Introduction
The landmark decision in Justice K.S. Puttaswamy v. Union of India paved the way for protection of privacy including informational privacy by granting fundamental rights status to privacy rights. The Personal Data Protection Bill, 2019 (“PDPB”) aims to protect privacy by establishing a mechanism to regulate and control the processing of personal data. The PDPB has been modelled on the European Union’s General Data Protection Regulation (“GDPR) and borrows some of its key principles. (“GDPR”). However, there are unique differences between them, First, the PDPB classifies data into three different categories: personal data (includes all kinds of data), sensitive personal data (orientation, sexual data, financial data, etc.) (“SPD”) and critical personal data (assessed by the government) (“CPD”) whereas the GDPR classifies data into two categories: special categories of data (data revealing political opinion, religious belief, etc & data relating to criminal convictions) and personal data (information relating to the identification of a person). PDPB allows the processing of SPD outside India but mandates its storage in India. It restricts the transfer of CPD outside India, whereas GDPR enables transfer outside the EU on the attainment of ‘adequacy status’ under Article 45, GDPR.
One of the contentious issues in the PDPB pertains to data localization which hinders the cross-border data transfer and storage of SPD. Data Localization is a requirement which requires data to be stored within the national borders. Personal data is intertwined with digital trade which is inextricably linked to the economic growth of a country. Any restriction on cross-border transfer hampers international trade which consequently affects the growth of a country. The market access (“MA”) and the national treatment (“NT”) are considered to be the most basic tools for the liberalization of international trade-in service. Article XX of General Agreement on Trade in Service (“GATS”) mandates the WTO Members to inscribe their specific MA and NT commitments in their Schedules of Commitments (“SC”). GATS Article XVI:1 provides for minimum MA commitments guaranteed by a Member. It prevents a Member from providing less favorable treatment to the foreign services or service suppliers than what a Member has committed to in its SC. GATS Article XVI:2 provides a list of limitation measures on market access that a Member is prohibited from taking unless specifically provided in its service schedule. It contains an exhaustive list of forms of market access restrictions. NT requirement prohibits a Member from treating foreign service or service suppliers less favorably than the domestic service or service suppliers. A possible violation of NT can be assessed only when both the foreign and domestic service or service suppliers are ‘like’ and the measure modifies conditions of competition against the foreign services. The NT requirement creates a level playing field in the market. Against, this background, this piece dissects the consistency of PDPB with the GATS.
Demystifying PDP Bill: Is it restricting International Trade in Services
The consistency of the PDPB with India’s digital trade obligations must be assessed based on its commitments under its GATS SC. Since, many of the obligations under the GATS only apply to service sectors where Members have undertaken specific commitments, it is crucial to check whether India has taken the obligation under the specific commitments. It requires a three-step analysis. The first step to check India’s SC is to identify how digital services can be classified. The second step would be to determine the mode of supply, and the third step is to assess the commitments under the identified heads.
i. Classification of service
The classification of services is done based on the 1993 Scheduling Guidelines which, in turn, is based on the United Nations Provisional Central Product Classification. There are two possible classifications in which data transfer related services can be classified i.e. under telecommunication services (CPC 752) or computer and related services (CPC 844). One group of scholars such as Rolf H. Webber & Mira Burri classify it under CPC 844 as it is the computer database which gives vital element to this service.[1] The other group of scholars classifies it as telecommunication services as it involves network which facilitates the transmission of data, sends/receives electronic messages and manipulates information.[2] The classification of a service is based on component giving essential character to that service (here, 13). Telecommunication services include any transmission and reception of signals by electromagnetic waves. Considering that data transfer requires the transmission and reception of signals, which gives it an essential character, the authors opine that the data transfer services fall under the telecommunication service.
ii. Mode of Supply of Service
There are four modes of supply of services under GATS viz. cross-border trade, consumption abroad, commercial presence, and presence of a natural person. The supply of services from territory of one WTO Member to the territory of another WTO Member is the cross-border supply of service without the presence of service providers in the destination country (¶7.28). Therefore, the transfer of data from one country to another country falls under the first mode of supply of service i.e. cross-border trade as the transfer occurs without the presence of the service provider in the destination country. Under the PDPB, data localization hinders the transfer of data across the border i.e. it hinders the trade which may happen under Mode 1.
iii. Assessing the violation of Market Access and National Treatment
India has taken ‘none’ as a commitment in MA and NT against the cross-border supply of telecommunication services. When a Member inscribes ‘none’ in its SC, under Article XVI:1, it must provide ‘full market access’ without any conditions or qualifications, to services and service suppliers of other Members and Article XVI:2 provides specific types of limitations, and under Article XVII, it is prohibited from discriminating between the domestic service supplier and foreign service supplier (¶6.269-6.279).
A violation of Article XVI is determined by comparing the actual treatment accorded and the commitment accorded in the SC in the MA column (¶7.1353). The requirement of data localization is inconsistent with Article XVI(1) as India has taken ‘none’ as commitment due to which it cannot impose any kind of restriction on cross-border transfer of data. The assessment of violation of Article XVI is such that Article XVI:1 provides that a service cannot be given less favorable treatment than provided in the SC, whereas Article XVI:2 prohibits a Member from imposing the type of limitation mentioned under sub-provisions of Article XVI:2 until and unless such types of limitations are specifically mentioned by a Member in its SC (¶6.298). Article XVI:2(c) prohibits a Member from imposing limitations on the total number of services or total quantity of services, in the form of quota or economic needs test. A quantitative limitation (including a ‘zero quota’) encompasses within its ambit having characteristics of number (¶227). In US – Gambling, the Appellate Body held that prohibition on the supply of online gambling services constitutes a ‘zero quota’ under Article XVI:2(c) (¶251). In Mexico – Telecom, the Panel held that the routing requirement for international telecommunication constitutes a ‘zero quota’ under Article XVI(c) (¶7.85, 4.124). Similarly, based on the above-mentioned disputes, the requirement to store data within certain borders or prohibition on its transfer beyond territorial borders constitutes a ‘zero quota’ and hence violates Article XVI:2(c). (p. 7, p. 13). The data localization requirement goes against India’s commitments under GATS as India has neither taken ‘unbound’ commitment nor it has specifically incorporated restrictions on the number of service suppliers in its SC.
With respect to NT under Article XVII, a measure imparts less favorable treatment if it modifies the competitive conditions in favor of domestic services than like foreign services (¶6.103-6.104). Though PDPB mandates data localization requirements for both domestic and foreign service, there may be inherent disadvantages to the foreign service provides in terms of additional cost to meet data localization’s infrastructure requirements, however, Footnote 10 to Article XVII excludes such disadvantages from claiming the violation of Article XVII. Thus, the PDPB is not inconsistent with Article XVII.
Conclusion
The PDPB, specifically data localization being inconsistent with the MA requirement opens the gate for other countries to file disputes against India at the WTO. However, India can justify the PDPB by taking recourse to general exceptions under Article XIV:(c)(ii), GATS to justify such restrictions on the ground that data localization is necessary to protect privacy. The necessity of a measure to fulfill its objective is determined by weighing and balancing the objective’s importance, the measure’s contribution to the objective, and its trade restrictiveness (¶144). The only possible hurdle that India could face in justifying the PDBP is when the complainant Member offers alternatives such as ‘adequacy finding’ (similar to Article 45 of GDPR), which leads to the achievement of the objective with less trade restrictiveness.
[1] Rolf H. Webber & Mira Burri, Classification of Services in the Digital Economy (Springer 2013) 118.
[2] Ines Willemyns, ‘GATS Classification of Digital Services – Does ‘The Cloud’ Have a Silver Lining?’ (2019) 53 J. World Trade 59, 69; Rolf H. Webber & Mira Burri (n 15).
_____________________________
To make sure you do not miss out on regular updates from the Kluwer Regulating for Globalization Blog, please subscribe here.