Data PrivacyNavigating The Privacy-Trade Dilemma: Crafting India’s Data Governance Strategy in a Globalized Digital Economy

INTRODUCTION

With the modern era of digital interconnectedness, the conflict between privacy and global commerce has become a central challenge. At its core, is the dilemma of balancing the preservation of human privacy rights against the economic necessity of promoting unfettered cross-border data flows. This dispute presents a relevant issue if the free flow of information between jurisdictions compromise individual privacy, or may a demand for rigorous protection of privacy constitute a covert trade barrier?

This blog explores this topic by looking at how dominance of data in the current economic systems provides the basis for privacy issues and how the General Agreement on Trade in Services, 1995 (hereinafter referred to as “GATS”) of the World Trade Organisation (“WTO”) has sought to address the same with a Privacy Framework. This blog subsequently examines the contrasting strategies of the European Union (“EU”) and the United States (“US”) before going on to discuss India’s changing response in its Digital Personal Data Protection Act, 2023 (“DPDPA”). In the end, the aim is to set out a harmonious and balanced model for India, one which maintains individual privacy without stifling the development potential of cross-border commerce.

THE PRIVACY-TRADE DILEMMA

Data is not only a precious asset, it is a keystone of the world economy. Its non-rivalrous and limitless character makes it essential to economic expansion and geostrategic policymaking. Digital services, artificial intelligence networks, and even physical commodities such as aircraft and cars depend on enormous amounts of real-time data. This has made data flows an integral part of goods and services trade. But in addition to this integration is increased scrutiny regarding how personal data is gathered, processed, and commercialized.

Regulatory actions in jurisdictions have translated into data protection regimes like the EU’s General Data Protection Regulation (“GDPR”) and the DPDPA of India. Such attempts at maintaining privacy, while sincere, have the potential to transform into data protectionism. The ensuing trade-offs between openness and privacy have rendered the privacy-trade problem a pressing issue for international legal and policy discussion.

THE GATS PRIVACY FRAMEWORK

GATS, a landmark in liberalizing trade in services, has sought to resolve the conflict between privacy and trade under a string of exceptions under Article IV. These permit WTO member countries to take necessary measures to protect public morals, public order, or privacy, provided they do not amount to arbitrary or unjustifiable discrimination or disguised trade restriction. Article XIV(c)(ii), in particular, justifies measures essential for the protection of individual privacy in connection with the processing of personal data.

This balancing mechanism implies that exceptions to privacy are not absolute. Steps must be convincingly “necessary” and proportionate, and steps must ensure that alternative, less trade-restrictive solutions are examined. This necessity test is essential in determining if national privacy legislation like the GDPR could be excessively broad and, therefore, could go beyond what is allowed by GATS.

Additional intricacy stems from the economic focus of the WTO model. Although the GATS Privacy Framework recognizes privacy, it frequently does so from the perspective of facilitating trade. Human rights implications, like privacy as an inalienable right, are on the sidelines. The WTO’s system of dispute resolution is inclined to favor economic reasons over human rights considerations, as can be seen in agreements such as TRIPS. This emphasizes the necessity for complementary procedures, like human rights courts, to maintain the integrity of privacy safeguards in international trade regulation.

THE EU’S ADEQUACY APPROACH

The EU strategy is based on the principle of “adequacy,” where data exports are banned to non-EU countries except where those nations provide a comparable level of protection for data. This model illustrates the EU determination to uphold data privacy as a human right. Nevertheless, the adequacy criteria are neither uniformly established nor enforced, creating a patchy and generally inaccessible process for nations to be recognized.

Although the EU model has shaped legislative changes around the world, adequacy status has only been awarded to a privileged handful of jurisdictions. The extended and secretive character of the process, combined with its extraterritorial reach, has engendered criticism of its impartiality and possible trade-restrictive impact.

THE US APPROACH

By way of contrast, the US takes a market-oriented approach in which data privacy is frequently secondary to economic and national security interests. Prioritizing corporate liberty and data portability, the US negotiates bilateral trade agreements that situate privacy concerns within larger commercial contexts. These are the U.S.-Korea Free Trade Agreement and the CPTPP, which prefer facilitating data flows while providing sparse redress mechanisms.

Efforts to harmonize these opposing positions with the EU have been contentious. The “Safe Harbour” and subsequently the “Privacy Shield” mechanisms were struck down by the European Court of Justice in the Schrems I and II cases, due to insufficient safeguard against US spying. The just-adopted “Transatlantic Data Framework” is meant to ease these tensions but continues to bypass fears of Global South nations such as India, whose frameworks remain to converge with either model.

CRAFTING INDIA’S RESPONSE

India’s digital growth narrative, which is expected to touch $1 trillion by the end of 2025, makes it a central player in the international data ecosystem. Disruption to cross-border data flows  by a fractional percentage has large economic implications. For example, a 1% decline in such flows would cost India more than $690 million in terms of trade volume. This fact needs to be weighed against India’s constitutional promise of privacy, in the wake of the historic Puttaswamy judgment that established it as a fundamental right.

DELEGATION AND THE DPDPA

Section 16 of the DPDPA grants the central government the power to regulate personal data transfers to certain jurisdictions. The legislation does not place strict data localisation mandates and eschews categorizing data as “sensitive” or “critical.” Although this strategy leaves room for regulation, it also opens the door to legal uncertainty by pushing the essential question of cross-border data flows into the future executive notifications.

Up to October 2024, no such regulations have been published under Section 16, leaving stakeholders and businesses in limbo. Though the temporary convenience of this loophole, it may compromise data security as well as trade efficiency in the long term.

ANALYZING THE DPDPA FRAMEWORK

The DPDPA, if considered by the perspective of the privacy-trade conundrum, gives rise to five key issues that are deserving of serious examination. To begin with, the Act’s built-in flexibility without any guiding framework or statutory precepts leads to an overpowering concentration of regulatory authority in the hands of the central government. This unpredictability erodes the stability of the legal landscape and can negatively impact India’s business environment. Second, India’s cross-border data flow approach needs to meet the necessity and non-discrimination norms under the GATS regime. Failure to meet these standards may subject India to WTO disputes and reduce its access to global markets. Thirdly, legislative silence on how India is to treat jurisdictions that are not up to its standards in data protection increases the possibility of arbitrary exclusions. Without openness in process or interaction mechanisms, such exclusions could be mistaken for trade protectionism or even similar to economic sanctions. Fourthly, India’s regulatory efforts in the digital space tend to look policy-led rather than being based on uniform legal or economic logic. For instance, the bans on foreign investments by border nations appear to be driven more by geopolitical considerations than by any articulated data privacy strategy. Lastly, the regulatory burden imposed by the privacy-trade framework disproportionately hurts Indian small and medium-sized enterprises (SMEs). While big multinational companies have the resources and infrastructure to conform to intricate data legislations, Indian SMEs are failing to achieve this, hence worsening their marginalisation in the digital international economy.

STRATEGIC WAY FORWARD

India needs to approach this challenge in a calibrated manner. The DPDPA needs to be amended so as to include guiding principles and a legislative framework that curbs excessive executive discretion. India’s blacklisting practice needs to strictly adhere to WTO norms to prevent being challenged as a trade barrier.

A multi-level categorization of jurisdictions, drawing on the “traffic light” analogy, could enhance accuracy and clarity. Sectoral stratification, as in the US approach, might also be useful in tailoring privacy responsibilities by industry.

In light of the lack of international consensus on data transfers, India must incorporate strong data protection provisions into its Free Trade Agreements. Such provisions need to be more than mere symbolic statements and have enforceable redress mechanisms, as found in the India-UAE CEPA.

India would also need to implement contractual frameworks such as SCCs and BCRs that are specific to its legal framework. These should be effective but not overly burdensome so as not to deter trade.

Finally, India needs to make level playing field available for SMEs. Implementing a tiered compliance model as well as providing regional data storage facilities can alleviate the compliance burden without sacrificing data privacy.

AMLEGALS REMARKS

The changing interface between privacy and global commerce requires a sophisticated and visionary legal approach. India has reached a crossroads where its national regulatory decisions will be able to have a substantial impact on its place in the global data economy. Although the DPDPA is an initial step, it leaves much scope for interpretative uncertainty and executive abuse. If India is to continue on its economic path while keeping constitutional values intact, it has to take a holistic, principle-based, and globally harmonized approach to dealing with cross-border data flows.

It will be necessary to integrate legislative transparency, WTO-compliant trade policy, sectoral risk stratification, and SME support systems. It is only through this balance that India can build a robust digital trade system equally respecting personal privacy and economic competitiveness.

~Team AMLEGALS (Assisted by Abhijeet Patra)

For any queries or feedback, feel free to reach out to laksha.bhavnani@amlegals.com or hiteashi.desai@amlegals.com