The new trade deal between the United Kingdom and Japan puts a ban on data localisation while preserving “high standards of protection for personal data”. This is the first major trade deal for the UK post Brexit and was announced by UK’s Department of International Trade today.
The United Kingdom and Japan have agreed “in principle” to the UK-Japan Comprehensive Economic Partnership Agreement that has also committed to uphold principles of net neutrality. Under the deal, British businesses will not have to bear the extra cost of setting up servers in Japan. “This will help UK fintech firms operating in Japan – like Revolut and Transferwise – to innovate and grow [sic],” the International Trade Department’s statement read.
The UK has claimed that the digital and data provisions in this deal “go far beyond” the EU-Japan deal which came into force in February 2019. As a complement to that deal, Japan had earlier agreed to put in additional safeguards to comply with the adequacy standards put in place by EU’s General Data Protection Regulation (GDPR). These standards ensure that data transferred from the EU is protected as per GDPR standards.
It was unlikely that Japan would ever sign a bilateral trade agreement where its trade partner attempted to stymie free flow of data across borders. This is because Japanese Prime Minister Shinzo Abe had spearheaded the Data Free Flow with Trust (DFFT) framework at the World Economic Forum last year. DFFT aims to eliminate restrictions on cross-border transfer of information by electronic means, including personal information, and storing data in foreign servers.
In October 2019, USA and Japan had signed a Digital Trade Agreement wherein they had renewed their stance against data localisation. That agreement had also allowed for open access to government data.
Where does India stand?
DFFT gained traction through “Osaka Track” at the G20 summit in 2019 which was held in Japan. Most G20 members signed this framework to promote cross-border data flow with enhanced protections for intellectual property, personal information, and cybersecurity, but India, Indonesia and South Africa boycotted it. Even before the main G20 summit took place in July 2019, India’s Commerce and Industry Minister Piyush Goyal had argued against using free trade to justify the free flow of data at the G20 trade ministers meeting in June.
Through different legislations that are currently in work, India has sought to localise data within the country. In its Personal Data Protection Bill, 2019, which is currently being deliberated upon by a Joint Parliamentary Committee, sensitive personal data (including health, financial, biometric data) can be transferred outside India but only with the permission of the Data Protection Authority or the central government. More importantly, such data must continuously be stored in India as well. Critical personal data, which has thus far not been defined, can only be sent outside India under emergencies.
The Reserve Bank of India, too, has made it mandatory to store all payments related data within the country.
- USA, Japan sign Digital Trade Agreement, stand against data localisation
- Piyush Goyal at G20: Data is a sovereign asset, free trade can’t justify its free flow
- India and tech policy at the G20 Summit