
Privacy Shield Set Aside by CJEU – A Guidance for India

Authors:
Atif Ahmed
April 9, 2021
  1. Introduction

The European Union (“EU”) is a major source of revenue for the information technology and business process outsourcing industry in India. However, there are several challenges that India faces with respect to transfer of personal data from EU to India. Presently, the data protection regime in India does not provide the same level of protection as the data protection regime in the EU, in particular because the Personal Data Protection Bill, 2019 has not been enacted yet. Further, Article 3 of the EU General Data Protection Regulation (“GDPR”) states that provisions of GDPR will be applicable even in a case where the processing of personal data takes place outside the EU.[1]

As such, in case of transfer of personal data from EU, it becomes relevant for Indian entities to comply with the provisions of the GDPR as non-compliance or breach of its provisions may attract a fine of up to 20,000,000 EUR (Twenty Million Euros) or 4% (four percent) of the total worldwide annual turnover of the preceding financial year, whichever is higher.[2]

  2. Cross Border Transfer

Chapter V of the GDPR governs the cross border transfer of personal data from the EU to a third country. Under Article 45 of the GDPR, the European Commission takes an ‘adequacy decision’ to ascertain whether the third country or international organisation ensures an ‘adequate’ level of data protection of the data subjects.[3] The countries / territories that have attained an adequacy decision include: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.[4] Transfer of personal data to these countries does not require any specific authorisation.

In absence of an adequacy decision in favour of a country, like India, the transfer of personal data from EU to such country may take place provided that appropriate safeguards are present to ensure that the privacy of the data subjects is protected.[5] Some of the most commonly used safeguards permitted by the GDPR include binding corporate rules and standard data protection clauses.

Binding corporate rules are internal policies of corporations relating to protection of data upon transfer of personal data from EU to a third country or organisation.[6] Such policies are required to ensure that processing of personal data is compliant with general data protection principles and that appropriate safeguards are in place. It may be relevant to note that corporations must confirm that the binding corporate rules are approved by the data protection authority in accordance with the consistency mechanism set out in Article 63 of the GDPR.[7]

Another commonly used mechanism to transfer personal data is the use of standard contractual clauses (“SCCs”), wherein standard terms and conditions are agreed upon between the data processors in order to protect personal data transferred from EU. These terms are issued by the European Commission to ensure that the processing of personal data is compliant with the provisions of the GDPR and are to be adopted by the processors completely and unaltered.[8]

In this regard it may be relevant to note that for greater ease of exchange of personal data between the United States of America and the EU, a framework known as EU-US Privacy Shield (“Privacy Shield”) was formulated to enable companies from the United States of America to receive personal data more easily from EU entities.

Tatva Legal, Hyderabad has an experienced team of corporate lawyers who, amongst other services, advise on matters involving data privacy and other such areas involving information technology law.

  3. Impact of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems on the transfer of personal data

Recently, the Court of Justice of the European Union (“CJEU”) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems II [9] (“Schrems II”) invalidated the Commission Implementing Decision (EU)[10] which affirmed the adequacy of the protection provided by the Privacy Shield, on the grounds that Privacy Shield does not provide the necessary limitations and safeguards with regard to interferences authorised by the national legislation in the United States of America and does not ensure effective judicial protection against such interferences.

In this context it may be relevant to note that the CJEU in Schrems II affirmed the Commission Decision[11] on the validity of the SCCs for the transfer of personal data to processors established in third countries with certain observations.

The CJEU stated that “it is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”[12]

The CJEU also held that they “are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned. The recipient is, where appropriate, under an obligation, under Clause 5(b), to inform the controller of any inability to comply with those clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract.”[13]

The CJEU observed that SCCs cannot bind the public authorities of third countries as they are contractual in nature, and it is pertinent to ensure that the government of the concerned country will not arbitrarily violate the privacy of the data subjects.

  4. Conclusion

The reasoning given by the CJEU in invalidating the use of Privacy Shield becomes relevant in a global context as the decision places emphasis on the disproportionate access to personal data by public authorities and the lack of effective judicial redress in the United States of America. It further displays the proactiveness of the EU in tackling any threat to the protection of personal data. Further, the reasoning behind the decision of the CJEU on Privacy Shield and SCCs indicates that the use of SCCs will need to be re-examined to confirm whether SCCs provide sufficient protection in light of access by public authorities of the third country to which the personal data is transferred. Further clarifications are also required from courts with respect to the kind of additional safeguards and contractual clauses that may be established contractually in order to protect personal data from public authorities.

In India, data protection and privacy are presently regulated by the Information Technology Act, 2000 and its corresponding rules, wherein the public authorities have wide powers to access personal data. As such, existing data protection regimes will need to be further examined to ensure that adequate protection is afforded to personal data, including protection from the government itself, and supplementary measures may be required to ensure compliance with the aforesaid legislation by providing an adequate level of protection.

The views and opinions expressed in this article belong solely to the author and do not reflect the position of Tatva Legal, Hyderabad.

[1] Article 3 of the GDPR

[2] Article 83(5) of the GDPR

[3] Article 45 of the GDPR

[4] European Commission, Adequacy decision, available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

[5] Article 45(3) of the GDPR

[6] Article 47 of the GDPR

[7] Article 63 of the GDPR

[8] Squire Patton Boggs, Transfer, But How? Cross-Border Flow of Personal Data Under GDPR, available at https://www.ceelegalblog.com/2017/07/transfer-but-how-cross-border-flow-of-personal-data-under-gdpr/#page=1

[9] Case C-311/18, EU:C:2020:559

[10] 2016/1250/EU, C(2016) 4176

[11] 2010/87/EU, C(2010) 593

[12] Supra note 9

[13] Supra note 9
