Nasscom neutral on India joining global Cross Border Privacy Rules forum

Industry body Nasscom has taken a neutral stand on whether India should join the global Cross Border Privacy Rules (CBPR) forum, saying the benefits need to be weighed against yet another compliance burden for the industry.

CBPR's establishment was spearheaded by the US' commerce department. Member countries include Canada, Japan, Korea, Philippines, Singapore, Taipei, and the US. The CBPR Forum has launched a multilateral enforcement arrangement called the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE) to facilitate cooperation on data protection and privacy enforcement between participating countries.

The CBPR framework aims to establish a certification-based system for both data controllers and processors, to ensure privacy and security of personal information.


CBPR is a voluntary, accountability-based certification framework that facilitates cross-border data transfers. The system aims to establish an international standard for data privacy.

Indian government departments, agencies and regulators, including the Department of Commerce, Reserve Bank of India, Securities and Exchange Board of India, Pension Fund Regulatory and Development Authority, International Financial Services Centres Authority, National Payments Corporation of India, and Open Network for Digital Commerce, participated in the discussions.

"Cross-border processing of personal data underpins digital trade, but it remains entangled in divergent national rules. Governments need to assess whether certifications truly bolster trust and whether cooperation will be substantive," Ashish Aggarwal, vice president and head of public policy, Nasscom, told ET. Nasscom is convening this evaluation in India.

Nasscom's forthcoming White Paper will further explore CBPR’s fit with India’s legal framework, enforcement architecture, and export competitiveness. Last year, IT companies such as Infosys, Tata Consultancy Services (TCS) and Genpact were a part of Nasscom’s consultation on CBPR.

Infosys, TCS, and the ministry of electronics and information technology (MeitY) did not respond to ET's requests for comment. Genpact declined to comment.

The CBPR framework promises to establish baseline interoperability across member countries while accepting that each government’s approach will vary by context and priority, like India's own Digital Personal Data Protection Act.

"CBPR hinges on voluntary business certification and ‘best-effort’ law-enforcement cooperation," Aggarwal said.

Nasscom and the Data Security Council of India, in collaboration with MeitY and the Ministry of External Affairs, had convened a technical workshop last September to examine the Global CBPR framework and its relevance for India.

The workshop had examined the value proposition of the CBPR framework in the context of international data transfers.