The Indo-Pacific Economic Framework for Prosperity (‘IPEF’) is a new economic framework between 13 (thirteen) Asian countries and the United States, sharing a commitment to free, open, fair and a prosperous Indo-Pacific that has the potential to achieve sustained and inclusive economic growth[1]. It rests on four pillars viz. (a) improvement of transparency, diversity, security and sustainability in supply chains; (b) clean energy, de-carbonization and infrastructure growth in line with the goals outlined in the Paris Agreement[2]; (c) commitment to promoting fair competition and enforcing effective tax, anti-money laundering, anti-bribery regimes in line with multilateral obligations; and (d) building a high-standard inclusive, free and fair trade commitment, including in the digital economy which would involve cross-border flow of personal data.
A press release[3] (‘Press Release’) by the Commerce Ministry indicates that India would not engage, at the moment, on the fourth pillar of IPEF relating to trade, promoting fair and inclusive practices including in the digital economy, stating that the Government would wait for ‘final contours to emerge’. The Press Release also acknowledges that the Government contemplated the step owing to the ongoing process of firming up digital framework and laws, particularly regarding privacy and data protection in light of the importance that the fourth pillar of IPEF accords to cross-border data flows.
Cross-border transfers: Existing and forthcoming law
The Information Technology Act, 2000 (‘IT Act’) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’) permit transfer of sensitive personal data or information[4] (‘SPDI’) to third-parties and entities outside India that ensure the ‘same level of data protection’[5] adhered to under the SPDI Rules. Given that there is no further guidance on determination, assessment and tools to ensure such level of protection, this is typically met through contractual requirements.
The incidence of data localization and restrictions on cross-border transfer have also been marginally increasing in sector-specific regulations. At the outset, one of the most prominent instances relate to local storage of entire data of payment system operators[6], including card information and cardholder data. Similar local storage requirements are also applicable to insurance policyholder records[7], critical systems and data for organizations in financial sector[8], directions on outsourcing[9] applicable to banks and financial institutions.
The Supreme Court in Puttaswamy[10] affirmed the right to privacy and also emphasized on the importance of information and data flows as central to socio-economic ordering[11]. It also refers to the Justice A. P. Shah Committee Report[12] which highlights the need for a framework that recognizes that global data flows generate value for individuals and businesses and is central to trade in the digital economy era. Although the Supreme Court did not specify any contours for cross-border data flows, the earlier (and now withdrawn) Data Protection Bill, 2021 (‘Bill’) had provided for requirements around mandatory storage of (a yet undefined) critical personal data within India[13] and conditionally permitting sensitive personal data[14] to be transferred outside India. While sensitive personal data may be transferred pursuant to approved contracts or intra-group schemes, to jurisdictions found to be adequate or on permission to transfer specific category of sensitive data, critical personal data may be transferred on very limited grounds such as for provision of health or emergency services or on specific permissions of the Government. While the Bill has been withdrawn[15], media reports[16] indicate that a new and simplified framework for data protection, along with the Digital India Act, an information technology legislation may be introduced in the next sessions of the Parliament.
Interface between international agreements and data transfers
It is noteworthy the Bill is similar in certain aspects to the construct of the General Data Protection Regulation (‘GDPR’), this includes grounds for transfer of sensitive personal data. The Bill enables transfers of sensitive data to third countries on grounds of a determination of adequacy[17], which can be made by the Central Government for a specific jurisdiction having regard to applicable laws and international agreements. While this determination would be subject to effective enforcement of relevant laws by authorities and permission of the Central Government prior to sharing such data with a foreign Government agency, these would have to be factored in when considering the IPEF and subsequent agreements by the Government, which could form a basis of adequacy decisions.
Consequently, international agreements which require countries to promote free flow of personal data across jurisdictions and provide for certain safeguards in respect of data transferred, may be assessed by the Central Government to be ‘adequate’. In the context of the EU, this was seen in the erstwhile agreement between the European Union and United States[18] whose ‘adequate’ determination by the European Commission was held invalid by the Court of Justice of the European Union[19].
Future of data flows and cross-border restrictions
There have been widespread criticisms that cross-border data flow restrictions, geo-blocking and such measures have impinged on trade and created country-level internets[20]. As many bilateral and multilateral agreements focusing on free trade and commerce are also attentive to digital economies and free flow of data, as seen in the case of US-Japan Digital Trade Agreement[21], measures to increase interoperability between frameworks, ensuring free flow of personal and other data, apart from maintaining legal frameworks that provide for protection of personal information of digital users are emerging high-ranking prerogatives in such agreements. While certain sectoral regulations requiring local storage applicable to critical sectors may pass muster of these standards, attempts for broader restriction on cross-border transfers (such as under the Bill) may be at risk of being perceived as trade barriers, as seen in the USTR Report[22].
While the finer terms around IPEF requirements are yet to be seen, the future of international data transfers appears to be to balance personal data protection prerogatives with the need for uninterrupted data flows, to ensure supply of goods and services across borders, especially in the context of a vibrant digital economy. Forthcoming frameworks in India such as a Data Protection Bill or Digital India Act would have to take these into consideration and bring much needed clarity on this issue.
[The authors are Senior Associate and Partner, respectively, in the Data Protection and TMT practice at Lakshmikumaran & Sridharan, New Delhi]
[1] Statement on Indo-Pacific Economic Framework for Prosperity dated May 24, 2022, available here
[2] Paris Agreement (2016), available here
[3] Indo-Pacific Ministerial Meet, dated September 10, 2022, available here
[4] Rule 3, Information Technology Rules, 2011
[5] Rule 7, Information Technology Rules, 2011
[6] Reserve Bank of India, Storage of Payment System Data dated April 6, 2018, available here
[7] Rule 3(9), IRDAI (Maintenance of Insurance Records) Regulations, 2015, available here
[8] Para 3, Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions dated November 3, 2020, available here
[9] Master Direction on Outsourcing of IT Services, available here
[10] Justice (Retd) K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1
[11] Para 175, Puttaswamy (2017)
[12] Report of the Group of Experts on Privacy dated October 16, 2012, available here
[13] Section 34, Data Protection Bill.
[14] Section 3(41), Data Protection Bill.
[15] Bulletin – Part I, dated August 3, 2022; Lok Sabha, available here
[16] New Data Protection Bill, Digital India Act to make online world more accountable, MoneyControl, available here
[17] Section 34(1)(b), Data Protection Bill.
[18] EU-US Privacy Shield, 2016, available here
[19] Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, C-311/18 dated May 20, 2021
[20] The web really isn’t worldwide – every country has different access, available here
[21] U.S.-Japan Digital Trade Agreement, available here
[22] 2022 National Trade Estimate Report on Foreign Trade Barriers, available here
