23 October 2024
Read More3 October 2024
Read More26 September 2024
Read MoreWe are a family of strong 800+ people including 470+ professionals working from 14 locations across India.
We have a rich heritage and enduring legacy which are pivotal in shaping trust, excellence, and unparalleled legal expertise, thus building a strong reputation and a trusted brand.
Read MoreWe started in 1985 in a single room set up by the two founders with no prior experience of working in a law firm. Both the founders had outstanding academic records and focused on their deep understanding of the law to form the foundation of the firm.
Integrity, Knowledge and Passion are the principles that resonate with every member of our LKS family and the work that we do. These values drive us to build a community of legally sound professionals and well-serviced clients.
Everything we have accomplished over the last four decades is a result of our unique way of thinking which is deeply influenced by our core values and principles that define us.
Read MoreWe and our professionals consistently garner appreciation for the quality of our services and the depth of our legal expertise. This consistent acknowledgment serves as a testament to our unwavering commitment to exceed expectations.
16 September 2022
The Indo-Pacific Economic Framework for Prosperity (‘IPEF’) is a new economic framework between 13 (thirteen) Asian countries and the United States, sharing a commitment to free, open, fair and a prosperous Indo-Pacific that has the potential to achieve sustained and inclusive economic growth[1]. It rests on four pillars viz. (a) improvement of transparency, diversity, security and sustainability in supply chains; (b) clean energy, de-carbonization and infrastructure growth in line with the goals outlined in the Paris Agreement[2]; (c) commitment to promoting fair competition and enforcing effective tax, anti-money laundering, anti-bribery regimes in line with multilateral obligations; and (d) building a high-standard inclusive, free and fair trade commitment, including in the digital economy which would involve cross-border flow of personal data.
A press release[3] (‘Press Release’) by the Commerce Ministry indicates that India would not engage, at the moment, on the fourth pillar of IPEF relating to trade, promoting fair and inclusive practices including in the digital economy, stating that the Government would wait for ‘final contours to emerge’. The Press Release also acknowledges that the Government contemplated the step owing to the ongoing process of firming up digital framework and laws, particularly regarding privacy and data protection in light of the importance that the fourth pillar of IPEF accords to cross-border data flows.
The Information Technology Act, 2000 (‘IT Act’) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’) permit transfer of sensitive personal data or information[4] (‘SPDI’) to third-parties and entities outside India that ensure the ‘same level of data protection’[5] adhered to under the SPDI Rules. Given that there is no further guidance on determination, assessment and tools to ensure such level of protection, this is typically met through contractual requirements.
The incidence of data localization and restrictions on cross-border transfer have also been marginally increasing in sector-specific regulations. At the outset, one of the most prominent instances relate to local storage of entire data of payment system operators[6], including card information and cardholder data. Similar local storage requirements are also applicable to insurance policyholder records[7], critical systems and data for organizations in financial sector[8], directions on outsourcing[9] applicable to banks and financial institutions.
The Supreme Court in Puttaswamy[10] affirmed the right to privacy and also emphasized on the importance of information and data flows as central to socio-economic ordering[11]. It also refers to the Justice A. P. Shah Committee Report[12] which highlights the need for a framework that recognizes that global data flows generate value for individuals and businesses and is central to trade in the digital economy era. Although the Supreme Court did not specify any contours for cross-border data flows, the earlier (and now withdrawn) Data Protection Bill, 2021 (‘Bill’) had provided for requirements around mandatory storage of (a yet undefined) critical personal data within India[13] and conditionally permitting sensitive personal data[14] to be transferred outside India. While sensitive personal data may be transferred pursuant to approved contracts or intra-group schemes, to jurisdictions found to be adequate or on permission to transfer specific category of sensitive data, critical personal data may be transferred on very limited grounds such as for provision of health or emergency services or on specific permissions of the Government. While the Bill has been withdrawn[15], media reports[16] indicate that a new and simplified framework for data protection, along with the Digital India Act, an information technology legislation may be introduced in the next sessions of the Parliament.
It is noteworthy the Bill is similar in certain aspects to the construct of the General Data Protection Regulation (‘GDPR’), this includes grounds for transfer of sensitive personal data. The Bill enables transfers of sensitive data to third countries on grounds of a determination of adequacy[17], which can be made by the Central Government for a specific jurisdiction having regard to applicable laws and international agreements. While this determination would be subject to effective enforcement of relevant laws by authorities and permission of the Central Government prior to sharing such data with a foreign Government agency, these would have to be factored in when considering the IPEF and subsequent agreements by the Government, which could form a basis of adequacy decisions.
Consequently, international agreements which require countries to promote free flow of personal data across jurisdictions and provide for certain safeguards in respect of data transferred, may be assessed by the Central Government to be ‘adequate’. In the context of the EU, this was seen in the erstwhile agreement between the European Union and United States[18] whose ‘adequate’ determination by the European Commission was held invalid by the Court of Justice of the European Union[19].
There have been widespread criticisms that cross-border data flow restrictions, geo-blocking and such measures have impinged on trade and created country-level internets[20]. As many bilateral and multilateral agreements focusing on free trade and commerce are also attentive to digital economies and free flow of data, as seen in the case of US-Japan Digital Trade Agreement[21], measures to increase interoperability between frameworks, ensuring free flow of personal and other data, apart from maintaining legal frameworks that provide for protection of personal information of digital users are emerging high-ranking prerogatives in such agreements. While certain sectoral regulations requiring local storage applicable to critical sectors may pass muster of these standards, attempts for broader restriction on cross-border transfers (such as under the Bill) may be at risk of being perceived as trade barriers, as seen in the USTR Report[22].
While the finer terms around IPEF requirements are yet to be seen, the future of international data transfers appears to be to balance personal data protection prerogatives with the need for uninterrupted data flows, to ensure supply of goods and services across borders, especially in the context of a vibrant digital economy. Forthcoming frameworks in India such as a Data Protection Bill or Digital India Act would have to take these into consideration and bring much needed clarity on this issue.
[The authors are Senior Associate and Partner, respectively, in the Data Protection and TMT practice at Lakshmikumaran & Sridharan, New Delhi]