At the recently held Sydney Dialogue 2021 on ‘Emerging and Critical Cyber Technologies’, India highlighted the need to develop international co-operation on standards and norms surrounding data governance and cross-border data flow. This remark comes on the heels of the unanimous adoption of the draft report of the Joint Committee on the Protection of the Personal Data Bill, 2019 by the Lok Sabha. The draft report has further proposed provisions on data localization norms to be followed by both, local and foreign entities. India is no stranger to data localization measures. In 2018, the Reserve Bank of India issued a Circular on the ‘Storage of Payment System Data’, essentially mandating payment system operators to store all the data relating to payment systems only in India. Such data localization norms not only restrict the free flow of data across borders but also warrant the storing and processing of data within the territorial limits of the country.
THE ECONOMIC COSTS AND TRADE IMPLICATIONS OF DATA LOCALIZATION
The cost of stringent implementation of data localization norms comes at a high price as it drastically affects the economy of the country reducing volume of trade and negatively impacting industries that rely heavily on data. As per the Information Technology and Innovation Report 2021, statistics reveal that restrictive cross border data flow decreases gross trade output by 7 %, reduces productivity by 2.9 % and inflates downstream prices by 1.5 % over a period of five years. Moreover, forced data localization norms push domestic companies to pay 30 to 60% more for their computing needs as demonstrated in a study conducted by the Leviathan Security Group. However, countries adopting such norms rationalize their necessity for safeguarding data privacy and cybersecurity. With the internet gaining prominence as a key enabler in facilitating international trade in the global digital economy, norms that barricade cross-border flow of data (such as data localization) also hinder trade and therefore qualify as trade barriers, warranting scrutiny under international trade law.
LEGALITY OF DATA LOCALIZATION UNDER GATS
The extant rules and jurisprudence on international trade law does not explicitly address data localization norms. However, the core principles of the General Agreement on Trade in Services (“GATS”) under the World Trade Organization (“WTO”) framework provides a pertinent case in point to treat data localization norms as a barrier to trade. Under Article I (2) of the GATS, trade in services includes “supply of a service from the territory of one Member into the territory of any other Member”. Since there is an absence of any requirement related to transfer of physical commodities, the foregoing definition of supply of service encapsulates trade in digital services. Inherently, cross-border supply of digital services involves the cross-border flow of data.
(i) Market Access Commitments and National Treatment under GATS
The normative legal principle provided under Article VI of GATS delineates the requirement for Members to administer trade in services in a reasonable, objective and impartial manner. Further, Article XVI (Market Access Commitments) and Article XVII (National Treatment) of GATS mandates Members “to not impose limitations on the number of service suppliers, total number of service operations or the total quantity of service output” and must ensure that “each Member shall accord to services and service suppliers of any other Member, treatment no less favorable than that it accords to its own like services and service suppliers.” In the context of market access commitments, Mitchell and Hepburn argue that the US Gambling case, which held “prohibition on the remote supply of gambling and betting services online is effectively a zero quota in breach of GATS arts XVI:2(a) and (c)”, could apply to data transfers. By virtue of this, prohibition on the transfer of any categories of data, as long as they correspond to the sectors in which the Member has given market access commitments shall be in violation of GATS. Similarly for national treatment under GATS, the introduction of data localization norms shall lead to the advancement and competitive presence of domestic service suppliers. Inevitably, this shall cost foreign service suppliers to pay a higher price for local infrastructure expenses, according to them less favorable treatment over domestic suppliers. Data localization norms when implemented against the foregoing core principles of GATS indicates the likelihood presence of the violation of free and fair cross- border supply of trade.
(ii) General and Security Exceptions under GATS
The legality of cross-border data restrictions under the GATS framework can possibly be construed to be valid if viewed through the lens of the general and security exceptions. Article XIV (General Exceptions) permits the Member to derogate from its obligations under certain circumstances such as public order, privacy of an individual, safety and prevention of fraudulent or deceptive trade practices. Neha Mishra opines that an evolved interpretation of these exceptions would encompass within their ambit different facets of digital privacy and cybersecurity. For instance, if informed consent of the data principal is to be compulsorily obtained then such a measure could be justified in furtherance of protecting individual privacy and shall therefore extend to domestic legislations pertaining to privacy in the virtual context.
The WTO jurisprudence stipulates a ‘weighing and balancing test’ to justify a Member’s deviation from its obligations. The test entails assessment of three factors – (1) significance of the measure in achieving the stated aim (public order or public policy); (2) the restrictive impact of the measure in the context of international trade and commerce and (3) identification of the least restrictive trade measure. Thus, a data localization measure would have to fulfill the test to avail the benefit of the exception. However, inconsistent applicability of data transfer restrictions by a Member under the ambit of Article XIV of GATS shall be treated as unjustifiable.
Another exception that could be availed of is Article XIV bis (Security Exception), the applicability of which provides that nothing under GATS shall be construed “to prevent any Member from taking any action which it considers necessary for the protection of its essential security interests” or “to prevent any Member from taking any action in pursuance of its obligations under the United Nations Charter for the maintenance of international peace and security.” Essential security interests under the exception are couched in broad language which allows room for wide interpretation. The exception is further underpinned by usage of the wording ‘action which it considers necessary’, however, its implementation shall only be limited to the grounds specified under Article XIV bis (1)(b). The circumstances under Article XIV bis (1)(b) of GATS, primarily ‘war or other emergency in international relations’ is nonetheless likely to be stretched for the purpose of advocating data localization norms. Members invoking general and security exceptions under GATS must abide by the principle of pacta sund servanda articulated under Article 26 of the Vienna Convention on the Law of Treaties as the principle is integral towards the interpretation of WTO Agreements.
THE WAY FORWARD: ESTABLISHING CONGRUITY BETWEEN INTERNATIONAL TRADE LAW AND DATA GOVERNANCE
The digital economy is directly related to data protection due to the trade of goods and services, besides the ubiquitous nature of cross border data flow necessitates eliminating the conflict of territorial laws of data protection. In our opinion, regulating data and the internet entails the adoption of a ‘polycentric’ approach. Segura Serrano argues that data regulation requires a mixed approach of prescriptive laws and self-regulatory codes, given the role played by the private sector. Against this backdrop, the WTO should embrace guidance from multi-lateral institutions while formulating a framework for data regulation. For instance, under the General Agreement on Tariffs and Trade (“GATT”), the structure pertaining to currency exchange and valuation was formulated in consultation with the International Monetary Fund. Additionally, as suggested by Mira Burri, the WTO law should incorporate ‘horizontal obligations’ for fostering free flow of data across borders for conducting business activities and forbid strict data localisation. As correctly pointed out by Neha Mishra, data flow restrictions create a non-tariff trade barrier resulting in restrictive trade flow across borders.
The role of the WTO to respond and formulate a comprehensive trade policy in a data-driven economy poses acute importance in light of the on-going negotiations based on the ‘Joint Initiative on E-commerce.’ Members of the foregoing initiative have emphasised the need to acknowledge cross-border flow of data as a critical element to eliminate digital divide. Furthermore, in the wake of the Covid-19 pandemic, harbouring digital inclusion is a proven ‘urgent necessity’ to encourage participation of smaller players in the global digital economy. The imperative twin critical objective of balancing trade with data governance is crucial to foster the growth of digital economies in the era of globalisation. While countries push for data localisation in a bid to govern data, little is known if such policy measures are actually effective in ensuring privacy and cybersecurity.
The WTO jurisprudence stipulates a ‘weighing and balancing test’ to justify a Member’s deviation from its obligations. The test entails assessment of three factors: (1) significance of the measure in achieving the stated aim (public order or public policy); (2) the restrictive impact of the measure in the context of international trade and commerce, and (3) identification of the least restrictive trade measure. Thus, a data localization measure would have to fulfill the test to avail the benefit of the exception. However, inconsistent applicability of data transfer restrictions by a Member under the ambit of Article XIV of GATS shall be treated as unjustifiable.