Skip to main content

Legal Capsule: Data Privacy & Protection: Analysing Srikrishna Committee Report against India’s WTO Obligations by Economic Laws Practice


Coinciding with the widespread global debate on data protection laws and citizens' privacy rights, a report titled "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians" ("Report") authored by a Committee of Experts under the chairmanship of Justice B.N. Srikrishna, and the Personal Data Protection Bill of 2018 ("Draft Bill") were submitted to the Government of India ("GOI") on 27 July 2018. The Draft Bill is quite comprehensive in its scope and places stringent obligations on businesses. In particular, it provides for measures relating to protecting the personal information of Indian citizens, the role and duties of data fiduciaries and data processors, rights of individuals, and penalties for violation of these data protection measures. 

This note does not touch upon the general impact of the data protection under the Draft Bill on cross-border data flow and thereby impact on international trade and e-commerce. Rather, the note aims to test the provisions of the Draft Bill against India's obligations under the World Trade Organisation ("WTO"). Specifically, the Draft Bill places certain restrictions on the cross-border flow of personal data: 
  • Section 40(1) introduces requirements for storing a copy of all personal data generated through servers and data centres in India within India
  • Section 40(2) prohibits the cross-border flow of certain types of personal data which are to be categories as "critical personal data" by the Central Government per its discretion
Possible inconsistencies with WTO Rules

Generally speaking, the data localization requirements and prohibition on cross-border flow of critical personal data may be argued to be inconsistent with India's obligations under the WTO.Measures that regulate cross-border flows of personal data attract the provisions of the General Agreement on Trade in Services ("GATS"), which governs international trade in services. Obstructions to the flow of personal data across borders may have direct implications on Mode 1 (cross-border services) and Mode 2 (consumption abroad). These restrictions and/or prohibitions in the cross-border flow of data: (i) may run afoul India’s market access commitments, and (ii) could violate the national treatment requirements set out under the GATS since foreign service suppliers may be provided less favourable treatment compared to domestic service providers. 
  • Market access: Article XVI of the GATS provides that, inter alia, where a country has made market access commitments in its GATS schedule, then that country is prohibited from imposing limitations, through any means, on the number of service suppliers, unless the country has included such limitation in its GATS schedule. Section 40 (1) and Section 40 (2) of the Draft Bill could violate the market access commitments made by India in its GATS schedule. This is because these "measures" in the context of any supply of services provided in India could, in effect, limit the number of suppliers of that service in the Indian market. In other words, these provisions of the Draft Bill could limit access of foreign firms to India’s market by conditioning market access upon the local storage and processing of data. Such measures have the effect of restricting or prohibiting flow of cross-border services supply since they would require foreign firms to, inter alia, replicate data storage infrastructure which adds costs for additional data management and compliance requirements. However, this analysis has to be made on a case-wise basis after assessing the commitments made by India under the relevant service sector.   
  • National treatment: The national treatment rule under the GATS applies to all sectors where specific commitments have been undertaken. These commitments prohibit WTO members such as India from discriminating in favour of their domestic companies. Specifically, Article XVII of the GATS makes an obligation on countries to accord services and service suppliers of other countries “treatment no less favourable than that it accords to its own like services and services suppliers.” Article XVII:2 of the GATS specifies that a country may accord foreign services or service suppliers different treatment to achieve this objective. Article XVII:3 of the GATS defines treatment as “less favourable” if it “modifies the conditions of competition in favour of services or service suppliers of the Member.”

    The national treatment obligation may come in the way of the data localization requirements under the Draft Bill. For instance, data localization requires foreign suppliers to duplicate infrastructure and support-service in local markets. As a result, it could be argued that the foreign service suppliers are accorded less favourable treatment than the domestic service suppliers. Notably, even if the same conditions of localization apply to national suppliers of like services or are “formally identical”, it may be argued that they are still designed in a manner to alter the conditions in favour of like domestic service suppliers since they may not have to incur additional costs in replicating the infrastructure and support-service costs.  Therefore, the possibility that such measures are viewed as “less favourable” under Article XVII of the GATS exists. 

    Again, this analysis has to be made on a case-wise basis after assessing the commitments made by India under the relevant service sector. For example, data localization requirements imposed by the Reserve Bank of India dated 6 April 2018 to Indian banks and authorized e-payment systems may not violate India’s commitments at under the GATS. This is because India has made its commitments in financial services sectors subject to the requirements under its domestic laws through a horizontal exception. However, India has not provided for such a blanket exception in context of its commitments for other service sectors. 
Possible arguments India may take

Should Indian formally adopt the data localization requirements, India could argue as follows in its defense:
  • First, the prohibition on cross-border flow of critical personal data and more specifically the data localization requirement does not limit the number of service suppliers. In other words, any number of service supplier who complies with the above requirements may provide services in India;
  • Second, the data localization requirement in itself do not accord less favourable treatment to a foreign service supplier as the requirement applies to even Indian service suppliers. If an Indian service supplier hitherto did not store data locally, it would need to do so as well and therefore, the measures as such do not accord less favourable treatment.
  • Third, India could also take recourse to the “privacy” exception under Article XIV(c) of the GATS arguing that the measures are necessary to secure the protection of the privacy of individuals and are not arbitrary or unjustifiable discrimination.The privacy exception is untested by the Dispute Settlement Body of the WTO, and it remains to be seen how wide, or narrow this exception is interpreted. 
  • Fourth, India could also argue that the measures were required to protect its “essential security interests” in accordance with Article XIV bis. Based on this provision, WTO members may take actions in derogation of their obligations if such actions are taken for reasons specified for national security reasons. The recent instances of invoking the national security exception by certain WTO Members coupled with the fact that misuse of certain type of data may indeed represent a threat to national security could give India ground to justify its action, even if they may be in derogation to its commitments under the GATS. 
Conclusion: What happens next?

The Draft Bill has generated huge interest and debate among various stakeholders including businesses, academia, citizen interest groups and think tanks. At one hand, the proponents of privacy rights are pushing for stringent data protection measures and on the other, the business argue that the increased costs of data protection compliance may make businesses unviable. Undoubtedly, the Bill is likely to undergo significant churning through debates and reviews and it remains to be seen how India draws a balance between these two competing interests. 

Popular posts from this blog

VC Interview: Shailendra Singh of Sequoia Capital India

In a recent interview to Venture Intelligence, Shailendra Singh discussed some of the firm’s newer investments in the early stage segment including in the online payments space, the progress at a few existing portfolio companies and the active role the firm is playing in helping its portfolio companies scale and succeed in India and globally. Prior to joining the firm in 2006, Singh was a strategy consultant at Bain & Company in New York and before that, an entrepreneur in the digital media industry.

Venture Intelligence: How does Sequoia go about identifying potential early stage investments in India? Is there anything different you are doing today than, say, a couple of years back?

Shailendra Singh: There is a lot more focus on technology investing and early stage investing. In general, as you might remember a few years ago, we were doing primarily growth investing but in the past 18-odd months, we have had a very strong focus on early stage and that’s continuing. In terms of how…

KPMG Tops League Table for Financial Advisor to Private Equity Transactions in H1 2018

The transaction advisory unit of KPMG claimed the top position in the Venture Intelligence League Table for Transaction Advisor to Private Equity deals in the first half of 2018, advising deals worth $1.7 Billion. KPMG acted as the financial advisor to NHAI in the $1.5 Billion investment by Macquarie to operate 9 highway projects under the toll-operate-transfer (TOT) model. Ernst &  Young (which advised the $730 million asset sale by Indiabulls Real Estate to Blackstone) and Kotak (which advised the Vishal Megamart - Partners Group deal) accounted for the second and third spots respectively.
The Venture Intelligence League Tables, the first such initiative exclusively tracking transactions involving India-based companies, are based on value of PE and M&A transactions advised by Transaction and Legal Advisory firms.
Arpwood Capital (which advised the $760 million investment by Temasek in the $2.1 Billion Schneider Electric buyout of L&;T Electrical and Automation business) …

"Leveraged stock purchase led Arvind Rao to go astray": Forbes India

Forbes India has an article on the series of events leading to the recent controversial exit of Arvind Rao, Co-founder & CEO of listed Mobile VAS firm OnMobile.

On November 23, 2010, Arvind Rao, the 53-year-old co-founder and CEO of OnMobile, bought approximately 6 lakh shares of his company from the open market, representing a little over 1 percent of the company’s total shares....At Rs 277 a share, he had to pony up nearly Rs 16.5 crore to acquire them....So he went ahead and borrowed money to buy the shares, thinking nothing of the interest it entailed or the fact that he’d need to put up nearly half his existing shareholding as collateral...OnMobile’s shares continued to fall from those levels, while Rao’s interest payments ballooned.

...Motivated by OnMobile’s growth all these years, he had never paid much attention to his salary, most of which went towards the monthly rental on his sea-facing apartment in Mumbai and his BMW 7-Series, both paid directly by the company. He reque…