by Anirudh Tyagi 31 January 2021
The Data Protection Bill, 2019 (DPB, 2019), which presently is undergoing a scrutinized reading from the joint parliamentary committee, is the first law in India that vows to protect and guard citizens’ data. In pursuit of the same, the bill provides for the data localization of the “critical personal data,” a term left undefined in the bill. While the bill has been much debated in the public realm, and a lot of material is available for the reader to refer to, only a minuscule concern has been shown to its antagonistic ignorance towards the WTO regulations on free trade. A lot of criticism has been meted out to the bill by contrasting its structure with that of the European General Data Protection Regulation (GDPR). But a whole crux of the bill’s possible ramifications on international free trade-and consequently deprecation of the Indian economy-has manifestly been obviated. Thus, the author here undertakes two major contentions- firstly, how does the DPB, 2019 violates the WTO regulations? Secondly, how does the GDPR manage to process and protect Europeans’ data while retaining the data localization at the same time? The author also suggests certain changes to be considered by the stakeholders and the government before implementing the Act.
The bill of 2018, a predecessor to the present one, had classified data as the “sensitive personal data” and the “critical personal data.” It mandated both to be stored within the country only. This process of storing data that was produced in the country within the country is called data localization. The DPB, 2019 concedes by allowing sensitive personal data to be stored outside the country, but the critical personal data must be stored in the country only. Moreover, while the former is defined, the latter remained undefined in both bills.
General Agreement on Trade in Services and the DPB, 2019
The WTO’s General Agreement on Trade in Services (GATS), India is a signatory, provides for the Market Access and the national treatment commitments. The specific commitments of each member are provided under Article XX. If a member state is committed to the market access under Article XVI or the national treatment under Article XVII, then it must abide by the provisions of the respective articles to concede such trade liberties to the foreign traders. The schedule on Specific Commitments provides for a commitment on the computer and related services. Data comes under the ambit of this commitment. In its progress report to the U.N. on the “Work Program on Electronic Commerce,” WTO included every kind of electronic delivery of services within its jurisdiction. This clearly means that India’s data localization shall be subjected to the GATS regulations and therefore allegedly violative of Article XX.
Article XVI prohibits member s from implementing restrictions in numerical quotas that might deprecate the free flow of services. Data localization of critical personal data essentially affects its market access to foreign service providers. The DPB, 2019 generalizes every kind of critical personal data, and the foreign providers are completely banned from accessing it. Nevertheless, this prima facie goes against the market accessibility commitments.
Article XVII prohibits member states from discriminating against domestic or foreign service suppliers or tendentiously making the market more favourable for the domestic suppliers. Any infrastructural edge to domestic suppliers shall also constitute discrimination. Data localization allows domestic suppliers to access data freely, while the foreign suppliers have to establish new data units in India to access the same. These foreign companies have to incur a mammoth cost- reportedly in millions- to open such units in India. This manifestly violates Article XVII as it “modifies the conditions of competition in favour of services or service suppliers” of the domestic suppliers.
The Suggestive GDPR Solution and Defences to Violation
GDPR serves the same purpose for Europeans as DPB, 2019 serves for Indians. However, the data localization principles are different, making GDPR comply with the tests of accessibility of GATS. Unlike DPB, 2019, Article 45 of GDPR allows cross border transition of personal data to those countries where similar, or at least adequate, level of protection measures is available. In this manner, GDPR does not discriminate between suppliers and keenly give data access to all and contributes to the free cross border trade. The availability of adequate data protection levels must be assessed following GDPR so that citizens’ privacy does not get compromised.
Even if India violates the GATS provisions, such action’s intensity is actually the thing that matters. GATS itself provides for the extent of violation under Article XIV. The article provides for a threefold benchmark to assess such violations by any member state. These are:
- The compliance with the laws that protect the privacy of citizens;
- The necessity to do such in the larger interest and the reasonability in doing so.
Data localization is a byproduct of the DPB, 2019, that protects the citizens’ data and is an essential law on the subject. Data localization has been done to ‘comply’ with DPB, 2019, and that is why it qualifies the compliance test of Article XIV. The necessity test, however, is much intricate and indulging. Its subsets are dissevered as:
- The necessity to protect public morals or to maintain public order;
- The extent to which the challenged measure contributes to the realization of the ends pursued;
- To see if there is an alternative available.
The public order and morals have to be satisfied by the data localization. The test could easily be disposed of. The ‘extent of the realization of the ends pursued’ is the most difficult thing to establish. Data localization in no way contributes to privacy; it just stores data within the country. Moreover, there is no such evidence suggesting that data stored outside the country is prone to be unsafe if a similar protection level is available.
The alternative mechanisms are also available, and doubt on their sufficiency and efficiency could not be backed with tangible proof. The GDPR allows, under Article 15, cross-border transfer of data maintaining that a similar wall of privacy is available on the other side of the border. The U.S. also allows the transfer of data to the European Union. There has not been a single incident where the nations have complained of any vulnerability to data transferred to the other nation. Even if there is so, the transfer could be stopped accusing the other of not properly maintaining the firewall for data protection. Hence, a particular alternative exists, and its compliance could be meted out to protect data and further the trade.
Conclusion
The judgment of the Supreme Court in Puttaswamy held privacy to be a fundamental right of the citizen. Data protection is an essential job for the governments to make the nations survive the invisible theft of data. To further the same, the Indian govt. Provided for data localization under its draft DPB, 2019. The provisions prohibiting cross-border data transfer are violating the WTO clauses that India is bound to acknowledge. The blanket of localization is antithetical to India’s trade interests with different nations. It is consequently antithetical to India’s economy. The government should make changes in the DPB, 2019 to allow the cross-border transfer of data through bilateral or multilateral negotiations or by adding a generalized clause as done by the GDPR.