Earlier in July 2020, the Court of Justice of the European Union (CJEU), in the case of Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems (Schrems-II), invalidated the US-EU Privacy Shield. The decision has wide-reaching ramifications for cross-border data transfers outside the EU conducted on the basis of Standard Contractual Clauses (SCCs).
The Decision of the CJEU
The case owes its genesis to a complaint filed with the Irish Data Protection Commissioner (DPC) in 2015 by Austrian privacy advocate Maximilian Schrems. It was contended that Mr. Schrems’ fundamental rights to privacy under European laws were not protected in the course of cross-border transfers of his personal data from Ireland to the US pursuant to SCCs: despite the existence of SCCs, US public authorities could carry out surveillance on EU individuals, and US laws gave those individuals no judicial recourse against such unbridled surveillance. Subsequently, the Irish DPC moved the Irish High Court to refer questions relating to the validity of SCCs to the CJEU.
While in its decision in the Schrems-II case the CJEU held SCCs to be a valid basis for cross-border transfers pursuant to Article 48 of the European Union General Data Protection Regulation (EU GDPR), it emphasised the need for organisations to conduct assessments along the lines of the factors for adequacy listed under Article 45(2) of the EU GDPR, to determine whether European data subjects are afforded appropriate safeguards, enforceable rights and effective legal remedies in the jurisdiction of export.
The CJEU’s decision has led to significant uncertainty for businesses engaging in cross-border data transfers outside the EU, since the CJEU placed: (a) an explicit obligation upon data exporters to assess the adequacy level of remedies in the jurisdiction of export; (b) an obligation upon data importers to represent that their legal systems will enable them to achieve meaningful and substantive compliance with the SCCs; and (c) an obligation upon the relevant Data Protection Authority (DPA) of the exporting national jurisdiction to investigate and come to a conclusion as to the adequacy of the SCCs in light of national laws and the parties’ due diligence, in instances where complaints are lodged.
Being outside the scope of a formal adequacy decision under the GDPR, coupled with the possibility of multiplicity of opinions across relevant DPAs, has led to uncertainty in terms of achieving meaningful compliance with SCCs and the provisions of the GDPR. Moreover, while the CJEU’s decision looked at SCCs alone, the underlying basis of the decision could be interpreted to imply that similar assessments might be required in the context of other mechanisms such as Binding Corporate Rules (BCRs).
On the specific point of the validity of the US-EU Privacy Shield, the CJEU concluded that US laws do not limit or effectively oversee public authorities’ access to EU personal data; and the Privacy Shield did not grant EU individuals actionable and effective rights before the courts against such public authorities. Consequently, the CJEU held the US-EU Privacy Shield to be invalid.
NASSCOM and DSCI Interaction with EU Delegation to India and Representatives of DG JUSTICE and DG CONNECT
Against this backdrop, NASSCOM and DSCI interacted with members of the EU Delegation to India and the EC Project on International Digital Cooperation, along with representatives of the European Commission’s Department for Justice and Consumers (DG JUSTICE) and the Directorate-General for Communications Networks, Content and Technology (DG CONNECT) earlier in September. The objective of the meeting was, inter alia, to discuss developments relating to data regulation in India and Europe, including the Supreme Court’s decision in K.S. Puttaswamy v. Union of India, the provisions of the Personal Data Protection Bill, 2019 (PDP Bill), the decision of the CJEU in Schrems-II, and efforts at defining a framework for the regulation of non-personal data, and to discuss the potential impact of these developments upon the future of India-EU digital trade.
Participants agreed that privacy being held as a fundamental right under Article 21 of the Constitution of India, thereby requiring horizontal application of any potential privacy laws to both private entities and the Government, was a significant factor in inspiring confidence in the future of EU-India data transfers.
Moreover, it was agreed that while the PDP Bill is a strong step in the right direction towards positioning India as a responsible data processing destination, going forward, and in the aftermath of the Schrems-II decision, certain aspects of the PDP Bill might require review, in particular the scope of exemptions granted to both the Government and to processors of foreign data, in order to ensure that the Indian IT/ITeS industries continue to have ease of access to European markets and customers.
Overall, the discussion was a useful starting point for NASSCOM and DSCI’s future engagement with the EC Project, towards ensuring the sustained growth of EU-India digital trade through responsible and secure cross-border data flows.