-Abhishek Saurabh*
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18) (aka “Schrems II” after the petitioner, an Austrian privacy advocate Maximillian Schrems), invalidated the decision on the adequacy of the protection provided by the EU-US Privacy Shield, meaning the Privacy Shield is no longer available as an instrument for transferring personal data from the EU to the US.
This article is an attempt to evaluate India’s chances of securing an adequacy status from the EU, in the light of Schrems II judgement. It is divided into two parts. In Part I, the “what”, “why” and the “how” of adequacy decisions under GDPR are presented. Part II analyzes the alternatives to adequacy decisions and their relevance for India. It explores the contentious issues in India’s Personal Data Protection Bill, 2019 (“PDB Bill, 2019”), based on the grounds on which Privacy Shield was overruled. There is a reference to the EU-Japan adequacy agreement, which might serve as an alternative for India while not fully aligning its privacy regime with the EU. The article concludes with a few recommendations.
Part I
What is an adequacy decision?
On May 25, 2018 the landmark General Data Protection Regulation (GDPR) of the European Union (“EU”) came into effect. Broadly speaking, it is a set of regulations which sets out rules applicable to the processing of personal data of EU citizens, regardless of whether the processing takes place within the EU or outside. This extraterritorial applicability means that it is also applicable to non-EU organizations. Any data which can be used to identify an individual directly or indirectly, falls within the purview of the GDPR. Depending on the extent and the severity of violation, non-compliance by a company can result in fines to the tune of millions of Euros.
Article 45 of GDPR empowers the European Commission (“the Commission”) to determine whether a country outside of the EU ensures an adequate level of data protection. Once the adequacy decision with a third country is adopted by the Commission, data can flow from the European Economic Area (“EEA”) (the 28 EU member states as well as Norway, Liechtenstein and Iceland) to the third country without any further safeguard being necessary. In other words, transfer of data to the third country in question shall be considered equivalent to an intra-EEA transmission of data. The adequacy decision, however, is subject to periodic review by the Commission.
Grounds on which adequacy is determined
To determine adequacy, the Commission primarily reviews if the laws of the third country offer the same level of protection for personal data as are provided under the GDPR. Apart from this, a finding of adequacy requires the Commission to analyze a wide range of factors, such as:
The rule of law, respect for human rights and fundamental freedoms and availability of effective administrative and judicial redress for the data subjects, whose personal data is being transferred;
The existence of an independent supervisory authority with adequate enforcement powers;
The international commitments entered into by the third country, particularly relating to the protection of personal data.
Current status of adequacy decisions
Adequacy decisions were originally introduced in 1995 on the basis of the Directive 95/46/EC with a view to encouraging other countries to formulate data protection laws similar to those in the EU. They have been carried over into GDPR with minor changes.
So far, the EU has granted “adequacy status” to 13 countries. Japan is the only country to have signed the mutual adequacy agreement after the GDPR came into effect. In fact, this was the first mutual agreement signed by the EU with a non-EU country.
As noted in this official press memo, with several other countries out of the aforesaid 13, the EU had unilaterally adopted the adequacy decision. The decisions on Canada and the U.S. are “partial” adequacy decisions, meaning personal data can flow from the European Economic Area (EEA) to these countries subject to additional safeguards and authorizations. For example, the decision on Canada applies only to the private entities falling within the scope of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is applicable to entities engaged in commercial activity and includes federally-regulated businesses like banks, airlines and telecommunications companies. However, it is not applicable to not-for-profits, political parties and associations, educational institutions and hospitals, as long as they don’t engage in any commercial activities.
Similar to Canada, the decision on the US was applicable to the companies committing to abide by the binding Privacy Shield principles. Under Privacy Shield, US companies must first sign up to this framework with the U.S. Department of Commerce. Such companies have to comply with what is called “Privacy Principles”. They should have a privacy policy in line with these principles. They must renew their “membership” to the Privacy Shield on an annual basis. If they do not, they can no longer receive and use personal data from the EU under that framework.
What’s noteworthy, even after nearly a quarter of a century since the idea of adequacy was first effected, Japan is the only major economy outside of the EU to have entered into a mutual adequacy agreement – that too after the GDPR came into force.
Keeping this in mind, one might wonder if it is worth investing the time and effort into the process of securing an adequacy status for a non-EU country. After all, in the last, close to three decades, despite the requirements of adequacy, the EU has been one of the largest trading partners for most of these countries, including India, with which it does not have any type of adequacy agreement.
In the following sections, we will see the alternatives to an adequacy status and the relevance of this status for India.
Part II
What if there is no adequacy decision?
In the absence of a blanket decision covering all data transfers – which is what adequacy provides – there are legal instruments which enable the transfer of data from the EU to a third country. Additionally, pursuant to Article 49 of the GDPR, in exceptional cases like those of public interest, data can be transferred, subject to the data exporter ensuring that the transfer meets the strict necessity test.
The two prominent legal instruments using which companies can lawfully engage in cross border data transfers are Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs). BCRs are designed to allow multinational corporations, international organizations and groups of companies to make intra-organizational transfer of personal data across EU borders. SCCs are contracts that require the data importer to commit to EU equivalent standards of data protection, even when none exist in domestic legislation. These are the principle methods used to transfer personal data to third countries with which the EU does not have any adequacy decision.
However, this working paper from the World Bank Group on International Data Flows and Privacy points out that implementing BCRs and SCCs is expensive, both in terms of time and cost. They create a strong incentive for the data importer to establish a local presence in the EU, thereby reducing the margins for firms which export IT services.
Christina Gay, in this paper, argues against regulatory convergence towards a GDPR-like standard for developing countries, for such convergence might result in undesirable consequences. Instead, Gay recommends that third party countries (including the developing ones) and the EU can build off of the EU-US Privacy Shield agreement as a means to resolve the conflict between regulatory heterogeneity and the desire for free international data flows. This agreement enabled over 5000 companies to transfer EU citizens’ personal data from the EU to the US, provided they self-certify that they fulfilled the principles laid out by the framework. These principles in the Privacy Shield were deemed to be adequate by the European Commission thereby allowing transatlantic data flows. As Gay points out, by recognizing the Privacy Shield, the EU opened opportunities for other countries to engage in cross-border data flows. This is because, as per Article VII of the General Agreement on Trade in Services (GATS), the EU is bound to offer opportunities to other countries to negotiate an agreement comparable to the Privacy Shield.
However, with the CJEU striking down the validity of Privacy Shield in Schrems II, this option is no more available and hence adequacy determination for India assumes importance.
Relevance of adequacy status for India
There has been very little research on the value of data flows and adequacy. As noted in “The Cost of Data Inadequacy”, a report from the UCL European Institute, even for the countries which have received adequacy decisions, there is no study which establishes any discernible and measurable economic change before and after having negotiated the adequacy agreement. This can largely be attributed to the fact that unlike trade and investment, information on data flows is not captured in official surveys. The UCL report further notes an observation of the Organization for Economic Co-operation and Development (OECD) that “intra-firm transactions in cross-border data flows are unlikely to be recorded at all in official trade statistics”.
The aforesaid report seems to be the most comprehensive study on estimating the value of adequacy decisions, albeit only for the UK. It pegs the “aggregate” cost to firms in the UK between £1 billion and £1.6 billion due to additional compliance obligations, should they want to continue transferring data from the EU to the UK.
For firms in India too, the economic cost can be estimated to be in that ballpark. The figure represents money that the companies would have otherwise spent on business, for instance, investing in new equipment, staff etc. but are now required to channel into compliance related activities, in the absence of an adequacy decision.
In general, the lack of an adequacy decision, could inter alia, have the following implications.
Increased risk of GDPR fines, due to the new compliance requirements;
Reduction in EU-India trade, especially digital trade;
Reduced investment (both domestic and international);
Relocation of business functions, infrastructure, and personnel outside of India;
Reduced competitiveness of Indian tech industry.
While there are alternatives to adequacy decisions, the lack thereof might be detrimental to the Indian economy, particularly at a time when the economy is already in shambles and the road to recovery appears to be long. This is perhaps one of the reasons why India plans to approach the EU seeking an adequacy status.
How does Schrems II bring India at risk of not getting adequacy?
From the perspective of adequacy decision, the following two points in the PDP Bill, 2019 are rather contentious.
The first being Section 35, according to which the central government pursuant to a written order can authorize the government agencies to process personal data and exempt them from the provisions in the Bill. The section does not specify the procedure to be followed by said government agency while processing personal data under this provision. This leaves the possibility of the executive encroaching on the fundamental rights of citizens merely by an executive order leaving doubts as to whether a legitimate or proportionate objective is fulfilled. Furthermore, the Executive might acquire discretionary powers resulting in arbitrary state action, thereby contravening the Supreme Court’s interpretation of Right to Equality under article 14. Contrast this with Article 23 of the GDPR, which allows the EU and member states to introduce derogations on grounds of national security, defense, public security etc. Such derogations, however, have to respect the essence of fundamental rights and freedoms.
Second, as per section 42, members of the Data Protection Authority (DPA) are to be appointed by a selection committee consisting entirely of the members of the executive (secretaries of the department of the central government). Likewise, under section 44, the power to remove the members of the DPA is vested with the central government. Both these provisions make the independence of DPA questionable. This assumes even more importance, given that the data fiduciaries (anyone collecting or using data), as per the bill, can very well be organizations within the executive. In contrast to PDP Bill, 2019, under GDPR, an “independent” supervisory authority has to be established by each member state in a transparent manner by their parliament, government, head of the state and an independent body.
Prior to Schrems II, because the EU-US Privacy Shield agreement was still a valid instrument, there was hope that India might manage to negotiate a similar agreement. However, now that the CJEU has overturned it, this option is ruled out. The CJEU in Schrems II noted that this agreement acknowledges the primacy of the requirements relating to national security, public interest and compliance with the US laws, thereby allowing interference with the fundamental rights of individuals whose data is being transferred. The CJEU reasoned that the US government’s surveillance programs are not limited in scope and may allow processing of a disproportionate amount of data. The court further indicated that the Privacy Shield does not provide affected individuals any way to appeal before an entity offering remedies equivalent to those provided by the GDPR.
Clearly, the grounds on which Privacy Shield has been invalidated holds good for the two contentious issues in the PDP Bill, 2019, mentioned above. As such, it’s highly unlikely that India and the EU will manage to harmonize their privacy frameworks to arrive at an umbrella adequacy agreement.
That said, the EU-Japan agreement which was negotiated in early 2019, gives some hope. As has been explained by Flora Wang in this paper, the EU acknowledged Japan as providing an essentially equivalent level of data protection to the GDPR despite the two nations having disparate notions of privacy and enforcement of privacy related regulations. Perhaps, the most significant difference between two privacy regimes is that the Japanese privacy framework emphasizes the importance of data as an economic commodity, while the EU considers data protection and privacy to be fundamental rights. Other than this, there were other cultural and legal challenges too, despite which the EU and Japan harmonized their privacy frameworks. This was made possible by the two parties agreeing to append the Supplementary Rules to the latter’s Act on the Protection of Personal Information (APPI). Japan made a few concessions in the Supplementary Rules to satisfy the EU’s adequacy requirements. The one, perhaps relevant to India’s case is the rule ensuring data subject rights will apply to all personal data transferred from the EU, irrespective of their retention period, even though Japanese law does not provide such protections. These Supplementary Rules are binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority (PPC) and courts.
A similar approach might help India to reap the financial benefits of adequacy decision while implementing a data privacy framework which is commensurate with its values, culture and national security.
Conclusion
Regardless of whether one likes it or not, the EU has managed to use its market power as the world’s largest trading bloc with nearly 500 million consumers, to make GDPR the de facto global standard of data protection and privacy. CJEU’s verdict on Schrems II seems to have furthered this cause.
While an adequacy decision, full or partial, is desirable for India for economic reasons, considering the arguments presented in the previous section, it is unlikely that India will secure one given the privacy regime India has envisaged through PDP Bill, 2019. The EU-Japan agreement does show that the EU is willing to take into account contextual differences in its finding of adequacy. India might take a cue from this and secure a partial adequacy status by making a few concessions. Regardless, legal uncertainty will loom large on any such decision unless the PDP Bill is substantially changed, which again appears to be improbable. All of these will likely result in companies seeking to implement SCCs.
Keeping the negative consequences of a no-adequacy decision in mind, the Central Government may adopt certain frameworks within the privacy law that bridge the gap with the EU, namely:
The government can see if it is possible to review the national security and surveillance frameworks to negotiate sector specific adequacy agreements;
The government can provide adequate support like information on additional safeguards for SCCs, as raised in the Schrems II judgement (not covered in this article);
The government can prepare to provide financial assistance to firms, particularly the small and medium enterprises (SMEs) so that they can comply with the new requirements without hurting their prospects of growing;
The government can promote empirical research on the social and economic impacts of data protection, digital trade, and the value of data flows, in order to improve the quality of public policy and democratic engagement in these areas.
Author has an MSc in AI from UPC (Barcelona) and TUM (Munich). He works as a Technical Program Manager at Car.Software Org (Volkswagen AG), Berlin. Views expressed in this article are his own and do not reflect the views of his employer.