Jnaana Jyothi Program from Naavi, Cyber Law College and FDPPI

Naavi had earlier, around 2005, initiated a Cyber Law Awareness Movement intensely across Karnataka. Later it diffused to the rest of the country. At that time, Naavi held hundreds of meetings and training sessions in the physical world across Karnataka and the country. Some of those efforts resulted in Cyber Law courses being introduced in many colleges across Karnataka and elsewhere.

Now, a similar situation has come in the field of Data Protection. With the Personal Data Protection Bill under discussion in the Joint Parliamentary Committee (JPC), the Kris Gopalakrishna Committee report on Data Governance in public for comments, FDPPI’s Certification programs on Indian and Global Data Protection laws in full swing, there is a crazy level of activity at least in the Webinar space.

Naavi’s Cyber Law College, in association with the Foundation of Data Protection Professionals in India (FDPPI), has also undertaken its “All India Movement on Data Protection Awareness” through invitation lectures on the “Upcoming Personal Data Protection Regime in India” to corporates across the country through the webinar medium.

The program would be called “Jnaana Jyothi”, the light of knowledge, and would be conducted with the participation of Naavi as an individual, Cyber Law College as the pioneering educational organization in Cyber Law and FDPPI as a pioneering organization representing the Data Protection Professionals in India.

While this invitation lecture series is being launched, the next 4 days will see four different events in the Data Protection domain, pre-empting the formal launch of this awareness movement.

Today, on 29th July 2020, Naavi will participate in a discussion on the Data Governance Committee report. Tomorrow, on 30th July 2020, Naavi will participate in a discussion on the Personal Data Protection Bill and its impact on small entities. On 1st August, Naavi will address the Association of Fraud Examiners in Hyderabad on the emerging Personal Data Act in India, and on Sunday the 2nd August 2020, Naavi will participate in the FDPPI special knowledge awareness session on the impact of the rejection of the US Privacy Shield by the EU Court of Justice.

Interested professionals may gear up to follow all the four events and contribute their wisdom to the enhancement of knowledge.

Let the Jnaana Jyothi Program begin.

Naavi


FDPPI to discuss Data Governance Committee Report


The EDPB Clarifications on Privacy Shield..3

(This is in continuation of the earlier article)

The EDPB in its clarifications of 23rd July 2020 on the EUCJ ruling invalidating the US Privacy Shield reiterates that

a) There is no grace period in which personal data can continue to be transferred to EU on the basis of the US Privacy Shield alone.

b) Transfers now happening would be illegal and should be stopped.

c) Where SCCs are being used, an assessment has to be made, on a case-by-case basis, of the circumstances surrounding the transfer, to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If the assessment concludes that appropriate safeguards would not be ensured, the competent Supervisory Authority has to be notified.

Since no US company can afford to accept that it will not allow the national intelligence agencies to access personal data as per the legal provisions of the US, the safeguards expected by the EUCJ cannot be confirmed by any individual data importer. Hence, in all cases, a notification has to be sent to the Supervisory Authority that they cannot provide assurance of compliance.

If such a notice is given and the processing continues, then the US entities will be facing the possible penalties from the EU supervisory authorities.

The only option therefore is for US companies to withdraw their services from the EU. This would mean that Facebook, Google, Twitter etc. need to withdraw their services from the EU.

Another option is for these agencies to approach the US Court to provide them a blanket cover of immunity from fines under GDPR arising out of their inability to meet the requirements of the EUCJ ruling and the consequent administrative fines.

The Cyber Insurance companies who have provided covers for such fines need to withdraw their cover as it is clear that the US entities are not permitted to continue their data processing activities.

c) Binding Corporate Rules (BCR) will also be invalidated, since the observations of the Court apply here as well: US law will have primacy over this tool.

Again, the EDPB expects the data importer to make its own assessment of whether or not the data can be transferred on the basis of BCRs. If the entity is a US-based entity, there is no way it can take a stand that it will yield to the requirements of GDPR even when they are in conflict with US laws. Hence US companies will not be able to use BCRs.

Where the company is not a US company but has substantial interests in the US, using BCRs for transfer of data into the US for processing while not accepting the right of US intelligence to make surveillance requests would attract the risk of being prosecuted under US law.

In India, if any company resists such a request from the competent authorities, it can face imprisonment of up to 7 years under Section 69 of ITA 2000. Similar provisions would exist in the cyber security laws of other countries, including the US.

d) The “Derogations” under Article 49 are however available for transfer. Accordingly, “Explicit Consent” is an option available for transfer, apart from the other exceptions such as medical emergency etc.

Hence one of the best options available for data transfers in the current context is for data importers to insist that the data exporters have the necessary “Explicit Consent” from the data subjects for the transfer of personal data. This should be made part of every data processing contract.

e) The EDPB clarifies that if, as part of the derogations, the transfer is to be justified as “necessary for the performance of a contract”, it should be only for occasional transfers.

f) Similarly, the EDPB clarifies that if “public interest” has to be invoked for a transfer, it should be based on a finding of an important public interest and not merely on the interest of the organization.

g) The EDPB has clarified that the effect of this ruling would not be restricted to EU-US data transfers. The need for SCCs/BCRs to conform to the standard suggested in the judgement applies also to transfers to other countries.

This essentially means that any transfer from EU to India of personal data of EU data subjects under GDPR would require an SCC/BCR confirming that “Indian intelligence agency shall not have a right to demand access to information”.

This clause would be ultra vires the ITA 2000 in particular and hence would amount to “instigating” an Indian company to “reject a law of the Indian Parliament” for the incentive of the data processing contract.

I would like the MeitY to examine this point and confirm if they are ready to ignore the provisions of Sections 69, 69A, 69B and 70B of ITA 2000 when an Indian Company wants to get the data processing contract.

NASSCOM needs to examine this issue independently and advise all its members not to enter into any contractual clauses that compromise the sovereignty of the Indian Government.

NASSCOM should consider suggesting the adoption of the “Disclaimer clause” proposed in the previous article, which we reproduce here, to be added to all contracts:

“Notwithstanding anything contained above, the Data Exporter recognizes that the Data Importer is subject to the jurisdiction of the laws of the Data Importer’s country and is required to abide by the provisions of such law, in particular in the context referred to under Article 23 of GDPR”

NASSCOM or any other party may also move the Supreme Court for a ruling in this regard which pre-empts any Supervisory Authority of the EU from imposing fines on Indian entities on the basis of any contract which requires an Indian citizen/company to disrespect and refuse the authority of the Indian Government.

MHA needs to take special note of this and take steps in this regard.

Naavi

(Comments invited)

Foundation of Data Protection Professionals in India (FDPPI) is organizing a webinar on Sunday the 2nd August 2020 to discuss the implications of the EUCJ ruling on Indian data processing industry. Those interested in joining the webinar may send an email to fdppi@fdppi.in.

Reference Articles:

EU Judgement on US Privacy Shield…Is this an assault on US sovereignty?

Why the Standard Contractual Clauses of GDPR are disturbing.


The EDPB clarifications on Privacy Shield..2

(This is a continuation of the earlier article)

In order to provide some clarity on the EU Court of Justice ruling of 16th July 2020 on the rejection of the US Privacy Shield, the EDPB has come up with answers to a list of questions that are being raised by the business community.

A copy of the document is available here

In a bid to soften the business impact of the decision, the EDPB has tried to highlight that the judgement has upheld the validity of the Standard Contractual Clauses (SCCs), which are available for use by business entities for personal data transfer. It has specifically highlighted that the validity of SCCs is not questioned

“by the mere fact that the standard data protection clauses in that decision do not, given that they are contractual in nature, bind the authorities of the third country to which data may be transferred.”

This observation has to be taken with a pinch of salt, since the principle established under the judgement can still be used to invalidate any SCC if it can be established that the destination country’s intelligence system has access to the information under a process not acceptable to the EU Court.

This is also reiterated by the EDPB itself, stating:

In general, for third countries, the threshold set by the Court also applies to all appropriate safeguards under Article 46 GDPR used to transfer data from the EEA to any third country.

In other words, the EU Court will stand in judgement of any powers to be exercised by other sovereign Governments in respect of the powers to be given to their intelligence agencies.

While Article 23 does give such powers to the countries of the EU, it appears that the EUCJ wants to deny such powers to other sovereign countries.

The EDPB reiterates that

The Court considered that the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, and that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities.

This view clearly is an interference in the affairs of another country in its sovereign duties and indicates a myopic view of the Court, lacking the humbleness required in tackling international issues. This would be unacceptable to any self-respecting foreign Government.

The EDPB cleverly points out that despite a valid contract,

the data importer is required to inform the data exporter of any inability to comply with the standard data protection clauses, and where necessary with any supplementary measures to those offered by those clause, the data exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the data importer.

It is to be noted that instead of making the data exporter responsible for validating whether the contract is enforceable, it makes the data importer liable for the disclosure.

This will result in data exporters bringing economic pressure on data importers to sign on the dotted line and either declare that their respective intelligence agencies do not have the power to demand the information, which would be a false claim, or be forced into a confrontation with their own intelligence agencies when such a demand is made.

In political terminology this would amount to instigating an entity in a sovereign country to rise against the law enforcement powers of its own sovereign Government.

It would be interesting to see if the Trump Government would accept this ruling and agree to subordinate its legitimate national security duties to the protection of the privacy rights of EU citizens as directed by the EUCJ.

This could be an opening of a major international legal conflict where the US courts may be pitched against the EU Courts.

The US courts may however come into the reckoning only when the EU data protection authorities or any EU data controller tries to impose penalties on a US entity under an SCC clause. Until such time, there will be a sword of Damocles hanging over the US joint data controllers taking up US business.

Alternatively, it is for US business to reject this EUCJ decision, reiterate their own SCC clauses and ensure that the contracts entered into with EU data controllers do not expressly agree to reject the authority of their own country’s law enforcement requirements.

They should also reject the “Data Importer’s Responsibility” of due diligence by an express provision in the contract stating something to the following effect:

“Notwithstanding anything contained above, the Data Exporter recognizes that the Data Importer is subject to the jurisdiction of the laws of the Data Importer’s country and is required to abide by the provisions of such law, in particular in the context referred to under Article 23 of GDPR”

(To Be Continued)

Naavi

Reference Articles:

EU Judgement on US Privacy Shield…Is this an assault on US sovereignty?

Why the Standard Contractual Clauses of GDPR are disturbing.

The EDPB clarifications on Privacy Shield-1

On 16th July, the European Court of Justice (EUCJ) gave its ruling on whether the US Privacy Shield arrangement with the EU is acceptable for “Adequacy” under Article 45. The reference for the ruling had been made by the Irish High Court following proceedings in Data Protection Commissioner Vs Facebook Ireland and Maximillian Schrems.

The ruling has a far-reaching impact on the Indian data market, since India is a prominent data processor on the global scene and a large part of Indian business flows through the US. In most cases, Indian companies are sub-contracting “Processors” and not “Data Controllers”, and are therefore bound by the contractual obligations of the upstream data controllers, many of whom are US firms.

These data controllers in the US may be operating in different countries including the EU and are obligated to meet the GDPR requirements. Being US companies, some of them were depending on the US Privacy Shield to get the data transferred to the US and then using the Standard Contractual Clauses to sub-contract processing to India.

Such companies will have to suspend their operations until they conclude a fresh contract with the EU joint data controllers and thereafter also make suitable amendments to their Indian contracts. This legal formality will take at least a few weeks, during which the data processing may lack appropriate legal sanction. Conservative companies will therefore stop the processing activities until their legal departments and DPOs clear the continuation of the processing activity.

In view of these developments, it is necessary for Indian Data Processors to study the implications of the EU ruling and take steps to protect their interests.

The EDPB (European Data Protection Board), which is the apex regulator of GDPR, has now provided its clarifications on the week-old ruling, which answer many of the doubts that industry practitioners had.

The EDPB clarification is discussed here for the information of the industry.

Background

The EUCJ ruling of 16th July 2020 covers interpretations of the EU Directive dated 24th October 1995 on the protection of privacy of European citizens, the validity of the Standard Contractual Clauses as per the Commission’s decision of 5th February 2010, and the adequacy provided to the US Privacy Shield arrangement through the decision dated 12th July 2016.

It may be noted that GDPR was adopted on 14th April 2016 to be effective for implementation from 25th May 2018. The Privacy Shield arrangement was finalized immediately after the adoption of GDPR.

Prior to October 6, 2015, EU and US data transfer was governed by the International Safe Harbor principles, which were replaced with the Privacy Shield arrangement after GDPR became effective.

“Safe Harbor” was a self-certification scheme in which the US data importers gave an assurance of adherence to the data protection principles. The “Safe Harbor” system was accepted as “Adequate” for personal data transfer from the EU based on the European Commission’s decision in 2000 that the principles met the compliance requirements of the then existing EU Directive of 1995.

Though this adhered to the 7 basic Privacy principles self-certified by the US organization, it had been overturned by the EUCJ in October 2015, after which the Privacy Shield was negotiated.

The reason for rejection of the Safe Harbor principles was that the Court ruled that

“legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”

The “Privacy Shield” arrangement therefore brought “Stronger Obligations” on US companies, including higher cooperation between EU data protection authorities and the US.

It was envisaged that

“The new arrangement included commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalized access.

Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson”.

The current EUCJ order relates to the acceptability, under the EU regulations on privacy, of this Privacy Shield arrangement which had been negotiated between the EU and US authorities.

The ruling refers to several recitals and Articles to flag the objective of GDPR in terms of the scope of the regulation. It also highlighted that under the Privacy Shield arrangement, the US Government had committed to create a new oversight mechanism for national security interference, the “Privacy Ombudsperson, who should be independent of the intelligence community”.

The Court observed that

“Privacy Shield Ombudsperson, although described as ‘independent from the Intelligence Community’, was presented as ‘[reporting] directly to the Secretary of State who will ensure that the Ombudsperson carries out its function objectively and free from improper influence that is liable to have an effect on the response to be provided’”

..the Ombudsperson is appointed by the Secretary of State and is an integral part of the US State Department,..”

“…there is nothing ..to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely”

…“Therefore, the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter.”

“In the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision is invalid.”

The Court proceeded to also comment on whether this decision will create a vacuum disturbing business, by stating:

“..in view of Article 49 of the GDPR, the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create such a legal vacuum. That article details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR.”

As a result of the above ruling, all transfers to the US presently based on the Privacy Shield are to be considered invalid ab initio and replaced with other alternative measures to continue the transfer.

The Court has not ruled any punitive action to be initiated for the transfers which could have occurred so far.

However, from the date of this ruling and until alternatives are in place, there has to be a stoppage of all data transfers leading to a freezing of operations of many companies.

To the extent that many of the US companies have sub-contracted the processing to Indian companies, the processing in India will also have to stop forthwith.

Effect of Article 23

It may be noted that Article 23 of GDPR states as follows:

Article 23: Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.

In other words, GDPR considers that “National Security” etc. could be reasons for which GDPR provisions may be overruled by the member states through their own laws.

This principle appears to have been ignored when the Court ruled that the US Secretary of State cannot supervise the “Ombudsperson” in a manner that could prevent its intelligence agencies from accessing the personal data of EU citizens transferred to the US under the Privacy Shield arrangement.

Alternatives

Companies need to now explore alternative measures to continue their activities.

One such alternative would be Article 49, which refers to derogations for specific situations.

Additionally, Article 46, which refers to transfers subject to appropriate safeguards, Article 47 regarding Binding Corporate Rules, or Article 48 regarding mutual legal assistance treaties between countries may also provide an alternative.

However, both Article 46 and Article 47 need to conform to the principles under which the US Privacy Shield was rejected and ensure that there exists an effective judicial remedy for data subjects with the “independence” which was not available in the Ombudsperson scheme of the US Privacy Shield.

If, therefore, SCCs/BCRs provide for judicial relief through arbitration, the enforcement mechanism still has to be administered within the US system. Hence the effectiveness of any adverse arbitration decisions will continue to be a point of dispute.

At the same time, it is to be recognised that it is not feasible for any US-based organization to ignore a demand for information from its national security agencies. While surveillance is amenable to judicial review, to the extent that US national interests are involved and “intelligence” is always speculative, it is difficult to deny completely the authority of the investigative agencies to obtain data.

The “Derogations” under Article 49 therefore remain the only option for the companies, and this includes “Explicit Consent from the data subject for transfer of data”.

It can therefore be expected that all EU data exporters will need to revise their Privacy Policies to include an explicit consent for the transfer of personal data from the EU to the US and other countries, based on a reasonable assurance of safeguards from the downstream processor.

The European Data Protection Board (EDPB) has on 23rd July 2020 come up with a clarification on a series of questions that were raised in the light of the judgement, which is further discussed in the continuing article.

(To Be continued…)

Naavi

Reference Articles:

EU Judgement on US Privacy Shield…Is this an assault on US sovereignty?

Why the Standard Contractual Clauses of GDPR are disturbing.

Net4India discontinuance of service..Towards finding a solution

Two years back, when I wrote the article “Is Net4India closing down?”, I thought it was meant only to stimulate the company into gearing itself towards improving its service deficiencies. At that time I had got some information from some of the employees that things were not good and the promoters have not been mostly staying abroad etc. However, I did not anticipate that my question would be revisited after 2 years and that there would be a lot more people facing serious issues on account of the company being unable to service its customers.

At a time when the Internet is considered a fundamental right and Digital India requires promotion, a company which holds the domain name registrations of thousands of persons, hosted data, digital identity information, content of immense value etc., is threatening to walk away, leaving the customers in the lurch.

From the information available, it appears that some creditor of the company has filed a bankruptcy application and some consultant must have taken charge of all its assets without knowing the criticality of continued service. Presently, services where there is an inflow of money to Net4India, such as renewals, are being attended to. But any request for domain name transfers, issue of authentication codes or change of registration information etc. is not being attended to. It is possible that the physical office of Net4India might have become dysfunctional and only some of its servers are running.

There are companies which have hosted their websites and e-mail services with Net4India and are finding it difficult to maintain their services.

Several affected persons have written to me and also posted comments on the articles published in this blog enquiring about the status.

I have taken up the issue with ICANN’s country head Mr Samiran, the upstream ICANN registrar OpenProvider, of whom Net4India is said to be a reseller, as well as MeitY and NIXI.

So far the responses from them are not satisfactory. Mr Samiran has promised to find a resolution. OpenProvider has expressed its inability to take care of the reseller’s clients on ethical grounds, and MeitY/NIXI is maintaining its customary silence.

Since the net result of Net4India failing to provide the contracted services to its customers is “Denial Of Service”, it is a contravention under Section 43 of ITA 2000 and therefore comes under the jurisdiction of the Adjudicators under ITA 2000.

It also automatically qualifies as a Section 66 offence.

The Company has not provided any response to the various queries of the customers and not provided any reasons for discontinuing its service other than the Covid related notice they have put up.

Whoever is the complainant under the bankruptcy proceedings and the consultant who is attending to the proceedings are part of the problem and have caused the denial of access, though they may have some legal excuses of their own. But since they have not provided any public notice so far, it must be presumed that they are not interested in disclosing their interest. By remaining silent, they are forcing the public to make payments to a suspected insolvent company, which would be a fraud on genuine customers of Net4India.

I have invited a few of my advocate friends to assist the customers of Net4India in raising the issue with appropriate authorities.

I believe that MeitY has the ability to find a solution and they are ignoring the travails of the public. There is a need to make MeitY realize that we cannot allow the Internet Governance system to be run without making the licensed registrars take responsibility for properly winding down their business if need be.

Just as when small banks go bankrupt, RBI and the Government bail them out, here is a case to organize the takeover of part of the Net4India business by another operator so that the services can be continued.

MeitY has all the powers in this regard in respect of .in domain names and additionally can exercise its persuasive power to also address the other domain name registrations and business with Net4India.

If a notification is required from MeitY under Section 79 of ITA 2000 since Net4India is an intermediary, it can be done immediately.

I request all the affected persons to come together and form a “Forum of Net4India Customers” so that collective action can be taken. Initial facilitation for getting people together can be done by Naavi.org, and interested persons can send a one-page note indicating their name and address, with e-mail and mobile particulars, along with a brief note on their issues. It will be forwarded to appropriate advocates for follow-up.

I am requesting some advocates in Bangalore, Mumbai, Nagpur and Delhi to take up the issue with the Adjudicators.

Please contact me without delay.

Naavi
