July 22, 2022

How Do the New EU Laws Impact Data Processing in India Inc.? (Part II)

Since 2020, there have been 2 (two) major activities in the European Union (“EU”) in relation to data protection:

  • The first was the German Conference of Independent Data Protection Supervisors of the Federal Government and the Länder (Data Protection Conference, DPC) as well as the European Data Protection Board (“EDPB”), wherein the level of data protection in the USA, India, China and Russia was analysed from a government access standpoint;
  • In July of 2020, the Court of Justice of the European Union (“CJEU”) passed a significant ruling on data transfers between the EU and the USA. In this case, popularly known as “Schrems II”, the CJEU found the ‘privacy shield’ that allowed data transfers between the EU and the US to be invalid.

In this second part of the series, let’s look specifically at the implications of Schrems II for EU-India data transfers, as per the NASSCOM Report:

Schrems II, India and Data Protection Laws:

In July of 2020, the CJEU passed a significant ruling on data transfers between the EU and the USA. In the case of “Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems” (the Schrems II case), the CJEU found the ‘privacy shield’ that allowed data transfers between the EU and the US to be invalid.

At the same time, the CJEU upheld standard contractual clauses (“SCCs”) as a valid method for data transfers to the US, but with certain riders.

Impact:

Whilst the CJEU’s decisions in the Schrems II case impacted EU-US data transfers, it is pertinent to note that this ruling had implications for cross-border transfers across the world since the same principles will apply elsewhere, in relation to EU data transfers.

In other words, we can conclude that as per the precedent set by the Schrems II case, any and all businesses must undertake thorough due diligence before transferring personal data from an EU country to a location outside of the European Economic Area (“EEA”), including India.

Importance:

Hence as per the Schrems II case, for any contract entered into by an Indian company for data transfer from the EU, the following steps may be included, as a new standard:

  • assessing the risks that would apply to the data after it is transferred;
  • evaluating the protection clauses that would apply as per the laws of India; and
  • implementing any additional measures necessary to address the said risks.

The EDPB and Schrems II connection:

The EU’s concerns with India, regardless of the EDPB report and/or the Schrems II judgement, remain the same, i.e., the access the Government of India might have to the data transferred from the EU once it enters Indian jurisdiction.

In this regard, businesses in India would likely be requested by their EU counterparts to determine the additional measures necessary to meet the level of safeguards that EU law requires, in addition to the requirements under Indian laws.

NASSCOM Report

In November 2020, NASSCOM initiated member consultations, and subsequently undertook a project to assess the applicable Indian law framework, and the revised SCCs, to:

  • understand existing gaps in the Indian framework vis-à-vis the European essential guarantees highlighted by the CJEU and the EDPB;
  • identify modes of data transfers available to Indian IT-BPM industry and additional measures required in light of the Schrems II judgment, the EDPB’s guidance on supplementary measures, and the new SCCs; and
  • assess impact of India’s forthcoming data protection law (i.e., The Personal Data Protection Bill, 2019) on the overall evaluation of the Indian framework’s adequacy with the EU essential guarantees.

The Report further asks two questions:

  • first, whether the law allows the Government to access ‘foreign’ data, i.e., can EU residents’ data be accessed under the law? and
  • second, whether the law covers situations of data ‘import’, i.e., situations where data about an EU resident is transferred from an EU company to an Indian data controller or processor?

Applicability to EU imported data:

The Personal Data Protection Bill, 2019 (“PDP Bill”) does not have enabling provisions for the Government of India to access data; the power to seek data will still be derived from the Information Technology Act, 2000; the Telegraph Act, 1885; or the Code of Criminal Procedure, 1973.

The PDP Bill was introduced in the Lok Sabha by the Ministry of Electronics and Information Technology in December 2019 and was subsequently referred to a Joint Parliamentary Committee for re-consideration of several contentious clauses. Post extensive stakeholder consultations, the Joint Parliamentary Committee submitted its report in December 2021 that includes the recommendations of the Joint Parliamentary Committee along with the draft bill, now titled the Data Protection Bill, 2021.

Takeaways for Indian companies working with EU counterparts, in relation to data transfers and processing:

Businesses in India will have to accept and comply with EU laws in addition to Indian laws, and record the same in the contract;

Operationally, businesses in India may need to put internal policies and/or mechanisms in place to safeguard the interests of their EU counterparts.

The EU data controllers may write to companies under their jurisdiction, and such requests may flow further down to the Indian parties working on EU data, seeking cooperation and/or documents/clarifications on whether transfers of EU data can be accessed/affected by Indian regulations.

The EU data protection authorities (DPAs), as regulators, may undertake an assessment of businesses under their jurisdiction to determine whether the contractual arrangements are compliant with EU laws.