Mathew Chacko, Aadya Misra and Shambhavi Mishra
Schrems II and subsequent developments have led to an increased focus on the government access to data regime of ‘third countries’ (that is, countries not in the European Economic Area or EEA). Data exporters in the EEA are required to ensure that the transferred data is afforded a level of protection ‘essentially equivalent’ to that guaranteed under the General Data Protection Regulation. This article analyses whether the Indian government’s powers of access to data satisfy this test of ‘essential equivalence’.
For years, the European Union’s General Data Protection Regulation (“GDPR”) has been hailed as the harbinger of global data regulation. It dictated global data flows, provoked a flurry of similar legislation, persuaded global corporates to take data protection seriously and prompted wistful references from non-European data lawyers and regulators. The decision of the Court of Justice of the European Union in Data Protection Commissioner vs Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) threatens this trend towards “globalisation” and imposes an onerous requirement on exporters of data: they must ensure that data subjects are guaranteed a level of protection essentially equivalent to that guaranteed under the GDPR and the Charter of Fundamental Rights of the European Union (the “Charter”).
While the Court of Justice was delivering its decision, authorities in Modi’s India, tasked with protecting national security, appeared to have been grappling with the increased use of sophisticated communication technology by “anti-national” interests on the one hand, and “cyber warfare” and “data grab” from across the border on the other. A robust and nationalist interception framework was rapidly being developed – both as a matter of policy and for incorporation in proposed data legislation. This raises the question: are these often-exercised powers of interception consistent with the rights that European data subjects are guaranteed, i.e., a level of protection essentially equivalent to that guaranteed under the GDPR and the Charter?
1. THE SCHREMS II JUDGMENT AND U.S. SURVEILLANCE
1.1. Cross-border data transfers in the EU are subject to the GDPR. As a general rule, exports of personal data from the EU cannot undermine the protections afforded by European laws. The GDPR provides different legal bases for cross-border transfers; these include adequacy decisions awarded to third parties by the European Commission (“Commission”), appropriate safeguards that include standard contractual clauses (“SCCs”) adopted by the Commission and binding corporate rules (“BCRs”) approved by data protection authorities, and derogations for specific situations.
1.2. In 2016, the Commission issued an adequacy decision in respect of the New Framework for Transatlantic Exchanges of Personal Data for Commercial Purposes, the EU-U.S. Privacy Shield (“Privacy Shield”). The Privacy Shield was a framework jointly developed by the US Department of Commerce and the Commission to enable the transfer of personal data from the EU to the United States. Companies certified under the Privacy Shield fell within the scope of the Commission’s adequacy decision, which enabled them to receive personal data from the EU.
1.3. In December 2015, Mr Maximillian Schrems complained of the transfer of his personal data from Facebook Ireland to Facebook Inc. in the United States. He sought an order that Facebook Ireland (a subsidiary of Facebook Inc., and the entity with which users in the EU contracted to use the Facebook platform) be prevented from transferring his personal data to the United States, on the basis that the law and practices in that country did not ensure adequate protection of his personal data against the surveillance activities undertaken by public authorities such as the National Security Agency and the Federal Bureau of Investigation.
1.4. In its decision, the Court of Justice of the European Union (“CJEU”):
(a) invalidated the EU-US Privacy Shield due to privacy-invading US surveillance programs; and
(b) upheld the validity of standard contractual clauses, conditionally.
1.5. The CJEU noted that Section 702 of the Foreign Intelligence Surveillance Act of 1978, which provides the procedure for surveillance targeting foreign persons outside the U.S., did not contain any limitations on the power it conferred to implement surveillance programmes for foreign intelligence. Moreover, it did not provide any guarantees to non-U.S. persons potentially affected by such programmes. The legal bases under which surveillance may be carried out under these programmes were not limited to what was strictly necessary, contravening the principle of proportionality.
1.6. Accordingly, personal data transfers to the US based on the Privacy Shield were rendered illegal. Companies and businesses certified under the Privacy Shield framework, which were previously able to transfer personal data to the US lawfully by complying with the Privacy Shield principles (notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; recourse, enforceability, and liability), could no longer do so.
1.7. Separately, the CJEU held that organisations must suspend the export of personal data based on SCCs unless they could ensure that the data subjects are guaranteed a level of protection essentially equivalent to that guaranteed by the GDPR and the Charter.
1.8. The European Data Protection Board (“EDPB”) has subsequently released two recommendations affecting international data transfers in response to Schrems II:
(a) Recommendations 01/2020 on Measures that Supplement Transfer Tools with the EU Level of Protection of Personal Data
The EDPB recommended steps that data exporters must undertake to assess third countries and identify the supplementary measures that need to be taken. These include assessing the laws and practices of third countries to determine the effectiveness of transfer tools, and identifying and adopting supplementary measures on the basis of that assessment. Supplementary measures may be technical, contractual, or organisational. Data transfers cannot commence unless the data exporter identifies and adopts supplementary measures that ensure the transferred data receives an ‘essentially equivalent’ level of protection.
The EDPB identified certain “essential guarantees” (“Essential Guarantees”) to ensure that transferred personal data is protected from surveillance measures that go beyond what is necessary and proportionate in a democratic society. Laws within transferee jurisdictions must comply with these Essential Guarantees, which are:
(i) processing must be based on clear, precise, and accessible rules;
(ii) necessity and proportionality regarding the legitimate objectives pursued need to be demonstrated;
(iii) an independent oversight mechanism must exist (“Independent Oversight Mechanism”); and
(iv) effective remedies must be available to the individual (“Effective Remedies”).
2. INDIAN LEGAL FRAMEWORK
2.1. THE LEGAL REGIME SURROUNDING SURVEILLANCE
While government access to data is possible under several Indian laws, the two legislations that are most often utilised by Indian enforcement authorities are the Information Technology Act, 2000 (“IT Act”) and the Telegraph Act, 1885 (“Telegraph Act”).
The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (“Interception Rules”) and the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 (“Monitoring Rules”), issued under the Information Technology Act, prescribe the procedure and safeguards for the conduct of interception, monitoring, or collection of data.
According to Section 69 of the IT Act, directions for the interception, monitoring, and decryption of any information may be issued to protect the sovereignty or integrity of India, the defence of the state, the security of the state, friendly relations with foreign states or public order, or for preventing incitement to the commission of any cognisable offence relating to the above, or for the investigation of any offence. Separately, under Section 69B of the IT Act, directions for the monitoring and collection of traffic data may be issued on the grounds of enhancing cyber security and for the identification, analysis, and prevention of the intrusion or spread of a computer contaminant in India.
Similarly, in the event of a public emergency or in the interests of public safety, Section 5 of the Telegraph Act empowers the Central and State Governments to issue directions for the interception of messages on the grounds of the sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order, or for preventing incitement to the commission of an offence. Rule 419A of the Indian Telegraph (Amendment) Rules 2007 (“Telegraph Rules”) provides for the review of any directions and orders passed under Section 5 of the Telegraph Act by a review committee consisting of members of the executive (“Review Committee”). The Review Committee constituted by the Central Government comprises the Cabinet Secretary and the Secretaries to the Government of India in charge of Legal Affairs and the Department of Telecommunications, and the Review Committee constituted by a State Government comprises the Chief Secretary, the Secretary Law, and a Secretary to the State Government (other than the Home Secretary). There is no independent oversight, since these personnel report to members of the Indian government.
The Review Committee is not the ‘Independent’ Oversight Mechanism envisaged by the Essential Guarantees. Additionally, since there is no provision for notifying an individual that their data is being accessed, such individuals are not aware of the surveillance or interception and are, therefore, unable to exercise remedies. Neither the IT Act nor the Telegraph Act provides Effective Remedies for subjects who are under surveillance. The EDPB’s guidance on the Essential Guarantees indicates that such remedies include general data subject rights, such as the rights to access, rectification, or erasure, and the right to bring actions before independent and impartial courts.
Primarily, data protection obligations in India arise out of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 issued under the IT Act. Under these Rules, organisations may disclose sensitive personal data only on the grounds of prior permission of the provider of the information, contractual necessity, or legal compliance. However, no prior consent of the provider of the information is required when such disclosure is required by government agencies mandated under the law.
The Interception Rules, Monitoring Rules, and the Telegraph Rules all impose strict confidentiality and secrecy obligations on persons receiving requests for the interception or monitoring of information or communications. While constitutional remedies may lie, these processes may not satisfy European law, especially since in most cases data subjects are not aware of the surveillance. This lack of awareness precludes data subjects from exercising Effective Remedies, since they do not know that there is anything to remedy in the first place. Theoretically, under the Right to Information Act, 2005, citizens may seek access to information under the control of public authorities, which may enable them to seek access to information relating to their personal data in a public authority’s possession. However, this right has hardly ever been successfully exercised for this purpose. Separately, exercising this right would at the minimum require individuals to suspect that they are under surveillance.
3. INDIAN SURVEILLANCE PROGRAMMES
3.1. Indian surveillance programmes include:
(a) Central Monitoring System (“CMS”): The objective of CMS is to automate the interception and monitoring of telecommunications. The government has clarified that the oversight mechanism available under Rule 419A of the Indian Telegraph (Amendment) Rules 2007 extends to the operation of CMS as well.
(b) Network Traffic Analysis (“NETRA”): The NETRA software monitors internet traffic on a real-time basis and is used by intelligence agencies, such as the Research and Analysis Wing.
(c) National Intelligence Grid (“NATGRID”): NATGRID is an information technology framework that connects law enforcement and security agencies, such as the Intelligence Bureau or the Enforcement Directorate, with data providers such as airlines, banks, or railways, to enhance the country’s counter-terrorism capabilities. It has been clarified that the extant privacy regime applies to NATGRID as well.
Powers of surveillance under these programmes (and the absence of limits on the exercise of these powers) appear, prima facie, to be inconsistent with European law. The Essential Guarantees require that processing be based on clear, precise and accessible rules. However, there are no notified laws under which these surveillance programmes have been set up, and no clear grounds on which surveillance is carried out. These surveillance programmes have no statutory basis, and there are no ‘clear, precise or accessible’ rules that lay down their scope or applicability, or any minimum safeguards against misuse. The Indian government has argued that the procedures under the IT Act and the Telegraph Act are followed, but as discussed in Section 2.1, there is no independent oversight mechanism in place and individuals are rarely aware that they are being surveilled. Prima facie, Indian surveillance programmes do not comply with any of the Essential Guarantees.
4. AND WHAT OF THE CONSTITUTION …?
4.1. In People’s Union for Civil Liberties v Union of India, the Supreme Court held that the interception of telegraphic messages or the tapping of telephonic conversations is an infraction of the fundamental rights guaranteed under the Indian Constitution and may be done only in accordance with the procedure established by law. The Supreme Court also laid down procedural guidelines to be followed before issuing orders or directions enabling interception, which were later given statutory backing in the form of Rule 419A of the Telegraph Rules. Interestingly, the court held that, in the absence of an enabling provision in the Telegraph Act, it could not require judicial scrutiny of orders as a procedural safeguard.
4.2. Subsequently, in KS Puttaswamy vs Union of India (Aadhaar, 5 Judge), the Supreme Court ruled on Section 33 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act of 2016 that allows for the disclosure of information in certain cases. The Supreme Court observed that:
(a) an individual whose information is sought to be released must be afforded an opportunity of a hearing (and of an appeal); and
(b) to avoid the misuse of such a provision, a judicial officer, preferably a sitting High Court judge, must also be ‘associated’ with the issuance of directions for disclosure on national security grounds.
4.3. While the judiciary has, in many instances, placed restrictions on the exercise of similar powers, Indian law may not pass the high threshold imposed by the CJEU (and the EDPB). The prospective Indian draft Data Protection Bill empowers the Central Government to exempt any government agency from the application of the law on grounds such as the sovereignty and integrity of India and public order, subject to a prescribed procedure (a just, fair, reasonable and proportionate procedure), safeguards, and an oversight mechanism – the contours of which are unclear. The Justice B.N. Srikrishna Committee Report makes some pertinent recommendations: the new data protection law must ‘carefully outline watertight exemptions that are narrow and are availed in limited circumstances’, and ‘surveillance should not be carried out without a degree of transparency that can pass the muster of the Puttaswamy test of necessity, proportionality, and due process.’ It is hoped that the final version of the bill incorporates these.
Indian laws enabling the interception and monitoring of information or communications, and the surveillance programmes, do not, prima facie, appear to satisfy the Essential Guarantees identified by the EDPB, and accordingly are not consistent with the standards required under the GDPR. Nonetheless, the Supreme Court in Manohar Lal Sharma vs Union of India has constituted a ‘technical committee’, comprising members with expertise in the fields of cybersecurity, digital forensics, and networks and hardware, with a promising mandate to, among other things, make recommendations on the amendments required to existing law and procedure surrounding surveillance in order to secure an improved right to privacy, and to establish a mechanism for citizens to raise grievances if they suspect that they are being surveilled. While this does not change the status quo, it does signal a welcome relook at Indian surveillance laws and practices.
India is also in the process of overhauling its data protection laws. If the real-world implications of increased scrutiny of data transfers from Europe to India encourage Indian legislators to temper the urge to grant sweeping powers of surveillance and interception to enforcement authorities, Maximillian Schrems may well have written himself into Indian legislative history. However, all indications are that, even though Modi’s India is more conscious of the rights of data subjects, national security will, as it always has, trump such considerations.
Mathew Chacko is the Head of the Technology, Media & Telecommunications practice group at Spice Route Legal, and one of the firm’s founding partners, with extensive experience in advising on cross-border data protection and cybersecurity matters.
LinkedIn URL: linkedin.com/in/mathewchacko1
Aadya Misra is a senior associate with Spice Route Legal’s Technology, Media and Telecommunications practice group, with a special focus on, and extensive experience in, handling data protection, cybersecurity and privacy mandates. She is an internationally recognised data protection expert and an IAPP certified privacy professional.
LinkedIn URL: linkedin.com/in/aadyamisra
Shambhavi Mishra is an associate with Spice Route Legal’s market-leading Data Protection, Privacy and Cybersecurity practice, with a focus on the data privacy and protection aspects of ad-tech, marketing, and social media.
LinkedIn URL: linkedin.com/in/shambhavi-mishra-9a7101213