When the EU General Data Protection Regulation was adopted in 2016, 12 countries had been recognized by the European Commission as providing adequate protection, allowing personal data to be transferred to them from the EU without further safeguards. The GDPR provisions that authorize cross-border transfers require an organization either to transfer data to a country the commission has deemed adequate or to put in place standard data protection clauses adopted by the commission or by a supervisory authority, among other mechanisms. This meant that most entities already working toward GDPR compliance had to rewrite their contracts with customers and service providers in order to keep transferring personal data outside the EU.
Since the Indian information technology and IT-enabled services industries derive close to 30% of their revenue from Europe, they were directly affected by the regulation.
An adequacy decision is meant to reduce the compliance burden on organizations by removing the need for transfer-specific safeguards. India sought an adequacy assessment in 2009–10 in the hope that this reduced burden would bolster the offshoring capabilities of Indian IT companies. However, the results of that assessment were never published.
In 2019, a new draft of the Indian data protection framework was introduced and referred to a Joint Parliamentary Committee for further action. It is imperative that the committee consider whether the bill in its current form, together with the existing rules on access to personal data in the Telegraph Act and the Information Technology Act, would allow India to request a fresh adequacy assessment from the EU.
Under Article 45 of the GDPR, an adequacy decision rests on an analysis of the rules governing personal data that apply to data controllers and data processors in that country (data fiduciaries and data processors, in the terminology of the Indian bill). The commission also takes into account the safeguards and limitations that apply when public authorities access and process personal data. In short, for India to be recognized as adequate, the privacy rights granted to individuals under the draft bill, together with the enforcement capabilities of the data protection authority, must demonstrate an "adequate level of protection for personal data."
For the purposes of this article, the commission's adequacy decision on Japan, the newest addition to the list of EU-approved countries at the time of writing, serves as the benchmark against which India's current position is assessed.
Privacy in the constitution
The commission's analysis of the Japanese constitution, together with the case law of the Supreme Court of Japan, found established jurisprudence on the rights of individuals in the context of the protection of personal information.
In 2017, the Supreme Court of India affirmed that the right to privacy is a constitutional right, locating it within Part III of the Constitution, the part dealing with fundamental rights. Like most fundamental rights, this right is not absolute and may be restricted by compelling state and public interests. The test for determining whether an infringement of privacy is permissible was largely drawn from the proportionality standard developed under Article 8 of the European Convention on Human Rights. On this point, it is reasonable to expect that the current interpretation would satisfy the commission's adequacy analysis.
Privacy principles in the data protection framework
The privacy principles of data minimization, data accuracy, purpose limitation, lawfulness and fairness of processing, security of processing, transparency (the multiple-language notice requirements still remain) and accountability are all present in India's Personal Data Protection Bill 2019. The principle of storage limitation, however, has been adjusted in the 2019 draft. The earlier draft permitted organizations to retain personal data only until the purposes of processing were fulfilled, with an option to retain it longer in order to comply with statutory obligations. Under the 2019 bill, data fiduciaries may additionally retain personal data for longer periods where the data principal has given explicit consent, on top of retention for purpose fulfillment and legal compliance.
Oversight and enforcement of the legislation
The data protection legislation is expected to designate an independent authority tasked with monitoring and enforcing compliance. That authority must act independently and exercise its statutory powers impartially.
Japan's adequacy decision was limited to the Act on the Protection of Personal Information, which regulates business operators handling personal information and not public authorities. Consequently, the commission's analysis did not require close scrutiny of how the members of the authority are selected, and oversight and impartiality were judged primarily on the functions of the authority itself.
In India, because the bill also applies to data fiduciaries within the executive branch, the composition of the authority becomes relevant to assessing its impartiality. Under the current draft, the central government appoints the chairperson and members of the authority on the recommendation of a selection committee. Here the 2019 bill departs significantly from the 2018 version: the selection committee is now composed primarily of members of the executive branch, whereas in the 2018 draft its members were drawn from the judiciary. It is reasonable to expect this change to raise concerns about the independence of the authority.
Access to personal data by public authorities
In Japan, compulsory collection of personal data during a criminal investigation requires a warrant issued by a court. Personal information collected by Japanese public authorities falls under the Act on the Protection of Personal Information Held by Administrative Organs, which regulates the management of retained personal data.
Law enforcement agencies in India primarily rely on the Code of Criminal Procedure or the Information Technology Act to obtain electronic data from service providers in the country. The IT Act authorizes access to such information even in the absence of an imminent threat to public safety. The CrPC (Section 91) allows a court or the officer in charge of a police station to demand the production of any data that is considered "necessary or desirable" for the purposes of an investigation, inquiry or trial. The current framework under the code lacks the safeguards needed to protect individual privacy rights.
The situation is exacerbated by the 2019 bill, which gives the central government sweeping powers to exempt government agencies from the legislation where it considers this necessary in the interest of, among other grounds, friendly relations with foreign states or public order, or to prevent incitement to the commission of any cognizable offence relating to these. The inclusion of "public order" in the bill drastically lowers the threshold for the central government to exercise this power.
In 2015, the Safe Harbor arrangement between the U.S. and the EU was invalidated in "Schrems I" because of the unfettered access to the personal data of EU residents available to U.S. public authorities. In the "Schrems II" case that followed, the validity of transfers based on EU standard contractual clauses was challenged on the basis of arguments similar to those raised in "Schrems I."
The lack of safeguards in Indian law around access to personal data by public authorities could be fatal to India's prospects of obtaining an adequacy decision.
The 2019 bill has been presented as similar to the GDPR, but a closer analysis of some of its key provisions suggests otherwise. In light of the arguments above, the members of the Joint Parliamentary Committee have their work cut out for them, and it is imperative that they recommend amendments to these key provisions in order to promote a stronger data protection framework in the country.