On one hand, the proponents of privacy rights are pushing for stringent data protection measures, and on the other, businesses argue that the increased costs of data protection compliance may make them unviable...
Coinciding with the widespread global debate on data protection laws and citizens' privacy rights, a report titled "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians" ("Report") authored by a Committee of Experts under the chairmanship of Justice B.N. Srikrishna, and the Personal Data Protection Bill of 2018 ("DraftBill") were submitted to the Government of India ("GOI") on 27 July 2018. The Draft Bill is quite comprehensive in its scope and places stringent obligations on businesses. In particular, it provides for measures relating to protecting the personal information of Indian citizens, the role and duties of data fiduciaries and data processors, rights of individuals, and penalties for violation of these data protection measures.
This note does not touch upon the general impact of the data protection under the Draft Bill on cross-border data flow and thereby impact on international trade and e-commerce. Rather, the note aims to test the provisions of the Draft Bill against India's obligations under the World Trade Organization ("WTO"). Specifically, the Draft Bill places certain restrictions on the cross-border flow of personal data:
Section 40(1) introduces requirements for storing a copy of all personal data generated through servers and data centers in India within India
Section 40(2) prohibits the cross-border flow of certain types of personal data which are to be categories as "critical personal data" by the Central Government per its discretion
Possible inconsistencies with WTO Rules
Generally speaking, the data localization requirements and prohibition on cross-border flow of critical personal data may be argued to be inconsistent with India's obligations under the WTO. Measures that regulate cross-border flows of personal data attract the provisions of the General Agreement on Trade in Services ("GATS"), which governs international trade in services. Obstructions to the flow of personal data across borders may have direct implications on Mode 1 (cross-border services) and Mode 2 (consumption abroad). These restrictions and/or prohibitions in the cross-border flow of data: (i) may run afoul India's market access commitments, and (ii) could violate the national treatment requirements set out under the GATS since foreign service suppliers may be provided less favorable treatment compared to domestic service providers.
Market access: Article XVI of the GATS provides that, interalia, where a country has made market access commitments in its GATS schedule, then that country is prohibited from imposing limitations, through any means, on the number of service suppliers, unless the country has included such limitations in its GATS schedule. Section 40 (1) and Section 40 (2) of the Draft Bill could violate the market access commitments made by India in its GATS schedule. This is because these "measures" in the context of any supply of services provided in India could, in effect, limit the number of suppliers of that service in the Indian market. In other words, these provisions of the Draft Bill could limit access of foreign firms to India's market by conditioning market access upon the local storage and processing of data. Such measures have the effect of restricting or prohibiting flow of cross-border service supply since they would require foreign firms to, inter alia, replicate data storage infrastructure which adds costs for additional data management and compliance requirements. However, this analysis has to be made on a case-wise basis after assessing the commitments made by India under the relevant service sector.
National treatment: The national treatment rule under the GATS applies to all sectors where specific commitments have been undertaken. These commitments prohibit WTO members such as India from discriminating in favor of their domestic companies. Specifically, Article XVII of the GATS makes an obligation on countries to accord services and service suppliers of other countries "treatment no less favorable than that it accords to its own like services and service suppliers." Article XVII:2 of the GATS specifies that a country may accord foreign services or service suppliers different treatment to achieve this objective. Article XVII:3 of the GATS defines treatment as "less favorable" if it "modifies the conditions of competition in favor of services or service suppliers of the Member."
The national treatment obligation may come in the way of the data localization requirements under the Draft Bill. For instance, data localization requires foreign suppliers to duplicate infrastructure and supportservice in local markets. As a result, it could be argued that the foreign service suppliers are accorded less favorable treatment than the domestic service suppliers. Notably, even if the same conditions of localization apply to national suppliers of like services or are "formally identical", it may be argued that they are still designed in a manner to alter the conditions in favor of like domestic service suppliers since they may not have to incur additional costs in replicating the infrastructure and support-service costs.
Therefore, the possibility that such measures are viewed as "less favorable" under Article XVII of the GATS exists.
Again, this analysis has to be made on a case-wise basis after assessing the commitments made by India under the relevant service sector. For example, data localization requirements imposed by the Reserve Bank of India dated 6 April 2018 to Indian banks and authorized e-payment systems may not violate India's commitments under the GATS. This is because India has made its commitments in financial services sectors subject to the requirements under its domestic laws through a horizontal exception. However, India has not provided for such a blanket exception in context of its commitments for other service sectors.
Possible arguments India may take
Should India formally adopt the data localization requirements, India could argue as follows in its defense:
First, the prohibition on cross-border flow of critical personal, data and more specifically, the data localization requirement does not limit the number of service suppliers. In other words, any numbers of service suppliers who comply with the above requirements may provide services in India.
Second, the data localization requirement in itself does not accord less favorable treatment to a foreign service supplier as the requirement applies to even Indian service suppliers. If an Indian service supplier hitherto did not store data locally, it would need to do so as well, and therefore, the measures as such do not accord less favorable treatment.
Third, India could also take recourse to the "privacy" exception under Article XIV(c) of the GATS arguing that the measures are necessary to secure the protection of the privacy of individuals and are not arbitrary or unjustifiable discrimination. The privacy exception is untested by the Dispute Settlement Body of the WTO, and it remains to be seen how wide or narrow this exception is interpreted.
Fourth, India could also argue that the measures were required to protect its "essential security interests" in accordance with Article XIV bis. Based on this provision, WTO members may take actions in derogation of their obligations if such actions are taken for reasons specified for national security reasons. The recent instances of invoking the national security exception by certain WTO Members coupled with the fact that misuse of certain type of data may indeed represent a threat to national security could give India ground to justify its action, even if they may be in derogation to its commitments under the GATS.
Conclusion: What happens next?
The Draft Bill has generated huge interest and debate among various stakeholders including businesses, academia, citizen interest groups, and think tanks. On one hand, the proponents of privacy rights are pushing for stringent data protection measures, and on the other, businesses argue that the increased costs of data protection compliance may make them unviable. Undoubtedly, the Bill is likely to undergo significant churning through debates and reviews and it remains to be seen how India draws a balance between these two competing interests.
Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.