From the 1st of August 2016, the new Privacy Shield regime for EU-US data transfers has come into operation. It replaces the “Safe Harbor” regime that was declared invalid by the Court of Justice of the EU (CJEU) in October 2015.
The Privacy Shield will provide the framework for EU-US personal data transfers from now on and will operate alongside the existing alternatives: BCR (Binding Corporate Rules), SCC (Standard Contractual Clauses of the EU) and CBPR (Cross Border Privacy Rules).
Relevance to Indian IT Companies
These EU-US developments will also apply to data processing that happens in India, either because the customer transferring the data is established in the EU, or because these rules will emerge as general standards of the industry. Hence a general understanding of these principles is essential for Indian companies engaged in data processing activities involving “Personal Data” of non-Indian citizens.
As regards the data of Indian citizens, ITA 2000/8 imposes its own obligations under Section 43A (for sensitive personal information) and Section 72A (for all personal information), besides other provisions that apply to “Data” in general. The key aspect of the Indian law is that it provides legal backing to the contractual agreements between an Indian data processor and the foreign data vendor. Hence, whether they are Privacy Shield obligations or BCR/SCC/CBPR obligations, they all extend to Indian processors and become enforceable under Indian law.
Indian companies therefore have to be fully alert to developments in the EU-US data exchange scenario and follow them in India as best privacy practice, particularly when processing of international data is involved. Since it is impractical to maintain one set of privacy standards for the data of foreign nationals and another for Indian nationals, companies need to adopt the international standards for all personal data, irrespective of whether it pertains to an Indian citizen or a foreign citizen.
This should establish the relevance of the new US-EU Privacy Shield regimes and the other frameworks to the Indian context.
What is Personal Information?
In Indian law, the rules under Section 43A define personal information as:
“any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”
In comparison, “Sensitive Personal Information” is personal information that contains any of the following types of information:
(ii) financial information such as bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) biometric information;
(vii) any detail relating to the above clauses as provided to a body corporate for providing service; and
(viii) any of the information received under the above clauses by a body corporate for processing, stored or processed under lawful contract or otherwise.
In contrast, the EU definition of personal data reads as follows:
“‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”
The EU definition appears broader than the Indian definition, but for practical purposes both can be taken to mean the same.
However, it must be remembered that under European law, data is considered ‘transferred’ when it is either physically transferred to another country (i.e. to be stored in a data centre on that territory) or when a person residing in another country accesses the data from that country. It is therefore an extremely broad concept that may apply even if personal data is technically stored within the EEA.
Hence the EU rules become applicable in all cases where data is actually moved to servers outside the EU, and also where access to the data is provided from outside the EU.
Essence of Privacy Shield
The Privacy Shield principles are not much different from the general principles followed under Safe Harbor; however, there are a few significant differences that we need to take note of, mainly in the enforcement of the provisions.
The intent of Privacy Shield is to transform the oversight system from self-regulating to one that is more responsive and proactive. The certification and annual re-certification process will remain unchanged, but the Department of Commerce will actively monitor compliance through detailed questionnaires, among other things.
Additionally, the FTC will maintain a “wall of shame” for companies that are subject to FTC or court orders in Privacy Shield cases.
Any EU citizen who believes that his or her data has been misused will have several redress possibilities under Privacy Shield. Among them, EU citizens will be able to report complaints directly to their local Data Protection Authorities. Redress mechanisms include established timelines for responses by a subject company. Privacy Shield also creates a new arbitration right for unresolved complaints.
Limitations imposed on US public bodies
There will be clear limitations, safeguards, and oversight mechanisms for access by public authorities for law enforcement and national security purposes. A new redress mechanism will inform a complainant whether an access or surveillance matter has been properly investigated, and either that U.S. law has been followed or that any non-compliance has been remedied.
Steps to Certify
The subject company should first develop and maintain a privacy (or Privacy Shield) policy based on the principles of certification under the EU-U.S. Privacy Shield, which include:
- Choice. The policy will also cover areas where consent, permission, data use limitations or opt-out strategies, and special treatment for “Sensitive Personal Data” are applicable.
- Access, Data Integrity, and Redress. The policy also addresses other areas related to existing processes or controls, if applicable, to meet Access, Data Integrity, and Redress requirements needed to cover a Privacy Shield election.
A Privacy Shield company must maintain adequate and reasonable administrative, technical, and physical safeguards and controls designed to address appropriate security requirements for U.S. and EU applications that capture or process data within the scope of the certification.
Following a review of existing contracts, the contracts with downstream Business Associates must be updated to address the specific Privacy Shield wording requirements.
Staff must be trained so that they are up to date on the Privacy Shield requirements.
Documentation supporting the company’s Privacy Shield certification (e.g., policies and procedures, gap assessment report, and contract addendum) should be prepared/compiled and included in a compliance binder.
Companies that decide to adopt the Privacy Shield must register with the International Trade Administration of the U.S. Department of Commerce and subject themselves to the self-certification process, which involves completing the required questionnaires.
It is presently reported that 200 companies signed up for the process in the first month after registration opened. Others may be weighing the need for registration vis-à-vis their present privacy practices, which may already incorporate other measures such as BCR, SCC or CBPR.
Alternatives to Privacy Shield
BCR, or Binding Corporate Rules, are internal rules adopted by multinational corporate groups which define the group's global policy on international transfers of personal data, within the same corporate group, to entities located in countries which do not provide an adequate level of protection. Once approved under the EU cooperation procedure, BCR provide a sufficient level of protection for companies to obtain authorisation of transfers from national data protection authorities (“DPA”). BCR do not, however, provide a basis for transfers made outside the group.
EU Standard Contractual Clauses
The Council and the European Parliament have given the EU Commission the power to decide that certain standard contractual clauses offer the sufficient safeguards required.
The Commission has so far issued three sets of standard contractual clauses:
- two sets for transfers from data controllers in the EU to data controllers outside the EU/EEA
- one set for transfers from an EU data controller to processors established outside the EU/EEA.
Adoption of these standard clauses could be considered if found suitable.
CBPR (Cross Border Privacy Rules of APEC)
The APEC Cross Border Privacy Rules (CBPR) system helps bridge the differences in privacy rules between countries by providing a single framework for the exchange of personal information among participating economies in the APEC region. There are currently three participating APEC CBPR system economies: USA, Mexico and Japan, with more expected to join soon.
The APEC Electronic Commerce Steering Group (ECSG) and the EU Article 29 Working Party have produced a common referential for the requirements of the APEC CBPR system and the EU Binding Corporate Rules.
Participating companies are required to adhere to the standards established by the APEC CBPR system. All APEC CBPR system certified companies have their privacy policies and practices evaluated by an approved independent third party verifier (known as an “Accountability Agent”). Accountability Agents monitor and enforce companies’ compliance with the APEC CBPR program requirements. In appropriate cases, they are also required to report non-compliance to Privacy Enforcement Authorities.
Mechanisms such as the Privacy Shield, BCR, SCC and CBPR are different framework approaches to managing privacy concerns when data flows from one country to another and the privacy laws of the two countries differ. Some of these frameworks differ in their system of enforcement and grievance redressal. While Privacy Shield is entirely a self-declaration based certification system, CBPR brings in an Accountability Agent to certify in the first place. BCR are meant for intra-group data transfers in multinational companies and may not serve as a comprehensive approach. The SCC framework is a good indicator and needs to be explored while drafting Business Associate contracts where data is transferred to subcontractors.
While these frameworks are essentially for the participating economies, such as EU-USA data transfers or transfers within the CBPR signatories, Indian companies need to recognize the endorsement that ITA 2000/8 gives to these frameworks. They should also recognize the possibility that vendors in the USA, the EU or any other country who transfer data to Indian companies may have incorporated fine-print clauses in the SLAs or Business Associate contracts, and may try to enforce indemnity clauses for any intended or negligent contravention of the privacy obligations.
It is time for companies in India to audit their privacy policies and their implementation status within the company, to ensure that any deviations are within manageable levels.