Notes From a Foreign Field: The Impact of Schrems-II [Guest Post]

[This is a guest post by Rohit Gupta.]


On July 16, 2020, the Court of Justice of the European Union (‘CJEU’) delivered a landmark judgment in Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (‘Schrems II Decision’). The Schrems II Decision sent shockwaves through the practice of commercial transnational transfers of personal data originating in the European Union (‘EU’) and transmitted to a non-EU country, such as India. Under the EU data protection regime, such transfers are governed by the General Data Protection Regulation (‘GDPR’), read with the Charter of Fundamental Rights of the European Union (‘Charter’) and several other directives and regulations. Chapter V of the GDPR allows transfers of personal data outside the EU through three different modes, each premised on the receiving country providing adequate protection for that data. First, the European Commission may adopt an adequacy decision finding that the domestic legal framework of the receiving country affords an adequate level of protection. Second, appropriate safeguards may be put in place, accompanied by enforceable data subject rights and effective legal remedies for data subjects. These may take the form of an arrangement between public authorities, as in the case of the EU-US Safe Harbour or Privacy Shield, of contracts between the sending and receiving entities, as in the case of Standard Contractual Clauses (‘SCCs’), or of rules binding affiliated companies within a single corporate group, as in the case of Binding Corporate Rules (‘BCRs’). Third, derogations, or exceptions, from the requirement of either of the above may be relied upon in specific circumstances.

While the Schrems II Decision evaluates the privacy protection of the mechanisms used by companies incorporated in the United States of America (‘US’) to receive data from the EU, this post translates the broader implications of the judgment into the context of India and its privacy regime, or the lack thereof.

The Schrems II Judgment

In 2013, Maximillian Schrems (‘Schrems’), an Austrian national, raised concerns regarding the transnational data transfer practices of Facebook under the Data Protection Directive 95/46/EC, the predecessor to the GDPR. However, the Irish Data Protection Commissioner (‘DPC’), the Irish supervisory authority for data protection, rejected the complaint on the basis of the European Commission’s Decision 2000/520, which had found the EU-US Safe Harbour to provide adequate protection. Subsequently, in the Schrems I Decision of 2015, the CJEU concluded that the standard of data protection afforded by the United States was not “essentially equivalent” to that afforded within the European Union. Hence, the Safe Harbour Decision was declared invalid.

A second complaint was formulated by Schrems on the claim that Facebook’s use of SCCs was invalid, since Facebook was obligated to make the personal data collected under those agreements available to the United States Government. The complaint also impugned the EU-US Privacy Shield. While the European Commission had affirmed the validity of both mechanisms in Decision 2010/87 and Decision 2016/1250 respectively, the questions raised by the complaint were referred to the CJEU by the Irish High Court for a final determination.

The CJEU, in the Schrems II Decision, reached three crucial findings regarding the transnational transfer of personal data from the European Union:

A. The CJEU Confirms Extra-Territorial Application of GDPR for EU-Citizens’ Data

First, it held that the GDPR would remain applicable to personal data that has been transferred out of the European Union by one economic operator, or body corporate, to another for any commercial purpose, regardless of whether such data may be processed by the governmental authorities of the latter for the purposes of public security, defence and State security.

B. SCCs to Hold Validity Only if Underlying Framework Provides GDPR-Esque Data Protection

Second, it affirmed the validity of SCCs, provided that the level of data protection in the receiving country is “essentially equivalent” to that guaranteed under the GDPR, read with the Charter. To this effect, the CJEU mandated the use of “other clauses or additional safeguards” in circumstances where the SCCs themselves fail to secure an adequate level of protection. These may address, for example, access to personal data by law enforcement and other government agencies. Additionally, the respective supervisory authorities are obliged to suspend or prohibit data transfers to any third country where the aforementioned safeguards, and alternative means of achieving the same level of protection, are absent.

C. EU-US Privacy Shield Invalidated for Lack of Safeguard Against Government-Sanctioned Surveillance

Third, it invalidated the EU-US Privacy Shield on the grounds that (1) the United States surveillance regime, based on Section 702 of the Foreign Intelligence Surveillance Act, 1978 and Executive Order 12333 (1981), assumes the primacy of national interest and law enforcement over the fundamental right to privacy by sanctioning surveillance with no apparent limitation, violating the principle of proportionality in so far as it is not restricted by the requirement of necessity, (2) the United States does not provide foreign data subjects with an actionable right against the Government for privacy breaches under Presidential Policy Directive 28 (2014) and Executive Order 12333 (1981), and (3) the United States legislative framework is inadequate in ensuring the independence of the Privacy Shield Ombudsperson, an authority established by the EU-US Privacy Shield and held by an Under Secretary of State, and in conferring on that body the requisite authority to deliver binding decisions upon US intelligence services.

Implications for India: An Analysis in light of the Personal Data Protection Bill, 2019

According to Article 45 of the GDPR, the relevant inquiry for an adequacy decision involves an assessment of the rules and regulations applicable to data controllers and processors within a country. This also includes an analysis of the accompanying safeguards limiting governmental access to foreign personal data. Per the Schrems II Decision, a like analysis is now required for the operation of the other modes of data transfer, such as a Privacy Shield, SCCs, or BCRs. The recognition of the fundamental right to privacy in K.S. Puttaswamy v. Union of India (‘Puttaswamy Decision’) imported the principles of proportionality developed under Article 8 of the European Convention on Human Rights. Yet, without an underlying statutory framework, this right lacks remedial mechanisms that may be triggered by its violation. Thus, while the Personal Data Protection Bill, 2019 (‘PDPB’) remains to be passed, India exists in a state of limbo. Without a current standard of protection for foreign personal data across all commercial operations, India does not meet the criteria for an adequacy decision.

An analysis of previous adequacy decisions illustrates that the privacy safeguards contained in the PDPB, such as data minimisation, purpose limitation, transparency and accountability, may prima facie allow India to qualify for an adequacy decision as well.

Nonetheless, with regard to independent oversight and enforcement, the PDPB authorises the Central Government to constitute the supervisory authority, i.e. the Data Protection Authority of India, on the recommendations of a selection committee which itself comprises members of the Executive. To this effect, it may be noted that in the 2018 draft, this selection involved judicial participation. Additionally, governmental access to personal data for law enforcement purposes, as provided for under the Information Technology Act, 2000, and the rules thereunder, may also deter an adequacy decision. For example, on December 20, 2018, the Ministry of Home Affairs issued a notification, under Section 69 of the Information Technology Act and Rule 4 of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, authorising 10 central agencies to intercept, monitor and decrypt any information generated, transmitted, received or stored in any computer resource.

Moreover, the PDPB itself allows the Central Government to exempt its agencies from the application of the legislation if this is necessary in the interest of friendly relations with foreign states or public order, or to prevent incitement to the commission of any cognizable offence relating to the same. The use of vague and overbroad terms such as “public order” also affords arbitrary powers to the Central Government. Thus, the current concerns regarding the independence and impartiality of the oversight body, and the arbitrary and intrusive governmental access to foreign personal data, vitiate any effort to obtain an adequacy decision.

Article VII of the World Trade Organization’s General Agreement on Trade in Services, on the other hand, requires the EU to afford other countries adequate opportunity to negotiate arrangements comparable to those it has concluded with any one country. This mandate is based on the principles of non-discrimination and anti-protectionism. Thus, India has a claim to initiate negotiations for a Privacy Shield of its own, which would bypass the costly and time-consuming alternatives, such as SCCs or BCRs. This would also remove the need for individual companies to satisfy the requirements of the respective supervisory authorities on a case-by-case basis.

However, to establish and maintain a Privacy Shield, the inadequacies of the PDPB and other domestic statutes must still be rectified by incorporating provisions within the agreement that nullify their operation. Whether this would be an overreach of the powers of the Executive under the separation of powers doctrine is the subject of another discussion. Similarly, transfers under SCCs may also have to be discontinued if these deficiencies are not safeguarded against. Essentially, the effects of the Schrems II Decision thus extend to India just as they do to the United States.

A Bleak Picture of Alternatives

While the Indian Government may work towards obtaining an adequacy decision or establishing a Privacy Shield, Indian companies may avail themselves of the following alternatives, apart from the common practice of using SCCs. However, as highlighted herein, these are merely next-best alternatives, and do not paint an optimistic picture in comparison with the traditional methods in use.

A. Binding Corporate Rules

BCRs are codes of conduct used exclusively for intra-group transfers, i.e., between enterprises engaged in a joint economic activity. The European Data Protection Board (‘EDPB’), however, has specified that companies relying on BCRs are still required to conduct a prior assessment to determine that the receiving country’s privacy safeguards are essentially equivalent to those provided within the European Union. A like assessment is in any case conducted by the relevant supervisory authority, which must pre-approve the BCRs in question before they can operate. As indicated above, India’s current and proposed data protection framework lacks the requisite safeguards. Additionally, the GDPR requires a group member to be established within the EU, a condition that may limit the opportunities of several small-to-medium scale businesses. BCRs are also unlikely to be adopted for common use owing to the time-intensive case-by-case approval process involved. To remedy this, a model BCR template could be prepared by each supervisory authority to expedite the process. This must, however, be preceded by legislative efforts to secure the protection of incoming foreign personal data.

B. Derogations

As the CJEU itself hinted, derogations under Article 49 of the GDPR allow data transfers to be legitimised even where the receiving state lacks adequate privacy safeguards. They may be relied upon in specific circumstances, including where the explicit informed consent of the data subject is obtained, where the transfer is necessary for the performance of a contract between the data subject and the data controller, or where the transfer is necessary for important reasons of public interest. However, these derogations are exceptional in nature, so that regular, repetitive data transfers cannot be justified under them.

C. Data Localization

Another alternative is to switch to data localisation, which entails storing all consumer data within the territory in which it is collected. Thus, companies can opt to set up data storage infrastructure within the European Union. While data localisation obligations in other jurisdictions generally demand only that a copy of the transferred data be stored locally, such as for law enforcement purposes, this approach would completely restrict the outbound transfer of data in the absence of the requisite privacy safeguards. However, it would substantially increase processing costs and would also restrict the operation of several services that require a to-and-fro transfer of data.

Conclusion

Since the member states of the EU are major players in global trade and commerce, nations across the world are likely to enact “essentially equivalent” data protection regimes to avoid being unable to trade and offer services within the EU. India too will be caught in this wildfire unless it amends its domestic regime to suit the requirements expounded in the Schrems II Decision. Thus, the Schrems II Decision may catalyse the spread of European data protection principles as a global privacy standard. While supervisory authorities across the EU are releasing separate guidelines to help foreign companies chart the measures needed to comply with the Schrems II Decision, urgent initiative must be taken by the Indian Government to counteract the immediate effects of the possible destabilisation of the India-EU data transfer network.

3 thoughts on “Notes From a Foreign Field: The Impact of Schrems-II [Guest Post]”

  1. We don’t know who controls whose data and why … everyone sneaks into everyone else’s lives … for instance, the non-deletable messages on WhatsApp mean that my message on their side is their digital licence to enter my physical / digital / mobile world, and their message on my side means that I have got a digital licence to do it to them … this is corrected in Telegram, where you have the option to delete a conversation on both sides from your side if you want to … such problems exist! And the same goes for email, social media, etc.
