

Privacy Shield Set Aside by CJEU: A Guidance for India
- Introduction
The European Union (“EU”) is a major source of revenue for the information technology and business process outsourcing industry in India. However, there are several challenges that India faces with respect to transfer of personal data from EU to India. Presently, the data protection regime in India does not provide the same level of protection as the data protection regime in the EU, in particular because the Personal Data Protection Bill, 2019 has not been enacted yet. Further, Article 3 of the EU General Data Protection Regulation (“GDPR”) states that provisions of GDPR will be applicable even in a case where the processing of personal data takes place outside the EU.[1]
As such, in case of transfer of personal data from EU, it becomes relevant for Indian entities to comply with the provisions of the GDPR as non-compliance or breach of its provisions may attract a fine of up to 20,000,000 EUR (Twenty Million Euros) or 4% (four percent) of the total worldwide annual turnover of the preceding financial year, whichever is higher.[2]
- Cross Border Transfer
Chapter V of the GDPR governs the cross-border transfer of personal data from the EU to a third country. Under Article 45 of the GDPR, the European Commission takes an ‘adequacy decision’ to ascertain whether the third country or international organisation ensures an ‘adequate’ level of data protection for data subjects.[3] The countries and territories that have attained an adequacy decision include Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.[4] Transfer of personal data to these countries does not require any specific authorisation.
In the absence of an adequacy decision in favour of a country, such as India, the transfer of personal data from the EU to such a country may take place provided that appropriate safeguards are present to ensure that the privacy of the data subjects is protected.[5] The most commonly used safeguards permitted by the GDPR include binding corporate rules and standard data protection clauses.
Binding corporate rules are internal policies of corporations relating to protection of data upon transfer of personal data from EU to a third country or organisation.[6] Such policies are required to ensure that processing of personal data is compliant with general data protection principles and that appropriate safeguards are in place. It may be relevant to note that corporations must confirm that the binding corporate rules are approved by the data protection authority in accordance with the consistency mechanism set out in Article 63 of the GDPR.[7]
Another commonly used mechanism to transfer personal data is the use of standard contractual clauses (“SCCs”), wherein standard terms and conditions are agreed upon between the data processors in order to protect personal data transferred from EU. These terms are issued by the European Commission to ensure that the processing of personal data is compliant with the provisions of the GDPR and are to be adopted by the processors completely and unaltered.[8]
In this regard it may be relevant to note that for greater ease of exchange of personal data between the United States of America and the EU, a framework known as EU-US Privacy Shield (“Privacy Shield”) was formulated to enable companies from the United States of America to receive personal data more easily from EU entities.
- Impact of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems on the transfer of personal data
Recently the Court of Justice of the European Union (“CJEU”) in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems[9] (“Schrems II”) invalidated the Commission Implementing Decision (EU)[10] which had affirmed the adequacy of the protection provided by the Privacy Shield, on the grounds that the Privacy Shield does not provide the necessary limitations and safeguards with regard to interferences authorised by the national legislation of the United States of America and does not ensure effective judicial protection against such interferences.
In this context it may be relevant to note that the CJEU in Schrems II affirmed the Commission Decision[11] on the validity of the SCCs for the transfer of personal data to processors established in third countries with certain observations.
The CJEU stated that “it is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”[12]
The CJEU also held that the controller and the recipient of the data “are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned. The recipient is, where appropriate, under an obligation, under Clause 5(b), to inform the controller of any inability to comply with those clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract.”[13]
The CJEU observed that SCCs cannot bind the public authorities of third countries, as they are contractual in nature, and that it is therefore necessary to ensure that the government of the concerned country will not arbitrarily violate the privacy of the data subjects.
- Conclusion
The reasoning given by the CJEU in invalidating the Privacy Shield is relevant in a global context, as the decision places emphasis on the disproportionate access to personal data by public authorities and the lack of effective judicial redress in the United States of America. It further displays the proactiveness of the EU in tackling any threat to the protection of personal data. The reasoning behind the CJEU's decision on the Privacy Shield and the SCCs also indicates that the use of SCCs will need to be re-examined to confirm whether SCCs provide sufficient protection in light of access to the transferred personal data by public authorities of the third country. Further clarification is also required from courts with respect to the kind of additional safeguards and contractual clauses that may be established contractually in order to protect personal data from public authorities.
In India, data protection and privacy are presently regulated by the Information Technology Act, 2000 and its corresponding rules, under which public authorities have wide powers to access personal data. As such, the existing data protection regime will need to be further examined to ensure that adequate protection is afforded to personal data, including protection from the government itself, and supplementary measures may be required to achieve compliance with the GDPR by providing an adequate level of protection.
The views and opinions expressed in this article belong solely to the author and do not reflect the position of Tatva Legal, Hyderabad.
[1] Article 3 of the GDPR
[2] Article 83(5) of the GDPR
[3] Article 45 of the GDPR
[4] European Commission, Adequacy decision, available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
[5] Article 45(3) of the GDPR
[6] Article 47 of the GDPR
[7] Article 63 of the GDPR
[8] Squire Patton Boggs, Transfer, But How? Cross-Border Flow of Personal Data Under GDPR, available at https://www.ceelegalblog.com/2017/07/transfer-but-how-cross-border-flow-of-personal-data-under-gdpr/#page=1
[9] Case C-311/18, EU:C:2020:559
[10] 2016/1250/EU, C(2016) 4176
[11] 2010/87/EU, C(2010) 593
[12] Supra note 9
[13] Supra note 9