Consequent to the EU Court’s decision to reject the US Privacy Shield, EU has expressed its lack of confidence in the US state to monitor the Privacy Shield without adversely affecting the Privacy rights of the EU Citizens. It has also failed to let the US Government to specify the checks and balances that it wants to establish to protect the Privacy rights of EU citizens in good faith and enter into a negotiation on the due process.
Instead the EU Court has objected to the powers of the US intelligence agencies to demand personal data from the US based Data Controllers or Data Processors having access to EU data subject’s personal data. As a result even if the US authorities want the data in connection with the national security requirements, it would be considered unacceptable. The appointment of the Privacy Shield Ombudsperson and his/her reporting to the Secretary of State is also not acceptable to EU.
It is ironic that in June 2019 when Ms Keith Krach was confirmed by the US Senate to become the first Permanent Privacy Shield Ombudsperson, the EUDB had praised the appointment.
But the decision of the EU Court now means that this appointment cannot be trusted to protect the EU Citizen’s privacy. In Other Words the Court is suggesting that the Privacy of the EU Citizen supersedes the power of the US President and the Senate and the responsibilities they can be trusted with.
It appears that the EU Court has by this decision gone beyond its jurisdictional limits and expressing a view on a sovereign foreign Government and its functioning. It is expressing a distrust on the Government machinery that has to be trusted by the whole world for holding the nuclear button.
This decision means that EU businesses need to abide by this ruling and enforce the Standard Contractual Clauses.
I am reminded by the recent Chinese Law on Hong Kong which is reported to also state that “China has a power to prosecute Non Hong Kong Citizens”. Just as China is using the Hong Kong as an excuse to establish its extra territorial jurisdiction, EU Court is trying to establish its hegemony over non EU sovereign states.
There is a need for other Governments including India to wake up to this development and protect its own rights.
In the light of this development, it is most unlikely that the Indian DPA will ever be acceptable to the EU and the “Adequacy” status for India under GDPR is out of question.
Standard Contractual Clauses are equally problematic
In the coming days therefore we will focus more on the Standard Contractual Clauses (SCC).
We shall therefore look at some of the provisions of the SCC which to my mind appear objectionable.
Following is the extract from one of the recommended SCC documents meant for transfer of personal data to data processors. (This is a 2010 document which EU has not been able to update to GDPR but has accepted as also applicable under GDPR)
- Data Subject can enforce rights against the Data Importer
The Data Subject in this context is a EU citizen and the Data Importer is a company or Individual who is a citizen subject to the laws of the third country like India or US which are sovereign countries.
The SCC says
“The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.”
This means that when there is a default (read as fraudulent disappearance) by the EU’s Data Controller, the responsibility and liability shifts to the citizen of the third country.
Obligations of the Data Importer
The obligations mentioned here as Clause 5(a) to (e) and (g) include not only the obligation to maintain technical and organisational security measures, but also cover data breach notifications, rights of access, disclosure of sub processing contracts, disclosure to law enforcement authorities etc.
It also provides an acceptance that the EU Data Subject can bring a claim of compensation in the EU Country’s jurisdiction under the laws governing in that country. This also has to be extended to the sub processors.
It is clear that these SCC provisions donot respect the fact that the data importer is a citizen of another country and is bound to comply with the laws of that country. He does not have a right to abdicate his responsibility to the local Government and Constitution through a business contract though the economic power of the data exporter may force the data importer to sign on the dotted line and use his own economic power to make his sub processors also sign on the dotted line.
These contracts cannot be considered as contracts entered into through “Free Will”.
The Indian PDPA as envisaged under the current Bill, has one provision that tries to keep the processing of personal data of foreign citizens under a data processing contract separate from the obligations of the Indian law (Section 37).
It appears that Section 37 of the Indian PDPB is reminding EU that it is perhaps presuming that EU can lord over the world through the GDPR.
When India was discussing the framing of its laws and Justice Srikrishna committee visited Bangalore, the undersigned had raised the need for Indian law to protect the interests of Indian companies from the unreasonable demands of the GDPR like laws.
These were discussed in this article ” Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights”.
Out of these suggestions, the suggestion of “Data Trust” was adopted in the concept of “Consent manager” under PDPB and may also be used in the Non Personal data governance suggested by the Kris Gopalakrishna Committee report.
The other two ideas namely the Jurisdictional Umbrella and Reciprocal Enforcement Rights have not yet been included in our law and assume more relevance now after seeing the attitude of the EU Court in respect of the Privacy Shield.
I had suggested
“….However, when it comes to enforcement of the rights of any foreign agency including private citizens as well as GDPR authorities or even the Contractual beneficiaries aborad, on any Indian Citizen or Indian Data Controller or Data Processor, it should be mandatory that the dispute is resolved only with the involvement of the Indian Data Protection Authority.
Indian Data Protection Authority shall be the sole adjudicating authority for all disputes in which an Indian Citizen or an Indian Corporate or an Indian Government agency is a party.“
It had also been suggestted that
” Recognition of any data protection law of any country outside India shall be only on a reciprocal basis where equal rights are available from the other country which may include
a) Enforcement of the privacy rights of an Indian Citizen or a Company in the foreign jurisdiction
b) Enforcement of penalty of any description on an Indian Citizen or a Company vis a vis similar rights for the Indian companies or individuals on the foreign citizens and companies. “
I wish the JPC on Personal Data Protection Bill will keep these suggestions in mind so that the DPA is given enough powers to ensure that India can enforce its Data Protection Law for protection of the Privacy of its citizens in such a manner that EU or any other country using their economic clout donot try to create a “Data Colony” in India.
PS: All opinions expressed at Naavi.org are the personal opinions of Naavi