Skip to main content

Legal Capsule: Data Privacy & Protection: Analysing Srikrishna Committee Report against India’s WTO Obligations by Economic Laws Practice

Coinciding with the widespread global debate on data protection laws and citizens' privacy rights, a report titled "A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians" ("Report") authored by a Committee of Experts under the chairmanship of Justice B.N. Srikrishna, and the Personal Data Protection Bill of 2018 ("Draft Bill") were submitted to the Government of India ("GOI") on 27 July 2018. The Draft Bill is quite comprehensive in its scope and places stringent obligations on businesses. In particular, it provides for measures relating to protecting the personal information of Indian citizens, the role and duties of data fiduciaries and data processors, rights of individuals, and penalties for violation of these data protection measures. 

This note does not touch upon the general impact of the data protection under the Draft Bill on cross-border data flow and thereby impact on international trade and e-commerce. Rather, the note aims to test the provisions of the Draft Bill against India's obligations under the World Trade Organisation ("WTO"). Specifically, the Draft Bill places certain restrictions on the cross-border flow of personal data: 
  • Section 40(1) introduces requirements for storing a copy of all personal data generated through servers and data centres in India within India
  • Section 40(2) prohibits the cross-border flow of certain types of personal data which are to be categories as "critical personal data" by the Central Government per its discretion
Possible inconsistencies with WTO Rules

Generally speaking, the data localization requirements and prohibition on cross-border flow of critical personal data may be argued to be inconsistent with India's obligations under the WTO.Measures that regulate cross-border flows of personal data attract the provisions of the General Agreement on Trade in Services ("GATS"), which governs international trade in services. Obstructions to the flow of personal data across borders may have direct implications on Mode 1 (cross-border services) and Mode 2 (consumption abroad). These restrictions and/or prohibitions in the cross-border flow of data: (i) may run afoul India’s market access commitments, and (ii) could violate the national treatment requirements set out under the GATS since foreign service suppliers may be provided less favourable treatment compared to domestic service providers. 
  • Market access: Article XVI of the GATS provides that, inter alia, where a country has made market access commitments in its GATS schedule, then that country is prohibited from imposing limitations, through any means, on the number of service suppliers, unless the country has included such limitation in its GATS schedule. Section 40 (1) and Section 40 (2) of the Draft Bill could violate the market access commitments made by India in its GATS schedule. This is because these "measures" in the context of any supply of services provided in India could, in effect, limit the number of suppliers of that service in the Indian market. In other words, these provisions of the Draft Bill could limit access of foreign firms to India’s market by conditioning market access upon the local storage and processing of data. Such measures have the effect of restricting or prohibiting flow of cross-border services supply since they would require foreign firms to, inter alia, replicate data storage infrastructure which adds costs for additional data management and compliance requirements. However, this analysis has to be made on a case-wise basis after assessing the commitments made by India under the relevant service sector.   
  • National treatment: The national treatment rule under the GATS applies to all sectors where specific commitments have been undertaken. These commitments prohibit WTO members such as India from discriminating in favour of their domestic companies. Specifically, Article XVII of the GATS makes an obligation on countries to accord services and service suppliers of other countries “treatment no less favourable than that it accords to its own like services and services suppliers.” Article XVII:2 of the GATS specifies that a country may accord foreign services or service suppliers different treatment to achieve this objective. Article XVII:3 of the GATS defines treatment as “less favourable” if it “modifies the conditions of competition in favour of services or service suppliers of the Member.”

    The national treatment obligation may come in the way of the data localization requirements under the Draft Bill. For instance, data localization requires foreign suppliers to duplicate infrastructure and support-service in local markets. As a result, it could be argued that the foreign service suppliers are accorded less favourable treatment than the domestic service suppliers. Notably, even if the same conditions of localization apply to national suppliers of like services or are “formally identical”, it may be argued that they are still designed in a manner to alter the conditions in favour of like domestic service suppliers since they may not have to incur additional costs in replicating the infrastructure and support-service costs.  Therefore, the possibility that such measures are viewed as “less favourable” under Article XVII of the GATS exists. 

    Again, this analysis has to be made on a case-wise basis after assessing the commitments made by India under the relevant service sector. For example, data localization requirements imposed by the Reserve Bank of India dated 6 April 2018 to Indian banks and authorized e-payment systems may not violate India’s commitments at under the GATS. This is because India has made its commitments in financial services sectors subject to the requirements under its domestic laws through a horizontal exception. However, India has not provided for such a blanket exception in context of its commitments for other service sectors. 
Possible arguments India may take

Should Indian formally adopt the data localization requirements, India could argue as follows in its defense:
  • First, the prohibition on cross-border flow of critical personal data and more specifically the data localization requirement does not limit the number of service suppliers. In other words, any number of service supplier who complies with the above requirements may provide services in India;
  • Second, the data localization requirement in itself do not accord less favourable treatment to a foreign service supplier as the requirement applies to even Indian service suppliers. If an Indian service supplier hitherto did not store data locally, it would need to do so as well and therefore, the measures as such do not accord less favourable treatment.
  • Third, India could also take recourse to the “privacy” exception under Article XIV(c) of the GATS arguing that the measures are necessary to secure the protection of the privacy of individuals and are not arbitrary or unjustifiable discrimination.The privacy exception is untested by the Dispute Settlement Body of the WTO, and it remains to be seen how wide, or narrow this exception is interpreted. 
  • Fourth, India could also argue that the measures were required to protect its “essential security interests” in accordance with Article XIV bis. Based on this provision, WTO members may take actions in derogation of their obligations if such actions are taken for reasons specified for national security reasons. The recent instances of invoking the national security exception by certain WTO Members coupled with the fact that misuse of certain type of data may indeed represent a threat to national security could give India ground to justify its action, even if they may be in derogation to its commitments under the GATS. 
Conclusion: What happens next?

The Draft Bill has generated huge interest and debate among various stakeholders including businesses, academia, citizen interest groups and think tanks. At one hand, the proponents of privacy rights are pushing for stringent data protection measures and on the other, the business argue that the increased costs of data protection compliance may make businesses unviable. Undoubtedly, the Bill is likely to undergo significant churning through debates and reviews and it remains to be seen how India draws a balance between these two competing interests. 

Popular posts from this blog

VC Interview: Shailendra Singh of Sequoia Capital India

In a recent interview to Venture Intelligence, Shailendra Singh discussed some of the firm’s newer investments in the early stage segment including in the online payments space, the progress at a few existing portfolio companies and the active role the firm is playing in helping its portfolio companies scale and succeed in India and globally. Prior to joining the firm in 2006, Singh was a strategy consultant at Bain & Company in New York and before that, an entrepreneur in the digital media industry.

Venture Intelligence: How does Sequoia go about identifying potential early stage investments in India? Is there anything different you are doing today than, say, a couple of years back?

Shailendra Singh: There is a lot more focus on technology investing and early stage investing. In general, as you might remember a few years ago, we were doing primarily growth investing but in the past 18-odd months, we have had a very strong focus on early stage and that’s continuing. In terms of how…

PE investments in 2018 crosses $33-B to set new all-time high

Big Ticket investments in consumer apps Swiggy & Byju’s dominates year-end activity, even as investments in Core Sectors slow down
Private Equity (PE) investments in India rose to their highest ever figure of $33.1 billion in 2018 (across 720 transactions), according to data from Venture Intelligence (, a research service focused on private company financials, transactions and their valuations. While PE investments have already surpassed the previous high - $24.3 Billion across 734 deals in 2017 - in the first nine months of 2018, the mega investments in Consumer Internet & Mobile startups such as Swiggy and Byjus towards the year-end, helped the 2018 total vault by 36% year-on-year. (Note: These figures include Venture Capital investments, but exclude PE investments in Real Estate.) The year witnessed 81 PE investments worth $100 million or more (accounting for 77% of the total investment value during the period), compared to 47 such transac…

ChrysCapital and Sequoia Capital India grab two awards at APEX’19 PE-VC Awards

Mumbai, India, Feb 27, 2019: ChrysCapital and Sequoia Capital bagged two awards each as part of the “Awards for Private Equity Excellence” (APEX)event organized by Venture Intelligence. 

ChrysCapital bagged the Private Equity Fund Raise of 2018 Award (Closed $850 M Fund VIII within 4 months of launch) and the Private Equity Investor of 2018 Award (for its Exits from LiquidHub with 4x in dollar terms (within 4 years of its $53-M investment), AU Small Finance Bank with 11.5x return,  Torrent Pharma with 2.95x, City Union Bank with 2.83x, L&T Infotech with 2.56x)

Sequoia Capital India won the Early Stage VCInvestor(the firm registered 10x+ exits in Byjus Classes and SCIOInspire) and VC Fund Raise of 2018 (the firm closed an almost $700-M Fund VI).

Award Winners at APEX'19 PE-VC Awards

The event opened with a Fireside Chat with Kiran Reddy, CEO of SPI Group interviewed by his long time friend and colleague Vineeth Vijayraghavan.

Snapshots of the Awards Ceremony: (L-R) Gopal Srinivasan, …