Assessing the International Impact of the PIPL and the PDP Bill

By Anamika Kundu

The Personal Information Protection Law (PIPL), China’s version of the personal data protection bill, comes into effect on November 1, 2021. It will impact companies conducting business in China, especially with the new provisions on cross-border data which include approval and penalties, among others.[1] The PIPL distinguishes “personal information” from “sensitive personal information”. The former is defined as all kinds of data apart from anonymised information[2] whereas the latter is information that could harm the rights of people in case of leakage or illegal usage of the data.[3]

In this article, I attempt to draw a comparison between the Personal Data Protection (PDP) Bill, 2019, India’s proposed legislation on privacy, and the PIPL. While both legal texts draw inspiration from the European Union’s General Data Protection Regulation (GDPR), there are granular differences in each of these laws which will impact the business interests of multinational companies operating in both nations.

The PIPL

Foreign entities will be required to comply with the PIPL strictly due to the law’s extra-jurisdictional powers. According to Chapter 3 of the PIPL, if a ‘personal information processor’, which is the equivalent of a data processor in India[4], wishes to transfer data beyond the People’s Republic of China, it has to comply with one of the following conditions:

  1. pass a security assessment set by the Cyberspace Administration of China[5],

The PIPL also requires user consent if his/her data is being transferred beyond the borders of China. Additionally, the recipient should inform the user about how his/her data will be used, in case its original purpose of transfer has changed. In contrast, India’s PDP Bill, 2019 does not stipulate such a requirement.[6] Further, prior approval of the government is mandatory if data is to be transferred to a foreign entity.[7] The need for explicit approval can pose a problem for companies in case there are extraterritorial disputes. International businesses will need to craft ways to comply with the PIPL in order to continue with their operations.

The PDP Bill, 2019

The PDP Bill, on the other hand, adopts a more liberal approach to cross-border data transfers. It makes a distinction between transfers of ‘sensitive personal data’ (‘SPD’), ‘critical data’, and ‘personal data’.[8] Personal data can be transferred outside India without any regulatory approval, while the transfer of SPD requires approval from the authorities.[9] Additionally, the contracts governing data transfers need to include provisions to effectively protect the rights of the ‘data principal’ and affix liability on the exporter for any harms caused.[10] Data principals are defined as “the natural person to whom the personal data relates”.[11] In case data transfers take place to another country/entity/international organisation, the SPD shall be protected and not prejudice the enforcement of laws by authorities in India. Critical data can only be transferred outside the country in case of a health emergency or to an international organisation, because the government believes that it will not affect the security of the state.

India plans to adopt a more liberal approach. Violations of the PDP Bill’s provisions related to cross-border data transfer attract only monetary penalties, whereas the PIPL includes a number of consequences for any violation of the cross-border data transfer provisions. These include limiting the amount of information shared with the personal information processor and reciprocal measures where a country has compromised data protection.[12] More generally, legal liabilities under the PIPL are wide-ranging and include monetary penalties, suspension/termination of service provision, cancellation of licenses, publication in credit files, etc.[13]

India’s legal stance on data protection must contrast with the PIPL. For instance, the PIPL does not make clear whether, on completion of the mandatory security assessment, a company will be guaranteed a one-time approval for data transfer or a license for a particular time frame.[14] India must ensure that even if the PDP Bill does not go into such nuances, the regulations flowing from it give companies a clear understanding of how they have to change their methods of business. The Indian government can take ideas from the GDPR, which protects data while allowing free flow. Under the GDPR, all kinds of data can be transferred across the border given that there exists adequate data protection infrastructure in the recipient country.[15] The country can take a comparatively pragmatic approach to ensure proper data protection even with cross-border flow of data.

The Importance of Free Flow of Data

The PIPL will trigger debates on the approaches countries take to regulate their digital economy. Data is an important competitive factor in today’s world, depending on who creates it, owns it, those it is shared with, and the rule-making bodies.[16] The digital transformation has introduced data as a new form of capital. It has the potential to create large rents, trigger international rivalry and raise negative externalities that require regulation.[17]

The free flow of data is the foundation of the internet as we know it today. While it is crucial for increased productivity, opportunities to facilitate globalization, and ensure the freedom of expression, there is a need for novel ways of conceptualising legal-regulatory principles that facilitate secure cross-border flows. There must be safeguards as governments and organisations can misuse the free flow of data.[18] A trust-based approach includes but is not limited to establishing digital corridors and facilitation of data flow in critical sectors such as healthcare.[19] To ensure free flow of data, national law enforcement agencies need to trust that they can access domestic information contained in other countries.[20] The G20 in 2019 outlined various principles to bolster cross-border Data Free Flow with Trust.[21] In future the G20 could focus on creating standards and controls which increase trust and encourage cross-border data sharing.[22]

The Chinese approach sees data as something which belongs to the State. It views data security as a collective right to be safeguarded.[23] Thus, any claim of national security can override agreements between service providers and consumers.[24] As long as personal data is seen as a “national resource” where territorial sovereignty can be exercised, there will be mistrust between countries due to rivalry on other fronts.[25] Multiple economic models have showcased how the flow of data is crucial for a sustainable modern economy, with international trade sending off consumer data across borders. It allows for smaller businesses in remote parts of the world to reach out to larger markets.[26]

Even with the understanding that the internet is becoming increasingly important to society and the global economy, there is little substantive progress in creating a framework to solve internet policy conflicts. This is due to the natural problem of sovereign countries having access to a global medium i.e. the internet. There is a dearth of progress because countries have different priorities and values. This leads to the lack of resolution of any policy dispute as there exists no common dialogue.[27] More than 70 countries have come out with laws that mandate data localisation.[28] This highlights the failure of inculcating trust among countries with regard to protecting personal data by foreign companies.[29] From a cost perspective, data localisation policies require service providers to establish additional host facilities to physically store information. Since not all countries have such built-in infrastructure, entities have to undertake additional costs to conduct business.[30]

The PDP Bill attempts to strike a balance between trust and control. On one hand, it allows the transfer of certain data outside the country. On the other, there are strict restrictions for other categories of data. It is time for India to decide whether it wishes to take a trust-based or control-based approach. A balancing act could replicate risks of the Chinese playbook which has the potential to create uncertainty for businesses.

It is important to address the absence of trust and digital divides that bolster digital sovereignty in the international community. Going forward, member States of the G20 need to build a language of trust while deciding regulatory standards and exchange of technologies, along with undertaking knowledge and capacity building to improve access.[31]

Inputs from Mohit Chawdhry and Vaishnavi Prasad.

[1] Josh Ye, With new privacy law, China could reshape cross-border data rules similar to Europe’s GDPR, South China Morning Post, (August, 30, 2021), available at: https://www.scmp.com/tech/big-tech/article/3146873/new-privacy-law-china-could-reshape-cross-border-data-rules-similar [last accessed on September 28, 2021].

[2] Article 4, The Personal Information Protection Law, 2021 [China].

[3] Article 28, The Personal Information Protection Law, 2021 [China].

[4] Clause 3(15), The Personal Data Protection Bill, 2019 [India], “data processor” means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary.

[5] Article 38 and 40, The Personal Information Protection Law, 2021 [China].

[6] Clause 39, The Personal Data Protection Bill, 2019 [India].

[7] Clause 41, The Personal Data Protection Bill, 2019 [India].

[8] Clause 2 (28), The Personal Data Protection Bill, 2019 [India] “personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling

(36) “sensitive personal data” means such personal data, which may, reveal, be related to, or constitute — (i) financial data;

(ii) health data;

(iii) official identifier;

(iv) sex life;

(v) sexual orientation;

(vi) biometric data;

(vii) genetic data;

(viii) transgender status;

(ix) intersex status;

(x) caste or tribe;

(xi) religious or political belief or affiliation; or

(xii) any other data categorised as sensitive personal data under section 15.

Section 33, Explanation. — For the purposes of sub-section (2), the expression “critical personal data” means such personal data as may be notified by the Central Government to be the critical personal data.

[9] Clause 33, The Personal Data Protection Bill, 2019 [India].

[10] Rahul Sharma, Contemporizing Data Protection Legislation, Observer Research Foundation, (February 01, 2021), available at: https://www.orfonline.org/expert-speak/contemporising-data-protection-legislation/ [last accessed on September 28, 2021].

[11] Clause 2(14), The Personal Data Protection Bill, 2019 [India].

[12] Section 42 and 43, The Personal Information Protection Law, 2021 [China].

[13] Article 66 and 67, The Personal Information Protection Law, 2021 [China].

[14] Yiming “Ben” Hu, China’s Personal Information Protection Law and Its Global Impact, The Diplomat, (August 31, 2021), available at: https://thediplomat.com/2021/08/chinas-personal-information-protection-law-and-its-global-impact/ [last accessed on September 28, 2021].

[15] Manya Gupta and Sunanda Tewari, Tipping the Scale: Weighing the Personal Data Protection Bill, 2019 against EU’s GDPR, Firstpost, (December 18, 2019), available at https://www.firstpost.com/tech/news-analysis/tipping-the-scale-weighing-personal-data-protection-bill-2019-against-eus-gdpr-7796161.html [last accessed on September 28, 2021].

[16] Samm Sacks, Addressing the data security risks of US-China Technology Entanglement, Brookings Edu, available at: https://www.brookings.edu/wp-content/uploads/2020/11/Samm-Sacks.pdf, pg 1. [last accessed on September 28, 2021].

[17] Ciuriak Consulting Inc., The State Also Rises: The Role of State in the Age of Data, (September 10, 2020), available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3663387, pg. 8 [last accessed on September 28, 2021].

[18] Ibid.

[19] Mohit Chawdhry, A digital agenda for India’s G20 Presidency, (June 01, 2021), available at: https://www.orfonline.org/expert-speak/a-digital-agenda-for-indias-g20-presidency/ [last accessed on September 28, 2021].

[20] Nigel Cory et. al., Principles and Policies for “Data Free Flow with Trust”, Information Technology and Innovation Foundation, (May 2019), available at: https://itif.org/sites/default/files/2019-principles-policies.pdf, pg 2, [last accessed on September 28, 2021].

[21] World Economic Forum, White Paper on Data Free Flow with Trust, (June 10, 2020), available at: https://www.weforum.org/whitepapers/data-free-flow-with-trust-dfft-paths-towards-free-and-trusted-data-flows [last accessed on September 28, 2021].

[22] Mohit Chawdhry, India’s G20 Presidency: Promoting Trust and Inclusivity in a Digital World, (May 2021), available at: https://static1.squarespace.com/static/5bcef7b429f2cc38df3862f5/t/60a450248fd43071e6134065/1621381159550/Report_Issue_008--Indias_G20_Presidency.pdf [last accessed on September 28, 2021].

[23] Milton Mueller, China’s Data Security Initiative: Still Stuck in the Sovereignty Box, Internet Governance Project, (September 16, 2020), available at: https://www.internetgovernance.org/2020/09/16/chinas-data-security-initiative-still-stuck-in-the-sovereignty-box/ [last accessed on September 28, 2021].

[24] Ibid.

[25] Ibid.

[26] Ibid.

[27] Nigel Cory et. al., Principles and Policies for “Data Free Flow with Trust”, Information Technology and Innovation Foundation, (May 2019), available at: https://itif.org/sites/default/files/2019-principles-policies.pdf, pg. 3, [last accessed on September 28, 2021].

[28] Supra, note 22.

[29] Internet Society, Internet Way of Networking Use Case: Data Localization, (September 30, 2020), available at: https://internetsociety.org/resources/doc/2020/internet-impact-assessment-toolkit/use-case-data-localization/#_ftn3 [last accessed on September 28, 2021].

[30] Ibid.

[31] Supra, note 22.