About the author:
Karthika Rajmohan is a fourth-year student from Maharashtra National Law University, Mumbai. Nilay Shah is a fourth-year student from Maharashtra National Law University, Mumbai. Both share common interest in International Trade Law and Public Policy.
Introduction
The landmark judgment on the right to privacy passed by the Supreme Court in K.S. Puttuswamy v. Union of India provided a crucial impetus to privacy jurisprudence in India. This impact continued into the new Personal Data Protection Bill, 2019 (‘2019 Bill’) which was introduced in the Lok Sabha on December 11, 2019. Enacted to ‘protect the privacy of individuals with respect to their personal data’, the 2019 Bill has been the subject of much criticism. With the Bill now undergoing review by a Joint Parliamentary Committee, it is pertinent to talk about one of the more controversial measures introduced by it – ‘Data Localization’.
Chapter VII of the 2019 Bill deals with restrictions on the transfer of personal data outside the country. Section 33 makes a clarification to the 2018 Bill which mandated all sensitive personal data to be stored in the country. It makes a concession by stating that while ‘Critical Personal Data’ is to be processed only in India, ‘Sensitive Personal Data’ may be transferred out of the country, while a copy remains stored in India. While the parameters to define Sensitive Personal Data have been enumerated in Section 15 of the 2019 Bill, Critical Data is as yet undefined. This allows room for significant uncertainty to creep in, compounded by the fact that the only metric that governs the local storage of the data is what the Government chooses to define as Critical Personal Data, which will be afforded most protection. This position can be starkly contrasted with the General Data Protection Regulation (‘GDPR’), the European Union law on Data Protection and Privacy implemented in 2018. While the GDPR was enacted for similar purposes as the Personal Data Protection Bill, there is a marked distinction in the way data is treated. While data localization is mandated by the 2019 Bill, the GDPR allows for personal data to be transferred out of the EU under Article 45, as long as the jurisdiction to which the data is being transferred, provides an adequate level of data protection.
This post analyses the elements of local processing requirements and local storage through the perspective of International Trade Law, with a focus on World Trade Organization (‘WTO’) non-compliance and derogations of Articles XVI and XVII of the General Agreement on Trade in Services (‘GATS’). These provisions focus on market access commitments and national treatment commitments under the WTO respectively. This will be followed by juxtaposing data localization with the commitments to see whether it might violate a member state’s WTO obligations. Lastly, an evaluation of whether defenses under Article XIV can be claimed will be undertaken.
Background
Each member has a schedule of Specific Commitments as per Article XX of GATS. These schedules include terms, limitations and conditions on market access and conditions and qualifications on national treatment. The schedule forms the basis of the member’s obligations, i.e. if they have committed to unrestricted market access under Article XVI or national treatment under Article XVII, then they will be stopped from enacting measures that are prohibited by Articles XVI and XVII respectively. Commitments in the schedule are made based on a multiplicity of sectors and sub-sectors that range from computer and related service to financial services. To accommodate for technological developments and internet services GATS has also accepted that online delivery of any service falls within its scope. This implies that any entity that falls under any sector recognized by GATS that provides online services will be subject to the 2019 Bill’s data localization requirement.
If a member contends that India’s data localization measure is inconsistent with its WTO obligations, it is empowered to bring the case before a panel. Adjudication of such a case will go through the following stages – i) the panel will determine the sector and nature of obligation in the schedule based on the industry that is aggrieved by the measure. ii) the panel will then analyse whether the measure constitutes a market access and national treatment violation and iii) lastly, since it is highly likely that will India will claim general exceptions to defend itself, the panel will appreciate whether the context of the measure allows for such exceptions. Enumerated under Article XIV, these general exceptions relax WTO compliance so that members have the freedom to make laws on essential aspects of society such as public order, morality, health and privacy.
Since data localization measures will affect a multiplicity of industries, India is at risk of being inconsistent with its schedule. Therefore an analysis of how market access and national violations are constituted and the viability of claiming general exceptions will be analysed.
Market Access
Article XVI: 1 of GATS prevents any member from according treatment less favourable than that specified under their schedule. Any market access restrictions, as prescribed by GATS, can take the form of any/all of the six limitations exhaustively enumerated in Article XVI: 2 of GATS. Data localization most aptly constitutes a limitation as per Article XVI: 2(a) of GATS that prevents members from implementing measures in the form of numerical quotas that put limitations on the total number of service suppliers. The Appellate Body in US – Gambling clarified that numerical quotas under XVI: 2(a) also encompasses ‘zero quotas’, i.e., measures that take the form of a complete ban. The same can be seen here. The other limitations under Article XVI: 2 deal with value of transactions, quantity of service output, limitations on employees etc. that are not effectuated by section 34, which deals with data localization. Data localization impacts the number of foreign service suppliers who are able to access the market, and thus falls only under the ambit of the limitation under Article XVI: 2(a).
Data localization measures, such as those imposed by the 2019 Bill, require companies to store and process data using servers situated within the national borders of a country. Such measures could constitute a violation of market access commitments by restricting the entry of players, especially foreign ones in the market. This is because setting up and maintaining data centres is technologically and materially expensive, raising operational costs significantly. By requiring that all critical personal data be processed only in India, an effective ban on the transfer of data across borders is enacted. This impacts the pool of entities engaged with the processing of critical personal data, by forcing them to incur extra costs or to leave the market. Thus, data localization measures can be seen to be a limitation on market access as per Article XVI: 2(a) of GATS.
National Treatment
Article XVII of GATS places an obligation upon WTO Members to not discriminate between domestic and foreign services and service suppliers of any Member, subject to any limitations noted in the ‘Member’s Schedule of Specific Commitments’. ‘Formally identical or formally different treatment’, as mentioned under Article XVII: 3, is considered to be less favourable if it modifies the conditions of competition in favour of domestic services or service suppliers. In the given situation, the formally identical measure of requiring personal data to be processed in India will skew the conditions of competition in favour of domestic suppliers.
Foreign companies will have to incur the costs of shifting their data processing units and establishing the same in India, and further spend on updating and maintaining these systems regularly. This will increase their business and operational costs, by up to $5-6 million per data centre, also compromising their competitive edge. These compliances and extra costs will not have to be borne by their domestic counterparts, whose database servers are already located within India. This is because while Indian companies would have pre-existing infrastructure in the form of data centres, foreign companies set up in other countries would have to invest in all new data centres in India. Thus, such a measure that skews the conditions of competition in favour of domestic companies constitutes a violation of national treatment obligations.
Defenses under Article XIV (c) (ii)
Considering the fact that the provisions of the 2019 Bill might be WTO non-compliant, India may have to invoke the defense of Article XIV(c) of GATS. To fulfill the requirements of Article XIV (c) of GATS: firstly, the impugned measure must secure compliance with laws and regulations that are consistent with GATS; and secondly, there must be a necessity for the measure to do so. Both these tests need to be satisfied in order for the measure to claim the defence of Article XIV.
Compliance Test
Article XIV (c) (ii) asserts that Member states may violate their commitments under GATS if they do so in such a manner as is “necessary to secure compliance with laws or regulations” that provides “the protection of the privacy of individuals.” In the current scenario, as the measure of data localization prima facie prevents foreign surveillance by restricting data of people in the country from travelling to other jurisdictions, privacy can be seen to be protected on a face value analysis. Thus, the compliance test can be deemed to be satisfied.
Necessity Test
The three-factor Necessity Test, clarified in the Appellate Body Report of Korea Beef, determines the necessity of a measure by – (i) the importance of the societal interests and values that the measure is intended to protect; (ii) the “extent to which the challenged measure contributes to the realization of the ends pursued” by the measures”; and (iii) the trade impact of the challenged measure, including “whether a reasonably available WTO-consistent alternative measure” exists. The first prong of the test can be met by proving that the societal interest at stake is an important one. This is likely to be proved, as protecting the privacy of its citizens is indeed an important societal task. However, the latter two prongs might be a little tougher for India to establish. These prongs will be analaysed further.
Realization of Ends Pursued
While analysing the prong of realization of the ends pursued, the Appellate Body in Argentina- Financial Services expounded that the measure in question has to have a contribution to the objective pursued, and the greater this contribution to the protection of privacy, the easier it will be to prove this necessity. This is not a simple binary understanding, and the WTO Panel has to make a qualitative and quantitative assessment of the same. In the present case, the necessity of data localization by the 2019 Bill is not adequately met. Data localization measures do not necessarily ensure data protection and privacy. Such requirements merely mandate that data be stored within the borders of a country; however, the real determinant of efficient data protection is the way in which data is managed. Data localization alone by no means protects citizen’s information from being susceptible to breach. A measure such as this, which makes negligible effort to increase data security, cannot qualify as being necessary to protect the privacy of citizens – per the Appellate Body’s ruling – as it makes no real contribution to the ends pursued.
Data localization is also far more trade restrictive than needed, and the rigidity of the Bill is concerning. In some cases, data localization can even produce adverse effects. For instance, requiring companies to move their data servers and process the same within the territorial boundaries of one country makes data more susceptible to security compromises, malware and other attacks as these measures may tamper with the high-quality elaborate servers that companies already have in place, because the surface area of the data increases. Thus, it is highly doubtful that data localization measure can be proved to be necessary to fulfil the goal of privacy.
WTO Consistent Alternative
The third prong of the necessity test seeks to ascertain whether there exists an alternative to the impugned measure that would be consistent with commitments undertaken under the WTO, i.e. a less restrictive but equally effective alternative. This is in line with the common understanding of “necessity” within global jurisprudence, including within India’s own constitutional jurisprudence. There are a host of measures that are available that would not only be far more cost-efficient but would also reap the same benefits that India hopes to accrue.
The most viable alternative for India would be to encourage bilateral or plurilateral data transfer arrangements. An example of this can be found in the US-EU Privacy Shield which helps to ensure compliance with local laws, even when data is transferred outside of territorial jurisdiction. These Agreements would function along the lines of Article 15 in the GDPR, where data transfer to jurisdictions would be allowed, contingent upon data protection laws present there. This would ensure that not only is the privacy of Indian citizens not taken lightly, but also that the trade restrictiveness of the measure is nullified. Further, the overall digital ecosystem in India can be strengthened, instead of forcing companies to localize their servers. In light of the current economic crises, building local data centres will be a misallocation of resources and energies, which may force away potential investors, especially amongst the smaller players in the market. Instead, policies that focus on the overall development of the digital sphere will incentivise businesses to shift to India, thereby reaching the desired end goal of localization.
Conclusion
Data localization measures could be adjudged as being WTO inconsistent if brought before a WTO Panel. These measures not only go against India’s WTO obligations but will also negatively impact the economy, as the free flow of data is essential for trade in digital goods and services. India is an extremely data rich country, with hundreds of millions of active internet users, with numbers only set to grow. This makes India a lucrative target for big technology companies, with India being amongst their largest databases. Hamstringing this selling point would be devastating. As such, it would be in India’s best interest to amend these provisions and opt for more free-trade conducive alternatives before the 2019 Bill comes to life.