One of the key concerns associated with EU data protection regulations is the possibility of a transfer of data from EU to India for processing being blocked by virtue of the legislation. This threat was present in the Data Protection days and will continue in the GDPR days. However, in order to understand the impact of GDPR on companies already processing EU personal data, we can take a fresh look at the provisions of GDPR on data transfers contained in Chapter V of the regulations
Under Article 44,
Any transfer of personal data .. to a third country .. shall take place only if,…the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country … to another third country …. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
The first basis for permitted transfer is the “Principle of Adequacy” under Article 45.
Under this principle, transfer is permitted without further authorization if the Commission has decided that the third country ensures an adequate level of protection. For this purpose, the Commission shall on an ongoing basis monitor the developments in third countries and a periodical review at least once in 4 years. The list of countries which the Commission considers as falling under “Adequacy” principle will be published in the official journal of the Commission and on its website.
The adequacy of a Country to come under this automatic approval process depends on
a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral,
including concerning public security, defence, national security and criminal law and
the access of public authorities to personal data, as well as
the implementation of such legislation, data protection rules, professional rules and security measures,
including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation,
case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject,
with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
If India aspires to be within this privileged list of countries, it is necessary that it has to expedite the “Indian Data Protection Act” which the Government has indicated would be in place by October-November this year.
The most important aspect of this law is that it will perhaps ensure that a “Data Commissioner of India” would be appointed who can enter into consultation with the EU to enable India be considered as an eligible under this Adequacy principle.
However to gain the status of the “Adequate Country”, the law as enacted and practiced will have to satisfy other requirements of the Commission which includes
- respect for human rights and fundamental freedoms as well as the control exercised by the Government on accessing of the data
It would not be easy to meet this criteria particularly in the light of the propaganda that is carried on by our opposition parties such as the Congress and Communists against the Modi Government which keeps reverberating in the international media. A well orchestrated information campaign would be required to be run by the Government to counter such anti publicity.
Secondly, it is difficult for a terrorist attack prone country like India to adopt the standards of freedom of speech and hands off policy by the Government against security concerns and this can always be a stumbling block for India to be able to get into this exclusive club.
Thirdly, aspiring for the “Adequacy” status under GDPR may adversely affect our treaties with other countries such as US or Singapore etc and we cannot subordinate our national interests of data sharing solely for the commercial consideration of making it easier for Indian corporates to please their EU business partners.
ITA 2000/8 already has several provisions which enables abrogation of some rights of privacy including the right of erasure which cannot be and should not be tampered with just to please the EU data protection whims and fancies. The removal of Section 66A by the Supreme Court has already placed a burden on the law enforcement agencies in India and the end to end encryption of WhatsApp and other messaging systems has made regulation of Internet more complicated than it was earlier. Any further dilution of the law will make it difficult for Indian Law enforcement to fulfill their obligations to protect the country from enemies from outside and inside.
In view of these challenges, it would be difficult for Indian regulators to provide a general assurance that meets the stringent expectations of EU commission to provide an “Adequate” status for India under GDPR. (P.S: Naavi has other suggestions in this regard which we will discuss in a separate article).
We therefore look at the proposed Data Protection Act of India to ease the situation substantially to assure the EU commission about the Privacy concerns under GDPR-Transfer of Data considerations, but not completely fulfill its expectations to claim an “Adequacy” status.
India will therefore continue to look for other options available under GDPR to ensure that Data Transfer to India is not hampered by GDPR.
(….Discussion will continue)
Naavi