Mathew Chacko, Aadya Misra and Shambhavi Mishra
Schrems II and subsequent developments have led to an increased focus on the government access to data regime of ‘third countries’ (that is, countries not in the European Economic Area or EEA). Data exporters in the EEA are required to ensure that the transferred data is afforded a level of protection ‘essentially equivalent’ to that guaranteed under the General Data Protection Regulation. This article analyses whether the Indian government’s powers of access to data satisfy this test of ‘essential equivalence’.
For years, the European Union’s General Data Protection Regulation (“GDPR”) has been hailed as the harbinger of global data regulation. It dictated global data flows, provoked a flurry of similar legislations, persuaded global corporates to take data protection seriously and instigated wistful references from non-European data lawyers and regulators. The decision of the Court of Justice of the European Union in Data Protection Commissioner vs Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) threatens this trend towards “globalisation” and imposes an onerous requirement on exporters of data to ensure that the data subjects are guaranteed a level of protection. This requirement is essentially equivalent to those guaranteed under the GDPR and the Charter of Fundamental Rights of the European Union (the “Charter”).
While the Court of Justice was delivering the decision, authorities in Modi’s India, tasked with protecting national security, appeared to have been grappling with the increased use of sophisticated communication technology by “anti-national” interests on the one hand, and “cyber warfare” and “data grab” from across the border, on the other. A robust and nationalist interception framework was rapidly being evolved – both as a matter of policy and to be incorporated in proposed data legislation. This raises the question: are these often-exercised powers of interception consistent with the rights that European data subjects are guaranteed, i.e., a level of protection essentially equivalent to that guaranteed under the GDPR and the Charter?
1. THE SCHREMS II JUDGMENT AND U.S. SURVEILLANCE
1.1. Cross-border data transfers in the EU are subject to the GDPR. As a general rule, exports of personal data from the EU cannot undermine the protections afforded by European laws. The GDPR provides different legal bases for cross-border transfers; these include adequacy decisions awarded to third parties by the European Commission (“Commission”), appropriate safeguards that include standard contractual clauses (“SCCs”) adopted by the Commission and binding corporate rules (“BCRs”) approved by data protection authorities, and derogations for specific situations.
1.2. In 2016, the Commission issued an adequacy decision in respect of the New Framework for Transatlantic Exchanges of Personal Data for Commercial Purposes- the EU U.S. Privacy Shield (“Privacy Shield”). The Privacy Shield was a framework that was jointly developed by the US Department of Commerce and the Commission to enable the transfer of personal data from the EU to the United States. Companies that were certified under the Privacy Shield fell within the scope of the Commission’s adequacy decision, and this enabled them to receive personal data from the EU.
1.3. In December 2015, Mr Maximillian Schrems complained of the transfer of his personal data from Facebook Ireland to Facebook Inc. in the United States. He required that Facebook Ireland (a subsidiary of Facebook Inc., and the entity with which users in the EU contracted with to use the Facebook platform) be prevented from transferring his personal data to the United States. This is because the law and practices in that country did not ensure adequate protection of his personal data against the surveillance activities undertaken by public authorities like the National Security Agency and Federal Bureau of Investigation.
1.4. In its decision, the Court of Justice of the European Union (“CJEU”):
(a) invalidated the EU-US Privacy Shield due to privacy-invading US surveillance programs; and
(b) upheld the validity of standard contractual clauses, conditionally.
1.5. The CJEU noted that Section 702 of the Foreign Intelligence Surveillance Act of 1978, which provides for the procedure of surveillance targeting foreign persons outside the U.S, did not contain any limitations on the power it conferred to implement surveillance programmes for foreign intelligence. Moreover, it did not provide for any guarantees to non-U.S. persons potentially affected by such programmes either. The legal bases under which surveillance may be carried out under surveillance programs were not limited to what was strictly necessary, contravening the principle of proportionality.
1.6. Accordingly, personal data transfers to the US-based on the Privacy Shield were rendered illegal. Companies and businesses certified under the Privacy Shield framework, that were previously able to legally transfer personal data to the US by ensuring compliance with the Privacy Shield principles (notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; recourse, enforceability, and liability), could no longer do so.
1.7. Separately, the CJEU held that organisations must suspend the export of personal data based on SCCs unless they could ensure that the data subjects are guaranteed a level of protection essentially equivalent to that guaranteed by the GDPR and the Charter.
1.8. The European Data Protection Board (“EDPB”) has subsequently released two recommendations affecting international data transfers in response to the Schrems II:
(a) Recommendations 01/2020 on Measures that Supplement Transfer Tools with the EU Level of Protection of Personal Data
The EDPB recommended steps that data exporters must undertake for assessing third countries and identifying supplementary measures that need to be taken. These include assessing the laws and practices of third countries to identify the effectiveness of transfer tools and identifying and adopting supplementary measures based on such assessment. Supplementary measures that may be adopted include technical, contractual, and organisational measures. Data transfers could not be commenced unless the data exporters find and adopt supplementary measures that ensure that the transferred data ensures an ‘essentially equivalent’ level of protection.
(b) Recommendations 01/2020 on the European Essential Guarantees for Surveillance Measures
The EDPB identified certain “essential guarantees” (“Essential Guarantees”) to ensure that transferred personal data is protected from surveillance measures that go beyond what is necessary and proportionate in a democratic society. Laws within transferee jurisdictions must comply with these Essential Guarantees, which are:
(i) processing must be based on clear, precise, and accessible rules;
(ii) necessity and proportionality regarding the legitimate objectives pursued need to be demonstrated;
(iii) an independent oversight mechanism must exist (“Independent Oversight Mechanism”); and
(iv) effective remedies must be available to the individual (“Effective Remedies”).
2. INDIAN LEGAL FRAMEWORK
2.1. THE LEGAL REGIME SURROUNDING SURVEILLANCE
While government access to data is possible under several Indian laws, the two legislations that are most often utilised by Indian enforcement authorities are the Information Technology Act, 2000 (“IT Act”) and the Telegraph Act, 1885 (“Telegraph Act”).
The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 (“Interception Rules”) and the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009 (“Monitoring Rules”), issued under the Information Technology Act, prescribe the procedure and safeguards for the conduct of interception, monitoring, or collection of data.
According to Section 69 of the IT Act, directions for the interception, monitoring, and decryption of any information may be made to protect the sovereignty or integrity of India, the defense of the state, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognisable offence relating to above or for investigation of any offence. Separately, under Section 69B of the IT Act, directions for the monitoring and collecting of traffic data may be made on the grounds of enhancing cyber security and for the identification, analysis, and prevention of or the intrusion or spread of a computer contaminant in India.
Similarly, in case of public emergency, or the interests of public safety, Section 5 of the Telegraph Act empowers the Central and State Governments to issue directions for the interception of messages on the grounds of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order, or for preventing incitement to the commission of an offence. Rule 419A of the Indian Telegraph (Amendment) Rules 2007 (“Telegraph Rules”) provides for the review of any directions and orders passed under Section 5 of the Telegraph Act by a review committee consisting of members of the executive (“Review Committee”). The Review Committee constituted by the Central Government comprises of the Cabinet Secretary and the Secretaries to the Government of India in charge of Legal Affairs and the Department of Telecommunications, and the Review Committee constituted by the State Governments comprises of the Chief Secretary and the Secretary Law, and a Secretary to the State Government (other than the Home Secretary). There is no independent oversight since these personnel report to members of the Indian government.