The free flow of data across borders underpins today’s globalised economy. Such flows are growing exponentially and are estimated to have raised world GDP by about 10 per cent over the past decade. India is a major beneficiary. Data flows drive the country’s most dynamic exports of digitally-delivered data processing and other business services.
But the international transfer of personal data also raises concerns about the protection of privacy. Earlier this week, the European Union (EU) introduced the world’s most legally comprehensive data protection regime, in keeping with its concept of privacy that stems from its own unique history and cultural trajectory.
What does the new EU regulation mean for India? In 2016-17, nearly a quarter of India’s IT-enabled exports — ranging from financial accounts and analysis to health transcriptions and diagnostics — went to the EU. Provision of these services often requires the collection of data from EU citizens. The EU regulation makes exporting harder by making data transfers more difficult.
Developing countries like India face a dilemma now. Data transfers to a non-EU country will henceforth be permitted only if the latter enacts a national privacy law equivalent to the EU law. A handful of countries, including Argentina and Uruguay, have already done so. However, a national law imposes the same standard on all firms in the country, even when they sell at home. The risk is that such prematurely stringent privacy laws could hamper the development of domestic markets. For example, by constraining the operation of credit bureaus and other information-sharing mechanisms, such laws could limit access to finance and other services.
Enacting EU-type national privacy legislation would increase the cost of doing business and lead to a loss of competitiveness in other markets. A recent survey suggested that Fortune 500 companies would need to spend $16 million on average to avoid falling foul of the EU regulation. The increased costs would hurt not just access to services at home but also competitiveness in foreign markets where privacy is a less acute concern. When the Philippines drafted tough national privacy legislation to ensure continued access to the EU market, US firms based in that country suspended investment plans because operating costs would increase.
If a country’s national law does not pass the EU adequacy test, as happened with India, then its firms are required either to accept corporate rules that bind their operations all over the world, or to use special model contracts for each EU business deal. Both options require firms to ensure levels of data protection that would be offered in the EU. Both also require a data controller or processor, who can be held liable for breach, to be established in an EU member state.
These requirements increase costs and limit the benefits of digital trade, especially for smaller firms. A survey in India of service exporters showed that the EU’s earlier data protection regime had a significant impact on India’s exports, even though it was less strict. The corporate rule process took over six months and 90 per cent of respondents chose to use model contracts instead, but those too proved complex and time-consuming. Two-thirds of surveyed exporters claimed a significant loss of business opportunities because of data protection concerns.
Can the EU’s legitimate need to protect privacy be fulfilled without hurting a developing country like India? A recent example of cooperation offers a solution. When the EU first enacted its privacy rules, US national laws were deemed inadequate. To safeguard transatlantic data flows, the EU and the US negotiated an agreement that was updated after the Snowden revelations as the “Privacy Shield”. Under this agreement, US firms promise to protect the privacy of European citizens to EU standards in return for unrestricted data flows. The firms’ commitment is monitored and enforced by US institutions, notably the Federal Trade Commission and the Department of Commerce.
This arrangement has created a valuable opening. Under WTO law on services trade, the EU is required to offer other countries an opportunity to negotiate comparable arrangements. India must take advantage of this opportunity, while strengthening its case for recognition by creating credible assessment institutions.
Such an arrangement would have big advantages over existing options. First, Indian firms serving the EU market would not be required to establish a presence in the EU or accept rules and contracts that are costly and time-consuming. The assessment of conformity with EU standards would take place at home by domestic regulators.
Second, India would not need to pass a national privacy law whose stringency is determined by foreign norms. It would be free to create domestic standards to meet domestic needs, while following foreign standards for specific export markets. It would thus avoid a conflict between two vital development goals — preserving access to foreign services markets for its exporters and improving access to services for its citizens.