Potential Impact of Schrems II on India’s Adequacy Determination

About the author:

Author has an MSc in AI from UPC (Barcelona) and TUM (Munich). He works as a Technical Program Manager at Car.Software Org (Volkswagen AG), Berlin. Views expressed in this article are his own and do not reflect the views of his employer.

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18) (aka “Schrems II” after the petitioner, an Austrian privacy advocate Maximillian Schrems), invalidated the decision on the adequacy of the protection provided by the EU-US Privacy Shield, meaning the Privacy Shield is no longer available as an instrument for transferring personal data from the EU to the US.

This article is an attempt to evaluate India’s chances of securing an adequacy status from the EU, in the light of Schrems II judgement. It is divided into two parts. In Part I, the “what”, “why” and the “how” of adequacy decisions under GDPR are presented. Part II analyzes the alternatives to adequacy decisions and their relevance for India. It explores the contentious issues in India’s Personal Data Protection Bill, 2019 (“PDB Bill, 2019”), based on the grounds on which Privacy Shield was overruled. There is a reference to the EU-Japan adequacy agreement, which might serv