The recent judgment by the Court of Justice of the European Union in the case of Max Schrems v. Facebook Inc. invalidated the previously used Privacy Shield mechanism for the transfer of data between the EU and the U.S. The European Commission now needs to search for a different way to have a privacy-friendly data transfer regime between the two jurisdictions.
The judgment placed emphasis on essentially three aspects to analyze the Privacy Shield arrangement between the EU and U.S. They are, first, the surveillance regime in the U.S. and whether it provides for a suitable right to privacy for EU subjects. Second, the existence of effective legal rights in case there is privacy encroachment by U.S. surveillance authorities. Third, if there is a tribunal or judicial body wherein remedy is possible/enforceable in case the privacy is infringed by U.S. surveillance authorities.
The U.S. surveillance regime, of course, did not satisfy any of the above three aspects, and hence, the decision to invalidate the Privacy Shield arrangement was taken. This decision was limited to EU-U.S. data transfer, but at the same time, countries like India, having a sizable market in information technology in the EU, also need to analyze their surveillance regimes with respect to the above aspects in order to secure a favorable decision in case a scenario similar to that of the U.S. arises.
Factors used by CJEU in invalidating the Privacy Shield
The CJEU took into consideration Article 45 of the EU General Data Protection Regulation, which states that personal data can be transferred to a third country if the data protection regime of that country provides for adequate data privacy at par with the GDPR. To analyze this, the first aspect the court noted was that Section 702 of the Foreign Intelligence Surveillance Act grants unsupervised power to the U.S. intelligence agencies to conduct foreign surveillance, ultimately encroaching upon the right to privacy of even EU citizens.
The second aspect the court noted, by taking into consideration Section 702 of FISA, Executive Order 12333 and Presidential Policy Directive 28, is that EU citizens have no proper legal rights against the U.S. intelligence authorities that are enforceable in a court of law.
The third aspect was that even though the Privacy Shield arrangement did provide for an ombudsman through which privacy rights could have been enforced, the court termed the ombudsman merely an integral part of the U.S. state department, and hence lacking any kind of independence. Further, it stated that the ombudsman is incapable of ensuring any kind of judicial remedy for the EU citizens.
The above is the crux of the aspects that the EU court took into consideration to invalidate the Privacy Shield arrangement used for transfer of personal data. Now, an analysis of the Indian surveillance regime needs to be done to figure out what the outcome would be if a similar case arises in the European court.
Indian surveillance regime with respect to 'Schrems II' decision
The Information Technology Act 2000 governs the state’s surveillance in cyberspace. Section 69 of the act dictates that directions can be issued and information can be intercepted, monitored and decrypted. It is pertinent to note here that the section has a wide scope and is applicable to EU citizens, as well, implying a legislative sanction for foreign surveillance.
However, unlike Section 702 of FISA, Section 69 of IT Act 2000 has certain safeguards, such as the use of terms like “sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence.” These terms, even though vague, are essential, as they do provide for a certain kind of purpose limitation, which is totally non-existent under the U.S. law. Also, the directions by the state under the Indian law need to be in a written format as per Section 69 of the IT Act, adding another layer of protection. This may not be on par with the privacy standards of the EU; however, India still has a better chance to pass the aforementioned first aspect.
Now, considering the second aspect of the "Schrems II" judgment in India, the Supreme Court of India has already held the right to informational privacy to be a fundamental right in the Puttaswamy case. The judgment states that the right to privacy falls under the broader ambit of Article 21 of the Indian constitution (right to life). It is pertinent to note here that the right to life is available to non-Indians, as well, implying that the right to privacy is also available to non-Indians (EU citizens, as well). This judgment recognized as part of binding opinion certain principles of privacy such as "legality, legitimate goal, proportionality and procedural guarantee" under the ambit of the right to privacy. These legal rights subsist in the hands of EU citizens, as well. That’s why it can be said that proper legal rights are available in the hands of EU citizens, thereby satisfying the second aspect.
Coming to the third aspect, India currently has no separate data protection authority that can adjudicate if any claim arises against its intelligence agencies. However, the courts can apply Section 69 of the IT Act and also the privacy principles enshrined in the Puttaswamy judgment. But American courts, which were independent enough, were also available; nevertheless, the "Schrems II" judgment stressed a separate tribunal or judicial authority that could thoroughly adjudicate such matters. This per se is not at par with GDPR, as the GDPR provides for a separate DPA. Hence, the chances are high that India’s surveillance regime may not pass the third aspect.
India is yet to enact comprehensive data protection legislation. The "Schrems II" decision must be taken into consideration to make sure that India does not land in the same place as the U.S. did. Ensuring that India has a strong data privacy law will, in turn, make it easy for India in the data transfer system with the EU. The current surveillance regime of India still lacks legislative clarity. It can only be hoped that India’s surveillance regime is not dragged to the CJEU, but even if that happens, it will surely have a better chance, at least better than that of the U.S., to have a favorable decision.