The Court of Justice of the European Union (“CJEU”) on July 16, 2020 passed a landmark decision in Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems, Case C-311/18 (“Schrems II”) that invalidated the European Union-United States Privacy Shield (“Privacy Shield”) and upheld the validity of Standard Contractual Clauses (“SCC”). With this decision, the Privacy Shield can no longer be used to justify the transfer of personal data from any member state of the European Union (“EU”) to the United States of America (“US”) other than in accordance with the applicable data privacy law. Entities transferring data from the EU to the US shall now be compelled to use SCCs to ensure an uninterrupted flow of data. In this article, we look at how this case impacts companies in India and the transfer of data from the EU to India.
The Privacy Shield: A Brief History
With high volumes of data flowing between the EU and the US, in 2000 the two regions had agreed to adhere to a set of data privacy principles titled “Safe Harbour” that would permit the transfer of personal data from the EU to the US. US companies that were regulated by either the Federal Trade Commission or the Department of Transportation were allowed to gain Safe Harbour certification and receive personal data from the EU, provided an adequate level of safeguards was in place to protect the data.
Following the public disclosures of large-scale surveillance programs run by the US Government on its own citizens, the Safe Harbour principles were challenged before Irish Courts and were subsequently referred to the CJEU. In its October 6, 2015 decision in Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (“Schrems I”), the CJEU declared the Safe Harbour principles as invalid and noted that if US companies were to find themselves in conflict with national security, public interest or the law enforcement requirements of the US government, such requirement would inevitably prevail over Safe Harbour requirements. The CJEU further noted that US companies that had provided undertakings under the Safe Harbour principles were bound to disregard, without limitation, the protective rules laid down by the principles when in conflict with national requirements, giving rise to potential interference by the state.
The invalidation of Safe Harbour principles by the CJEU led to renewed negotiations between the EU and the US, which culminated in a new arrangement titled the “Privacy Shield”. The Privacy Shield retained the core of the Safe Harbour principles but added additional safeguards that focused on individual rights for EU citizens, stricter requirements for US businesses, and restrictions on access to personal data by the US Government. The changes included options to file complaints regarding data privacy through an Ombudsperson, increased monitoring of Privacy Shield compliant companies, and stricter reporting obligations for companies. By enabling US based companies to self-certify and publicly commit to compliance with Chapter 5 (five) of the EU General Data Protection Regulation (“GDPR”) which pertains to the transfer of personal data to third countries or international organisations, the Privacy Shield facilitated cross-border transfer of large volumes of personal data from the EU to the US and underpinned Trans-Atlantic trade.
Impact of Schrems II
As mentioned above, the CJEU invalidated the Privacy Shield in Schrems II. The court expressed concern over US intelligence activities in relation to personal data that was transferred to the US, especially under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) which enabled the surveillance of non-US citizens located outside the US, in order to collect intelligence. The CJEU also noted that Executive Order 12333 of the US Government allowed the National Security Agency (intelligence agency of the United States Department of Defense) to collect personal data that was being transmitted through underwater cables on the floor of the Atlantic Ocean, in bulk. Further, the Ombudsperson mechanism set up under the Privacy Shield was inadequate as it neither guaranteed the independence of the Ombudsperson nor could it guarantee actionable rights for data subjects of substantial equivalence to the standards imposed by the GDPR.
The invalidation of the Privacy Shield has led to significantly greater importance being attached to SCCs as one of the few remaining means of continuing unimpeded cross-border data transfer from the EU to third-party countries, including the US. The SCCs are a set of standard contractual terms and conditions recommended by the EU for data transfer from the EU to non-EU countries, with which both the data exporter and importer have to comply. The aim of SCCs is to protect personal data leaving the European Economic Area through contractual obligations, in compliance with GDPR requirements, to territories that are not considered to offer adequate protection for personal data.
The CJEU considered the validity of SCCs and discussed the factors which need to be considered to determine whether the adequacy of the level of protection offered through the SCC is of the standard required by the GDPR under Article 45. Under Article 45 of the GDPR, transfer of personal data to a third country or an organisation may take place only where the European Commission (“Commission”) has decided that the third country or organisation can offer an “adequate” level of protection while taking into account a variety of conditions such as the rule of law, respect for human rights, national security and criminal law, access of public authorities to personal data, data protection rules, existence of one or more independent supervisory authorities etc. The Commission shall also consider whether the third country has effective and enforceable data subject rights and effective administrative and judicial redress for data subjects whose personal data are being transferred.
With Schrems II, data exporters and importers may now have to put in place additional safeguards to ensure that the level of protection given by SCCs is equivalent to the GDPR, in order to compensate for the lack of data protection in a third country. The CJEU concluded that the non-exhaustive list of criteria prescribed in Article 45 of the GDPR for assessment of adequacy by the Commission corresponds to the list of criteria required by the SCCs to be taken into consideration by a data exporter when determining whether the level of protection offered by a data importer is adequate for that specific data transfer to a jurisdiction outside the EU. When performing the assessment, the exporter must take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The assessment should include:
The CJEU also noted that SCCs may not always sufficiently ensure effective protection of transferred personal data, particularly when the laws of the third country allow its public authorities to interfere with rights of the data subjects. It based the validity of the SCCs on whether the additional effective mechanisms and safeguards make it possible to ensure compliance with a level of protection equivalent to that guaranteed within the GDPR. In the event of a breach of the SCC clauses, or if it is impossible to honour the clauses, the transfer of personal data must be suspended or prohibited. If data has already been transferred under SCCs, it must be returned or destroyed immediately.
Repercussions for Indian Companies
Indian companies receiving data from the EU have generally relied on SCCs and Binding Corporate Rules (“BCR”) to meet compliance requirements under the GDPR. BCRs are rules that govern an entity or a group of entities, and apply to data transfers within the group. However, with India yet to be considered by the EU as having an established legal or regulatory framework that ensures data protection and privacy, existing SCCs and BCRs will have to be revisited to ensure unimpeded flow of data from the EU to India, post Schrems II. India’s law enforcement apparatus has a wide range of powers that may be exercised in the interest of national security, with such powers being recognised by the Courts as an exception to the fundamental right to privacy. Much like in the US, if law enforcement authorities were to approach an Indian company for access to personal data of EU citizens, the company would generally have to comply- irrespective of any contractual obligations between the company and a data importer/exporter.
India has made progress towards establishing a legal framework for data protection, with the Personal Data Protection Bill (“Bill”) being tabled in the Lower House of India’s Parliament on December 11, 2019. While the Bill has been modelled along the lines of the GDPR, there are a few significant differences between the two data protection laws:
Given the above, it is unlikely that the Bill in its current form would allow India to meet third-party “adequacy” requirements as prescribed under Article 45 of the GDPR, and thus making it increasingly important for data importers to put in place SCCs with adequate safeguards.
Mitigation Measures by Companies
With the increased importance of SCCs in data transfer agreements between EU and third-party countries, both importers of data from India and exporters of data from EU will need to undertake several measures to ensure that the SCCs are of equivalency with the protection standards of the GDPR to ensure the unimpeded flow of data across jurisdictions. Companies may take the following measures to ensure compliance:
Following Schrems II, the European Data Protection Board (“EDPB”), an independent body of the EU in charge of application of the GDPR, released recommendations on November 10, 2020 (“EPDB Recommendation”) on measures that can be taken to ensure compliance with the EU level of protection of personal data. A summary of the recommendations are as follows:
Suggested Changes to SCC Clauses
The EU, under decisions 2001/497/EC and 2004/915/EC, had issued sets of SCCs for personal data transfers from EU data controllers to non-EU data controllers. It had also issued a set of contractual clauses for data transfers from EU data controllers to non-EU data processors, under decision 2010/87/EU. These SCCs are likely to be superseded by a new set of draft SCCs that the Commission has released in response to Schrems II. The new draft SCCs include contractual clauses for data transfers from EU data processors to non-EU data processors, and from EU data processors to non-EU data controllers.
While supervisory authorities are still considering how Schrems II would impact these standard form clauses, the Commissioner for Data Protection and Freedom of Information for the German State of Baden- Württemberg (“LFDI BW”) recently published indicative guidance on how supplemental measures may be added to SCCs pursuant to Schrems II, by amending the following SCC Clauses:
The EPDB Recommendations also provide examples of supplementary measures that can be adopted to ensure equivalence with the GDPR, including technical measures that may be implemented based on the circumstances of the data transfer, contractual measures that can be added to complement and reinforce safeguards, transparency obligations that can be annexed to the contract and bind the importer, organisational measures and data minimisation measures, internal policies for governance of transfers within groups of enterprises and adoption of standards and best practices.
While these recommendations by the LFDI BW and EPDB are non-exhaustive and recommendatory in nature, companies must remember to ensure that their SCCs or other transfer tools are suitably modified to meet GDPR adequacy standards based on the nature of data transfer they are engaged in, and evaluate the transfer tool on a case-by-case basis. Companies must also review data flows and consider putting in supplementary measures (such as further contractual obligations), while diligently documenting their GDPR compliance efforts.
This paper has been written by Suchita Ambadipudi (Partner), Vinod Joseph (Partner) and Pranav Pillai (Associate).
11, 1st Floor, Free Press House
215, Nariman Point
Mumbai – 400021
9 – 10 Bahadur Shah Zafar Marg
Delhi – 110002
68 Nandidurga Road
Bengaluru – 560046
3rd Floor, 27B Camac Street
Kolkata – 700016
The rules of the Bar Council of India do not permit advocates to solicit work or advertise in any manner. This website has been created only for informational purposes and is not intended to constitute solicitation, invitation, advertisement or inducement of any sort whatsoever from us or any of our members to solicit any work in any manner. By clicking on 'Agree' below, you acknowledge and confirm the following:
a) there has been no solicitation, invitation, advertisement or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
b) you are desirous of obtaining further information about us on your own accord and for your use;
c) no information or material provided on this website is to be construed as a legal opinion and use of this website will not create any lawyer-client relationship;
d) while reasonable care has been taken in ensuring the accuracy of the contents of the website, Argus Partners shall not be responsible for the results of any actions taken on the basis of information provided in this website or for any error or omission in the website; and
e) in cases where the user has any legal issues, the user must seek independent legal advice.