to regulate cross-border data
transfers by imposing restrictions and data localization provisions.
Common
principles in data protection include the requirement for a valid reason for
processing personal data, obtained either through consent or another
justification that acknowledges competing private and public interests. Another
fundamental principle is the obligation to maintain the quality of personal
data being processed, ensuring accuracy, completeness, and currency. Compliance
with this principle benefits both data subjects and processors. Protecting data
is paramount, involving measures to prevent both intentional and unintentional
breaches, including physical, logical, and organizational safeguards. Addressing
the dual nature of the Internet as critical infrastructure and a source of
vulnerability is essential in implementing adequate data security measures.
Cross-border
data protection laws govern the secure movement of electronic personal data
across international borders. India’s Digital Personal Data Protection Act,
2023, under Section 16, addresses the processing of personal data outside
India.
According
to Section 16[3],
the Act states:
16.
(1) The Central Government may, by notification, restrict the transfer of
personal data by a Data Fiduciary for processing to such country or territory
outside India as may be so notified.
(2) Nothing contained in this section
shall restrict the applicability of any law for the time being in force in
India that provides for a higher degree of protection for or restriction on
transfer of personal data by a Data Fiduciary outside India in relation to any
personal data or Data Fiduciary or class thereof.
The
provision outlined in Section 16 of the Act allows for the cross-border
transfer of data, but the government reserves the right to restrict such
transfers through notification. This provision aims to strengthen the
application of Section 18(1)[4]
of the Act, which introduces stricter rules for the processing of personal data
and extends its territorial reach beyond India’s borders. Immediate action
should be taken to halt data transfers if they are being moved to a restricted
country. However, exemptions listed in the Act would allow IT/ITes companies to
continue operations with minimal disruption. Additionally, the Act clarifies
that if any existing Indian law imposes stricter regulations on transferring
personal data outside India, those regulations take precedence. For example,
the Reserve Bank of India mandates the storage of payment system data within
the country.
DATA PROTECTION BILL, 2022
The
bill also proposes the establishment of a dedicated regulatory authority, the
Data Protection Authority (DPA), tasked with overseeing compliance, handling
complaints, and enforcing penalties for violations. The DPA serves as a central
pillar of the bill’s enforcement mechanism, ensuring accountability and
providing redress mechanisms for individuals in cases of privacy infringements
or data breaches. Furthermore, the bill addresses the challenges posed by
cross-border data transfers, balancing the imperative of data protection with
the requirements of global data flows. It introduces measures to regulate the
transfer of personal data outside the country, including provisions for data
localization and adherence to international data protection standards. These
measures aim to enhance data sovereignty, protect against data breaches, and
promote trust in cross-border data transactions. Moreover,
the legislation establishes a series of entitlements for individuals, such as
the entitlement to access, correct, and delete their personal data, the right
to data portability, and the right to have their data erased. These
entitlements empower individuals to exert more control over their personal
information and to hold those responsible for managing such data accountable. Overall,
the Digital Personal Data Protection Bill of 2022 represents a critical
milestone in the journey towards ensuring the protection of personal data in
the digital realm. As it moves through the legislative process, stakeholders
from government, industry, civil society, and academia will engage in consultations
and deliberations to refine its provisions and address emerging challenges. By
fostering collaboration and dialogue, the bill aims to create a robust legal
framework that upholds individuals’ privacy rights, fosters innovation, and
promotes trust in the digital economy.
Background of the bill:
In
2019, the government amended the initial version of the Personal Data
Protection Bill based on suggestions from the Srikrishna committee report.
Subsequently, in December 2019, the PDP Bill 2019 was referred to a joint
Parliamentary committee for assessment.
Two
years later, in December 2021, the JPC issued its report along with a revised
edition of the data protection bill for 2021.
In
August 2022, Minister Ashwini Vaishnaw sanctioned the withdrawal of the draft
DPB 2021.
Following
this, in November 2022, Meity released the draft Digital Personal Data
Protection Bill 2022 for public feedback.
On
July 5, 2023, the Cabinet endorsed the DPDP bill to be presented during the
monsoon session of Parliament.
The
Union Cabinet’s approval of the Digital Personal Data Protection Bill, 2022 cleared
the path for its introduction in Parliament.
This
bill outlines protocols for storing personal data, ensuring breach-free data
processing, and upholding the right to privacy, as established in the 2017 K.S.
Puttaswamy vs. Union of India judgment. Justice BN Srikrishna drafted the
initial version of the bill, marking India’s inaugural domestic attempt to
legislate on data protection.
Timeline of drafting of the bill
The
drafting process of the bill began with the proposal of the Personal Data
Protection Bill in 2018 by the Justice Srikrishna Committee. Following subsequent revisions, the Lok Sabha introduced the Personal
Data Protection Bill, 2019, which was then referred to a Joint Parliamentary
Committee. Delays due to the COVID-19 pandemic led to the JPC submitting its
report on the PDP bill after two years in December 2021. In August 2022,
Minister Ashwini Vaishnaw permitted the withdrawal of the draft DPB 2021. In
November 2022, Meity released the draft Digital Personal Data Protection Bill
2022 for public input. On July 5, 2023, the Cabinet sanctioned the DPDP Bill to
be presented during the Monsoon Session of Parliament.. The necessity for
multiple revisions stems from the aim to establish a comprehensive law that
addresses the rights of data principals and the responsibilities of data
fiduciaries, while also aligning with the Supreme Court judgment in the
S.Puttaswamy vs. Union of India case in 2017[5].
Definitions under bill
Data principle: The term “data principle” pertains to the person from
whom data is collected. For minors (under 18 years), their parents or legal
guardians are regarded as their data principles.
·
Data fiduciary: A “data fiduciary” is an entity (such as an individual,
company, organization, or government) that determines how and why personal data
belonging to an individual is processed.
·
Personal data: Personal
data” encompasses any information that can be used to identify an individual.
·
Data processor: Person
who processes, personal data on behalf of data fiduciary
RIGHT TO PRIVACY AND PROTECTION
Privacy
refers to individuals’ or groups’ ability to keep themselves or their
information private, allowing them to selectively express themselves. It
intersects with security, encompassing appropriate information use and
protection, and can also relate to bodily integrity. Throughout history,
various notions of privacy have existed, with many cultures acknowledging the
right to keep personal aspects private. Laws and sometimes constitutions in
many countries protect individuals from unauthorized intrusions into their
privacy by governments, corporations, or individuals. As technology advances,
the discussion on privacy has expanded to include digital aspects. Most
countries consider digital privacy an extension of traditional privacy rights
and have enacted laws to safeguard digital privacy from both public and private
entities.
WHAT
IS RIGHT TO PRIVACY?
The
Right to Privacy entails maintaining solitude and keeping personal affairs and relationships
confidential. According to Black’s Law Dictionary[6],
it involves preventing secret surveillance and safeguarding an individual’s
information, categorized into physical, decisional, informational, and
dispositional aspects. While the concept of privacy has historical roots, its
recognition as a fundamental right is a modern development. Ancient Greek
society distinguished between the public sphere (Polis) and household affairs
(Oikos). In nineteenth-century America, common law principles and constitutional
protections emerged to safeguard privacy. The seminal Harvard Law Review
article “The Right to Privacy,” authored by Samuel D. Warren and Louis Brandeis
in 1890[7],
is credited with formally acknowledging the right to privacy and introducing a
new legal concept for privacy infringements. This article proposed remedies for
privacy violations by the press and was praised by legal scholar Roscoe Pound
for its significant contribution to legal jurisprudence.
The Acknowledgment on a Global Scale
of Privacy as a Fundamental Human Right:
The
Right to Privacy has gained international recognition as a fundamental human
right, forming the foundation for various other rights. It is enshrined in the
Universal Declaration of Human Rights (UDHR) of 1948[8]
and the International Covenant on Civil and Political Rights (ICCPR) of 1966[9].
Both documents, through Article 12 of the UDHR and Article 17 of the ICCPR,
offer legal safeguards against arbitrary intrusions into individuals’ privacy,
including their family life, correspondence, home, reputation, and honor. In
addition to these universal treaties, specialized conventions aimed at
protecting the rights of specific groups also acknowledge and uphold privacy
rights. For instance, Article 16 of the Convention on the Rights of the Child
(1989) [10]safeguards
children from unlawful invasions of their privacy, home, correspondence, family
life, and reputation. Likewise, Article 14 of the
International Convention on the Rights of All Migrant Workers and Their
Families (1990) safeguards migrant workers and their families against
unjustified intrusions into their privacy, residence, communications, dignity,
and reputation. Regional blocs have similarly recognized and ensured privacy
protection for their inhabitants. For instance, Article 8 of the European
Convention on Human Rights and Fundamental Freedoms[11]
grants European Union citizens the right to privacy and family life, with
certain limitations in the interest of national security, health, morals, and
the rights and freedoms of others. Similarly, Article 21 of the Arab Charter on
Human Rights (2004)[12]
protects individuals from arbitrary interference and attacks on their privacy,
family life, and correspondence. Moreover, Article 11 of the American
Convention on Human Rights[13]
ensures protection against arbitrary or abusive interference in private life,
family, home, correspondence, honor, or reputation.
Right to privacy
in different countries:
As
the volume of personal data grows in our increasingly data-centric world,
countries worldwide have developed their own legislation on data protection and
privacy. According to the United Nations Conference on Trade and Development
(UNCTAD), 137 out of 194 countries have enacted laws specifically addressing
privacy and data protection. Particularly in Asia and Africa, a significant
majority of countries—57% and 61%, respectively—have implemented privacy
protection statutes. These international data protection laws are generally
based on five key global privacy principles:
1. Notice:
Informing individuals about policies to safeguard their personal information.
2. Choice and
Consent: Allowing individuals the option to consent to the collection, storage,
use, or management of their personal information.
3. Access and
Participation: Ensuring that only authorized individuals access and utilize the
collected data within secure protocols.
4. Integrity
and Security: Implementing measures to secure data and prevent unauthorized
access.
5. Enforcement:
Ensuring alignment with regulations that enforce compliance with privacy and
data protection standards.
The
European Union pioneered data protection legislation with the enactment of the
General Data Protection Regulation (GDPR) in 2018. The GDPR serves as a model
for data and privacy laws worldwide, with countries adapting it to their
specific contexts. European data protection laws carry severe penalties and
substantial fines for data breaches.
In
the United States, while there is no federal data protection law, individual
states have enacted their own regulations, with California being a leader in
this regard. California’s Constitutional Amendment in 1972[14]
recognized privacy as an inalienable right, leading to the passage of laws such
as the California Consumer Privacy Act (CCPA) of 2020[15].
The CCPA empowers residents to control the collection and use of their personal
data and provides avenues for legal recourse in case of unauthorized access or
disclosure.
China
guarantees its citizens’ right to privacy and protection against unlawful
intrusion through its constitution. The Civil Code of 2021 and the Personal
Information Protection Law of 2021 regulate the processing of personal data in
China[16],
primarily focusing on governing private entities’ handling of personal data.
However, the law also grants the government extensive powers to utilize data
for monitoring and surveillance purposes.
Constituent
assembly on the right to privacy
Article
21 of the Indian Constitution[17]
is considered the cornerstone, guaranteeing the Right to Life and Personal Liberty
to all individuals within India, regardless of citizenship status. This
fundamental right encompasses various other rights essential for human
well-being, including the right to health, a clean environment, peaceful sleep,
livelihood, free legal aid, speedy trial, and privacy. Privacy has long been
regarded as an inherent aspect of the right to life and personal liberty. The Supreme
Court, in the case of Kharak Singh v. State of Uttar Pradesh (1963)[18],
emphasized that the right to life extends beyond mere existence and includes
the enjoyment of life’s essential aspects without continuous surveillance or
intrusion. Within Article 21, liberty denotes an individual’s autonomy and
control over their life, allowing them personal space free from undue
interference. The landmark judgment in Maneka Gandhi v. Union of India (1978)[19]
expanded the understanding of liberty, requiring any curtailment of liberty to
be procedurally fair, non-arbitrary, and reasonable. Subsequently, in K.S.
Puttaswamy v. Union of India (2017)[20],
the Supreme Court affirmed privacy as an integral component of the right to
life and personal liberty. However, like other fundamental rights, the right to
privacy is not absolute and can be restricted under certain circumstances. Such
restrictions may be justified in the interest of national security,
sovereignty, public order, decency, morality, contempt of court, or prevention
of offenses, as outlined in Article 19 of the Constitution[21].
Additionally, privacy may yield to other fundamental rights serving the public
interest, as seen in cases like Mr. X v. Hospital Z (1998)[22],
where privacy was outweighed by the right to health.
In
the Puttaswamy Judgement of 2017, Justice (Dr.) D. Y. Chandrachud introduced
the concept of proportionality as a test for evaluating the justification of
invading privacy. According to this test, any intrusion into privacy must be
balanced with the necessity for interference. The criteria for qualifying as an
exception to the right to privacy include: The interference must be authorized
by law, with a fair and reasonable legal procedure that is devoid of obvious
arbitrariness. The law should serve a legitimate and reasonable state interest
to justify the intrusion by the state.
The method, nature, and extent of the interference should be
proportional to the objectives, needs, and purposes intended to be achieved by
the law.
Right to
privacy and government surveillance
Government
surveillance involves the monitoring or observation of individuals for various
purposes such as crime prevention, maintaining law and order, and safeguarding
national interests. This surveillance can encompass activities like searches,
seizures, telephone tapping, message decryption, and email scrutiny,
facilitated by laws like the Information Technology Act, 2000 and the Indian
Telegraph Act, 1885. These laws empower governments to issue surveillance
orders based on grounds like public emergency, public safety, or threats to
public order and national security. Under Section 5 of the Indian Telegraph
Act, interception orders can be issued by central or state governments in
specific circumstances. Rule 419A of the Telegraph (Amendment) Rules, 2007[23]
grants authority to designated officials to issue interception orders in their
respective jurisdictions. Similarly, Section 69 of the Information Technology
Act, 2000 allows governments to issue orders for monitoring and intercepting
computer-based information. Agencies like the CBI, NIA, NCB, RAW, IB, and ED,
among others, are authorized to conduct surveillance under the IT Act and IT
Rules, 2009, based on orders from the Ministry of Home Affairs. However, there
are concerns about the potential misuse of surveillance powers by governments,
leading to excessive monitoring and suppression of dissenting voices. Instances
such as the Pegasus Spyware attacks and the Cambridge Analytical scandal have
raised alarm about infringements on individuals’ right to privacy through
government surveillance.
The
legality of surveillance provisions has been contested in various court cases,
including M.P. Sharma v. Satish Chandra (1954)[24],
Kharak Singh (1963), and Govind v. State of Madhya Pradesh (1975)[25],
raising concerns about privacy breaches. In M.P. Sharma (1954), the Supreme
Court ruled that search and seizure powers do not violate privacy rights
guaranteed by the Constitution, deeming them necessary for law enforcement.
However, in Kharak Singh (1963), while the court did not explicitly recognize
privacy rights, it found nocturnal surveillance to be a violation of the right
to life and liberty. Govind v. State of M.P. (1975) emphasized the need for
strict limitations on surveillance powers to safeguard privacy, urging their
use only for community security. PUCL v. Union of India (1997) saw the Supreme
Court ruling CBI’s telephonic interception powers, lacking procedural
safeguards, as privacy violations, affirming the right to phone conversations free
from intrusion. In 2012, Justice Puttaswamy challenged the Aadhar Scheme,
arguing that mandatory biometric data collection could lead to a surveillance
state, a concern upheld by the Supreme Court in 2017. The Court declared
privacy a fundamental right, emphasizing its protection in the digital age and
the need for lawful restrictions. Building on this, the Bombay High Court in
Vineet Kumar v. CBI (2019)[26]
annulled interception orders and ordered the destruction of intercepted
records, citing privacy violations.
Important judicial pronouncements on the
right to privacy in India
The
landmark case of Justice K.S. Puttaswamy (Retd.) v Union of India (2017) marked
a significant milestone in India’s judicial history by recognizing the right to
privacy as a fundamental right under Article 21 of the Constitution. This
decision paved the way for safeguarding other liberties in India, such as the
decriminalization of adultery in Joseph Shine v. Union of India (2018)[27]
and the legalization of consensual homosexual relationships in Navtej Singh
Johar v. Union of India (2018)[28].
The Supreme Court highlighted that privacy encompasses an individual’s natural
right to autonomy in making choices regarding core aspects of life, especially
crucial in the age of technological advancements characterized by widespread
dataveillance.
The
case originated when Justice Puttaswamy, a retired High Court Judge, challenged
the constitutionality of the Aadhaar Scheme of the Government of India in 2012.
The scheme, later backed by the Aadhaar Act of 2016, aimed to create a unique
identity for individuals through the collection of biometric data for efficient
delivery of welfare schemes. Justice Puttaswamy contended that mandatorily
collecting biometric data violates the right to privacy and democratic values,
potentially leading to a surveillance state. The Union of India and UIDAI
argued against privacy being a fundamental right, citing the M.P. Sharma case.
However, considering conflicting precedents and the importance of definitively settling
the matter, the Supreme Court referred the case to a Constitutional Bench of
nine judges. The nine-judge bench unanimously ruled that the right to privacy
is indeed a fundamental right under Articles 14[29],
19, and 21 of the Constitution, overruling the decisions in the M.P. Sharma and
Kharak Singh cases. This landmark judgment underscored the intrinsic connection
between privacy and the right to life and personal liberty, thus reinforcing
the foundational principles enshrined in Part III of the Constitution.
The
judgments delivered by various justices in the case of Justice K.S. Puttaswamy
(Retd.) v Union of India (2017) marked a significant shift in India’s judicial
landscape, particularly concerning the recognition and protection of the right
to privacy. Justice Chandrachud, along with Justices J.S. Kehar, Nazeer, and
Agarwal, overruled previous judgments in the M.P. Sharma and Kharak Singh
cases, emphasizing that the Constitution indeed protects an individual’s right
to privacy under Article 21. They highlighted that privacy is an inherent
aspect of life and personal liberty, essential for autonomy and decision-making
in personal matters.
Justice
Chelameshwar underscored the three key aspects of privacy: repose, sanctuary,
and intimate decisions, essential for individual liberty. He stressed the need
for stringent scrutiny of legislation restricting privacy rights to ensure a
balance between state interests and individual freedoms.
Similarly,
Justice Bobde highlighted the distributed nature of the right to privacy under
Part III of the Constitution, emphasizing its protection against state
intrusion and horizontal safeguarding between individuals. He emphasized
privacy as an essential condition for exercising liberty, subject to reasonable
restrictions.
Justice
Nariman emphasized the inalienable nature of the right to privacy, tracing it
to Article 21 and other liberties. He highlighted the multifaceted concept of
privacy and its evolving interpretation in light of technological advancements,
stressing its significance in protecting personal autonomy.
Justice
Sapre traced the right to privacy to Articles 21 and 19, as well as the
Preamble, underscoring its importance in a society governed by the rule of law.
He noted that while privacy is cherished, it is subject to restrictions
necessary for safeguarding broader societal interests.
Justice
Kaul viewed privacy through the lens of individual autonomy and
non-interference in personal life, stressing the need for laws balancing
privacy concerns with legitimate state interests. He emphasized the protection
of sexual autonomy as a facet of privacy, highlighting the importance of laws
serving the interests of all individuals, not just the majority.
IMPLICATIONS AND CHALLENGES UNDER THE DATA PROTECTION
ACT, 2023
IMPLICATIONS:
The
Digital Personal Data Protection Act, 2023, has far-reaching implications
across various sectors and stakeholders. It marks a significant change in how
personal data is collected, processed, and safeguarded by both governmental and
private entities. The Act imposes strict requirements for obtaining explicit
consent, defining the purposes for data usage, and ensuring data security,
thereby enhancing individual privacy rights and standards of accountability.
A
key implication is the establishment of the Data Protection Authority (DPA),
responsible for ensuring compliance, addressing complaints, and enforcing
penalties. The DPA plays a crucial role in upholding the Act, fostering
transparency, and providing avenues for redress for individuals affected by
data breaches or privacy infringements. However, the effectiveness of the DPA
depends on its resources, expertise, and independence, posing challenges in its
implementation and enforcement.
Furthermore,
the Act tackles the complexities of cross-border data transfer, recognizing the
importance of international data flows while safeguarding data security and
privacy. It lays out criteria for lawful transfer, mechanisms for data
protection, and the rights of individuals in international data exchanges.
Nevertheless, ensuring compliance across diverse jurisdictions presents
practical hurdles, necessitating international cooperation and alignment of
regulations.
Moreover,
the Act reflects the ongoing tension between promoting innovation and economic
growth through seamless data flows and safeguarding citizens’ privacy rights.
Striking a balance between these interests is crucial for fostering trust in
digital environments and ensuring sustainable progress. Overall, the
implications of the Digital Personal Data Protection Act, 2023, underscore the
significance of robust data governance frameworks, collaboration among
stakeholders, and continual adaptation to evolving technological and regulatory
landscapes.
CHALLENGES:
The
Digital Personal Data Protection Act of 2023 brings forth several obstacles
that require careful attention to ensure its successful implementation and
enforcement.
Firstly,
adhering to the stringent requirements of the Act poses a considerable
challenge for both governmental and private entities. Obtaining explicit
consent, defining data usage purposes, and guaranteeing data security demand
significant resources, expertise, and infrastructure. Small and medium-sized
enterprises (SMEs) might find it difficult to meet these demands, resulting in
compliance gaps and potential risks of data breaches or privacy infringements.
Secondly,
establishing and operating the Data Protection Authority (DPA) presents
challenges concerning its resources, expertise, and independence. Adequate
funding and staffing are vital for the DPA to effectively oversee compliance,
address complaints, and impose penalties. Additionally, ensuring the DPA’s
independence from political influence is crucial for maintaining public trust
and confidence in its regulatory actions.
Another
significant challenge pertains to the provisions concerning cross-border data
transfer under the Act. While enabling international data flows is crucial for
global business operations, ensuring compliance with data protection standards
across diverse jurisdictions prove intricate. Varying regulatory frameworks,
data localization requirements, and jurisdictional conflicts may impede smooth
data transfers and escalate compliance expenses for organizations.
Furthermore,
balancing the imperatives of fostering innovation and economic growth with
safeguarding citizens’ privacy rights poses a complex challenge. Achieving the
right equilibrium necessitates careful consideration of ethical, legal, and
societal ramifications. It involves advocating for responsible data practices,
enhancing transparency, and involving stakeholders in the policy formulation
process.
Lastly,
the rapid evolution of technology and the emergence of new privacy risks
present ongoing challenges for data protection regulation. Novel technologies
like artificial intelligence (AI), Internet of Things (IoT), and blockchain
introduce fresh intricacies in data handling, processing, and security.
Regulators must remain abreast of these developments and adapt regulatory
frameworks accordingly to effectively address emerging privacy risks.
CONCLUSION
It
can be concluded that, facilitating cross-border data sharing under the Digital
Personal Data Protection Act 2023 is vital for promoting global connectivity
and innovation. On one hand, enabling international data flows is essential for
global business operations, innovation, and economic growth. The Act
acknowledges the importance of cross-border data transfer by outlining
conditions for lawful transfer, mechanisms for data protection, and
individuals’ rights in international data exchanges. However, the complexities
of ensuring compliance with data protection standards across diverse
jurisdictions pose considerable challenges. Divergent regulatory frameworks,
data localization requirements, and jurisdictional conflicts may hinder
seamless data transfers and increase compliance costs for organizations.
Moreover, addressing concerns related to data security, privacy, and
accountability in cross-border data sharing requires international cooperation
and harmonization of regulations. The establishment of the Data Protection
Authority (DPA) is crucial in addressing these challenges by overseeing
compliance, handling complaints, and enforcing penalties. Adequate funding,
staffing, and independence of the DPA are essential for its effective
functioning and credibility in regulating cross-border data transfers.
Furthermore, balancing the imperatives of fostering innovation and economic
growth with protecting citizens’ privacy rights remains a key consideration.
Striking the right balance requires careful deliberation of ethical, legal, and
societal implications, promoting responsible data practices, and engaging
stakeholders in the policymaking process. Only through concerted action can we
create a robust data protection ecosystem that fosters trust, innovation, and
privacy rights in the digital age.
[1] LLB Student, Amity Law School,
Noida
[2] Asst. Professor(III), Amity Law
School, Noida
[3]
The Digital Personal Data Protection Act,2023 (Act 22 of 2023), s.16
[4]
The Digital Personal Data Protection Act,2023 (Act 22 of 2023), s.18(1)
[5]AIR (2017) 10 SCC 1
[6]The
right to privacy, according to Black’s Law Dictionary available at: https://law.dypvp.edu.in/blogs/international-perspective-of-right-to-privacy#:~:text=According%20to%20Black's%20Law%20Dictionary,in%20Puttaswamy%20Judgement%20in%202017 (Last visited on 4th Feb, 2024)
[7]
Harvard Law Review article “The Right to Privacy,” authored by Samuel D. Warren
and Louis Brandeis in 1890 available at:
https://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html (Last visited on 4th Feb, 2024)
[8]
Universal Declaration of Human Rights (UDHR) of 1948 available at:
https://www.un.org/en/about-us/universal-declaration-of-human-rights (Last visited on 4th Feb, 2024)
[9]
International Covenant on Civil and Political Rights (ICCPR) of 1966 available
at: https://www.coe.int/en/web/compass/the-international-covenant-on-civil-and-political-rights (Last visited on 4th Feb, 2024)
[10]
Convention on the Rights of the Child (1989) Art. 16
[11]
European Convention on Human Rights and Fundamental Freedoms Art. 8.
[12]
The Arab Charter on Human Rights (2004) Art. 21
[14]
California’s Constitutional Amendment in 1972 available at: https://www.law.berkeley.edu/wp-content/uploads/2016/12/Kelso-Californias-Constitutional-Right-to-Privacy.pdf (Last visited on 5th Feb, 2024)
[15]
California Consumer Privacy Act (CCPA) of 2020 available at: https://oag.ca.gov/system/files/initiatives/pdfs/19-0017%20%28Consumer%20Privacy%20%29.pdf (Last visited on 5th Feb, 2024)
[16] The Civil Code of 2021 and the
Personal Information Protection Law of 2021
took effect on 1 January 2021 regulate the processing of
personal data in China available at: https://iclg.com/practice-areas/data-protection-laws-and-regulations/china#:~:text=Yes.,principles%20of%20personal%20information%20protection (Last visited on 5th Feb, 2024)
[17]
Indian Constitution (Art. 21)
[18] [1964] 1 SCR 332, AIR 1963 SC 1295
[19] 1978 AIR 597, 1978 SCR (2) 621
[20] AIR 2017 SC 4161
[21]The Indian Constitution (Art. 19)
[22] AIR 1999 SC 495, (1993) 3 SCO 296
[23]
The Telegraph (Amendment) Rules, 2007 (Rule 419A) available at; https://dot.gov.in/sites/default/files/march2007.pdf?download=1( last visited on 5th
Feb,2024)
[24] AIR 1954 SC 300
[25]AIR
1975 SC 1378, (1975) 2 SCC 148
[26] AIRONLINE 2019 BOM 1117, 2020 (1) ABR(CRI) 1
[27]
AIR 2018 SC 489
[28] AIR 2018 SC 4321
[29]
The Indian Constitution (Art. 14)
Article Information
FACILITATING CROSS-BORDER DATA SHARING: EVALUATING THE IMPLICATIONS AND CHALLENGES UNDER THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
Authors: ANAMIKA, DR. AMIT DHALL
- Journal IJLRA
- ISSN 2582-6433
- Published 2024/03/11
- Issue 7
About Journal
International Journal for Legal Research and Analysis
- Abbreviation IJLRA
- ISSN 2582-6433
- Access Open Access
- License CC 4.0
All research articles published in International Journal for Legal Research and Analysis are open access and available to read, download and share, subject to proper citation of the original work.
Disclaimer: The opinions expressed in this publication are those of the authors and do not necessarily reflect the views of International Journal for Legal Research and Analysis.