This article is written by Sneha Mohanty, a student from School of Law, Christ University, Bangalore.

Introduction

India has time and again faced the question of the adequacy of its data protection regime in multiple forums. This issue has cropped up in a multitude of cases. Thus, the conversation with regard to data privacy and data protection in India is not a new one. With the fast track developments in the field of data protection in other countries, India has often been on its toes to advance its data protection laws. The following case should light India’s path in making more advancements with regard to cross border data transfer. 

What is Schrems II?

The Court of Justice in the European Union issued its judgement in the much sought after case, Data Protection Commissioner v. Facebook Ireland Ltd, which gained its popular nickname, Schrems II. This case highlighted the obvious lacunae in the data protection and surveillance regime of the US and invalidated the Privacy Shield altogether. In layman terms, Privacy Shield is the framework set up, designed by the US Department of Commerce for regulation cross border data transfers between the US and EU for commercial purposes only. The objective for the creation of such a framework is to ascertain whether the companies in both the countries exchanging the data match their respective levels of data security and protection of personal information. 

To briefly summarise, this case was preferred by one Maximillian Schrems with regard to his personal data being unduly transferred by Facebook Ireland to Facebook Inc, in the US. The CJEU looked at this case from three major perspectives, namely, the status of Privacy Shield, the validity of Standard Clauses of Contract (SCC) and the existence of a Data Protection Authority or a Tribunal to exclusively look into this matter. As logic would dictate, the US failed all the three aforementioned aspects. The Privacy Shield was totally invalidated, the US did not have an exclusive data protection authority or a tribunal and the SCC’s were to be vetted in a case to case basis and the third country’s data protection regime was to be analysed thoroughly in order to prevent misuse of personal data of the EU citizens. This would leave the US with almost no possible way to transfer data to or from EU without fixing the loopholes pointed out by the CJEU. 

Schrems ii and India 

India has a sizeable amount of business and commercial data exchanges with the countries in EU. The Schrems judgment definitely will have a domino effect over the data protection regimes not only in India, but all the other countries that are directly and indirectly exchanging data with the EU. As of now, India has a handful of laws and rules which provide a basic framework for data protection. However, over the time, there have been several criticisms of the same, anticipating the durability and the coverage of the laws. The data transfer chapter in India is guided by the Information Technology Act, 2000 as of now. This Act was drafted to legally recognise the transactions carried out by way of electronic data interchange. 

Apart from that, there are certain judgments for instance, the Puttaswamy Judgment which recognises the Right to Privacy as a fundamental right, and falling under Article 21 of the Indian Constitution, it is applicable to non citizens at the same time. The Indian judiciary and legislature have from time to time created and interpreted rules and laws in order to suit the newfound complexities connected to data privacy. However, there has been a dire need of a data protection charter which compiles and advances the already existing laws. 

One may deduce that India should be prepared in terms of its data protection regime in case it faces a similar fate as the US. Moreover, there are several lacunae still in the laws of India which can be pointed out with regard to cross border data transfer. This can be better understood when Indian Data Protection regime is analysed side by side the Schrems ii case. 

• Considering the first aspect of the Schrems ii, “Whether India’s data protection regime can match the GDPR?”

One feels that India’s data protection laws are not as advanced, wide encompassing and pragmatic as the GDPR, but there have been some historic, notable instances where India has acknowledged the advancement of such regime. However, this is a warning sign for India to advance its laws and match up with the GDPR and consider taking similar level of security and care of the citizen’s personal data. 

• In accordance with the second aspect, that is the existence of a separate, independent tribunal, India would stand back too. 

Although the Supreme Court of India is built to act independently and impartially, but the 

CJEU stresses upon the country having an independent tribunal which will specifically look into matters relating to data protection. Although the Personal Data Protection Bill, 2019 specifically mentions about establishing such a tribunal and an authority, however, as of now and this date, there exists no such authority. 

•  Highlighting the final aspect, that is the rights and recourse EU citizens will have with regard to their data in the third country, India does have that one aspect covered. 

As mentioned above, India has acknowledged and stressed upon data protection from time to time by highlighting the fact that Right to Privacy falls under Article 21. By this logic, EU citizens have the same right as well, since Article 21 extends to non citizens as well. Here one can ascertain that EU citizens do have a proper set of rights under the Indian Constitution and that can be used as a recourse. 

Conclusion

As already stated above, the Schrems ii is a warning sign and a wake-up call for India to straighten its data protection regime and advance its coverage and implementation. The Schrems judgment will not only affect the US but it will have effects on every other country that deals commercially with the EU. However the SCC’s are still valid, but the CJEU asserted that these will be considered and vetted on a case to case basis, looking at the regime in the host country. Under this aspect, there have to be certain levels of due diligence done before actually getting into a contract with another country’s company. The third country has to build up its regime and make it as advanced and pragmatic as the GDPR in order to cross the hurdle. 

For India, the Schrems judgment along with the GDPR should work as a blueprint for our data protection laws. This will not only allow us to dodge a scenario that the US fell in with EU, but also protect our own subjects and hold their rights as a priority. 

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: