This article is written by Shorya Subhluxmi, pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Smriti Katiyar (Associate, LawSikho).
Table of Contents
In Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems, Case C-311/18 (“Schrems II”), the Court of Justice of the European Union (“CJEU”) invalidated the European Union-United States Privacy Shield (“Privacy Shield”) and upheld the validity of Standard Contractual Clauses (“SCC”). With this judgement, the Privacy Shield can no longer be used to legitimise the transfer of personal data from any European Union (“EU”) member state to the United States of America (“US”) other than in conformity with the applicable data privacy law. Entities transmitting data from the EU to the US will now be required to employ SCCs to secure a continuous data flow. In this article, we examine how this case affects Indian businesses and data transfers from the EU to India.
Indian companies receiving data from the EU have generally relied on SCCs and Binding Corporate Rules (“BCR”) to meet compliance requirements under the GDPR. BCRs are rules that govern an entity or a group of entities and apply to data transfers within the group. However, with India yet to be considered by the EU as having an established legal or regulatory framework that ensures data protection and privacy, existing SCCs and BCRs will have to be revisited to ensure unimpeded flow of data from the EU to India, post-Schrems II. India’s law enforcement apparatus has a wide range of powers that may be exercised in the interest of national security, with such powers being recognised by the Courts as an exception to the fundamental right to privacy. Much like in the US, if law enforcement authorities were to approach an Indian company for access to the personal data of EU citizens, the company would generally have to comply- irrespective of any contractual obligations between the company and a data importer/exporter.
Before the introduction of Schrems II
In the beginning of this century, large volumes of data were travelling between the EU and the US and for this, the two countries agreed to follow a set of data privacy standards known as “Safe Harbour” for personal data to be transferred from the EU to the US. Companies regulated by the Federal Trade Commission or the Department of Transportation in the United States were permitted to obtain Safe Harbour certification to acquire personal data from the European Union if proper protections were in place to secure the information.
Max Schrems, an Austrian privacy advocate, filed a complaint against the Irish Data Protection Commissioner in 2015. Mr Schrems claimed that the transmission of his personal data from Facebook Ireland to its parent company in the United States, which was based on the SCCs, did not protect his fundamental rights under EU law, considering the US public authorities’ ability to spy on EU citizens’ personal data without proper supervision or judicial remedies. He suggested that the Irish DPC, not the SCCs in general, should halt those specific transfers. However, the Irish DPC believed that the SCCs are part of a larger problem and should be invalidated in general.
The DPC filed a petition with the Irish High Court, demanding that it send doubts about the SCCs’ legitimacy to the CJEU. This action stems from Mr Schrems’ previous complaint against Facebook (known as Schrems I), which resulted in the invalidation of the Privacy Shield’s predecessor, Safe Harbour.
Following the CJEU’s invalidation of the Safe Harbour principles, the EU and the US resumed negotiations, which resulted in a new agreement known as the “Privacy Shield.” The Privacy Shield kept the Safe Harbour foundations in place but introduced new safeguards focusing on individual rights for EU citizens, stronger regulations for US firms, and constraints on the US government’s access to data. Options for filing data privacy complaints through an Ombudsperson, tighter monitoring of Privacy Shield complying organisations, and tougher reporting duties for companies were among the reforms. The Privacy Shield facilitated the cross-border transfer of large volumes of personal data from the EU to the US by allowing US-based companies to self-certify and publicly commit to compliance with Chapter 5 (five) of the EU General Data Protection Regulation (“GDPR”), which pertains to the transfer of personal data to third countries or international organisations.
The Privacy Shield was declared illegal by the CJEU in Schrems II. The court voiced its displeasure with US intelligence actions in connection to personal data transmitted to the US. Following the repeal of the Privacy Shield, SCCs have gained prominence as one of the few existing avenues for unrestricted cross-border data transmission from the EU to third-party nations, including the United States.
The importance is given to SCCs
The SCCs are a set of EU-recommended standard contractual terms and conditions for data transfers from the EU to non-EU countries, which must be followed by both the data exporter and the data importer. The goal of SCCs is to protect personal data that is transferred from the European Economic Area to territories that are not regarded to provide adequate protection for personal data through contractual commitments that comply with GDPR regulations. The CJEU reviewed the validity of SCCs and discussed the criteria that must be considered when determining whether the level of protection provided by the SCC meets the GDPR’s Article 45 requirement.
Transfer of personal data to a third country or organisation is only permitted under Article 45 of the GDPR. If the European Commission has determined that the third country or organisation can provide an “adequate” level of protection while taking into account a variety of factors such as the rule of law, respect for human rights, national security and criminal law, and access to personal data. The Commission will also look into whether the third country provides effective and enforceable data subject rights, as well as administrative and judicial remedies for data subjects.
In order to compensate for the absence of data protection in a third country, data exporters and importers may now be required to implement additional safeguards under Schrems II to ensure that the degree of protection provided by SCCs is similar to the GDPR. The CJEU concluded that the Commission’s non-exhaustive list of criteria for determining adequacy in Article 45 of the GDPR corresponds to the list of criteria required by the SCCs to be considered by a data exporter when determining whether the degree of security provided by a data importer is sufficient for that specific data transfer to a jurisdiction outside the EU. The exporter must examine the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime of the importer’s nation while evaluating.
Grounds on which adequacy is determined
To determine adequacy, the Commission primarily reviews if the laws of the third country offer the same level of protection for personal data as are provided under the GDPR. Apart from this, a finding of adequacy requires the Commission to analyze a wide range of factors, such as:
- The rule of law, respect for human rights and fundamental freedoms and availability of effective administrative and judicial redress for the data subjects, whose personal data is being transferred;
- The existence of an independent supervisory authority with adequate enforcement powers;
- The international commitments entered into by the third country, particularly relating to the protection of personal data.
India and adequacy
In the past, SCCs have been used by Indian enterprises receiving data from the EU to meet GDPR compliance requirements. However, because India is yet to be deemed by the EU to have an established legal or regulatory framework that safeguards data protection and privacy, existing SCCs would need to be reviewed in order to ensure that data flows freely from the EU to India following Schrems II. In the interest of national security, India’s law enforcement apparatus has a wide variety of capabilities, which have been recognised by the courts as an exception to the fundamental right to privacy.
One can suggest that with the Personal Data Protection Bill being introduced, India has made progress toward building a legal framework for data protection. While the Bill is based on the GDPR, there are major differences between the two data protection regulations. Firstly, the Bill grants India’s Central Government the authority to exempt government entities from the bill’s provisions on the grounds of national security, sovereignty, and public order. While the GDPR contains comparable clauses, they are governed by other EU rules and judicial scrutiny. The Bill lacks such safeguards, and it might possibly grant the Central Government access to personal data outside of the present GDPR framework.
Secondly, the bill gives the government the power to require businesses to divulge whatever “non-personal” data they acquire with the government. While the purpose of such a provision is presumably to improve government service delivery, the regulations are silent on how the data will be utilised, if it will be shared with other private enterprises, or whether the data will be compensated. Given the foregoing, it is unclear that the Bill in its current form will enable India to meet Article 45 of the GDPR’s third-party “adequacy” requirements, making it more vital for data importers to implement SCCs with proper safeguards.
The way forward
Apart from the conventional practice of employing SCCs, the Indian government may work towards obtaining an adequacy determination or establishing a Privacy Shield but that does not seem to be happening in the near future. Till then Indians can refer to the sample SCCs published by the EU for personal data transfers from EU data controllers to non-EU data controllers. The EU had also issued a set of contractual provisions governing data transfers from EU data controllers to non-EU data processors.
Another route to consider is via BCRs, which are codes of conduct that are only used for intra-enterprise transfers, i.e. transfers between businesses that are part of a joint venture. However, the EDPB has stated that enterprises that rely on BCRs must still do a previous evaluation to ensure that the receiving countries’ privacy standards are fundamentally equal to those offered by the European Union. Nonetheless, the relevant data supervisory authority is required to conduct a similar examination before approving the BCRs in question for operation.
The EPDB Recommendations also include examples of supplementary measures that can be implemented to ensure equivalence with the GDPR, such as technical measures that can be implemented based on the circumstances of the data transfer, contractual measures that can be added to complement and reinforce safeguards, transparency obligations that can be annexed to the contract and bind the importer, and other measures that can be added to ensure equivalence with the GDPR. Companies must also examine data flows and consider implementing additional safeguards, all the while meticulously documenting their GDPR compliance activities.
As a result of the Schrems II Decision, European data protection standards may become a global privacy norm. While DPCs across the EU are issuing separate guidelines to assist foreign companies in determining the steps that must be taken to comply with Schrems Decision II, the Indian government must take immediate action to mitigate the immediate effects of the potential destabilisation of the India-EU data transfer network.
- Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC
- Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries. https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX%3A32004D0915
- EPDB Recommendations.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: