On May 6, 2025, India and the UK concluded talks on a comprehensive free trade agreement (FTA), after years of negotiations. The binding and enforceable agreement implements a package of measures, aimed in particular at opening the Indian market to UK exports.

A key chapter in the FTA concerns ‘digital trade’, which contains several provisions that are significant to the regulation of the digital ecosystem in India. Of particular interest are provisions on non-discrimination, data flows, access to source code, and electronic authentication. The primary beneficiaries of these provisions are likely to be foreign technology companies, who will be eager to use the new FTA to try and limit attempts by the government at regulating the digital ecosystem in India.

A key chapter in the FTA concerns ‘digital trade’, which contains several provisions that are significant to the regulation of the digital ecosystem in India.

This article examines some of the more problematic provisions in the FTA and explains why India may be better off avoiding such international agreements.

Non-discrimination

The FTA is to contain a provision that requires non-discriminatory application of competition law. While such a provision may appear desirable, given that non-discrimination–the principle demanding similar regulatory treatment for similar products/services from different countries–is a key principle of international trade law, such provisions are increasingly being used to challenge attempts at promoting competition in the digital ecosystem.

It is common knowledge that many sectors in the digital economy are dominated by Big Tech companies, prompting governments around the world to implement a range of pro-competition measures to protect consumers and small businesses alike from the various harms caused by abuse of dominance. For instance, the EU’s Digital Markets Act (DMA) designates certain dominant companies as ‘gatekeepers’ and imposes pro-competition obligations on them. Korea has sought to implement a law to open up app stores to competition. Similarly, a number of countries, including Japan and Germany, have implemented legislation to promote greater competition in the digital economy, while a number of others (such as Brazil) are considering similar interventions.

However, Big Tech companies have argued that attempts to create a level playing field in the digital ecosystem are targeted at companies from specific countries and, therefore, are discriminatory. Of course, this ignores the fact that Big Tech companies from certain countries do, in fact, dominate several digital markets; therefore, any remedies would naturally apply to them. Other domestic policies facing challenge on the basis of purported discrimination include Canada’s application of digital services taxes to large platforms and attempts by Canada and Australia to impose revenue-sharing arrangements between large platforms and local news providers.

India’s efforts to promote competition in the digital economy–for instance, a proposed DMA-like law that seeks to apply ex-ante competition obligations to dominant platforms–could therefore be subject to legal challenge under the FTA (should Big Tech companies based out of the UK be the subject of ex-ante measures). Notably, industry groups, such as the Computer and Communication Industry Association, have written to the Trump administration seeking the imposition of ‘reciprocal tariffs’ against India in view of India’s proposed pro-digital competition regulations. A “non-discrimination” clause in the FTA will allow these companies to raise mischievous disputes, solely to frustrate the application of Indian competition law to dominant entities engaged in anti-competitive and anti-consumer activities.

A “non-discrimination” clause in the FTA will allow these companies to raise mischievous disputes, solely to frustrate the application of Indian competition law to dominant entities engaged in anti-competitive and anti-consumer activities.

We may also see challenges to pro-competition measures taken in the context of digital public infrastructures, such as the proposed cap on market share of UPI transactions, where it will likely be claimed that such measures are implemented in a ‘discriminatory’ attempt to restrict foreign companies from enhancing their market shares in India. In comments to the US Trade Representative pertaining to the imposition of ‘reciprocal tariffs’ by the United States, the Coalition of Service Industries, an industry group including Visa and Mastercard, has already sought imposition of retaliatory measures against both India and Brazil due to purported preferencing of domestic payments systems (UPI and Pix respectively) over American owned payment alternatives.

Data flows

The FTA will include rules on cross-border data flows and location of computing/data facilities, under which the UK will get similar treatment to any other cross-border data flow deals agreed to by India. While this provision does not commit India to enable completely unrestricted flows of data between the two jurisdictions, it is nonetheless problematic.

There are many legitimate reasons why a country may want to restrict cross-border data transfers or require domestic storage/processing of certain categories of data.

There are many legitimate reasons why a country may want to restrict cross-border data transfers or require domestic storage/processing of certain categories of data. For instance, restrictions may seek to ensure effective application and enforcement of the country’s data protection and cybersecurity laws. Regulatory authorities may also require access to data to carry out their administrative and law enforcement functions. In addition, requiring domestic storage of data may serve broader economic and strategic goals of building a mature domestic ecosystem for data and AI.

India’s digital governance frameworks reflect these justifications. Under its Digital Personal Data Protection Act, 2023 (DPDPA), the government can impose restrictions on outward data transfers to countries that it may notify. The proposed rules under the DPDPA envisage further restrictions–allowing the government to specify conditions for outward transfers of personal data, and requiring entities notified as ‘significant data fiduciaries’ to localize certain classes of personal data. The DPDPA also reserves space for sectoral regulations that require localization of certain categories of data–such as the Reserve Bank of India (RBI) directives on payments data (introduced in 2018) and the insurance regulator’s requirements for domestic retention of policyholder records.

To date, India has steadfastly sought to protect its ability to regulate cross-border data flows. In international fora, it has resisted initiatives such as the Joint Statement Initiative on E-Commerce, a controversial initiative launched at the World Trade Organisation in 2017, which originally included commitments to liberalize cross-border data flows. Further, it has not undertaken any such binding commitments under its existing FTAs.

The provision under the India-UK does not restrict India from regulating cross-border data flows or requiring data localization. However, India is currently negotiating FTAs with the EU and the US, where both have sought commitments against restrictions on cross-border data flows. The negotiations with the US are especially relevant, given the backdrop of the US’s threat to impose so-called ‘reciprocal tariffs’ on India in view of the supposed non-tariff barriers implemented by India. In the face of such pressure, if India were to commit to liberalize data flows in favour of the US, the India-UK FTA would provide an avenue for the UK to demand similar treatment.

In the face of such pressure, if India were to commit to liberalize data flows in favour of the US, the India-UK FTA would provide an avenue for the UK to demand similar treatment.

The terms of the FTA could effectively require India to provide the UK with favourable terms pertaining to cross-border data transfers, divorced from any factual analysis of the UK’s ability or intent to protect Indian data. For instance, if the UK were to significantly weaken its domestic data protection law, as is feared with the passage of a new data protection law, or enter into ‘free flow of data’ agreements with countries with limited privacy protections (such as the US, with whom the UK recently announced a trade deal, that is expected to include an “ambitious set of digital trade provisions”), India may be hamstrung in its ability to impose restrictions on outward data transfers to the UK without breaching the India-UK FTA. Besides, the UK has already signed a number of trade agreements that seek to liberalize cross-border data flows, including the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), the UK-Ukraine Digital Trade Agreement, and the UK-Japan Comprehensive Economic Partnership Agreement. Indian data transferred to the UK, may therefore not remain in the UK under the terms of these agreements.

This raises a dilemma that countries such as Japan are already facing. In 2019, Japan was one of the first countries in the world to be the subject of an ‘adequacy decision’ under the EU’s General Data Protection Regulation. This is a finding from the EU executive that Japan offers a sufficiently high data protection standard. This decision permits relatively free flows of data between the two jurisdictions. Subsequently, Japan and the US entered into a digital trade agreement, which sought to enable free data flows between the two countries. The US is not the subject of an adequacy decision from the EU. However, the US-Japan agreement will enable European data to be transferred to the US, possibly frustrating the privacy rights of Europeans, and putting Japan in a position where it has to choose between upholding one of two international commitments.

The unrestricted transfer of Indian data to jurisdictions such as the US could not only expose Indians to privacy threats but also cause broader security problems, as demonstrated by the Cambridge Analytica incident.

Were a similar situation to develop in the India-UK context, this would provide a route for Big Tech companies to shift data to multiple locations, thereby possibly evading data protection obligations imposed by Indian (or even UK) law. Keep in mind that enforcing a privacy claim in a foreign jurisdiction can be exceedingly difficult, added to which Big Tech companies don’t have a particularly good record of privacy-related practices. The unrestricted transfer of Indian data to jurisdictions such as the US could not only expose Indians to privacy threats but also cause broader security problems, as demonstrated by the Cambridge Analytica incident.

Access to source code:

The FTA will include a provision that prohibits the Indian government, regulators, or independent third parties from accessing source code as a precondition to market access. This means that Indian regulators will be unable to independently verify that a particular piece of software, including those used in proprietary AI systems, is fit for purpose before being marketed to the public in India.

Software, including AI, can be programmed to serve illicit purposes or can have unintended consequences. We are only just becoming aware of the many dangers that unregulated development of AI systems can pose, which may range from replicating and exacerbating discrimination or biases to expropriating and misusing confidential data. Ensuring that a particular software acts within acceptable legal and ethical bounds is essential to prevent harms ranging from a loss of life and property to illegal surveillance and discrimination. Opening up the ‘black box’ behind AI systems is essential to prevent such harms from taking place.

Keep in mind that it is not unheard of for companies to fiddle with their software to short-change consumers. For instance, the Volkswagen emission scandal–where the car manufacturer fiddled with algorithms to make it appear that their cars were complying with pollution-related norms–clearly indicates the dangers of marketing unvetted software to the public.

Scrutiny of source code is all the more important given that imported AI systems may be trained on data of unknown provenance, thereby containing errors or biases that may make such systems unsuitable for use in the Indian context.

Scrutiny of source code is all the more important given that imported AI systems may be trained on data of unknown provenance, thereby containing errors or biases that may make such systems unsuitable for use in the Indian context. For instance, research indicates that facial recognition tools are more likely to make errors when it comes to darker faces. Allowing such AI tools to be imported and implemented in India, without appropriate scrutiny, could therefore be problematic.

India is clearly well aware of the dangers that could be posed through the use of unverified software and hardware. Accordingly, it implements certain source code disclosure norms in the context of the import of equipment used in telecom networks under the Indian Telecom Security Assurance Requirements. India’s National Strategy for AI, 2018, also highlights the importance of transparency and accountability of AI systems. It recognizes that the design and function of AI systems should be recorded and made available for scrutiny and audit, to the extent possible, to ensure that deployment of a system is fair, honest, impartial, and guarantees accountability.

Attempts at imposing requirements to vet an imported AI system (for security, data protection, bias, or other concerns) through scrutiny of its source code, could be challenged under the FTA.

Further, the case for inclusion of such a provision–that intellectual property of foreign firms could be stolen if disclosed to Indian authorities–appears far from convincing.

Further, the case for inclusion of such a provision–that intellectual property (IP) of foreign firms could be stolen if disclosed to Indian authorities–appears far from convincing. First, there does not appear to be any concrete evidence indicating that Indian tech companies indulge in large-scale theft of foreign IP. Second, regulations could be designed to impose secrecy obligations on any public authority that seeks access to source code for the purposes of regulatory scrutiny.

On balance, a provision that could significantly hamper scrutiny of AI systems, thereby possibly causing irreparable harm to the public, appears unwise. As software, and in particular AI, is intertwined into more and more sectors of our economy, directly affecting significant rights and interests of individuals and communities, it is vital that India retains the ability to scrutinize imported software products, and in particular AI systems, to prevent downstream harm ex-ante. Attempting to remedy significant harms (including diffused harms or those that may occur in the future) post-facto would appear to be a poor regulatory choice.

Legal recognition of electronic contracts and electronic authentication

The FTA will contain a provision on the legal recognition of electronic contracts and electronic authentication. This provision seeks to ensure that electronically authenticated transactions/contracts have the same legal validity as those executed on paper. Crucially, however, the provision also restricts governments from regulating authentication measures for electronic transactions between private parties. In effect, therefore, this provision curtails the regulatory capacity of the government to intervene in the security, verification, and transparency of electronic contracts and transactions.

In effect, therefore, this provision curtails the regulatory capacity of the government to intervene in the security, verification, and transparency of electronic contracts and transactions.

This has a twofold consequence of firstly running afoul of regulations and guidelines already in place in India, as well as locking in regulatory restrictions on a fast-evolving field where additional safeguards are likely to be required in the future.

Indian law requires a range of contracts (such as works contracts, leases, sale deeds, conveyances, etc.) to be executed on paper, registered, and subject to stamp duty. This is because these documents create or transfer legal rights, and these requirements ensure certainty of title, validity of rights, and admissibility in courts. These will have to be revised if solely electronic authentication is permitted. Besides possibly creating uncertainty of legal rights, the bypassing of stamp duty and registration charges through electronic measures erodes a crucial base of revenue for the Indian state–it is estimated that stamp duty is the third or fourth highest source of revenue for state governments (after state GST and excise taxes).

The financial sector is a domain in which security is essential, and governments have an interest in ensuring the safety and integrity of online transactions and by extension, in governing electronic authentication measures.

The financial sector is a domain in which security is essential, and governments have an interest in ensuring the safety and integrity of online transactions and by extension, in governing electronic authentication measures. The RBI has introduced a draft ‘Framework on Alternative Authentication Mechanisms for Digital Payment Transactions’, which requires an additional authentication factor (primarily SMS-delivered One Time Passwords) to secure digital payments in India. However, under the terms of the UK-India FTA, two-factor/additional factor authentication measures could be seen as an undue infringement on the freedom of electronic transactions. Similar standards, adopted by the Pension Fund Regulatory and Development Authority, as well as social security disbursements using Aadhaar authentication, are likely to be imperiled by this provision.

Each of these measures has been enacted as private entities cannot always be trusted to ensure the interests of users are protected. The need for fraud prevention is particularly evident in India, where cyber fraud incidents have surged, causing a loss of INR 32.07 billion in 5,82,000 cases between FY2020 and FY2024, as per the RBI. Such measures can now be challenged under the UK-India FTA, compromising the ability of the Indian government to ensure the security of the domestic digital ecosystem and the interests of the Indian consumer.

Transparency and due process

A final concern raised by the negotiation of the FTA concerns the lack of transparency around the negotiations. The Indian government (unlike the UK government) has not published any information on the expected benefits of the agreement. It has also not conducted any public consultations around the proposed FTA, and it is also unclear if Parliament has been apprised of its details. Soliciting public comments as well as Parliamentary scrutiny should be considered essential when entering into an agreement that creates enforceable rights and obligations that are likely to affect the lives of millions of Indians. Several countries–Canada, the UK, Australia, the US, etc. –conduct some degree of public consultations with respect to proposed trade agreements (many also require Congressional/Parliamentary approval). Carrying out public consultations provides much-needed context to trade negotiators, who may not always be experts in the various subjects covered under a trade deal. It is concerning that even now, despite the supposed finalization of the agreement, the text of the FTA is unavailable for public scrutiny and comment. It is a longstanding demand from many civil society actors, both in India and abroad, that trade agreement proposals and consolidated texts be made available to the public while there is still an opportunity to influence the outcome of the negotiation.

Conclusion

Over the last decade, Big Tech companies have been increasingly using digital trade agreements as a method to limit the sovereign ability of States to regulate their activities in public interest. Crucially, unlike many other aspects of international law, trade agreements create binding and enforceable commitments.

So far, the Indian government has generally resisted attempts to force it to sign up to trade agreements that would limit how it can implement measures to grow and regulate its digital economy. However, the UK-India FTA represents backsliding on this score.

So far, the Indian government has generally resisted attempts to force it to sign up to trade agreements that would limit how it can implement measures to grow and regulate its digital economy. However, the UK-India FTA represents backsliding on this score. A number of provisions could limit the ability of the Indian state to implement essential public interest regulation, for instance, pertaining to scrutiny of AI systems, the privacy of personal data, or adopting pro-competition measures in the context of the digital ecosystem. While the nature and scope of such measures can and should be subject to debate, signing up to an international agreement that restricts the ability to regulate a fast-changing digital ecosystem appears unwise.

This becomes even more worrying given that the Indian government is currently in the process of negotiating a trade deal with the United States which is likely to request similar or even more unfavorable provisions (from a digital sovereignty perspective). Even with the threat of ‘reciprocal tariffs’ hanging over the head of the Indian delegation, the Indian government should stand firm against Big Tech’s long list of complaints against the regulation of the digital economy and not offer concessions that compromize its ability to impose public interest regulation.

Even with the threat of ‘reciprocal tariffs’ hanging over the head of the Indian delegation, the Indian government should stand firm against Big Tech’s long list of complaints against the regulation of the digital economy and not offer concessions that compromize its ability to impose public interest regulation.

Rather than enter into trade agreements that significantly limit the ability of the Indian state to implement essential public interest regulation in the digital ecosystem, the government should ensure that such deals focus on creating essential and enforceable consumer protection rights, which would build trust in the digital economy, thereby helping it grow.