
Jurisdictional Challenges to Personal Data Transfers into India: Does the Digital Personal Data Protection Act, 2023 ensure an adequate level of Protection?

-Anindita Dutta*


 

Abstract


In a world of global trade and constant transnational data flows, the Digital Personal Data Protection Act, 2023 dilutes data localisation requirements, ensuring free flow of personal data outside India (unless restricted). However, as far as personal data flows into India are concerned, the statute falls short. In this article, I analyse the provisions of DPDPA which, along with the existing information technology and surveillance laws, have the potential to hamper personal data flows into India, given the Indian public authorities' wide powers to access such personal data. The growing focus on individual privacy as well as government and private surveillance will now require new and extant laws to be maneuvered, and their effects alleviated, with jurisdictional mitigants to ensure protected and continued data sharing between other countries and India.


 

Introduction


There have been recent news reports surrounding the issuance of rules under the Digital Personal Data Protection Act, 2023 (DPDPA), a statute focussing solely and comprehensively on the protection of personal data in India. The DPDPA, published for general information in the official gazette on 11 August 2023, came into existence six years after the Indian Supreme Court’s ruling in K. S. Puttaswamy (Retd.) v. Union of India, wherein the right to informational privacy was recognised under Article 21 of the Indian Constitution. The implementation of the statute will be preceded by the issuance of associated rules and the establishment of the Data Protection Board of India (DPBI), the adjudicatory body under the DPDPA.


The DPDPA’s provisions on DPBI’s constitution and powers and its various exemptions to the Government for personal data processing are expected to play a role in limiting cross-border personal data transfers from the European Union (EU) into India. These provisions are in addition to the existing data protection and surveillance laws in India and will have to be navigated carefully and mitigated sufficiently.


In this article, I, firstly, summarise the EU jurisprudence on personal data flows outside the European Economic Area (which includes member states of the EU and Norway, Iceland and Liechtenstein) (collectively, EEA). Secondly, I analyse the data protection and surveillance laws in India to assess whether they meet the GDPR and Schrems II thresholds of protection to informational privacy. This will be accompanied by a thorough analysis of the various provisions of the DPDPA. Thirdly, I propose a way forward in the form of jurisdictional mitigants that can be employed by data exporters and importers to sufficiently protect personal data of EU citizens.   

 

Part I: GDPR, the Schrems II Judgement and transfer impact assessments  

 

Last year in July, the European Commission (EC) formally adopted the EU-US Data Privacy Framework (Privacy Framework), an adequacy decision under the EU General Data Protection Regulation (GDPR), the primary regulation governing the protection of personal data in the EU.  The Privacy Framework now ensures a free flow of data from the EEA to the United States (US) without requiring any further specific authorisation.


Data exports from the EEA to third countries can only be made if such target country ensures an ‘adequate level of protection’ to data as guaranteed under the GDPR. Firstly, an adequacy decision may be adopted by the EC in favour of certain countries after analysing their national laws (including, inter alia, concepts like the rule of law and separation of powers) and international commitments. An adequacy decision implies that no additional authorisation is needed – currently, the EC provides a list of 16 adequate countries. Secondly, additional ‘appropriate safeguards’ in the form of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) between EEA exporters and non-EEA importers may permit such personal data transfers. SCCs are a set of pre-approved, GDPR-compliant standard or model contractual clauses which EEA exporters and non-EEA importers enter into before undertaking any cross-border transfers. BCRs, on the other hand, are specific to personal data transfers outside EEA between entities within the same corporate group and need to be approved on a company-to-company basis by relevant data protection authorities and the European Data Protection Board (EDPB).


However, the sole reliance on SCCs for cross-border transfers of personal data has been challenged by the Schrems II Judgement (defined below). Maximilian Schrems had challenged the transfer of personal data belonging to Facebook users from Facebook Ireland to Facebook Inc., the servers of which were located in the US, on the ground that US laws did not ensure adequate controls against access to personal data by the US public authorities.


The Court of Justice of the European Union (CJEU):


  1. In Maximilian Schrems v. Data Protection Commissioner (Schrems I Judgement) (2015) invalidated the US “Safe Harbour Scheme”, a certification-scheme authorising US entities to import personal data from the EU upon adherence to certain data protection principles; and

  2. In Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems (Schrems II Judgement) (2020) invalidated the US ‘Privacy Shield’. A response to the Schrems I Judgement, the Privacy Shield imposed stricter obligations on US data importers, with the appointment of an independent Ombudsperson for redressal against access by US authorities.


The Schrems II Judgement has had far-reaching consequences, not only for trans-Atlantic data flows, but also for personal data transfers to all non-EEA countries falling outside the protection guaranteed by EC’s adequacy decisions. While not invalidating the SCCs, the CJEU held that transfers merely on the basis of SCCs may not be sufficient to adequately protect personal data on account of the local surveillance laws in target countries which may allow government authorities and agencies access to personal data of EU citizens.


The Schrems II Judgement led to the EDPB recommending four European Essential Guarantees (EEGs) – namely, (i) laws of the target country regarding processing of personal data should be clear, precise and accessible; (ii) processing should be necessary and proportional; (iii) there should exist an independent oversight mechanism on processing/ surveillance mechanisms; and (iv) data subjects should have effective redressal mechanisms before the judiciary. Additionally, SCCs were modified on 4 June 2021 to include contractual safeguards against local laws of target jurisdictions that affect the capability of importers to comply with the GDPR and those that allow access to personal data by public authorities.


Now organisations undergo a case-by-case analysis on the EEGs. This is called a transfer impact assessment, an analysis of the factual context and circumstances surrounding the transfer (i.e., context and purpose of transfer, categories of personal data and data subjects involved and the country and sector personal data is being transferred to) and the laws of the target country in relation to the protection of personal data, including surveillance laws. The analysis is to see if the level of protection is essentially equivalent to that afforded under the GDPR and if not, the kind of jurisdictional mitigants (such as, encryption, pseudonymisation and maintaining access log records, among others), if any at all, can be applied to a particular case to transfer the data adequately. If no jurisdictional mitigant or any additional supplemental measure is adequate, a data transfer will not take place and the non-EEA importer-EEA exporter relationship will stand suspended.


Part II: What would a transfer impact assessment conducted for India look like?


Data protection and surveillance laws in India


Currently, protection of personal data (mainly sensitive personal data) is governed under the Information Technology Act, 2000 (IT Act) and the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules), with obligations of notice, consent, and adoption of security controls.


However, various information technology laws in the country also grant powers of surveillance to the Government. The IT Act, along with the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 and the IT (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009, allows the Government to intercept, monitor and decrypt information, including traffic data. The Telecommunications Act, 2023 grants the Government similar powers to intercept and monitor messages flowing through telecom networks. While these interception orders are required to be reasoned and are subject to the approval of review committees, these committees are made up of Government-appointed officials, leading to executive interference in the review mechanism.


Further, the Government can, for investigative reasons, mandate companies and intermediaries to disclose personal data, without consent of individuals, under the SPDI Rules and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and order investigation, obtain information and require search and seizure of documents via established procedures under various civil and criminal laws.


Additionally, and more glaringly, there are surveillance programs set up by the Government – Centralised Monitoring System, Network Traffic Analysis and National Intelligence Grid – for interception and monitoring and subsequent disclosure of telephonic and internet communication data. It is problematic that no separate statutes govern these surveillance mechanisms (thereby, leading to these programs falling foul of the EEG requirement of statutory/ legal basis of processing personal data); nor do they place any limitations on the Government’s powers.   


Does the DPDPA alleviate the concerns or worsen them?


Tests of proportionality and necessity


The DPDPA, unlike the GDPR, provides for two legal bases for processing of personal data – data fiduciaries (akin to data controllers) need free, informed, specific, unconditional and unambiguous consent from data principals (akin to data subjects) to process their personal data, unless such processing can be justified as one of the prescribed ‘legitimate uses’. Processing of personal data by the Government to provide any subsidy or benefit, if the individual has previously consented to the Government using their personal data for the same reason, is a legitimate use, exempting the Government from obtaining the explicit consent of the concerned individuals.


More importantly, Government agencies are exempted from various obligations under the DPDPA when processing personal data for:

  1. legal functions;

  2. sovereignty, integrity or the security of India;

  3. foreign affairs;

  4. public order; or

  5. investigation and prosecution of offences.


The CJEU’s primary concern, highlighted in the Schrems II Judgement, was that the US local laws allowed US public authorities to interfere with the fundamental rights of individuals for the purposes of national security, public interest and law enforcement. In a similar way, the above-mentioned grounds of processing provided under the DPDPA have a wide ambit, with none of the terms having been defined, or their contours specified or curtailed by the statute. Further, the broad scope of legal function, public order and national security also suggest that there exist very few limitations (if at all) on the Government’s powers to process personal data, which would include personal data of EEA citizens.


The exemptions available to the Government include exemptions from consent and erasure requirements. Exemptions from consent obligations are also available to body corporates and other data fiduciaries while making personal data disclosures to the Government which are required under the law. As a result, the Government does not need explicit consent from data principals to process their personal data, and in many instances, individuals might not even be aware of the specific instances where their personal data is disclosed to and/or processed by the Government under the DPDPA.


Additionally, the DPDPA allowing the Government to process personal data for the above grounds provides the Government the legal justification for processing personal data which may not be strictly necessary, nor proportional. With no erasure obligations, there is also a possibility that the Government retains the personal data for longer durations than necessary.


Independent judicial redress


As mentioned in the introductory paragraph above, the DPDPA seeks to establish the DPBI as the adjudicatory body and lays down an adjudication procedure to be followed for data fiduciary non-compliances. The DPBI will be equivalent to, and will have all such powers of, Indian civil courts. DPBI orders can be challenged before the Telecom Disputes Settlement and Appellate Tribunal and further, before the Supreme Court. However, the DPDPA provides that the Chairperson and members of the DPBI will be Government-appointed individuals, thereby raising concerns over separation of powers and a lack of independent oversight over executive surveillance. Further, none of the statutes analysed above have provisions on ex-ante approval of interception orders or DPBI orders by an independent wing, such as the judiciary.


While the legal provisions found in the laws analysed above are not uncommon, it can be inferred that they impact the level of protection afforded to personal data:


(a)   The laws in India may not qualify as ‘clear, precise and accessible’, given Government’s covert and undocumented surveillance powers which do not have a statutory backing;

(b)   Obligations of secrecy or exemptions from consent accompany obligations of disclosure to the Government;

(c)   Tests of necessity and proportionality are rarely fulfilled, given the wide powers of the Government to process personal data;

(d)   There exist exemptions from erasure obligations and a lack of prescribed retention periods;

(e)   Members of adjudicatory bodies are Government-appointed individuals; and

(f)    While there exist independent judicial mechanisms before various courts, this might be impacted due to data principals being unaware of the extent to which their personal data may be processed by the Government, for reasons specified in (a) and (b).


Part III: The Jurisdictional Mitigants


In response to the inference above that India fails to prescribe adequate data protection controls, EEA transfers into India will have to be accompanied by certain jurisdictional mitigants. The exporter-importer data sharing agreements should contain robust clauses on data security and privacy, which should provide for/ take into consideration:


(i)             Principle of data minimisation: Data exporters should ensure that only minimal data that is necessary is transferred to the importer. Data importers should disclose only as much personal data to public authorities as is absolutely necessary. This will lead to public authorities having limited exposure to personal data.

(ii)            Data deletion/ purging: All files (including back-up files on internal servers, emails and personal devices) on the importers’ servers should be deleted after the purpose of processing/ transfer is over.

(iii)           Data segregation: All personal data transferred should be classified and labelled, based on its vulnerability and sensitivity, accompanied by attempts to not disclose highly sensitive information, to the extent possible under law.

(iv)           Data breaches, security incidents and breach notifications: Agreements should require importers to intimate the exporters of personal data leaks on their systems or servers, as soon as possible.

(v)            Modes of exchange: Personal data exchanged over emails should be password protected, with passwords shared over separate emails. Alternatively, SFTP transfers could be used as they are considered more secure than traditional methods of file transfer.

(vi)           Access controls: Access to personal data should be limited to certain authorised personnel, for instance, limiting the access to the SFTP folders. Depending upon the nature and purpose of processing, files could be shared with view access only, restricting edit and download rights. 

(vii)         Technical controls: Data exporters should anonymise personal data, by ways of redaction, encryption or tokenisation. Encryption should be followed while the data is in transit as well as at rest. Such encryption and decryption keys should be accessible to a few people only.
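The following is an added illustration, not part of the article, of how mitigants (i) and (vii) can be combined in practice: the EEA exporter strips fields the importer does not need and replaces direct identifiers with keyed tokens, while the key and the token-to-identity mapping stay with the exporter. All field names, the sample record and the `ExporterVault` class are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample record, as it might sit on an EEA exporter's system.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "jane.doe@example.com",
    "full_name": "Jane Doe",
    "account_balance": 1250.00,
    "risk_score": 42,
}

# (i) Minimisation: only the fields the importer needs for the stated purpose.
ALLOWED_FIELDS = {"customer_id", "email", "account_balance", "risk_score"}
# (vii) Direct identifiers that must not leave the EEA in clear text.
DIRECT_IDENTIFIERS = {"customer_id", "email", "full_name"}


class ExporterVault:
    """Exporter-side key and token mapping; this object never leaves the EEA."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.mapping = {}  # token -> (field, original value)

    def tokenise(self, field, value):
        # Keyed HMAC: without the key, an importer (or an authority receiving
        # the importer's copy) cannot rebuild tokens from guessed identifiers.
        # The same input always yields the same token, so the importer can
        # still join batches without ever seeing the identity behind them.
        msg = f"{field}:{value}".encode()
        token = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:24]
        self.mapping[token] = (field, value)
        return token

    def reidentify(self, token):
        # Only the exporter can do this, using the mapping it retained.
        return self.mapping[token]


def pseudonymise_record(record, vault):
    """Apply minimisation and tokenisation before transfer to the importer."""
    out = {}
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            continue  # not needed by the importer: never transferred
        out[field] = vault.tokenise(field, value) if field in DIRECT_IDENTIFIERS else value
    return out


def is_safe_to_export(record, vault):
    """True only if every direct identifier present is a token the vault issued."""
    return all(record[f] in vault.mapping for f in record if f in DIRECT_IDENTIFIERS)
```

Because the mapping and key remain with the exporter, a disclosure compelled from the importer under the laws discussed above exposes tokens and attributes, not identities, which narrows what a public authority can learn from the importer alone.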


Therefore, to conclude, cross-border transfers of personal data from the EEA into India will require additional safeguards given the lack of an adequacy decision between the EEA and India, and the insufficiency of SCCs as held by the Schrems II Judgement. An analysis of the Indian legal framework suggests that processing of personal data may be accompanied by (i) a lack of clear, precise and documented laws, (ii) a lack of necessity and proportionality and (iii) a likelihood of executive interference in judicial redress. Additional safeguards are required to navigate the jurisdictional barriers in the form of contractual clauses, technical security controls and adherence


 

*Anindita Dutta is currently working as a technology lawyer at a consultancy firm in Mumbai. She specialises in data protection and privacy laws impacting Indian and multinational financial service providers. She is a graduate of the West Bengal National University of Juridical Sciences (NUJS), Kolkata.



Published by the National Law School of India University,
Bangalore, India – 560072

© 2021 Indian Journal of Law and Technology. All Rights Reserved.
ISSN : 0973-0362 | LCCN : 2007-389206 | OCLC : 162508474
