The Indo-Pacific Economic Framework for Prosperity (‘IPEF‘) is a new economic framework between 13 (thirteen) Asian countries and the United States, sharing a commitment to a free, open, fair and prosperous Indo-Pacific that has the potential to achieve sustained and inclusive economic growth. It rests on four pillars to know. (a) improving the transparency, diversity, security and sustainability of supply chains; (b) clean energy, decarbonization and infrastructure growth in line with the goals set out in the Paris Agreement; (c) commitment to promote fair competition and to apply effective tax, anti-money laundering and anti-corruption regimes in accordance with multilateral obligations; and (d) building high-level inclusive, free and fair business engagement, including in the digital economy, which would involve cross-border flow of personal data.
A press release (‘Press release‘) by the Ministry of Commerce indicates that India would not, for the time being, commit to the fourth pillar of the IPEF relating to trade, promoting fair and inclusive practices including in the digital economy, specifying that the government would wait ‘final contours to emerge‘. The press release also acknowledges that the government has considered this step due to the ongoing process of strengthening the digital framework and laws, particularly in relation to privacy and data protection, given the importance that the IPEF’s fourth pillar grants cross-border data flows.
Cross-border transfers: existing and upcoming legislation
The Information Technology Act 2000 (“IT law‘) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (‘PSDI Rules‘) allow the transfer of data or sensitive personal information (‘PSDI‘) to third parties and entities outside India who perform the ‘same level of data protection‘ complied with under the SPDI rules. Since there are no further guidelines on determination, assessment and tools to ensure such a level of protection, this is usually met by contractual requirements.
The impact of data localization and restrictions on cross-border transfers has also increased slightly in industry regulations. Initially, one of the most important cases concerns the local storage of all the data of the operators of payment systems, including card information and cardholder data. Similar local storage requirements also apply to policyholder recordscritical systems and data for organizations in the financial sectorguidance on outsourcing applicable to banks and financial institutions.
The Supreme Court of Puttaswamy affirmed the right to privacy and also underlined the importance of information and data flows as socio-economic ordering. It also refers to the report of the Justice Committee AP Shah which highlights the need for a framework that recognizes that global flows of data generate value for individuals and businesses and are at the heart of commerce in the age of the digital economy. Although the Supreme Court did not specify the contours of cross-border data flows, the earlier (and now withdrawn) Data Protection Bill of 2021 (‘Invoice‘) had laid down requirements concerning the compulsory storage of (still undefined) critical personal data in India and conditionally authorize sensitive personal data be transferred out of India. While Sensitive Personal Data may be transferred under approved contracts or intra-group programs, to jurisdictions deemed adequate, or upon authorization to transfer a specific category of Sensitive Data, critical Personal Data may be transferred for very limited reasons, such as the provision of health care or emergency services or upon specific government authorization. While the bill was withdrawnmedia reports indicate that a new simplified framework for data protection, as well as the Digital India Act, information technology legislation could be introduced in the next sessions of Parliament.
Interface between international agreements and data transfers
It should be noted that the bill is similar in some respects to the construction of the General Data Protection Regulation (‘GDPR‘), this includes the reasons for transferring sensitive personal data. The bill authorizes transfers of sensitive data to third countries based on a determination of adequacywhich may be made by the central government for a specific jurisdiction having regard to applicable laws and international agreements. Although this decision is subject to the effective application of relevant laws by the authorities and the authorization of the central government before sharing this data with a foreign government body, these should be taken into account when considering IPEF and subsequent agreements by the government, which could serve as the basis for adequacy decisions.
Therefore, international agreements that oblige countries to promote the free flow of personal data between jurisdictions and provide certain safeguards with respect to the data transferred, may be deemed by the central government to be “adequate”. In the context of the EU, this was seen in the old agreement between the European Union and the United States whose “adequate” decision of the European Commission has been declared invalid by the Court of Justice of the European Union.
Future of data flows and cross-border restrictions
There have been many criticisms that cross-border data flow restrictions, geo-blocking and such measures have impinged on commerce and created country-level internets.. As many bilateral and multilateral agreements focusing on free trade and trade also pay attention to digital economies and the free flow of data, as seen in the case of the digital trade agreement between the United States and the Japan., measures to increase interoperability between frameworks, guaranteeing the free flow of personal and other data, in addition to maintaining legal frameworks that provide for the protection of the personal information of digital users, bring out high-ranking prerogatives in these agreements . While some industry regulations requiring local storage applicable to critical sectors may override these standards, attempts to restrict cross-border transfers more broadly (as under the bill) are likely to be perceived as Customs barriersas seen in the USTR report.
Although the more precise terms regarding the IPEF requirements have yet to be defined, the future of international data transfers appears to be to balance the prerogatives of protecting personal data with the need for uninterrupted data flows, in order to ensure the supply of goods and services across borders, especially in the context of a dynamic digital economy. Upcoming frameworks in India, such as a draft Data Protection Bill or a Digital India Act, should take this into account and provide much-needed clarification on this issue.