The EDPB in its clarifications of 23rd July 2020 on the EUCJ ruling invalidating the US Privacy Shield reiterates that
a) There is no grace period in which personal data can be continued to be transferred to EU on the basis of US Privacy shield alone.
b) Transfers now happening would be illegal and should be stopped.
c) Where SCCs are being used, an assessment has to be made on a case to case basis the circumstances surrounding the transfer, and to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If the assessment concludes that appropriate safeguards would not be ensured, the competent Supervisory authority has to be notified.
Since no US Company can afford to accept that it will not allow the national intelligence agencies to access the personal data as per the legal provisions of US, the safeguards expected by the EUCJ cannot be confirmed by any individual data importer. Hence in all cases, a notification has to be sent to the Supervisory authority that they cannot provide assurance of compliance.
If such a notice is given and the processing continues, then the US entities will be facing the possible penalties from the EU supervisory authorities.
The only option therefore is for US companies to withdraw their services from EU. This would mean that Face Book, Google, Twitter etc need to withdraw their services from EU.
Another option is for these agencies to approach the US Court to provide them a blanket cover of immunity from fines under GDPR arising out of their inability to meet the requirements of the EUCJ ruling and the consequent administrative fines.
The Cyber Insurance companies who have provided covers for such fines need to withdraw their cover as it is clear that the US entities are not permitted to continue their data processing activities.
c) Binding Corporate Rules (BCR) will also be invalidated since the observations of the Court also applies since US law will have primacy over this tool.
Again EDPB expects the Data importer to make his own assessment whether or not the data can be trasferred on the basis of BCRs. If the entity is a US based entity, there is no way it can take a stand that it will yield to the requirements of GDPR even when it is in conflict with US laws. Hence US companies will not be able to use BCR.
Where the company is not an US company but has substantial interests in US, the use of BCR for transfer of data for processing into US and not accepting the right of the US intelligence for surveillance requests would attract the risk of being prosecuted under the US law.
In India if any company resists such request of the competent authorities, they can face imprisonment upto 7 years under Section 69 of ITA 2000. Similar provisions would be there in any Cyber Security laws in other countries including US.
d) The “Derogation s” under Article 49 are however available for transfer. Accordingly, “Explicit Consent” is an option available for transfer other than the other exceptions such as medical emergency etc.
Hence one of the best options available for data transfers in the current context is for Data Importers to insist that the Data Exporters have the necessary “Explicit Consent” from the Data Subjects for transfer of personal data. This should be made part of every data processing contract.
e) EDPB clarifies that if as part of derogations, the transfer is to be justified under “necessary for the performance of a contract”, it should be only for occasional transfers.
f) Similarly EDPB clarifies that if the “Public interest” has to be invoked for transfer, it should be based on finding of an important public interest and not based on the organization.
g) EDPB has clarified that the effect of this ruling would not be restricted to EU-US data transfers. The need for SCCs/BCRs to conform to the standard suggested in the judgement applies also to transfers to other countries.
This essentially means that any transfer from EU to India of personal data of EU data subjects under GDPR would require an SCC/BCR confirming that “Indian intelligence agency shall not have a right to demand access to information”.
This clause would be ultravires the ITA 2000 in particular and hence would be “Instigating” and Indian Company to “Reject a law of the Indian Parliament” for the incentive of the data processing contract.
I would like the MeitY to examine this point and confirm if they are ready to ignore the provisions of Sections 69, 69A, 69B and 70B of ITA 2000 when an Indian Company wants to get the data processing contract.
NASSCOM needs to examine this issue independently and advise all its members not to enter into any contractual clauses that compromise the sovereignty of the Indian Government.
NASSCOM should consider suggestion of the adoption of the “Disclaimer clause” suggested in the previous article which we reproduce here..to be added to all contracts…
“Not withstanding anything contained above, the Data Exporter recognizes that the Data Importer is subject to the jurisdiction of the laws of the Data Importer’s country and is required to abide by the provisions of such law, in particular to the context referred to under Article 23 of GDPR in the context”
NASSCOM or any other party may also move the Supreme Court for a ruling in this regard which pre-empts any Supervisory authority of EU in imposing fines on Indian entities on the basis of any contract which requires an Indian Citizen/Company to disrespect and refuse the authority of the Indian Government.
MHA needs to take special note of this and take steps in this regard.
Foundation of Data Protection Professionals in India (FDPPI) is organizing a webinar on Sunday the 2nd August 2020 to discuss the implications of the EUCJ ruling on Indian data processing industry. Those interested in joining the webinar may send an email to firstname.lastname@example.org.
Articles in this series