Safe Harbor agreement struck down by EU Court. Is there an opportunity for India here?

In a development which has disturbed over 4500 US companies doing business in the EU region as data processors under the “Safe Harbor” agreement, the Court of Justice of the European Union has struck down the 15-year-old agreement for not providing “Adequate Privacy Protection”.

The Safe Harbor agreement was established between the United States Department of Commerce and the European Union (E.U.) in November 2000 to regulate the way that U.S. companies export and handle the personal data (such as names and addresses) of European citizens. The agreement was a policy compromise set up in response to a European directive that differed from the 1998 European Commission Directive on Data Protection, which prohibited data transfer to non-European countries that did not adhere to stringent criteria.

See Reports in Wall Street Journal and Computer World

The agreement had established a framework for a compromise solution between U.S. and E.U. privacy procedures.

In force since 2000, the data framework allowed companies based in the U.S. to store personal data about Europeans on U.S.-based computer servers simply by declaring that they would abide by a series of EU principles, enforced by the U.S. Federal Trade Commission. More than 4000 companies had availed themselves of this simple self-certification process.

The decision of the Court now requires these companies to find alternative means of continuing to process data of European citizens.

One of the alternative means is to enter into a contract along the lines of what is suggested by the EU (See more about Model Contracts here).

The apprehension in EU circles, however, is that any arrangement between the parties may not prevent US Government authorities from having access to the data. Any individual commitment given by the data processing company would not be able to prevent US law enforcement and other Government authorities from seeking the information, whether under a due process of law or by illegal snooping.

The Judgement does not have any direct impact on India, since we are already working under the “Individual Contractual bindings” as well as the statutory commitments under ITA 2008, which include a “Due Process” for interception. However, at present the EU market may not have adequate trust in Indian privacy protection law, particularly since we do not have a “Privacy Act”.

Following the confusion created in the US market, there is now an opportunity available to India which NASSCOM can pursue. Firstly, we need to speed up the passing of the Privacy Bill. Secondly, the Privacy Bill can incorporate a commitment to protect the privacy of any Person (including a citizen of another country) and set a “Due Process” for interception which is “Stringent”. Simultaneously, the “Encryption Policy” should also support the need for Privacy Protection.

If possible, India can also try to enter into a separate Safe Harbor agreement with the EU which addresses the concerns expressed by the Court, and develop its own model contract (which is already inherent under Sec 79 and 43A of ITA 2008) so that Indian data processors can bid for EU data processing contracts.

We look forward to the Government initiating some action on this.

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.