Notes From a Foreign Field: The Impact of Schrems-II [Guest Post]

[This is a guest post by Rohit Gupta.]


On July 16, 2020, the Court of Justice of the European Union (‘CJEU’) passed a landmark judgement in Data Protection Commission v. Facebook Ireland, Maximillian Schrems (‘Schrems II Decision’). The Schrems II Decision produced shockwaves for the practice of commercial transnational data transfers of personal data originating from the European Union (‘EU’) and being transmitted to a non-EU country, such as India. Under the EU data protection regime, data transfers are conducted pursuant to the European Union General Data Protection Regulation (‘GDPR’), in conjunction with the Charter of Fundamental Rights of the European Union (‘Charter’) and several other directives and regulations. Chapter V of the GDPR allows for transfers of data outside the EU through three different modes, provided that the receiving countries are determined to provide adequate privacy protections for the same. First, an adequacy decision may be passed by the Data Protection Commission as to the existence of adequate privacy protection within the domestic legal framework of the receiving country. Second, an agreement may be entered into to provide adequate safeguards, accompanied by enforceable data subject rights and effective legal remedies for data subjects. Such agreements may take place between two public authorities, such as in the case of the EU-US Safe Harbour or Privacy Shield, or between the sending and receiving data processors, such as in the case of Standard Contract Clauses (‘SCCs’), or between affiliated companies within a single commercial enterprise, such as in the case of Binding Corporate Rules (‘BCRs’). Third, derogations, or exceptions, to the requirement of either one of the above may be availed in specific circumstances.

While the Schrems II Decision proceeds on the lines of evaluating the privacy protection of mechanisms used by companies incorporated in the United States of America (‘US’) to transmit data from the EU, this blog will translate the broader implications of the judgment, specifically in the context of India and its privacy regime, or a lack thereof.

The Schrems II Judgment

In 2012, Maximillian Schrems (‘Schrems’), an Austrian national, raised concerns regarding the transnational data transfer practices of Facebook under the Data Protection Directive 95/46/EC, the predecessor to the GDPR. However, the Irish Data Protection Commissioner (‘DPC’), the Irish supervisory authority for data protection, rejected the complaint on the basis of the European Commission’s Decision 2010/87, which upheld the validity of the EU-US Safe Harbour. Subsequently, the CJEU, in the Schrems I Decision, concluded that the standard of data protection afforded by the United States was not “essentially equivalent” to that afforded within the European Union. Hence, the Safe Harbour Decision was annulled.

A second complaint was formulated by Schrems on the claim that the use of SCCs by Facebook was invalid since the latter was obligated to allow the United States Government to access the foreign personal data collected through these agreements. The complaint also impugned the EU-US Privacy Shield. While the European Commission had affirmed the validity of both the aforementioned mechanisms in Decision 2000/520 and Decision 2016/1250 respectively, the complaint was referred to the CJEU by the Irish High Court for a final determination.

The CJEU, in the Schrems II Decision, reached three crucial findings regarding the transnational transfer of personal data from the European Union:

A. The CJEU Confirms Extra-Territorial Application of GDPR for EU-Citizens’ Data

First, it held that the GDPR would remain applicable to personal data that has been transferred out of the European Union by one economic operator, or body corporate, to another for any commercial purpose, regardless of whether such data may be processed by the governmental authorities of the latter for the purposes of public security, defence and State security.

B. SCCs to Hold Validity Only if Underlying Framework Provides GDPR-Esque Data Protection

Second, it affirmed the validity of SCCs, provided that the level of data protection must be of a standard which is “essentially equivalent” to that guaranteed under the GDPR, read with the Charter. To this effect, the CJEU mandated the use of “other clauses or additional safeguards” in circumstances where the SCC itself failed to secure adequate levels of protection. These may cover, for example, the issue of law enforcement and access of personal data by government agencies. Additionally, respective Data Protection Authorities were under the obligation to suspend or prohibit data transfer to any third country wherein the aforementioned privacy safeguards, and alternative methods to achieve the same, were absent.

C. EU-US Privacy Shield Invalidated for Lack of Safeguard Against Government-Sanctioned Surveillance

Third, it invalidated the EU-US Privacy Shield on the grounds that (1) the United States surveillance regime, based on Section 702 of the Foreign Intelligence Surveillance Act, 1978 and Executive Order 12333 (1981), assumes primacy of national interest and law enforcement over the fundamental right to privacy by allowing the sanctioning of surveillance with no apparent limitation, violating the principles of proportionality in so far as the same is not restricted by the requirement of necessity, (2) the United States does not provide foreign data subjects with an actionable right against the Government for privacy breaches, under the Presidential Privacy Directive 28 (2014) and Executive Order 12333 (1981), and (3) the United States legislative framework is inadequate in ensuring the independence of the judicial ombudsman, an authority established by the EU-US Privacy Shield and an undersecretary of state, and the requisite authority of the body to deliver binding judgments upon US intelligence services.

Implications for India: An Analysis in light of the Personal Data Protection Bill, 2019

According to Article 45 of the GDPR, the relevant inquiry into an adequacy decision involves an assessment of the rules and regulations applicable to data controllers and processors within a country. This also includes an analysis of the accompanying safeguards limiting the governmental access to foreign personal data. Per the Schrems II Decision, a like analysis would now be required for the operation of other modes of data transfer, such as Privacy Shields, SCCs, or BCRs. The recognition of the fundamental right to privacy in K.S. Puttaswamy v. Union of India (‘Puttaswamy Decision’) inducted principles of proportionality from Article 8 of the European Convention of Human Rights. Yet, without an underlying statutory framework, these rights lack remedial mechanisms that may be triggered by their violation. However, while the Personal Data Protection Bill, 2019 (‘PDPB’) remains to be passed, India exists in a state of limbo. Without a current standard of foreign personal data protection for all commercial operations, India does not meet the criteria for an adequacy decision.

An analysis of the previous adequacy decisions illustrates that the privacy safeguards contained in the PDPB, such as data minimization, purpose limitation, transparency and accountability, may prima facie allow India to qualify for an adequacy decision as well.

Nonetheless, with regard to independent oversight and enforcement, the PDPB authorizes the Central Government to compose the supervisory authority, i.e. the Data Protection Authority of India, on the recommendations of the selection committee, which also comprises members of the Executive. To this effect, it may be noted that in the 2018 draft, this selection was based on judicial intervention. Additionally, governmental access to personal data collected for law enforcement purposes provided for under the Information Technology Act, 2000, and rules thereunder may also deter an adequacy decision. For example, on December 20, 2018, the Ministry of Home Affairs issued a notification, under Section 69 of the Information Technology Act & Rule 4 of the Information Technology (Procedure for Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, authorizing 10 central agencies to intercept, monitor and decrypt any computer information.

Moreover, the PDPB itself allows the Central Government to exempt its agencies from the application of the legislation if the same is necessary in the interest of friendly relations with foreign states, public order, or to prevent inciting the commission of any cognizable offense related to the same. The use of vague and overbroad terms such as “public order” also affords arbitrary powers to the Central Government. Thus, the current concerns regarding the independence and impartiality of the oversight body and the arbitrary and obtrusive governmental access to foreign personal data vitiate any efforts to obtain an adequacy decision.

Article VII of the World Trade Organization’s General Agreement on Trade in Services, on the other hand, mandates that the EU offer similar opportunities to countries to negotiate comparable arrangements as offered to other countries. This mandate is based on the principle of non-discrimination and anti-protectionism. Thus, India has a claim to initiate negotiations for a Privacy Shield which would bypass the costly and time-consuming alternatives, such as SCCs or BCRs. This would also nullify the need to comply with respective Data Protection Commissions’ requirements for obtaining individual adequacy decisions.

However, for establishing and maintaining a Privacy Shield, the inadequacies of the PDPB and other state legislations must still be rectified by incorporating provisions within the agreement which nullify the operation of the same. Whether this would be an overreach of the powers of the Executive under the separation of powers doctrine is the subject matter of another discussion. Similarly, the operation of SCCs may also be discontinued if these violations are not safeguarded against. Essentially, the effects of the Schrems II Decision, thus, extend to India just as they do for the United States.

A Bleak Picture of Alternatives

While the Indian Government may work towards obtaining an adequacy decision or establishing a Privacy Shield, Indian companies may avail the following alternatives, apart from the common practice of using SCCs. However, as has been highlighted herein, these alternatives are merely the next-best alternatives, and do not paint an optimistic picture in comparison to the traditional methods in use.

A. Binding Corporate Rules

BCRs represent codes of conduct which are used exclusively for intra-enterprise transfers, i.e., between enterprises engaged in a joint economic venture. The European Data Protection Board (‘EDPB’), however, has specified that companies reliant on BCRs would still be required to conduct a prior assessment to determine that the receiving nations’ privacy safeguards are essentially equivalent to those provided by the European Union. Nevertheless, a like assessment is mandatorily conducted by the relevant data supervisory authority, which is obligated to pre-approve the BCRs in question for operation. As indicated above, India’s current and proposed data protection framework illustrates a lack of requisite safeguards. Additionally, the GDPR prescribes a requirement of mandatory physical presence within the EU, a condition that may limit opportunities for several small-to-medium scale businesses. These are also unlikely to be adopted for common use due to the time-intensive case-to-case approval process involved. To remedy the same, a model BCRs template may be prepared by each data supervisory authority to expedite the process. This must, however, be preceded by legislative efforts to secure the protection of incoming foreign personal data.

B. Derogations

Hinted by the CJEU itself, derogations under Article 49 of the GDPR allow for the legitimization of data transfers even in circumstances where the receiving state lacks adequate privacy safeguards. These may be allowed in specific circumstances, including when the express informed consent of the data subject is obtained, when the transfer is necessary for the performance of a contract between the data subject and the data controller, or when the transfer is necessary for public interest. However, the applicability of these derogations is exceptional in nature so that regular data transfers cannot be justified.

C. Data Localization

Another alternative is to switch to data localization which entails the storage of all consumer data within the territory from which it is collected. Thus, companies can opt to set up data storage infrastructures within the European Union. While other jurisdictions generally demand only the storage of a copy of data transferred under data localization obligations, such as for law enforcement purposes, this specific obligation would completely restrict the outstation transfer of data in the absence of requisite privacy safeguards. However, this would exponentially increase processing costs and would also restrict the operation of several services which require a to-and-fro transfer of data.

Conclusion

Since member-states of the EU represent major players in the globalization and commercialization scene, nations across the world are likely to enact “essentially equivalent” data protection regimes to guard against an inability to trade and offer services within the EU. India would also be caught in such a wildfire lest it amend its domestic regime to suit the requirement expounded by the Schrems II Decision. Thus, the Schrems II Decision may catalyse the spread of European data protection principles as a global privacy standard. While the DPCs across the EU are releasing separate guidelines to assist foreign companies to chart measures needed to be adopted in order to comply with the Schrems II Decision, urgent initiative must be taken by the Indian Government to counteract the immediate effects of the possible destabilization of the India-EU data transfer network.

Coronavirus and the Constitution – XXXVII: The Pandemic, Labour Rights, and the Supreme Court’s Judgment in Gujarat Mazdoor Sabha

Editor’s Note 1: Posts about the contemporary Supreme Court may be read in the context of the caveats set out in this post (link).


Editor’s Note 2: Justice is an indivisible concept. We cannot, therefore, discuss contemporary Supreme Court judgments without also acknowledging the Court’s failure – at an institutional level – to do justice in the case involving sexual harassment allegations (link) against a former Chief Justice. This editorial caveat will remain in place for all future posts on this blog dealing with the Supreme Court, until there is a material change in circumstances (e.g., the introduction of structural mechanisms to ensure accountability).


On 17 April 2020, a little under a month after the Covid-induced nation-wide lockdown had been imposed, the government of Gujarat issued a notification under Section 5 of the Factories Act. This notification exempted all the factories in the state of Gujarat from adhering to a set of workers’ rights guaranteed by the statute. Its effect was to increase the upper limit of working hours from nine to twelve per day and forty-eight to seventy-two per week, shorten rest intervals, and halve overtime pay. The Notification was initially intended to run until 19 July, but was later extended to 19 October.

Two trade unions challenged the Notification(s) before the Supreme Court. In an important judgment handed down today (Gujarat Mazdoor Sabha v State of Gujarat), a three-judge bench of the Court agreed with their arguments, and struck down the Notifications in their entirety (with a consequential direction to pay back-wages to those workers who had worked overtime on the reduced rates).

Chandrachud J.’s judgment for the Court revolves around two axes, both of which are important from a constitutional perspective. The first is a statutory analysis of whether the pre-conditions under Section 5 were satisfied; and the second is a broader argument about the role of labour laws in a constitutional democracy.

Section 5 of the Factories Act authorises the government to exempt any factory or class of factories from the provisions of the statute, in case of a “public emergency.” The Explanation to Section 5 defines “public emergency” as a grave emergency that threatens the security of India (or any part of it) on account of war, external aggression, or internal disturbance. The State argued that the Covid-19 pandemic was “a public emergency”, caused by “internal disturbance”. Relying upon the Sarkaria Commission Report that had cited “epidemics” as examples of internal disturbances, the State therefore claimed that the manner in which Covid-19 had “disturbed the social order of the country” and caused “extreme financial exigencies”, justified the invocation of Section 5.

The Court rejected this argument. It began by noting that in judicial review, the existence of a “public emergency” must be demonstrated as an “objective fact” (paragraph 8). Secondly, the Court held that a reading of Section 5 made it clear that both expressions – “public emergency” and “internal disturbance” – were to be read conjunctively, and the presence of both had to be satisfied as a pre-condition to invoking the Section. The Court then examined the scope of each of the phrases. Noting the genesis of these terms in colonial-era legislation and Constitutional Emergency provisions, the Court held that the terms would have to be given a narrow meaning. As Chandrachud J. observed:

On this basis, the Court held that “mere financial exigencies … do not qualify as an internal disturbance.” (para 17) Indeed, given that the phrase “internal disturbance” was used alongside “war” and “external aggression”, the principle of noscitur a sociis required interpreting it in that context, and in situations of similar gravity (para 18).

With respect to the phrase “public emergency”, the Court noted that its constituent phrase – a threat to the “security of India” – had been repeatedly interpreted in narrow terms by the Supreme Court, starting with the hoary old judgment of Romesh Thapar (para 20).

Having traced the genesis and meaning of both terms, the Court then applied them to the case at hand:

Even if we were to accept the Respondent’s argument at its highest, that the pandemic has resulted in an internal disturbance, we find that the economic slowdown created by the COVID-19 pandemic does not qualify as an internal disturbance threatening the security of the state. The pandemic has put a severe burden on existing, particularly public health, infrastructure and has led to a sharp decline in economic activities. The Union Government has taken recourse to the provisions of the Disaster Management Act, 2005. However, it has not affected the security of India, or of a part of its territory in a manner that disturbs the peace and integrity of the country. The economic hardships caused by COVID–19 certainly pose unprecedented challenges to governance. However, such challenges are to be resolved by the State Governments within the domain of their functioning under the law, in coordination with the Central Government. Unless the threshold of an economic hardship is so extreme that it leads to disruption of public order and threatens the security of India or of a part of its territory, recourse cannot be taken to such emergency powers which are to be used sparingly under the law. (para 28)

This is an important paragraph. As noted on this blog before, terms such as “public emergency”, “security of the State”, and “internal disturbance” are broad in their ambit; if they are to act as any kind of check upon unbridled executive power, it requires the judiciary to give them concrete content, and then – given their extraordinary nature – to insist upon strict compliance with the legal threshold before the government can invoke emergency-style powers. This is what the Court did: instead of letting the nature of the Covid-19 pandemic expand to fill the content of these clauses, it first accorded these clauses an autonomous – and narrow – interpretation, and upon finding that the pandemic did not fall within that interpretation, struck down the offending State action. This is a refreshing change from the otherwise deferential attitude shown by the Court at the first recitation of “public emergency” and “national security”, including in many cases concerning State action during the pandemic.

The Court also went on, however, to put its argument on a firmer – constitutional – footing. It located the Factories Act – and its guarantee of workers’ rights – in a long history of labour struggles (para 29), and grounded it within legislative recognition of the “inequality of bargaining power between workers and their employers” (para 30). Drawing upon the Directive Principles as interpretive guides, the Court noted that working hour guarantees and overtime payment had a constitutional foundation, as they came within the ambit of Articles 21 (right to life) and 23 (right against forced labour). Any restriction of those rights, therefore, would have to abide by the principle of proportionality. In the instant case, the Court found that the principle of proportionality had been violated:

The impugned notifications do not serve any purpose, apart from reducing the overhead costs of all factories in the State, without regard to the nature of their manufactured products. It would be fathomable, and within the realm of reasonable possibility during a pandemic, if the factories producing medical equipment such as life-saving drugs, personal protective equipment or sanitisers, would be exempted by way of Section 65(2), while justly compensating the workers for supplying their valuable labour in a time of urgent need. However, a blanket notification of exemption to all factories, irrespective of the manufactured product, while denying overtime to the workers, is indicative of the intention to capitalize on the pandemic to force an already worn-down class of society, into the chains of servitude. (para 36)

In other words, therefore, using the Directive Principles and the concept of a welfare-oriented democracy as an interpretive base, the Court (a) located the rights at issue within Articles 21 and 23, and (b) found that State action violating them failed to meet the test of proportionality.

Conclusion

The judgment of the Supreme Court is important in two respects. First, it is an important pushback against the trend where the State’s invocation of “public emergency” and “national security” has marked both the beginning and the end of the argument in court. In Gujarat Mazdoor Sabha, the Court shows that simply by performing the normal judicial function – of interpreting phrases in accordance with their accepted meaning, and by measuring State action against that meaning – the government’s justifications will often fail on their own terms. More broadly, the Court’s insistence that the invocation of such clauses is for exceptional situations – and must therefore be adhered to strictly – is both welcome and important. This must be seen in the context of two competing judicial philosophies. The first philosophy holds that “public emergency” and “national security” constitute a kind of constitutional blackhole: their very invocation by the State requires the Court to virtually abandon its basic function of judicial review. The second philosophy holds that, as a matter of fact, it is precisely because of the sweeping powers afforded to the State in such circumstances that judicial review must be heightened, so that basic rights do not become (in the words of the judgment) “paper tigers.” In recent times, we have seen far too much of the first philosophy, and far too little of the second – something that the Court corrects in this case.

Secondly, the Court does not limit its arguments to the statutory framework. By using the Directive Principles as interpretive guides, it grounds core labour rights within Articles 21 and 23 of the Constitution, and subjects limitations to the doctrine of proportionality. This is equally important, because – as we have seen just recently – existing labour laws themselves have been replaced by new Labour Codes, which take a far more restrictive approach towards labour rights. The Court’s reminder that these rights are, ultimately, located in the Constitution, is therefore crucial as, in the coming days, questions will be raised about both the constitutionality – and the interpretation – of the new labour codes.