How the Schrems II ruling impacts EU data transfers to India

The judgment in the so-called 'Schrems II' case in July last year emphasised that businesses must undertake thorough due diligence before transferring personal data from an EU country to a location outside of the European Economic Area (EEA), including India. This means assessing the risks that would apply to the data after it is transferred, evaluating the protections provided for under contract and domestic law in India, and implementing any additional measures necessary to address those risks.

The CJEU ruling highlighted the risks in particular that arise around the access that state authorities might have to data. For EU-India data transfers, businesses must assess the data access powers of Indian authorities, the related substantive and procedural safeguards and judicial remedies against such access, and whether these could be considered as essentially equivalent to the safeguards provided in the EU's General Data Protection Regulation (GDPR) and Charter of Fundamental Rights. This means evaluating whether there is a clear legal basis for access and that access is limited to what is necessary and proportionate, that there is independent oversight, and that there are effective remedies for EU data subjects.

It is likely businesses will determine that additional measures are necessary to meet the level of safeguards that EU law requires. However, options are limited and some measures could clash with the requirements of Indian law.

The position in India

Individual rights and judicial remedies

The ‘right to privacy’ and ‘informational privacy’ have been recognised, by the Supreme Court of India, as an intrinsic part of the ‘fundamental right’ of ‘right to life’ guaranteed under the Constitution of India. Crucially, the court has specifically extended this right to non-citizens as well, meaning it is open to EU data subjects to raise judicial review claims against any infringing actions of Indian authorities on the ground of a violation of their right to privacy.

The Supreme Court has also confirmed that this fundamental right can only be abridged by Indian authorities under specific laws, and that such laws must provide for procedural guarantees against abuse. Those laws must also set out the limits applicable to the exercise of such powers, and the action cutting across those rights must be necessary and proportionate and for legitimate purposes, according to the court. In addition, adopting principles similar to those contained in EU law, the Supreme Court also confirmed that the actions must be for ‘legitimate aims of the state’, ‘necessary in a democratic society’ and, ‘proportionate’.

The success of any claims challenging data access by Indian authorities will depend on facts and circumstances, however. Any judicial determination will be made pursuant to Indian law principles. Therefore, although claims by EU data subjects can be brought, the issue of whether the Indian framework ultimately provides ‘effective’ legal remedies to EU data subjects and can be regarded as being ‘essentially equivalent’ to EU framework, remains to be tested.

Data access mechanisms and grounds in India

At the heart of assessing the effectiveness of the legal remedies available to EU data subjects would be an assessment of the specific laws or powers under which Indian authorities could access personal data transferred from the EU.

Relevant to this assessment are the powers provided to Indian authorities under various provisions of Indian telecommunications and information technology laws that allow the authorities to carry out surveillance and monitoring, and seek disclosure of personal data, especially of telecommunications and internet traffic. Such information may include EU personal data transmitted to or by an Indian recipient.

Typically, these laws also prescribe specific grounds of such access or disclosure requirements, with examples including for reasons of national security, maintaining public order, preserving defence interests, addressing a public emergency or investigating offences. The laws also set out substantive and procedural safeguards and rules applicable to such surveillance or monitoring activities, such as prior approval by designated officers, maintenance of secrecy and confidentiality, limited retention periods and destruction of records after fulfilment of purpose, intra-departmental review of disclosure and monitoring orders by dedicated ‘review committees’.

Notably, access and monitoring mechanisms established under these laws require telecoms providers to facilitate the operation of a ‘central monitoring system’ for network traffic, and also require corporate entities and individuals to disclose information, and comply with orders for interception, monitoring and decryption if the data is encrypted.

Also, certain confidential surveillance programs have been established by the Indian government through ‘executive orders’, mainly for defence and counter-terrorism purposes. These include software-based frameworks for centrally connecting approved agencies to certain designated data providers – from telecoms providers to railways operators and airlines – and for detecting dubious traffic and keywords on communications and social media platforms. However, these initiatives have either been carved out from the purview of ‘information rights’ legislation in India or very little information regarding them has been made public. Therefore, limited details are available regarding the grounds and procedures of data access, targeted entities and data streams, and availability of procedural safeguards under such programs. 

However, the Indian Supreme Court’s decisions suggest that monitoring, surveillance and disclosure requirements under both legislative and executive mechanisms, and any data collection and other actions under such mechanisms, would be subject to constitutional remedies and judicial review. Potential grounds on which a legal challenge could be raised in this respect could include procedural irregularities on the part of the government, constitutional invalidity of the underlying law or executive order, or inadmissibility of any collected data as ‘evidence’.

While intra-departmental ‘review committees’ have been constituted to examine monitoring and disclosure orders under some Indian legislation, there are currently no independent data protection authorities or regulators in India. However, the proposed new Personal Data Protection Bill 2019 would provide for a new data protection and privacy framework in the country and envisages the creation of a data protection authority to oversee, regulate and provide appellate remedies on matters relating to data protection. The Bill accords a higher standard of protection to data subjects compared to the current regime and prohibits impingement of privacy or data rights without due satisfaction of specified requirements and procedural protocols. However, the Bill is yet to be enacted.

Actions for businesses

Businesses will have to internally assess feasibility of continuing data transfers to India in light of their analysis of Indian legislation and executive powers and relevant limitations, safeguards and judicial review mechanisms in place.

EU data controllers, in cooperation with Indian data recipients, will need to evaluate on a case-by-case basis whether transfers of EU personal data can be negatively affected by Indian regulations, both of a general and sectoral nature. The type and categories of data transferred may play an additional role in the assessment, along with any additional contractual, technical or organisational measures that are or may be implemented to safeguard such transfers.

EU data protection authorities (DPAs) are unlikely to approve or verify assessments of legality of personal data transfers to India prior to such transfers. The prospect of their evaluation taking place after data transfer arrangements have been implemented means there is a regulatory risk in adopting too optimistic an assessment of whether the arrangements are compliant.   

It is recommended that businesses consider the effectiveness of ‘additional measures’ – contractual, organisational and technical – that could be implemented. However, according to European Data Protection Board (EDPB), contractual or organisational measures would be deemed insufficient as they are not binding on the authorities in the non-EEA countries to which data are to be transferred. According to the EDPB, additional technical measures like encryption or pseudonymisation are the measures that are only likely to be effective – contractual or organisational measures can only supplement such technical measures. For any additional measures to be applied, however, it is important businesses check that their implementation does not entail violation of Indian law by the Indian data recipient.

Co-written by Harsh Walia and Abhinav Chandan, partner and counsel respectively at Indian law firm Khaitan & Co, along with Stephan Appt and Christina Kirichenko of Pinsent Masons.