How Does the New EU Laws Impact Data Processing in India Inc.?

Since 2020, there has been 2 (two) major activities in the European Union (“EU”) in relation to data protection:

• The first one was the – German Conference of Independent Data Protection Supervisors of the Federal Government and the Länder (Data Protection Conference, DPC) as well as the European Data Protection Board (“EDPB”) wherein, the level of data protection in USA, India, China and Russia was analysed, from a government access standpoint;
• In July of 2020, the Court of Justice of the European Union (“CJEU”) passed a significant ruling on data transfers between the EU and USA. In this case, popularly known as (“Schrems II”), the CJEU found the ‘privacy shield’ that allowed data transfers between the EU and the US, as invalid.

Now let’s understand the above in detail:

to data in third countries’ and, published the final report on December 14, 2021 (“EDPB Report”).

The idea for the EDPB to commission this study was to understand in particular whether and to what extent government access rights exist and whether, against this background, the level of data protection in India, China and Russia can be assessed as adequate.

As per the said EDPB Report:

• The right to privacy and the right to data protection have taken a controversial path in India
• Although the Constitution does not recognise the right to privacy, the 2017 Puttaswamy v. Union of India decision of the Supreme Court of India explicitly acknowledged it as a fundamental right. In this landmark judgment, the Court ruled that the right to privacy is implied in Article 21 of the Constitution and is incidental to other freedoms guaranteed by the Constitution. In fact, the Court stated that the constitutional right to privacy can only be enforced against (bodies of) the State and not against civilians or private sector entities. However, the Court held that the right to privacy is enforceable against non- State entities on the basis of other national legislation;
• India lacked a comprehensive data-protection framework; and
• Indian government could not be held accountable for data privacy violations under the current applicable law.

• The EU’s concerns with India are that, the existing data protection legislations and mechanisms in India would not apply to access of data by the Government of India (in particular when national security is used as a justification for data access). In this respect, there would be a legislative vacuum and therefore access to data of EU citizens could not be ruled out as soon as they are stored on Indian territory.
• Any company, including a data company exporting data, may request the Indian company/start-up processing the said data in India, for a need to implement further technical and organizational safeguards to prevent government access to the said data.
• Neither the EDPB Report nor the findings made therein have any direct binding effect, but can be regarded as a standard for data privacy laws and its implementation in India.

Next week in our newsletter – ‘The Legal Edge’, we will take up and explain ‘The Implication of Schrems II on EU-India Data Transfers, as per the NASSCOM Report.