By Siddharth Sonkar
Recently, in his inaugural address, US President Joe Biden announced the appointment of Christopher Hoff to oversee the negotiations over revising the United States (US)-European Union (EU) privacy shield — the privacy pact which governed the relationship between the US and the EU in relation to international data transfers until it was invalidated on 16 July, 2020 by the Court of Justice of the European Union (CJEU) in Data Protection Commission v. Facebook Ireland (Schrems II). The CJEU held the protection afforded to data of EU persons in the US to be inadequate when measured against an ‘essentially equivalent standard’ of protection as compared to that in the EU.
Even though this adequacy determination was in the context of cross-border data transfers from the EU to the US, this decision is significant for India as well. This is because the understanding of what constitutes adequate protection depends on what the CJEU perceives this standard to be. In other words, irrespective of where the data is going, be it the US or India, the measure of protection remains objectively the same (i.e. the measure of protection afforded in the EU). Even though Schrems II did not invalidate the Standard Contractual Clauses (SCCs) as a basis for cross-border data transfers, data controllers in the EU are required to conduct a case-by-case risk assessment of whether third country laws contain sufficient substantive and procedural guarantees cushioning the surveillance measures that are typically necessary for law enforcement purposes.
As a result, before transferring personal data of Europeans to India, businesses in the European Union closely evaluate Indian surveillance laws to determine whether there exist procedural and substantive guarantees against excessive surveillance in India.
Traditionally, the European Union has been slow in outsourcing data to India as opposed to the US. However, as our digital economy thrives, we are reportedly moving towards harnessing our potential as a $45 billion-worth, leading outsourcing hub. According to the Data Security Council of India, India’s outsourcing industry is worth $150 billion, contributing to about 9.3% of our GDP.
The decision in Schrems II is an opportunity for India to think a step ahead and consider whether its laws adequately protect our data-driven future, particularly as India moves towards becoming a data centre hub.
What is ‘Adequate’ Protection According to Schrems II?
In Schrems II, the CJEU’s concern with data transfers to the US was hinged broadly on the inadequacy of surveillance laws in the United States to accommodate privacy concerns of persons residing in the EU. In observing that the protection in the US is inadequate, the CJEU ruled broadly on three considerations:
- First, US surveillance laws were found to be more intrusive than is strictly necessary to protect national security.
- Second, the ombudsperson appointed to conduct oversight over US government agencies carrying out surveillance did not exercise sufficient judicial ‘independence’. This is because the ombudsperson was appointed by the US Secretary of State, in concurrence with the head of the National Security Agency (NSA). The executive exercising significant control of its own supervisory authority was not satisfactory according to the CJEU.
- Third, persons in the EU did not have an opportunity to be heard in a US court to object to such data-sharing practices (since the Fourth Amendment to the US Constitution is only available to American citizens, and US laws do not provide sufficient judicial remedy to EU persons).
The caution exercised by the CJEU in Schrems II is not an aberration: the ruling is consistent with the position of the CJEU on what it considers adequate, evident from a trajectory of cases running from Digital Rights Ireland and the EU Canada PNR Opinion to Schrems I. In other words, if the CJEU were to determine tomorrow whether Indian laws adequately protect the data of EU citizens, it is likely to apply a similar, objective standard of protection.
India’s surveillance laws perhaps need to be evaluated more closely in the context of personal data of Europeans processed in India, particularly given India’s role in the outsourcing market.
Of course, surveillance is intrinsic in every jurisdiction, and is necessary to fulfil legitimate state purposes such as national security and law enforcement. Schrems II does not discourage surveillance per se. It simply warrants that there exist procedural as well as substantive guarantees available to citizens to cushion and legitimise surveillance practices. Schrems II makes us think about evolving into a jurisdiction with responsible surveillance practices encompassing the principles of oversight, proportionality and accountability, which would in turn give a fillip to outsourcing in India.
Do Indian Laws Meet this Standard of Adequacy?
If we juxtapose this adequacy determination with our own laws (including those proposed) on data-sharing with the Government, in the context of the Schrems II decision, it may provide us with a benchmark to assess how Indian surveillance laws could be interpreted by businesses while making a risk assessment and making a decision on whether or not to transfer personal data of EU data subjects to India.
It is relevant to keep in mind the context in which Schrems II was decided. There was publicly available information about large scale implementation of surveillance programs by the United States government, coupled with the fact that big tech businesses were headquartered in the United States, providing significant control to the US government in accessing outsourced information from the EU to the US. Admittedly, however, the decision in Schrems II broadly evaluates the adequacy of safeguards in third country laws irrespective of the level of threat posed by the context of the processing activities. As a result, businesses involved in outsourcing data to India are bound to assess whether surveillance laws in India are adequate when making a decision as to whether it is feasible to transfer data to India given the associated risks involved.
Strictly Necessary
While there exist some statutory surveillance mandates (for instance, under the Information Technology Act, 2000 and the Telegraph Act, 1885 and the rules thereunder) which prescribe procedural and substantive checks and balances, scholars such as Vrinda Bhandari, et al. have suggested that some of these laws may require judicial evaluation on the grounds of not being strictly necessary. Even though surveillance mandates under some statutes are prescribed in relation to specific purposes, the extent of information that could be accessed under any of these purposes could be construed as not being strictly necessary under certain circumstances. Indicatively, section 91 of the Code of Criminal Procedure, 1973, section 5 of the Telegraph Act, 1885 and section 69 of the Information Technology Act, 2000 at present may be potentially conceived as laws that enable bulk surveillance as understood in Schrems II. As we move forward, in the Puttaswamy judgment, the Indian Supreme Court recognised that restrictions on the right to privacy should be just, fair and reasonable and need to pass the test of proportionality. However, section 35 of the proposed Personal Data Protection Bill, 2019, which is presently in draft form being considered by the Joint Parliamentary Committee, further seeks to enable the Central Government to exempt government agencies from the scope of some or all provisions of the Bill, and is bereft of the requirement that exemptions are proportionate to the conditions warranting these exemptions from data protection obligations. Further, several Indian surveillance programmes (e.g. NATGRID, NETRA, etc.) are not derived from a specific and clear legal basis or specific statute, and the extent to which these programmes are operational is also not clear based on publicly available information.
Admittedly, the extent to which outsourced information is subject to Indian surveillance mandates is not clear from publicly available information. India does have a tendency to have onerous statutory provisions in text even if these laws are only seldom implemented. However, Schrems II does not evaluate adequacy in terms of actual implementation of the law; the judgment assesses the adequacy of laws in third countries based on their capability or potential of resulting in excessive surveillance. As a result, in practice, businesses, consequent to Schrems II, are inevitably required to assess the adequacy of third country laws vis-à-vis their ability to fulfil obligations under the SCCs before proceeding with a cross-border transfer of data of EU data subjects to a third country.
Independent Oversight
Under section 91 of the CrPC, orders for data access requests can be made by police officers in charge of a police station as well, i.e. the executive arm, bereft of the necessary requirement of judicial involvement (e.g. a court order). Similarly, the Review Committees under the Information Technology Act, 2000 and Telegraph Act, 1885 responsible for overseeing surveillance requests are mostly composed of the executive, i.e. the branch of government which is also responsible for making law enforcement requests. As a result of this conflict of interest, it may be difficult to characterise the review committee as ‘independent’, as understood in Schrems II. Going forward, Section 91(2) of the proposed Personal Data Protection Bill only requires that the Data Protection Authority be ‘consulted’ in requiring businesses to share data with its agencies. The non-binding nature of (i.e. absence of the requirement to concur with) its decisions could affect the faith of foreign courts in the strength of its oversight capabilities in the future. As pointed out by Prashant Reddy, the say of the Central Government in how the DPA is appointed could potentially be perceived as affecting its independence, as we saw in Schrems II as well.
Judicial Redress
In the context of constitutional remedies, unlike the position under the Fourth Amendment, foreign data subjects are not without judicial redress, since article 14 of the Constitution does possibly enable foreign citizens to also file writs in Indian courts (under Article 226) if decisions made against them are arbitrary. Separately, the right to personal liberty under article 21, of which privacy is a facet, is available not just to Indian citizens but to foreign citizens/EU data subjects as well. However, rights under Article 19 (from which the right to privacy also flows) are typically available only to Indian citizens. To put it simply, the scope of constitutional remedies against excessive surveillance available to non-citizens in India is not clear. This could limit the scope of claims that can be brought before the court by EU data subjects.
In the context of statutory remedies, some of the statutory provisions such as the ones mentioned above do not specifically provide for judicial recourse against surveillance practices discussed above. It is entirely possible that surveillance as well as search and seizure mandates under various laws exist hand in hand along with the PDP Bill whenever it is enacted, causing little to change as a result of its enactment in furthering procedural and substantive guarantees against excessive surveillance.
The Same Coin
Schrems II is a lesson that our civil liberties are not discordant with the potentials of our digital economy. This is because countries with excessive surveillance laws are experiencing a cost in terms of reticence, since businesses are refraining from transferring data to them if the procedural and substantive guarantees against excessive surveillance are not relatively robust. Instead, if such guarantees are embedded in regulation through an overhaul of the existing surveillance laws, it could instil confidence in industry perception and reinforce the belief that India provides EU data subjects with sufficient procedural as well as substantive guarantees against excessive surveillance, as envisioned in Schrems II. This in turn would create an industry perception of India as a safe option to outsource data for sub-processing in terms of the regulatory risks associated with such outsourcing.
In other words, civil liberties and the digital economy are two sides of the same coin. Aligning our surveillance laws towards global best practices on adequacy may take us a giant leap forward towards securing the interests of an ‘Atmanirbhar Bharat’, a powerful data hub to which even more foreign data is outsourced in the future. Of course, excessive surveillance raises questions about the limits of our civil liberties. However, it also hurts innovation and economic growth.
Siddharth Sonkar is an Associate at Trilegal, Bangalore. Views are Personal. The author would like to thank Rahul Matthan, Jyotsna Jayaram, Thomas Vallianeth, Arindrajit Basu and Puja Saha for their valuable inputs.
