Overview & Timeline of Activities

Transborder data flow facilitates business process streamlining, improves market access, and maintains business relevance in a fast-evolving business landscape. The maturing business and technological landscape, rapid globalization, increasing value of data and its exchange over e-borders, necessitates examining data policies, frameworks, practices and standards. However, the involvement of multiple countries on the one hand and privacy concerns of businesses and individuals on the other, while complexing the situation, also gives rise to constructive opportunities for their improved effectiveness in all spheres.

The need of the hour is to walk the fine balance between supporting and enabling global movement of data to facilitate commerce while, simultaneously, inspiring trust among individuals, industry and governments and enhancing their ability to control access to their data, even as economic value is generated out of such data collection and processing for all players. DSCI interacts with the European Union (EU), United States (US) and, International organizations in the Asia-Pacific (APAC) regions to analyze their respective data protection regimes and data flow frameworks, and facilitate relaxation of restrictions on cross-border data flows for mutual benefit. Among all the markets, Indian IT-BPM organizations have been striving to get access to the European market. The EU Data Protection Directive (Directive), through Article 25, sets out the criteria for assessing adequacy of data protection in a third country and where India is not considered as an ‘adequate’ country. The adequacy requirements lead to hesitation, inhibitions and impediments around data protection, which translates into significant top line revenue loss to Indian IT-BPM industry.

Despite ability and competence of Indian IT-BPM companies, earned by serving 70 plus countries, the adequacy requirements discriminates Indian industry against the nearshore destinations. Though EU allows legal instruments for data transfer, these have been criticized as complex and lengthy. Their inconsistent implementation and operationalization increases compliance cost and creates hurdles for the industry, thereby complicating the issue further.

Data adequacy requirements create hindrance in accessing the EU market, in the following ways:

DSCI along with the Department of Commerce (DoC), Government of India and Department of Electronics and Information Technology (DeitY), has been actively engaged with EU on the issue of market access and Adequacy Requirement for the Indian IT-BPM industry. Our team conducts regular response meetings, roundtables, prepares white papers and presentations for negotiations with various stakeholders.

  • Topline revenue growth is affected, as some sectors, and data types are not allowed to transfer information or additional significant conditions are imposed, before transferring information.
  • Cost of compliance and delay in business transactions, due to existing use of instruments, which are advocated by the EU as an option for data adequacy such as Model Contract and Binding Corporate Rules (BCR)
  • Restriction on flow of data to India, also deprives the EU companies to avail best-in-class services and become competitive, as was seen in case of other geographies. This closes reach of Indian industry to SME sector of the EU

International Safe Harbour Privacy Principles and EU-US Privacy Shield

The international Safe Harbour Privacy Principles enable some US companies to comply with privacy laws protecting European Union and Swiss citizens. Court of Justice of the European Union (EU), last year, invalidated EU-US Safe Harbour Framework. Lately, a new agreement called as EU-US ‘Privacy Shield’ has been formulated in addition to a comprehensive Privacy Regulation for the entire EU, enforceable from 2018. ‘Privacy Shield’, on the one hand could affect the way software companies conduct business in European markets, and on the other, Judicial Redress Act will allow citizens of European nations and other designated US allies to have privacy protections and rights similar to those of US citizens under the US Privacy Act of 1974. DSCI has been continuously engaging with Indian Industry, Department of Commerce, Ministry of Home Affairs, DeitY and foreign counterparts to evaluate the commitments made by the countries like US and EU to deliberate on a similar agreement for the Indian IT sector, especially with the status of India as designated country after the enactment of US Judicial Redress Act.

Switzerland data flow and Bilateral trade relations

Switzerland, as a federal state in Central Europe, being not part of European Union (EU) and European Economic Area (EEA) doesn’t participate directly with EU as other member states of EU. It has signed various bilateral agreements with EU as well as other geographies for conducting flawless trade. Switzerland has signed and is a member of European Free Trade Association (EFTA) for transborder data flows with the other EU countries. Bilateral and multilateral trade agreements are signed among two and more geographies/entities, respectively, for conducting businesses and trade in favorable manner. DSCI is engaging with various geographies like Switzerland, France, UK among others and associations like EFTA, FTA among others for sensitizing them on Indian data protection regime and model of Indian IT-BPM organizations. The objective is to raise the level of Indian outsourcing sector and businesses by getting into similar bilateral and multilateral trade agreements.

Engagement with DoC

  • Regional Comprehensive Economic Partnership (RCEP): Provided inputs around cross border data transfer issues, data localization, data protection and privacy issues
  • Negotiation between India EU Bilateral Trade and Investment Agreement (BTIA) on transborder data flows has been reinvigorated and negotiation has been started

Engagement with European Free Trade Association (EFTA)

Having representation from four European countries operates in parallel to and is linked to the European Union (EU). These members include Iceland, Liechtenstein, Norway and Switzerland. DSCI along with NASSCOM is working closely with the Department of Commerce and the EFTA secretariat to ensure a special status for the Indian IT-BPM industry in FTA negotiations. DSCI provided inputs to DoC to incorporate the data transfer issue in the on-going trade negotiations; Indian side sought the changes in the way EFTA countries manage the Standard Contractual Clauses (SCC) and the customized contracts

  • DSCI was part of the Expert Group appointed for India-EU Free Trade Agreement (FTA) Negotiations

India-EU Engagements

  • Discussion with high-level EU delegation visited India. Department of Commerce, Department of Electronics and IT, NASSCOM and DSCI - along with members of the industry participated
  • The EU appointed a consultant to study legal and enforcement regime, who made many favorable observations on the current state legal and enforcement regime. The consultant report recommended short term as well as long term solutions and explored the possibility of partial adequacy as a short term solution
  • An Expert Group was set up for the EU to find a solution for removal of market access barriers to Indian IT-BPM industry. The Indian delegation discussed all aspects including the possibility of India specific model contract that may address market access concerns
  • NASSCOM-DSCI survey on Data Protection Issues was released to validate opportunity cost

India-EU Engagements

  • EU 'adequacy' standard: India's Response Meeting
  • Whitepaper on EU Adequacy Assessment of India
  • Meetings with the European Commission officials and EU Parliamentarians
  • A non-paper was submitted in 2010, highlighting the issues of data transfer and market access issue
  • Rules under IT Act section 43 A and associated enforcement regime were conveyed to the EU, which qualify the legal requirement of privacy content and procedural mechanism. Indian constitution, court systems and nature of legal development also add strength to data protection regime of the country

India-US Engagements

  • Roundtable with US India Business Council (USIBC) on matters of privacy rules & data flow Interactions with global law firms specializing in Privacy Legislations- Hunton & Williams and Fulbright & Jaworski

India-EU Engagements