By Sandeep Thomas Chandy
The past couple of years have witnessed an intense growing debate on the right to privacy for consumers in the digital world. The Aadhaar leaks and the Cambridge Analytica scandal have intensified the debate, by calling for stronger privacy regulations to protect the interest of consumers.
However, till date, the debate has been about user consent requirement, the right to be forgotten, regulations on surveillance, and the obligations of data handlers. One often forgotten aspect in this debate, is the role of World Trade Organisation (WTO) in formulating privacy regulations.
Data privacy and international trade
International trade is majorly governed by the WTO and restricted by its rules. Any actions by the WTO member states that are inconsistent with the WTO’s rules or commitments can be challenged by the other member states before the organisation’s Dispute Settlement Body (DSB). If the DSB holds the action to be inconsistent, the particular member state is required to ensure that its actions comply with the WTO’s rules and commitments.
One of the multilateral agreements under the WTO is the General Agreement on Trade in Services (GATS), which entered into force in 1995, and governs trade in services through four modes.
The most relevant of these modes—mode 1—governs the cross-border supply of services. In various disputes concerning GATS, the DSB held that GATS’s mode 1 includes the supply of service through the internet.
This means that if any WTO member state has committed to allow market access to any cross-border service, which considers its core function as the handling of personal data, the domestic regulations governing the personal data of that particular member state is required to be consistent with GATS. If it is not, then it can be challenged by any member state before the DSB.
What does GATS say about data privacy?
GATS lays out a number of specific instances where member states are exempt from its rules. One of these is the protection of the privacy of individuals, in relation to the processing and dissemination of personal data. For availing this exemption, WTO member states are required by GATS to demonstrate that the privacy regulation in place is not a disguised trade restriction, and that it is the least restrictive measure available.
The first requirement would pose challenges on the member states which enact stronger than usual privacy regulations. These member states would be forced to justify the reasons for the increased protection. It is a known fact in the information technology sphere that even the highest level of security can be compromised by those determined to do so. Till date, the European law, which is slated to enter into force on May 25th is considered as the most comprehensive, and one that grants the most rights to consumers.
The second requirement would pose problems to the member states that plan to implement or have already implemented data localisation as a method for safeguarding personal data. This is because data localisation is considered as a drastic step for safeguarding personal data, which affects the free flow of information, as compared to alternatives like imposing legal obligations on how data handlers should handle users’s personal data. Localisation measures have also been stated to be cost inefficient for business. It has also been alleged that data localisation is a method disguised to facilitate easier surveillance of citizens.
US’s position on data privacy
The United States Trade Representative released the annual National Trade Estimates report of on March 30, which has red-flagged data localisation measures of about 11 countries, including India.
“Digital trade is under threat from a growing number of laws and regulations that block the flow of data across borders, impede the provision of services such as cloud computing, or otherwise restrict the ability of firms to take advantage of best-in-class digital services. Some of these government actions are explicitly protectionist, while others impose unnecessary burdens on digital trade in seeking to address legitimate public policy goals,” the report stated.
The US, which is also a WTO member state, had raised concerns about the Chinese cybersecurity law, which discourages cross-border data transfers, and encourages local storage and processing.
Except the US, most of the countries have followed the European Union by implementing or proposing to enact privacy regulations. Some have used this opportunity to ensure data remains within their jurisdiction, making it easier to snoop on their citizens. One such example, cited by many, is China.
This situation leaves the US isolated due to its position, and its interest in protecting its businesses, leaving open the possibility of an aggressive stand against privacy regulations, which may affect American businesses. The flagging of privacy measures in the trade estimates report is a possible hint towards this direction.
The US can comfortably attack privacy regulations through the WTO, which clearly has jurisdiction over cross-border data flows. The US can also employ unilateral actions undermining the jurisdiction of the WTO. Regrettably, the latter has been a favourite tactic of the Trump Administration.
Sandeep Thomas Chandy is an international trade lawyer based out of New Delhi, India. He works as a Research Fellow at the Centre for Trade and Investment Law, Ministry of Commerce, Government of India. The views expressed in this submission reflect only those of the author. They do not reflect that of the Ministry of Commerce or Government of India or any of its affiliates.