Alerts & Updates 10th Nov 2022

Digital Trade Clauses in FTAs and India’s Data Industrialization Goals: The Bilateral Way Forward

Authors

Sanjay Notani Partner | Mumbai
Akash Manwani Associate | Mumbai


  • India’s digital trade potential

    The incentivization for digitization coupled with pandemic-imposed necessity for adoption of digital tools has led to a manifold increase in quantity of data generation from India. A comprehensive data protection legislation is underway in India which will provide a specialized legal framework for data protection and information privacy. The data protection legislation will have rippling effects for the country, not only domestically but also from the perspective of international trade. Several products and services offered by organizations/entities today require processing of massive amounts of foreign data. At the same time, each activity in the journey of a dataset – such as collecting, sharing, processing and protection – takes place at various locations around the world, thus being subject to multiple regulations at a time. It is at this juncture that digital trade clauses in Free Trade Agreements (FTAs) are increasingly being considered as a tool to reduce friction caused by domestic regulations pertaining to cross-border data flows.

    As of January 2022, India recorded over 658 million users of the internet[1]. In terms of mere potential, data converts to revenues, soft-power capabilities, and strategic influence. Based on a study conducted by the Internet and Mobile Association of India (IAMAI), a 1% decrease in international internet bandwidth could lead to a loss for India of about USD 696.71 million in total volume of goods traded[2]. Needless to mention, many prospects of monetizing this data are at the country’s disposal. Due to these prospects of data industrialization along with national security and local regulations-related issues, the domestic sectoral restrictions are imposed on cross-border data flow in India. As a matter of macro policy, India is taking gradual but effective steps towards cross-border data flow with adequate protections at a bilateral level.

    This article looks at India’s policy considerations and collateral events so far, to evaluate the rationale behind modern-day provisions in FTAs and India’s recent glocalized stance on cross-border data flow. On analysis, it appears that India’s data industrialization goals are represented better in bilateral agreements rather than multilateral arrangements. India might seek to engage multilaterally when adequate protections are brought in through its long-anticipated data protection legislation. Thus, for now, this article explores ways around India’s strict sectoral regime for optimum data sharing.

  • India’s premise for data localization

    India has a host of laws that mandate local physical storage, mirroring, and processing of data within domestic jurisdiction. Many reasons have been accorded for impositions of these restrictions. One of the major concerns is access to data for investigation and other operational purposes. Timely access to data becomes crucial for law enforcement agencies and regulators in cases of malpractice, data breaches as well as technological disruptions. Although data is collected in India, it is stored in data centers located outside the legal jurisdiction of India. In such situations, the regulators as well as law enforcement agencies rely on mutual legal assistance treaties (MLATs) to access the relevant data. MLATs assist in procuring the data but the contours of the same are limited to public/criminal laws. Its application for securing data for research/regulatory purposes is unknown and not tested.[3] Apart from being a cumbersome process, the effectiveness of MLAT also depends on bilateral relations between the consenting states.

    Now India is considering prospects of monetizing the data by easing localization norms in light of several inputs received from start-ups around the country[4]. With stakeholders within and outside pitching for globalization, India’s data protection bill is being seen as a measure to allow India to join the multilateral bandwagon with other states. There are indications that the anticipated data protection legislation will contain liberal provisions pertaining to data localization and cross-border flow of data.[5] Till the data protection legislation is enacted, the current applicable regulations updated from time to time and the bilateral agreements are the most preferred mode for recognizing cross-border data flow from India. Given the applicable framework to work in sync with other countries, listed below are some for it to work seamlessly to be part of the global trade with respect to technology.

  • India’s sectoral regulations on data storage

    India achieves its localization mandate through strict sectoral restrictions on data transfers across borders. However, states globally are insistent[6], and policy institutes[7] are pitching for relaxations of data localization norms in the interest of commerciality, research, and social-good factors. Bilateral treaties containing digital trade clauses – although aiming to balance the data localization norms – are only suggestive in nature and do not overlap with sectoral regulations. Considering this, some of India’s domestic sectoral laws/rules/regulations which impose restrictions on international data transfers include the following:

    • In the insurance sector, as per Regulation 18 (ii) of the Insurance Regulatory and Development Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017[8], in cases where an Insurer outsources facilities to the service providers outside India, the Insurer shall ensure that terms of the agreement are in compliance with respective local regulations and that such laws/regulations do not impede the regulatory access and oversight of the Authority. It is envisaged that all original policyholder records continue to be maintained in India.
    • In the banking sector, as per a Notification[9] dated 06 April 2018 issued by the Reserve Bank of India (RBI) under the Payment and Settlement Systems Act, 2007, in respect of Storage of Payment System Data, it is specifically observed by the RBI that not all system providers store the payments data in India. Thus, to ensure better monitoring and unfettered supervisory access, RBI directed all system providers to ensure that the entire data relating to payment systems operated by system providers are stored in a system which is within the legal jurisdiction of India.
    • In the entertainment sector, for Broadcasting subscriber data, one of the conditions imposed in the Consolidated Foreign Direct Investment Policy 2020[10] was that the broadcasting company shall not transfer subscribers’ databases to any entity or a place outside the legal jurisdiction of India unless permitted by the relevant law.
    • For Company compliances, Proviso to Rule 3(5) of the Companies (Accounts) Rules 2014, provides that the back-up of the books of accounts and other books and papers of the company which are maintained in electronic mode (including at a place outside India) shall be stored in servers physically located within the legal jurisdiction of India.
    • The Securities and Exchange Board of India (SEBI) through its Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions[11] states that to ensure complete protection and seamless control over the critical systems at organizations, critical data relating to risk, audits and compliance shall be kept within the legal boundaries of India.

    Apart from the above, the National Data Sharing and Accessibility Policy (NDSAP) of 2012 mandates localization of all government data while permitting transfer of non-sensitive data for legitimate use[12]. The MeghRaj Initiative pertaining to data storage practices of government departments requires all empaneled cloud service providers to store all physical and online data in India[13]. These industry-specific regulations, although clustered, provide adequate measures for the government and regulators to carry out their functions effectively. Some information/data not stored in India are then procured through MLATs.

  • India’s disengagement from consensus starved multilateral commitments

    As an extension of India’s insistence on data localization, it made an international remark by abstaining from participation in Japan’s Osaka Track of 2019. Japan had proposed the “data free flow with trust” (DFFT) through a declaration made by the leaders of G20 in Osaka, Japan. In this declaration, the G20 leaders unveiled the Osaka Track to demonstrate commitment to promote international policy discussions and rulemaking on trade-related aspects of electronic commerce at the World Trade Organization (WTO). The states committed that “we will engage in international policy discussions for harnessing the full potential of data and digital economy and increase efforts to engage with relevant international fora for that purpose.”[14]

    All major economies including the US, Canada and Germany signed and opted for the Osaka Track, with the exception of India, Indonesia and South Africa. India maintained that the Osaka Track is not based on the principles of multilateralism propagated by the WTO. A compromise text noting the “critical role played by effective use of data, as an enabler of economic growth, development and social well-being” was later inserted in the official statement on insistence by India and South Africa. The main concern of these developing economies remained that the “policy space” for digital industrialization could be hampered[15].

    At a bilateral level, however, India has been engaging with other countries with digital trade clauses in the FTAs. For instance, in February 2022, India signed a Comprehensive Economic Partnership Agreement (CEPA) with the United Arab Emirates (UAE). This agreement covered various service sectors like construction, tourism, nursing, finance and so on. While this agreement included digital trade clauses, some services which involved an online mode of service delivery were clauses pertaining to localization rules, data privacy of citizens, and mandatory local storage requirements[16]. The Agreement further provided that a legal framework for data protection ought to be formulated by each party in accordance with the principles laid down by international organizations. It is interesting to note that India is reiterating its stance at Osaka Track 2019 through subsequent agreements with other FTA partner countries. Finally, separate provisions have been envisaged in this agreement which would make it obligatory upon the parties to adequately publish information about remedies and business compliances. Thus, while India portrays openness towards digital trade, it has its own version of data-transfer clauses which again emphasize a localization-centric model. With the current set of sectoral regulations in the country, it is likely to benefit from such bilateral engagement with specific countries where it can retain its aspirations of data industrialization and derive benefits from cross-border data flow as well.

  • Modern data digital trade clauses in FTAs and exceptions to sectoral restrictions on cross-border data flow at bilateral level

    There is a deficiency of international consensus on cross-border data flows at a multilateral level; thus, at a bilateral level, countries including India have an opportunity to tailor digital trade clauses in FTAs for cross-border data flows to suit their unique needs. Clauses pertaining to cross-border data flow articulate the trust of binding parties towards fostering better trade relations. Most digital trade clauses start off with commitments from each party towards protection of personal information as a priority in the digital economy. Considering that citizens/subjects are the ultimate beneficiaries, it is the endeavor of Governments that citizens should have similar remedies, redressal and/or protections. At the same time, it is provided that awareness ought to be created and adequate information be circulated about such legal regimes pertaining to digital trade. Inability to have a similar set of regulations is a major reason behind not having an international consensus on data sharing policy. Thus, FTAs have varied kinds of clauses depending on, inter alia, the practical nature of the political structure, domestic sectoral regulations, and the ability of a country to industrialize the data.

    The provisions in the FTAs may also provide for joint development of interoperable systems for protection of personal information by way of certifications or code of conduct. Availability of experts, cooperation in technical issues, inter-state reporting accessibility and sharing of information through joint projects may also find their place in FTAs. Considering the intrinsic value of data, each party in a bilateral FTA may also carve out exceptions to allowing cross-border data transfer where the purpose of such transfer is government procurement, achieving legitimate public policy and/or national security or strategic interest issue[17].

    One of the contentious issues while negotiating such agreements is the direct or indirect implementation of sector specific restrictions. The general apprehension while dealing with developing economies like India is maneuvering through sectoral regulations. The domestic sectoral restrictions of a state which are usually regulatory in nature could be used as an indirect tool to circumvent free flow of data[18]. In such discussions, plausible exceptions to sectoral restrictions that are usually carved out are as follows:

    • Sector specific clauses relevant for regulators to monitor/supervise may be allowed as an exception. Specialized regulators for different sectors like stock-markets, Insurance, Banking and so on are super-specialized and at all times adapting to changing needs. In such scenarios, the regulators are expected to engage with the market and monitor the activities of the entities. Thus, where the state is relaxing the mandate of local storage of data as a requirement, it may seek to have all-time access to the information on activities of the entities so that the plug can be pulled at any required time.
    • Adequate opportunity may be accorded to the entities to remediate. Private sector entities investing in states which have been victims of regulatory activism ought to have enough redressal mechanisms. The party to an FTA in such a situation may not accept the sectoral regulator being the final arbiter of decisions on data-related breaches. Thus, a provision in FTAs may be carved out to have more horizontal authorities to challenge and remediate the decision of the regulator.
    • The sector specific restrictions ought not to be overly restrictive, i.e., to not attain more than one objective. Parties usually conduct thorough due diligence of domestic sectoral regulations to gauge plausible risks of restrictive data localization clauses. For instance, a sectoral data localization requirement so restrictive that it could lead to commercialization at the hands of the regulator itself by assisting domestic businesses could prove fatal for the victim entity and/or the state’s interests.

    Thus, the above clauses can be used with countries like India, which has a strict localization policy.

    As per a study conducted by the World Bank titled Regulating Personal Data: Data Models and Digital Services Trade[19] published in March 2021, it was observed that the party in a bilateral trade agreement having an open cross-border data flow arrangement, partial conditional model of a cross-border data flow arrangement or for that matter, conditional model for domestic data processing showcases a reliable and healthy trade structure in digital services trade agreements. Many of the FTAs/Agreements around the world like the UK-EU Trade and Cooperation Agreement, UK-Japan Comprehensive Economic Partnership Agreement, EU-Mexico Global Trade Agreement, UK-Chile Association Agreement, UK-Vietnam FTA have similar data transfer related provisions. At this point, a carefully worded report of the RBI dated 29 April 2022 is relevant wherein it was noted “The focus of bilateral trade agreements with these advanced countries should be bilateral technology-sharing and forging partnership/alliance in sectors where indigenous capabilities may be weak. As the global trade environment is becoming increasingly complex and prone to more disputes, rules, and provisions with regard to digitally enabled trade, data security issues and intellectual property rights should get adequate coverage in trade agreements.” Thus, careful formulation of data transfer clauses that are in consonance with a state’s data localization/globalization policy is important. The importance of these provisions becomes even more apparent in the long run when the data industrialization capabilities of a state may expand.

  • Conclusion

    At an international level, unique heterogeneous regulations, data consensus issues[20], and stringent adequacy models are rather intrinsic in a proposition like cross-border data flows. Developed countries may propagate commitment to free flow of data with adequate protection; however, the developing economies see it as a monotonous version of data protection. The data industrialization goals of developing economies are a long-drawn process. In India’s case, it is a two-pronged resolution that involves enacting an umbrella legislation for adequate data protection and fostering bilateral relations with FTA partner countries. India has a say in the room when it comes to negotiating bilateral trade agreements wherein the most optimum and efficient route can be chosen while not giving up on sectoral regulations and/or data industrialization goals. In any case, it is seen that success of such agreements is greater on a bilateral level than on a multilateral scale.

    We hope you have found this information useful. For any queries/clarifications please write to us at insights@elp-in.com or write to our authors:

    Sanjay Notani, Partner – Email – SanjayNotani@elp-in.com
    Akash Manwani, Associate – Email – AkashManwani@elp-in.com

  • References

    [1] https://datareportal.com/reports/digital-2022-india
    [2] https://icrier.org/pdf/Economic_Implications_of_Cross-Border_Data_Flows.pdf
    [3] https://carnegieindia.org/2021/04/14/how-would-data-localization-benefit-india-pub-84291
    [4] https://indianexpress.com/article/business/startups/as-start-ups-complain-govt-looks-to-ease-data-localisation-norms-8034036/
    [5] https://economictimes.indiatimes.com/tech/newsletters/morning-dispatch/draft-data-bill-may-relax-local-storage-rules-amazon-sues-consumer-protection-body/articleshow/94746089.cms?from=mdr
    [6] https://www.livemint.com/news/world/india-boycotts-osaka-track-at-g20-summit-1561897592466.html
    [7] https://nasscom.in/sites/default/files/20220509_Joint_Paper_Data_Transfers_NASSCOM.pdf
    [8] Notification F. No. IRDAI/Reg/5/142/2017
    [9] DPSS.CO.OD No. 2785/06.08.005/2017-2018
    [10] Consolidated FDI Policy Circular of 2020, DPIIT File Number 5(2)/2020-FDI Policy Dated the October 15, 2020
    [11] Circular No. SEBI/HO/MIRSD2/DOR/CIR/P/2020/221 dated 03 November 2020
    [12] https://dst.gov.in/national-data-sharing-and-accessibility-policy-0
    [13] https://www.meity.gov.in/writereaddata/files/Guidelines-Contractual_Terms.pdf
    [14] https://www.mofa.go.jp/policy/economy/g20_summit/osaka19/pdf/special_event/en/special_event_01.pdf
    [15] https://www.indiaperspectives.gov.in/en_US/india-at-osaka-strong-and-balanced/
    [16] https://m.rbi.org.in/scripts/PublicationsView.aspx?id=21038
    [17] https://nasscom.in/sites/default/files/20220509_Joint_Paper_Data_Transfers_NASSCOM.pdf
    [18] https://nasscom.in/sites/default/files/20220509_Joint_Paper_Data_Transfers_NASSCOM.pdf
    [19] https://openknowledge.worldbank.org/bitstream/handle/10986/35308/Regulating-Personal-Data-Data-Models-and-Digital-Services-Trade.pdf
    [20] https://www.business-standard.com/article/current-affairs/how-can-we-get-data-flowing-freely-among-nations-with-different-cyber-laws-122052100169_1.html

Disclaimer: The information contained in this document is intended for informational purposes only and does not constitute legal opinion or advice. This document is not intended to address the circumstances of any individual or corporate body. Readers should not act on the information provided herein without appropriate professional advice after a thorough examination of the facts and circumstances of a situation. There can be no assurance that the judicial/quasi-judicial authorities may not take a position contrary to the views mentioned herein