Since 16th July 2020, when the European Court of Justice (EUCJ) delivered its ruling in the Schrems II case and invalidated the US Privacy Shield, there has been a crisis in the data processing industry worldwide. The principles on which the EUCJ invalidated the Privacy Shield apply equally to countries like India; hence if personal data from the EU could not be transferred to the US, it became equally difficult for data to flow into India, whether directly from the EU or through the US.
Subsequently, on 23rd July 2020, the EDPB (European Data Protection Board) published a set of FAQs on the judgement which reiterated that personal data cannot be transferred from the EU to the US or any other third country unless the requirements of Article 46 (appropriate safeguards) or Article 49 (derogations for specific situations) of the GDPR are satisfied.
On 10th November 2020, the EDPB adopted two recommendations related to the Schrems II judgement, as guidelines on how the industry can comply with its requirements.
The first document sets out measures that supplement the transfer tools provided under the GDPR. The second sets out the European Essential Guarantees for surveillance measures.
We need to explore whether these documents suggest any workable solution for Indian data processors who are processing, or intend to process, EU GDPR data.
Some of the essential aspects of these documents are as follows:
Recommendations 01/2020 on measures that supplement transfer tools
The Schrems II order mandates that the protection granted to personal data in the EEA must travel with the data wherever it goes. In other words, when data is sent out of the EU region and continues to be processed in other countries, the level of protection for the privacy rights of EU data subjects should be essentially equivalent to that available within the EU.
The US Privacy Shield was rejected because the Ombudsperson who was supposed to provide EU data subjects with redress was an appointee of the executive with no power to adopt decisions binding on the intelligence agencies, and not an independent judicial authority. Secondly, it was held that US surveillance programmes were not limited to what is strictly necessary and proportionate, so the data was not insulated from access by intelligence agencies.
In the light of these findings, the US Privacy Shield was rejected as an instrument of “Adequacy”. On the other hand, the ruling held that Standard Contractual Clauses (SCC) can continue to be one of the acceptable instruments under which a Data Exporter in the EU can transfer GDPR data out of the EU, provided the exporter verifies, case by case, that the clauses can actually be complied with in the destination country.
While the SCC would be available as a transfer tool under Article 46 for regular or repetitive transfers, the derogations under Article 49, which include the explicit consent of the data subject, are meant only for occasional, non-repetitive transfers.
The guidelines of November 10, 2020 suggest a six step process to be followed by the Data Exporter before relying on the SCC, which may need to be supplemented by additional measures.
Step 1: The Data Exporter should know its transfers: where the data is going, and whether the data transferred is adequate, relevant and limited to what is necessary.
Step 2: The Data Exporter should identify the transfer tool being relied on: one of the Article 46 tools, namely a legally binding and enforceable instrument between public authorities (e.g. a bilateral treaty type document), SCC, Binding Corporate Rules, etc., or an applicable derogation under Article 49.
Step 3: The Data Exporter should assess whether any law or practice in the destination country may impinge on the effectiveness of the appropriate safeguards being relied on.
Step 4: The Data Exporter should identify and adopt such supplementary measures as are necessary to bring the level of protection of the transferred data up to the EU standard.
Step 5: The Data Exporter should take such formal procedural steps as may be required to adopt the supplementary measures.
Step 6: The Data Exporter should re-evaluate the level of protection at appropriate intervals.
Recommendations 02/2020 on the European Essential Guarantees for surveillance measures
Additionally, the EDPB guidelines set out four guarantees that the surveillance regime in the destination country must meet for it to be considered acceptable from the EU standpoint:
- Processing should be based on clear, precise and accessible rules
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- An independent oversight mechanism should exist
- Effective remedies need to be available to the individual
Therefore, if Indian data importers want to continue their data processing contracts, they need to satisfy the Data Exporter on the above guarantees and go through the six steps of evaluation. The findings should be documented as a “Due Diligence” record.
As regards the situation in India, if a company is processing EU data and an EU data subject has to exercise the rights of access, correction, portability and deletion (the right to be forgotten), Indian laws should fall within the acceptable parameters set by the EUCJ.
In India, Section 69 of ITA 2000 is one law that supplements the Indian Telegraph Act and provides interception and surveillance powers. When the PDPA is enacted, Sections 35 and 36 of the Act will provide exemptions from the Act for law enforcement agencies.
However, under Section 37 of the PDPA of India (as per the current Bill), any processing of personal data of foreigners not within India can be notified by the Central Government as exempt from the PDPA. Hopefully every Indian company engaged in processing personal data from the EU will use this provision.
But Section 69 of ITA 2000 and the Indian Telegraph Act, as well as some other sectoral regulations, may have jurisdiction over all the data processing activities of a company, covering both local and foreign data. In such cases, the possibility of surveillance could be raised as a point of dispute by EU agencies.
It is in this context that a great disservice has been done by the Maharashtra Government and the Mumbai Police through their persistent harassment of Republic TV, which required Supreme Court intervention for what appeared to be a clear violation of human rights. The political system failed to bring a quick end to the problem, and the judiciary took an unreasonably long time to resolve the issue. The lower courts, including the Bombay High Court, did not appear to have covered themselves with glory, and it was only the Supreme Court that came to the rescue of the human rights principles involved.
What this incident indicates is that if a company in Maharashtra is processing personal data from the EU and falls into the bad books of the local police supported by the local Government, there could be various forms of harassment, including seizure of data centers, arrest of data center employees, etc., which could halt the company’s operations.
Though one can argue that such action is illegal, the local police have proved that they are supreme and can even manipulate witnesses and evidence to carry their mission through. It is not possible in every case for the Supreme Court to come to the rescue of the company.
Hence the risk of surveillance by the local administration is a risk that every company functioning in the state of Maharashtra has to bear. Any true professional conducting a due diligence in India on a company in Maharashtra cannot therefore give a clean chit that the company is immune to a “Republic Attack”. Hence it is near impossible for Data Importers in Mumbai or Pune to convince their business partners in the EU region that they will meet the standards on surveillance set out in the November 10th document.
Sitting in a faraway place, it is possible for Data Exporters to conclude that what happened in Mumbai is a reflection of the situation in India as a whole, and if this perception is not removed, the data processing business in India will be permanently affected. NASSCOM needs to give a thought to that possibility.
Naavi has been suggesting to the Karnataka Government that it initiate certain measures to counter such a perception, to say “Bengaluru is not Mumbai” and “Data processing regulation in Bengaluru is compliant with international expectations”. If the Government implements some of these suggestions, it may be possible for IT companies to shift their data processing activities from centers in Maharashtra to somewhere in Karnataka.
Hopefully the Government of Karnataka will come up with appropriate strategies in this regard.