Data localization
Source: By Rahul Matthan: Mint
The world has always been divided in how it thinks about privacy. As the Justice Srikrishna Committee pointed out, there are basically three distinct approaches—the American, European and Chinese. The panel recommended that India should consider a fourth path, and the Personal Data Protection Bill that is currently being discussed by a joint parliamentary committee represents the alternative that it believed India should adopt.
These different approaches have co-existed in a sort of uneasy equilibrium for some time now. China has applied strict restrictions on foreign data companies that operate within its territory, while Chinese data companies have taken care to comply with local laws whenever they have ventured outside that country. India, without any sort of legal framework to speak of, has relied on extra statutory measures—contractual clauses and binding corporate rules—to trade with Europe. Similarly, despite some fundamental differences between the US and European data protection laws, governments on both sides of the Atlantic have always taken the trouble to create exceptional legal frameworks to facilitate the free flow of data between US and European companies. Earlier this month, that equilibrium was destroyed—perhaps for good.
The Court of Justice of the European Union (CJEU), while issuing its ruling on a complaint filed by Maxmillian Schrems against Facebook Ireland, struck down the US-EU Privacy Shield on the grounds that the US law did not afford a level of protection that was compatible with protections required under Europe’s General Data Protection Regulation (GDPR).
In particular, the court referred to the fact that under US law, US companies were required to make personal data available to the US National Security Agency and Federal Bureau of Investigation, and that its Foreign Intelligence Surveillance Act allows US surveillance programmes to operate in ways that do not guarantee the privacy of non-US persons targeted by these. For these reasons, it held that US law did not meet the threshold of proportionality that is central to the European privacy law, and struck down the Privacy Shield.
But, perhaps more significantly, the CJEU held that even where personal data is intended to be transferred outside the EU under the standard contractual clauses (SCCs), if the laws of transferee countries made it impossible for data processors to comply with their obligations under the SCCs, transfer of data should not be permitted. If data of European citizens has already been transferred under these clauses, it must be returned or destroyed forthwith. The CJEU was making it clear that contractual clauses are not enough—the national law must also allow for compliance with GDPR obligations.
As much as this decision has been framed in the context of the US-EU Privacy Shield, the principles laid down have far broader applicability. India does not have a privacy law and all transfers of personal data between European and Indian companies take place under the standard contractual terms approved by EU data regulators. If the underlying law becomes relevant, all these data transfers would have to be revisited.
Much like the US, law enforcement agencies in India also have wide and sweeping powers. National security is a recognised exception to the fundamental right to privacy, and even though the right to privacy judgment made it clear that governmental actions impinging upon privacy must be proportionate, surveillance is often carried out with little heed to the effect it has on the privacy of targeted individuals. If law enforcement authorities approach an Indian company demanding access to the personal data of EU citizens stored in its servers, notwithstanding any contractual commitments to the contrary, these companies often have no option but to comply. That being the case, in the light of the CJEU judgment, the fact that the data was transferred to India under the SCCs is no longer sufficient to constitute compliance with the data transfer obligations under the GDPR if local law enforcement can compel the disclosure of this data.
Many countries, beyond just the US and India, will be affected by this decision. Businesses that trade with Europe had expected to fulfil their GDPR obligations by agreeing to be bound by the SCCs. If that is no longer sufficient and if compliance is conditional upon the countries in which they operate changing their laws to meet the standards Europe demands, that might be too much to expect. While this may not have been its intention, the long-term impact of the CJEU decision is likely to be that European data will never leave European shores again.
I have always said that data localization is not in our national interest. I’ve argued against the data localization principles that were introduced in the Personal Data Protection Bill because I was concerned that a policy that required the personal data of citizens of India to be processed only within the physical boundaries of our country would adversely affect our ability to take full advantage of the global data economy.
But in the aftermath of Schrems II, I have to admit that I feel a bit foolish. After all, there is not much difference between a law that requires all data to be processed within the territorial jurisdiction of your country and one that only allows you to transfer data if it satisfies conditions that no other country really wants to meet.
