[Intisar Aslam is a 2nd Year B.A., LL.B. (Hons.) student at the National University of Study and Research in Law in Ranchi]
The much-awaited Digital Personal Data Protection Bill, 2022 (“DPDP”), released by the Ministry of Electronics and Information Technology (“Meity”), has received mixed reactions from the legal fraternity. Previously, the Data Protection Bill, 2022 (“DPB”) was withdrawn owing to the suggestion of a large number of amendments. In the words of the Government, a “comprehensive legal framework” addressing the evolution of the digital ecosystem was required. Another reason was that the previous Bill was “compliant intensive” for small-scale start-ups. With simplified language, hefty fines, and cross-border data flow, it seems that the Bill heralds a new beginning of digital privacy in India. However, clause 17 of the DPDP Bill, which relates to data transfer outside the Indian territory fails to pass muster considering a judgment of the European Union.
This post seeks to analyze whether the provision of cross-border data flow passes the test of Schrems II judgment of the European Union. The ruling stands relevant for India as it not only relates to the free flow of data but also aligns with India’s aim of playing a significant role in the global ‘digital’ trade regime. On the contrary, localization of data poses a threat to innovation and places a high infrastructure and financial burden on businesses. Thus, the trust-based approach of Schrems II serves both the purposes of India: digital data protection and the flourishing of international trade and innovation. Further, this might also lead to India being recognized by the EU as having adequate data protection standards, therebyfacilitating transactions between the two jurisdictions.
The post proceeds in two parts. First, it enumerates the principles and the recommendations laid down in Schrems II and by the European Data Protection Board respectively. Second, it analyses the provision of cross-border data flow from two lenses: first, from the lens of Schrems II principles, and second, from the lens of the recommendations provided by the European Data Protection Board while simultaneously establishing the feasibility of data protection in the cross-border data flow from India.
Data Protection Commissioner v. Facebook Ireland: The Case which Set the Ball Rolling
This case, popularly known as Schrems II, laid down certain principles for the cross-border transfer of personal data from the European Union. In its ruling, the Court of Justice of the European Union (“CJEU”) invalidated the European Commission’s Privacy Shield Decision due to intrusive US surveillance programs. It rendered the transfers of personal data made in reliance on the Privacy Shield Decision unlawful. The Court laid down stricter requirements for the transfer of personal data based on standard contract clauses (“SCCs”). It further held that the level of protection offered by data controllers or processors who want to transmit data based on SCCs must be “essentially equivalent” to that offered by the General Data Protection Regulation (“GDPR”) and the EU Charter of Fundamental Rights (“CFR”) and, if necessary, with additional steps to make up for gaps in the legal systems of third countries. Any deviation from the same would result in the stoppage of transfer of personal data outside of the EU.
More specifically, the CJEU laid down the following principles to be followed by the data processors and data controllers before the cross-border transfer of data can be effected: (i) whether the other country (in this case, the US) provided the same level of protection to the data subject, i.e., the EU resident as that provided by the EU; (ii) whether the access of the Government of the country where the data has been transferred (in this case, the US Government) to data is proportionate and strictly necessary to the legitimate objectives it pursues to achieve; (iii) whether effective legal remedies were available to EU data subjects; and (iv) whether there is independent oversight.
The Initial Test of Schrems II: The Test of ‘Essentially Equivalent’ Principle
The DPDP Bill allows for the transfer of personal data outside India. Clause 17 lays down that “the Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.”
Considering the rationale given by the CJEU, i.e., that the level of protection must be “essentially equivalent”, the provision becomes a cause of concern. Firstly, the DPDP Bill does not clarify the grounds on which a particular jurisdiction would be considered a trusted jurisdiction for the transfer of data. Secondly, in case the Government opts for the “essentially equivalent” principle, it fails to consider whether developing or underdeveloped jurisdictions like Africa, would be able to make it to notified jurisdictions. If not, then such disruption of data flow would cause serious harm to cross-border business in both India and other jurisdictions. Thirdly, the removal of the distinction between sensitive personal data and critical personal data is another bottleneck halting the smooth implementation of the draft Bill. The previous drafts proposed a local storage obligation for sensitive personal data and a “hard” localization obligation for an undefined category of critical personal data. The broad extent of data covered coupled with the lack of clarity on the manner and extent of sharing permitted, and its subsequent cross-border flow, are prone to serious implications of misuse of any kind of data – sensitive or critical- by any foreign jurisdiction.
The Final Test of European Data Protection Board (EDPB): The Test of ‘Essential Guarantees’ Principle
The ‘essential guarantees’ are requirements that a third country must have in place when processing EU residents’ data. These include, firstly, that the processing of data must be based on clear and precise rules with the data subject having the knowledge of the circumstances in which the data controllers or processors can process the data of an individual. Secondly, the intrusion must be necessary and proportionate to the objective sought to be achieved. This is akin to the principle adopted by the Supreme Court in the KS Puttaswamy v. Union of India. Thirdly, an independent oversight mechanism to oversee such intrusion must exist. Lastly, one must consider whether there are effective legal remedies available in case of an intrusion. In the present DPDP Bill, the first and the second recommendation shall depend upon the authority having control over the data and the aim of processing data respectively. Therefore, these remain subjective and will vary on a case-to-case basis.
The point at which the DPDP Bill falls out of line with the EDPB Recommendations is the establishment of an independent Data Protection Board of India (“DPBI”). Clause 19 of the DPDP Bill provides for the establishment of DPBI while offering powers of selection, removal, and composition, of the Board to the Central Government. Thus, the requirement of having an “independent oversight” body remains unfulfilled. This also leads to the second point of incongruence vis-à-vis Schrems II where it found the privacy ombudsman to be inadequate as the ombudsman was in some way part of the US executive. The DPBI, in its present stature, is more of a direction-issuing body when a breach reaches its knowledge, rather than an oversight one which itself takes actions on its own motion. As for the last recommendation, the DPDP Bill has set hefty fines in case of personal data breaches. At the same time, it is yet to be seen how well the first two recommendations are met especially when the second one aligns with the direction of the Supreme Court in K.S. Puttaswamy. Thus, it is uncertain if there will be any supervision by the DPBI vis-à-vis cross-border data breaches, and the subsequent cognizance on its own motion. Further, it is unclear whether the DPBI would also oversee that adequate protection is continued to be offered in the trusted jurisdiction throughout the processing of data beyond the Indian borders.
The DPDP Bill is unique in several aspects for India. However, the draft weakens the regulatory, supervisory, and enforcement structure by replacing the previously proposed data protection authority with a board that will be directly in control of the government. Further, the procedure that the Government will adopt to ensure that the protection offered by such a notified jurisdiction is “essentially equivalent” to that offered by India is uncertain. Additionally, the assurance that there is no scope for withdrawal of or diminishing the level of protection offered to the data subjects by the notified jurisdiction under any circumstances is either absent or only speculative. Unlike its predecessor, the DPDP Bill has skipped mentioning ‘Right to Privacy’ in its Preamble, which is the very essence of any data protection legislation across the world. Such instances are disconcerting. While India treads the path towards a new and long-awaited digital data protection era, it is imperative that the Bill falls in line with the CJEU principles which remain one of the most standard benchmarks for data protection in the world.
– Intisar Aslam