Topics In Demand
Notification
New

No notification found.

NASSCOM’s study on ‘Implications of Schrems II on EU-India Data Transfers’
NASSCOM’s study on ‘Implications of Schrems II on EU-India Data Transfers’

August 12, 2021

777

1

NASSCOM has published a study titled ‘Implications of Schrems II on EU-India Data Transfers’, analysing Indian laws relating to data transfers, in the context of EU-India data transfer and the recently adopted Standard Contractual Clauses (SCCs) by the European Commission (EC).

 

Background:

In July 2020, the Court of Justice of the European Union (CJEU) passed the Schrems II ruling which found that the ‘privacy shield’ that allowed data transfers between the European Union (EU) and the United States of America (US) is invalid because it lacked sufficient protections for EU residents’ data on account of government access to data under US surveillance law not being proportionate or strictly necessary to the state objective, absence of adequate independent oversight over surveillance requests and lack of effective remedies to EU residents. At the same time, the CJEU upheld SCCs as a valid method for data transfers to the US with certain riders, such as, authorities and organisations must conduct case-by-case assessments of the recipient country’s legal framework; where needed, organisations must adopt supplemental measures to protect individuals’ rights that are equivalent to EU standards etc.

The Schrems II decision’s most immediate impact was on EU-US transfers. However, it has implications for cross-border transfers across the world since the same principles will apply elsewhere. The EU is a significant market for the Indian Information Technology – Business Process Management (IT-BPM) industry, and therefore, the Schrems II judgment is likely to have an impact on the future of data transfers from European data controllers to data processors located in India.

 

Objectives of the Study:

With the above background, the objective of this study is to help the industry and regulatory authorities in India and the EU in assessing the following:

  • If the Indian government’s access to foreign data under Indian laws is proportionate or strictly necessary to the state objective;
  • Whether there is an adequate independent oversight over surveillance requests; and
  • Whether the laws enable foreign residents’ access to effective remedies for redress.

 

Methodology:

For this analysis, 273 Indian laws and regulations across different sectors were mapped, including, general criminal procedure law, law applicable to electronic data, telecom laws, banking and financial sector laws, healthcare laws and specialised investigation laws (e.g., for money laundering). The impact of India’s upcoming data protection legislation, the Personal Data Protection Bill, 2019 (PDP Bill) was also evaluated in the study.

Among 273 laws, a smaller set of laws were identified that are relevant from a Schrems II essential guarantees perspective on the basis of:

  • whether the law allows the Government to access ‘foreign’ data, i.e., can EU residents’ data be accessed under the law; and
  • whether the law covers situations of data ‘import’, i.e., situations where data about an EU resident is transferred from an EU company to an Indian data controller or processor.

These laws were analysed against the principles flowing from the Schrems II judgement, the European Board of Data Protection’s (EDPB) Guidance on European essential guarantees and supplementary measures, and the new SCCs adopted by the EC.

 

Key Takeaways of the study:

  • 233 of the 273 individual pieces of laws/rules/regulations do not contain any provision enabling Government access to imported data.
  • From amongst the remaining 40 laws, specific and potential concerns arise out of three primary “key” legislations, i.e., the Information Technology Act, 2000, the Indian Telegraph Rules, 1951 and the Code of Criminal Procedure, 1973 and rules issued thereunder.
  • While the analysis throws up some concerns arising out of the “key” laws, overall, Indian law fares better than US surveillance law. For instance, Indian law does not differentiate between Indians and non-Indian citizens when it comes to approaching courts under their writ jurisdiction. This could help meet the threshold of ‘effective remedy’.
  • Mere existence of likely concerns in the key laws does not prevent the importers of data from fulfilling their obligations under the SCCs. The new SCCs require a risk-based approach rather than a theoretical apprehension of data access by the government. Accordingly, the industry would need to evaluate relevant and documented practical experience of prior instances of requests for disclosure from public authorities, or the absence of such requests, to ascertain whether there are genuine concerns.
  • In its current form, the PDP Bill is likely to lay out a strong case for Indian laws’ adequacy with EU standards for data protection. However, potential concerns may remain on account of broad powers vested with the Central Government to exempt Government agencies from the application of the provisions of the PDP Bill if the Bill is enacted in its present form. Subject to such exemptions being narrowly tailored and based on legitimate state objectives of national security, the eventual passage of the PDP Bill is likely to enhance the overall evaluation vis-à-vis adequacy with the EU.

 

Way forward:

We look forward to engaging with the industry to understand a company level evaluation of the concerns highlighted in this study with respect to their data transfer circumstances and to understand the cases where these concerns are material or not.

We hope this will inform our work with the Government of India towards strengthening the oversight and remedy mechanisms to improve safeguards with respect to data access by the Government, in the ‘key laws’ identified in the study.

The study has been attached with this post.

For more information, kindly write to policy@nasscom.in.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


Download Attachment

202108_NASSCOM_schremsIIStudyFinal.pdf

images
Garima Prakash
Manager, Public Policy and Government Affairs

Reach out to me for all things policy about e-commerce, international trade, export controls, start-ups and fintech

© Copyright nasscom. All Rights Reserved.