Introduction
The intersection of privacy and international trade presents a fundamental dilemma in an era of global interconnectivity. This dilemma revolves around balancing the protection of individual privacy rights with the need to foster cross-border data flows, crucial for global trade and economic prosperity. The clash between “privacy-trade” poses the pivotal question: “Could the free flow of data across borders jeopardize our right to privacy? Conversely, will the imperative to shield personal data evolve into a trade barrier, restricting market access?”
The paper begins by analysing how data’s essential role in the economy raises significant privacy concerns and how the World Trade Organisation’s (“WTO”) General Agreement on Trade in Services, 1995 (“GATS”) creates a Privacy Framework. It then examines the contrasting approaches of the European Union (“EU”) and the United States (“US”). The EU emphasizes stringent data protection standards, while the US focuses on national security and maintaining open data flows, often through privacy-protected trade agreements.
The paper finally aims to craft a response for India, analysing the Digital Personal Data Protection Act, 2023 (“DPDPA“). India’s burgeoning digital economy and significant role in global data flows necessitate a strategy that preserves privacy rights while enabling international trade. The aim is to propose a balanced framework that integrates strong data protection measures, informed by the DPDPA, without impeding economic growth and trade efficiency, offering clear guidelines for navigating the privacy-trade landscape.
The Privacy-Trade Dilemma
Data is more than just the “new oil“. It is non-rivalrous, infinite, and pervasive. Contemporary economic prosperity is grounded in the bedrock of data. Data processing has become a coveted competitive advantage that corporations and nations seek; this is evident from the geopolitical struggles for data dominance involving 5G, TikTok, and Meta.
The modern trade relies heavily on cross-border data flows, but with Big Data come big privacy concerns. These concerns extend beyond digital services and now involve physical products. For instance, the Boeing 787 Dreamliner or the Mercedes S-Class, with their extensive lines of code, illustrate the importance of data flows for goods. Everyday items, from kitchen appliances to children’s toys, are seamlessly integrated into the digital landscape through the Internet of Things. This progression has intertwined data transfers with the trade of goods and services alike.
The challenges of data collection, utilization, and recycling in the domain of privacy have sparked attention among legislators, resulting in enactments of data protection laws like EU’s General Data Protection Regulation (“GDPR”) and India’s DPDPA. However, data protectionism in disguise of privacy carries a cost for all nations. GATS is the first attempt to tackle this dilemma.
GATS Privacy Framework
Through GATS, WTO members committed to providing fair treatment to foreign service providers in specific sectors by extending the reach of international trade regulation to services. Its provisions on privacy play a significant role in shaping how nations navigate the privacy-trade dilemma, making it important for this analysis.
GATS introduced a Privacy Framework with several exceptions outlined in Article XIV. These exceptions allow member states to take specific actions that would otherwise violate the treaty, provided they meet certain conditions. These actions include preserving public order, safeguarding human health, and preventing deceptive practices. Article XIV(c)(ii) specifically states that the Agreement should not prevent member states from adopting measures necessary to ensure compliance with laws related to protecting individuals’ privacy in the processing and dissemination of personal data.
Therefore, GATS did not just establish a privacy provision; it also set limits on its use. Like other exceptions, Article XIV aims to prevent potential misuse of exceptions. Article IV specifies that such measures should not result in arbitrary or unjustifiable discrimination between countries or act as disguised restrictions on trade in services. This universal restraint ensures that these exceptions do not become tools for hidden trade barriers among nations. Additionally, the privacy exception requires that any enacted measure be deemed “necessary” to protect data privacy.
Under GATS, whether a restriction qualifies as “necessary” hinges on a “reasonably available alternative” which refers to a measure that a member state can feasibly implement to achieve the same policy objective with fewer restrictions on international trade. This alternative must be practicable, effective, and impose minimal trade constraints. It is important to note that the limits of the Privacy Framework within GATS have never been tested. However, scholars argue that modern data privacy laws, particularly GDPR, may exceed the boundaries of the Privacy Framework. This contention arises from the argument that alternative measures, which are less restrictive of trade, may reasonably be available to accomplish the EU’s desired level of data protection.
Therefore, GATS tackles the dilemma by confining the privacy exception to an evaluation involving non-discrimination and examination of alternative measures to advance privacy protection that are less trade-restrictive. This is primarily done to increase cross-border trade flow.
Another key issue, within the Privacy Framework, is the effective integration of human rights principles in international trade law. WTO’s dispute resolution mechanism often functions on economic rationality, viewing privacy as a trade facilitator rather than a fundamental right. This trade-prioritization can deprioritize data privacy.
For example, the Agreement on Trade-Related Aspects of Intellectual Property Rights, 1994 (“TRIPS”), prioritizes economic interests over creators’ moral rights. Similarly, the GATS privacy exceptions are narrowly defined to prevent unnecessary trade barriers, reflecting a comparable emphasis on facilitating free trade. This parallel between TRIPS and GATS illustrates the challenge within the WTO framework: balancing trade interests with the protection of fundamental human rights like data privacy. While TRIPS demonstrates how economic considerations can overshadow moral and personal rights, GATS’ approach to privacy exceptions shows the difficulty of embedding human rights principles into trade agreements. Consequently, the balance between promoting international trade and safeguarding data privacy often requires support from human rights courts, which are better equipped to prioritize and enforce fundamental rights over trade imperatives.
GATS acknowledged privacy concerns but left individual nations to define their own responses. Clear roles for trade regulations and data protection frameworks are needed to establish boundaries to tackle the dilemma.
Adequacy: The EU Response
EU’s core concept revolves around granting government the authority to restrict cross-border data flows to nations not meeting its stringent “adequate” data protection standards. This idea has gained global acceptance but lacks a uniform definition of “adequacy” or a standardized procedure, resulting in diverse interpretations of the “adequacy” principle worldwide.
Obtaining an official “adequacy” determination from the EU is a multi-stage approval process involving negotiations and potential legal changes. Despite the worldwide adoption of data privacy laws that follow the EU model, only a few non-EU countries have achieved this status. Currently, just eight nations outside the EU are on the roster of countries with “adequate” data protection.
Let It Flow: The US Response
The US stance is driven by concerns that local data restrictions could impede its multinational corporations. Its approach centres on two fundamental principles.
Firstly, its perspective on data privacy is framed in the context of national security, unlike the EU’s human rights-centred approach. Secondly, it places importance on safeguarding cross-border data flows by seeking privacy safeguarded individual trade agreements such as the U.S.-Korea Free Trade Agreement and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership. These agreements typically feature clauses that allow for data transfers essential for business operations while providing mechanisms to address potential breaches related to national security. This approach differs from the EU’s model by prioritizing economic and security interests alongside privacy protections, rather than placing individual privacy rights at the forefront.
Looking ahead, the US is likely to continue to prioritize trade over privacy, possibly integrating privacy into trade arrangements while allowing nations flexibility in shaping their privacy framework. In order to address the conflicting approaches taken by any nation, the US proposes opt-in accountability mechanisms at the organizational level to again facilitate cross-border data flows.
Despite attempts at reconciliation between EU and US, issues arose from arrangements like “Safe Harbour”, which was intended to ensure that US companies complied with EU data protection standards when handling personal data. However, it was deemed inadequate following the “Schrems I” judgment, which found that it did not sufficiently protect EU citizens’ data from US surveillance practices.. Subsequently, “EU-US Privacy Shield” was established to replace Safe Harbour, aiming to provide stronger privacy safeguards. Nevertheless, it met a similar fate in the “Schrems II” case, where the Court of Justice of the European Union invalidated it on grounds that it still failed to offer adequate protection against US government access to personal data. Recently, “Transatlantic Data Framework” has been adopted to address these privacy concerns and facilitate secure data flows between the EU and US. Irrespective of its final outcome, it does not address the concerns of the Global South, notably India, which faces privacy-trade dilemma with an inadequate framework. Consequently, developing a tailored strategy for India address the dilemma becomes important.
Crafting India’s Response
India’s expanding digital economy, projected to reach $1 trillion by 2025, vast market size, and data generation capacity make it a crucial player in international trade law and its approach to data privacy directly affects the world economy.
Further, the impact of cross-border data flows on India’s trade volume is massive. Even a marginal 1% reduction in these data flows could potentially translate into a substantial loss of $696.71 million in international trade. This has to be balanced with the growing recognition of data privacy after the declaration of the right to privacy as a fundamental right in K.S. Puttaswamy v. UOI.
Delegating the Dilemma
Section 16 of DPDPA deals with processing personal data outside India. The Central Government holds the authority, through notification, to restrict the transfer of personal data by a Data Fiduciary for processing to specific countries or territories.
The DPDPA marks a departure from its predecessor drafts by shifting from a whitelist approach to something that appears less restrictive. Previously, data localization requirements were contingent on the nature of the personal data. Presently, instead of categorizing “sensitive” or “critical” data, the DPDPA deals with “personal data” without explicit provisions for data localization.
As of October 2024, the draft rules of DPDPA do not have any provision related to cross-border data flows under Section 16. This lack of specific guidelines creates a gap in the legislation, making it unclear how data transfers outside India should be managed. Therefore, the privacy-trade dilemma is effectively delayed and delegated to the central government. To address this delegation and understand its implications, an analysis of the DPDPA framework is essential.
The DPDPA has broadly five issues when analyzed in the context of privacy-trade dilemma.
Firstly, the degree of flexibility maybe interpreted as a virtual void in the primary legislation, essentially delegating the regulation. The absence of even guiding principles or a framework result in an extensive concentration of power with the government. Such a situation permits the government to modify or amend these rules relatively quickly at any given time, without any guiding base. While this flexibility initially appears beneficial for promoting business, a closer examination is necessary. This condition could introduce significant uncertainty and instability into the cross-border data flow ecosystem, which, in turn, could counter the objective of promoting ease of doing business.
Secondly, understanding India’s approach within the GATS Privacy framework, it becomes evident that any blacklisting strategy must conform to the criteria of “non-discrimination” and “necessity.” India’s compliance with these criteria is pivotal to avoid becoming a disguised trade barrier, which could lead to WTO disputes and restrict India’s market access. Should the DPDPA or the subsequent rules be tested in the WTO, it must not face the fate of GDPR as contemplated by scholars.
Thirdly, how India handles blacklisted nations lacking data protection frameworks, is important but currently inconclusive. Without offering these nations a chance to improve their data protection or engage in multilateral agreements, India’s actions may be seen as economic sanctions, akin to a trade embargo. This could disrupt data flows and have serious economic consequences.
Fourthly, India’s approach has consistently been rooted in policy-driven actions rather than independent trade/privacy considerations. For instance, it is still being determined whether the mandate for approvals on investments from entities based in countries sharing a land border with India is the response to allegations of user surveillance, a measure to address concerns about opportunistic acquisitions by entities in those select countries.
Lastly, the privacy-trade dilemma favours large corporations in global data commerce. Despite the internet’s promise to empower all, only wealthy entities can effectively globalize internet-related activities, leaving small and medium-sized enterprises (“SMEs”) at a disadvantage, particularly in India. Complex regulations and fragmented data standards exacerbate this issue, hindering SMEs and stifling competition. Large Western corporations, with ample resources, navigate these complexities more efficiently, gaining market power. Indian SMEs struggle with, and are defeated by, the privacy-trade compliance burdens.
Therefore, India should adopt a comprehensive strategy to effectively respond to the privacy-trade dilemma and address the challenges associated with DPDPA and within the framework of international trade law itself.
This strategy first includes amending DPDPA to incorporate essential guiding principles and a framework, providing legislative clarity to mitigate excessive flexibility. India should proactively align its blacklisting strategy with GATS Privacy framework’s criteria.
Secondly, adopting a strategy for the classification of blacklisted entities, incorporating a tiered system like “green,” “yellow,” and “red” lists, has the potential to augment precision and transparency. Drawing inspiration from the US, which has instituted sector-specific privacy legislation with input from specific ministries, India should contemplate the stratification of industries when assessing the blacklisting of jurisdictions. This stratification is conducive for a streamlined and effective approach.
Thirdly, the absence of a universally accepted consensus concerning the cross-border data flow presents an opportunity to India, to tailor digital trade provisions within their bilateral Free Trade Agreements. These provisions typically start with commitments to prioritize and safeguarding personal data. Next, they underscore the importance of granting citizens access to avenues of redress.
In early 2022, India signed a Comprehensive Economic Partnership Agreement with the UAE, which includes a chapter on digital trade. This chapter emphasizes the importance of cross-border data flows and acknowledges privacy concerns, committing both parties to promote data flows within their domestic data protection laws. In regional partnerships, despite concerns about unrestricted data flow in the Regional Comprehensive Economic Partnership, India continued negotiations. However, India’s decision not to sign the agreement was mainly due to tariff issues, with no specific mention of data flows in the government’s rationale. Negotiations often encounter challenges associated with sector-specific restrictions, which can indirectly impede data flows. Viable exceptions in this context include regulatory stipulations, the provision of remedial options for entities, and the maintenance of restrictions within proportionate bounds.
Fourthly, India can introduce mechanisms akin to the EU’s Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”) to facilitate cross-border data flows with privacy protection. However, it is imperative that these mechanisms do not become burdensome or overly trade-restrictive. To achieve this balance, India can streamline the approval process for SCCs, making them less cumbersome for organizations while ensuring they still provide adequate protection. For BCRs, India can implement clear and practical procedures that organizations must follow, avoiding unnecessary bureaucratic hurdles. Further, the role of data protection authorities should focus on guidance and oversight rather than creating overly complex compliance requirements.
Lastly, for SMEs, a tiered data protection standard, like Singapore’s PDPA, and regional data localization options could ease compliances. This approach allows smaller businesses to maintain robust data protection practices without overwhelming regulations, potentially levelling the playing field in global trade.
Conclusion
The privacy-trade dilemma is fundamental in our interconnected world. This paper has explored the privacy-trade conflict through the lenses of GATS, the EU’s stringent data protection standards, and the US’s emphasis on maintaining open data flows. Each approach presents unique challenges and solutions, highlighting the complexity of integrating privacy concerns into cross-border data flows.
For India, the newly enacted DPDPA is a critical step toward addressing this dilemma. However, to effectively balance privacy-trade, India must refine the DPDPA to include clear guiding principles and frameworks that reduce excessive flexibility and proactively ensure compliance with international standards. Additionally, India should adopt a nuanced strategy for classifying blacklisted entities and consider mechanisms like SCCs and BCRs to facilitate cross-border data flows without being overly restrictive.
By integrating these measures, India can create a balanced framework that upholds strong data protection while fostering international trade. This approach will help India in securing its position in the global digital economy and ensure that both privacy rights and economic growth are effectively managed.
This blog is written by Arnav Mathur and Ananya Popli, 3rd Year B.A.LL.B student at NALSAR University of Law