Article 25 of the EU Data Protection Directive, governs trans-border data flows, and lays down the conditions for transfer of personal data of EU citizens outside EU/EEA. Under this, free flow of information can only take place with a ‘third country’ if its data protection regime is considered ‘adequate’ by the EU. Only a handful of countries have been considered as ‘adequate’ by the EU (India is not part of this list). For countries that do not qualify as ‘adequate’, the Directive provides alternative legal instruments for data transfer which includes Standard Contractual Clauses (SCCs) that is majorly used by the IT/BPO service providers in India to serve EU based clients.
These legal instruments together with the enforcement mechanisms across member countries put too much obligations on businesses. Such bureaucratic structures and procedures have been heavily criticized, as they are considered to be unfriendly to businesses esp. SME service providers, which create non-tariff trade barriers for transfer of information outside the EU, without necessarily improving data protection. The inconsistent implementation of the EU DPD in member countries further complicates the issue. A recent NASSCOM-DSCI survey on the data protection issues in EU validated that there is significant opportunity loss for the IT/BPO industry on the account of data transfer related issues as the EU clients are hesitant to offshore work to India because of stringent data protection requirements in the EU. Almost half of the companies surveyed had to establish their offices at near shore locations in the EU to overcome such concerns, adding to their costs of serving EU based clients.
NASSCOM and DSCI along with Department of Commerce (DoC) and Department of Electronics & Information Technology (DeitY), Government of India have been working on this trans-border data flow issue between EU and India. The issue has been made an important agenda item in the on-going negotiations between the EU and India for Free Trade Agreement. India is demanding ‘adequate’ status based on the strong data protection regime established in India post amendments were made to the Information Technology Act to include provisions for protection of sensitive personal information. In this regard, DSCI prepared a detailed white paper on adequacy assessment of India and submitted to government authorities in EU and India. Several rounds of negotiations / discussions have taken place at various levels regarding this issue. The EU last year sent a high level delegation to India to meet the concerned stakeholders including the industry to better understand industry’s concerns. Following this visit, the EU appointed a consultant to assess the different possibilities of easing transfer of data to India, who visited India earlier this year. The findings and recommendations of the consultant are yet not known to India. NASSCOM and DSCI, through DoC are continuously following up with the EU on the matter.
Proposed EU Data Protection Regulation
The European Commission proposed a comprehensive reform of EU DPD against the backdrop of technological progress and globalisation by unveiling the proposed ‘EU Data Protection Regulation’ in Jan’12. The world community including NASSCOM and DSCI welcomed EC’s vision to harmonize data protection laws in EU member states. Though, the proposed regulation does address some areas of concern, but some critical reforms especially with respect to international data flows have been left unaddressed. Overall, the proposed regulation tries to create a single EU market from a compliance viewpoint, but fails to address the imperative of free flow of information outside EU/EEA. The regulation still has lot of restrictions in place which will continue to act as non-tariff trade barriers, and make it difficult for businesses to explore outsourcing opportunities. The regulation is also very detailed and prescriptive leaving less space for businesses to assess risk and take decisions when transferring data outside EU/EEA. Though some bureaucratic requirements have been removed, new such requirements have been added. The ‘adequacy’ requirements have been made more complex and stringent. The proposed regulation brings the service providers directly under its purview, detailing their responsibilities which are more extensive than the present EU DPD. The regulation, if enacted, will further lead to opportunity loss for the Indian IT/BPO industry as it further increases the threshold for data transfer outside EU/EEA. The regulation will also significantly add to the compliance costs for the service providers. NASSCOM and DSCI prepared a detailed position paper on proposed regulation highlighting industry’s concerns and issues and also organized a seminar in Brussels in Oct’12 to educate the key EU policy makers on industry’s concerns. NASSCOM and DSCI are engaged with EU authorities, EU parliamentarians, think tanks, industry bodies and the US business representatives for more pragmatic data protection regime in EU that respects business innovations around data and data flows.