DPO or Data Protection Officer, is the coveted corporate position that many professionals are after at this point of time. Every country wants to introduce a law to protect the Privacy of their citizens through a data protection regime. Along with the data protection law comes the need for compliance and under a threat of heavy fines.

This has generated a new senior corporate position of the DPO who is responsible for the compliance of the law in the organization that may be called a Data Controller, Data Processor or Data Fiduciary or by any other name.

DPOs are executives who have to monitor the data processing activities of the organization carried out by the technology team, sold by the business team and secured presently by the Information Security team and provide advise on how it should not be done. With the threat of large penalties for non compliance hanging like a Damocles sword, no CEO or the Board can ignore the need to identify and designate a competent person to hold the position which comes with a legal empowerment to supervise the activities of the CTO, CISO, CMO etc

With the Indian Personal Data Protection Act around the corner, GDPR, CCPA, Singapore PDPA, DIFC-DPA etc already in place, there is a scramble for appropriately skilled manpower to hold the important position of DPO in many organizations.

While Naavi has been urging the community to understand the Personal Data Protection and be ready before the bill becomes the law, complacency in some parts of the industry continued and many preferred to wait for the law to be enacted before getting prepared.

Now as some organizations are looking out for recruiting the right candidates, there is a likely hood of these laggards losing opportunities to other swift movers who have already taken steps to acquire relevant skills.

The manpower agencies are finding it difficult to put together a proper job specification because there is lack of understanding of the requirements even amongst them. As a result, reputed organizations are trying to recruit DPOs in India without even recognizing that the knowledge of Indian regulation for data protection (as it exists today in the form of ITA 2000 and as is emerging in the form of PDPA) is of paramount importance for such candidates.

Many prospective candidates are rushing to read the Personal Data Protection Bill 2019 now  after seeing an advertisement for DPO recruitment so that they can at least try to attend the interview and take their chance.

While Naavi along with Cyber Law College and Foundation of Data Protection Professionals (FDPPI) is conducting in depth training programs leading to “Certified Data Protection Professionals”, from last December, there are many who have started running now to catch the bus of opportunity which has already started moving.

To ensure that such of those people who are making their last minute efforts to prepare for their DPO interviews, Cyber Law College has created a ” Certified DPO Foundation”  Program.

The program will cover a gist of  Indian and Global data protection laws, Relevant Technology aspects, Data Audit aspects and Behavioural Skills all of which are relevant for an effective DPO.

This program for Aspiring DPOs will be conducted by Naavi  through web interactions. The program will be specifically tuned for the requirement of different aspirants and may run for 3-5 hours.

This would be a unique program for those professionals who are trying to catch up with an opportunity before it is too late. It will involve Counselling as well as transfer of key knowledge elements with problem solving skills to mentally prepare the aspirants for the responsibilities of a DPO.

Interested persons can contact Naavi for more details.

Naavi

In the PDPA version 2018, India had provided that a copy of all personal data has to be kept in India before it can be transferred out of the country. At the same time the transfer of sensitive and critical data was not allowed. Standard Contractual Clauses and Binding Corporate Rules were to be used along with consent for transfer of data outside India.

However succumbing to the pressure from vested business interests, the 2019 version of the Act has now allowed transfer of Non sensitive data without keeping a copy in India and sensitive data after keeping a copy in India.

The recent developments in the Court of Justice of EU invalidating the US Privacy shield and also expressed serious reservations on Standard Contract clauses and Binding Corporate Rules as alternatives to “Adequacy” decision of the EU Commission, it would be impossible for EU to transfer any personal data to US on the basis of the existing mechanisms such as the Privacy Shield, the Standard Contractual Clauses or Binding Corporate Rules.

The “Explicit Consent” of the data subject is the only possible method of transfer of personal data outside EU. We can therefore say that EU has now slipped into a very strict data localization norm much harsher than what PDPA 2018 comtemplated.

It is therefore time for the Joint Parliamentary Committee to also introduce similar data localization measures that

a) Without keeping a local copy, personal data cannot be transferred out of India

b) Explicit Consent would be mandatory even when a local copy is maintained.

c) Critical personal data will not be transferable even with explicit consent except for derogation such as medical emergency, fraud investigations, national security or an approval of the process by the DPA.

I hope the JPC takes note of this.

JPC should also note that in the emerging EU-US tussle, US companies will impose impossible and unreasonable conditions in their contracts on the Indian data processors and a mechanism should be built into our PDPA to protect the local data processors from such unconscionable contractual clauses.

Naavi

Refer Earlier Articles

EU Privacy -EDPB Clarifications

Naavi had earlier around 2005 initiated a Cyber Law Awareness Movement intensely across Karnataka. Later it did diffuse to the rest of the country. At that time, Naavi held hundreds of meetings and training sessions in the physical world across Karantaka and the country. Some of those efforts resulted in Cyber Law courses being introduced in many colleges across Karnataka and elsewwere.

Now, a similar situation has come in the field of Data Protection. With the Personal Data Protection Bill under discussion in the Joint Parliamentary Committee (JPC), the Kris Gopalakrishna Committee report on Data Governance in public for comments, FDPPI’s Certification programs on Indian and Global Data Protection laws in full swing, there is a crazy level of activity at least in the Webinar space.

Naavi’s  Cyber Law College in association with Foundation of Data Protection Professionals in India (FDPPI) has also undertaken  its “All India Movement on Data Protection Awareness” through invitation lectures on the “Upcoming Personal Data Protection Regime in India” to corporate across the country through the webinar medium.

The program would be called “Jnaana Jyothi”, the light of Knowledge and would be conducted with the participation of Naavi as an individual, Cyber Law College as the pioneering educational organization in Cyber Law and FDPPI a pioneering organization representing the Data Protection Professionals in India.

While these Invitation lecture series is being launched, the next 4 days will see four different events in the Data Protection domain, pre-empting the formal launch of this awareness movement.

Today on 29th July 2020, Naavi will participate in a discussion on the Data Governance Committee report. Tomorrow on 30th July 2020, Naavi will participate in a discussion on Personal Data Protection Bill and its impact on Small entities. On 1st August, Naavi will address the Association of Fraud Examiners in Hyderabad on  the emerging Personal Data Act in India and on Sunday the 2nd August, 2020, Naavi will participate in the FDPPI special knowledge awareness session on the impact of the rejection of US Privacy Shiled by the EU Court of Justice.

Interested professionals may gear up to follow all the four events and contribute their wisdom to the enhancement of knowledge.

Let the Jnaan Jyothi Program begin..

Naavi

(This is in continuation of the earlier article)

The EDPB in its clarifications of 23rd July 2020 on the EUCJ ruling invalidating the US Privacy Shield reiterates that

a) There is no grace period in which personal data can be continued to be transferred to EU on the basis of US Privacy shield alone.

b) Transfers now happening would be illegal and should be stopped.

c) Where SCCs are being used, an assessment has to be made on a case to case basis the circumstances surrounding the transfer, and to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If the assessment concludes that appropriate safeguards would not be ensured, the competent Supervisory authority has to be notified.

Since no US Company can afford to accept that it will not allow the national intelligence agencies to access the personal data as per the legal provisions of US, the safeguards expected by the EUCJ cannot be confirmed by any individual data importer. Hence in all cases, a notification has to be sent to the Supervisory authority that they cannot provide assurance of compliance.

If such a notice is given and the processing continues, then the US entities will be facing the possible penalties from the EU supervisory authorities.

The only option therefore is for US companies to withdraw their services from EU. This would mean that Face Book, Google, Twitter etc need to withdraw their services from EU.

Another option is for these agencies to approach the US Court to provide them a blanket cover of immunity from fines under GDPR arising out of their inability to meet the requirements of the EUCJ ruling and the consequent administrative fines.

The Cyber Insurance companies who have provided covers for such fines need to withdraw their cover as it is clear that the US entities are not permitted to continue their data processing activities.

c)  Binding Corporate Rules (BCR) will also be invalidated since the observations of the Court also applies since US law will have primacy over this tool.

Again EDPB expects the Data importer to make his own assessment whether or not the data can be trasferred on the basis of BCRs. If the entity is a US based entity, there is no way it can take a stand that it will yield to the requirements of GDPR even when it is in conflict with US laws. Hence US companies will not be able to use BCR.

Where the company is not an US company but has substantial interests in US, the use of BCR for transfer of data for processing into US and not accepting the right of the US intelligence for surveillance requests would attract the risk of being prosecuted under the US law.

In India if any company resists such request of the competent authorities, they can face imprisonment upto 7 years under Section 69 of ITA 2000. Similar provisions would be there in any Cyber Security laws in other countries including US.

d) The “Derogation s” under Article 49 are however available for transfer. Accordingly, “Explicit Consent” is an option available for transfer other than the other exceptions such as medical emergency etc.

Hence one of the best options available for data transfers in the current context is for Data Importers to insist that the Data Exporters have the necessary “Explicit Consent” from the Data Subjects for transfer of personal data. This should be made part of every data processing contract.

e) EDPB clarifies that if as part of derogations, the transfer is to be justified under “necessary for the performance of a contract”, it should be only for occasional transfers.

f) Similarly EDPB clarifies that if the “Public interest” has to be invoked for transfer, it should be based on finding of an important public interest and not based on the organization.

g) EDPB has clarified that the effect of this ruling would not be restricted to EU-US data transfers. The need for SCCs/BCRs to conform to the standard suggested in the judgement applies also to transfers to other countries.

This essentially means that any transfer from EU to India of personal data of EU data subjects under GDPR would require an SCC/BCR confirming that “Indian intelligence agency shall not have a right to demand access to information”.

This clause would be ultravires the ITA 2000 in particular and hence would be “Instigating” and Indian Company to “Reject a law of the Indian Parliament” for the incentive of the data processing contract.

I would like the MeitY to examine this point and confirm if they are ready to ignore the provisions of Sections 69, 69A, 69B and 70B of ITA 2000 when an Indian Company wants to get the data processing contract.

NASSCOM needs to examine this issue independently and advise all its members not to enter into any contractual clauses that compromise the sovereignty of the Indian Government.

NASSCOM should consider suggestion of the adoption of the “Disclaimer clause” suggested in the previous article which we reproduce here..to be added to all contracts…

“Not withstanding anything contained above, the Data Exporter recognizes that the Data Importer is subject to the jurisdiction of the laws of the Data Importer’s country and is required to abide by the provisions of such law, in particular to the context referred to  under Article 23 of GDPR in the context”

NASSCOM or any other party may also move the Supreme Court for a ruling in this regard which pre-empts any Supervisory authority of EU in imposing fines on Indian entities on the basis of any contract which requires an Indian Citizen/Company to disrespect and refuse the authority of the Indian Government.

MHA needs to take special note of this and take steps in this regard. 

Naavi

(Comments invited)

Foundation of Data Protection Professionals in India (FDPPI) is organizing a webinar on Sunday the 2nd August 2020 to discuss the implications of the EUCJ ruling on Indian data processing industry. Those interested in joining the webinar may send an email to fdppi@fdppi.in.

Reference Articles:

EU Judgement on US Privacy Shield…Is this an assault on US sovereignty?

Why the Standard Contractual Clauses of GDPR are disturbing.

Articles in this series

The EDPB Clarifies on Privacy Shield…1

The EDPB Clarifications on Privacy Shield…2

The EDPB Clarifications on Privacy Shield…3

(This is a continuation of the earlier article)

In order to provide some clarity to the EU Court of Justice ruling of 16th July 2020 on the rejection of the US Privacy Shield, the EDPB has come up with answers to a list of questions that is being raised by the business community.

A copy of the document is available here

In a bid to soften the business impact of the decision, EDPB has tried to highlight that the judgement has upheld the validity of the Standard Contract Clauses (SCCs) which are available for use by the business entities for personal data transfer. It has specifically highlighted that the validity of SCCs is not questioned

“by the mere fact that the standard data protection clauses in that decision do not, given that they are contractual in nature, bind the authorities of the third country to which data may be transferred.”

This observation has to be taken with a pinch of salt since the principle established under the judgement can still be used to invalidate any SCC if it can be established that the destination country’s intelligence system has access to the information under a process not acceptable to the EU Court.

This is also reiterated by EDPB itself stating

In general, for third countries, the threshold set by the Court also applies to all appropriate safeguards under Article 46 GDPR used to transfer data from the EEA to any third country.

In other words, the EU Court will stand in judgement of any powers to be exercised by other sovereign Governments  in respect of the powers to be given to their intelligence agencies.

While Article 23 does give such powers to the countries of the EU, it appears that the EUCJ wants to deny such powers to other sovereign countries.

EDPB reiterates that

The Court considered that the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, and that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities.

This view clearly is an interference in the affairs of another country in its sovereign duties and indicates a myopic view of the Court lacking  the humbleness required in tackling international issues. This would be unacceptable to any self respecting foreign Government.

The EDPB cleverly points out that despite a valid contract,

the data importer is required to inform the data exporter of any inability to comply with the standard data protection clauses, and where necessary with any supplementary measures to those offered by those clause, the data exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the data importer.

It is to be noted that instead of making the data exporter responsible to validate if the contract is enforceable, it makes the data importer liable for the disclosure.

This will result in the data exporters bringing economic pressure on the data importer to sign on the dotted line to either declare that their respective intelligence agencies donot have the power to demand the information, which will be a false claim or force them into a confrontation with their own intelligence agencies when such a demand is made.

In political terminology this would amount to instigating an entity in a sovereign country to raise against the powers of law enforcement of its own sovereign Government.

It would be interesting to see if the Trump Government would accept this ruling and agree to subordinate it’s legitimate national security duties to the protection of the Privacy rights of the EU Citizens as directed by the EUCJ.

This could be an opening of a major international legal conflict where the US courts may be pitched against the EU Courts.

The US courts may however come into reckoning only when the EU data protection authorities or any EU Data controller tries to impose penalties on a US entity under any SCC clause. Until such time there will be a Damocles Sword hanging over the US joint data controllers taking up US business.

Alternatively, it is for the US business to reject against this EUCJ decision and reiterate their own SCC clauses and ensure that the contracts entered into with the EU Data controllers donot expressly agree to reject the authority of the country’s law enforcement requirements.

They should also reject the “Data Importer’s Responsibility” of due diligence by an express provision in the contract stating some thing similar to the effect

“Not withstanding anything contained above, the Data Exporter recognizes that the Data Importer is subject to the jurisdiction of the laws of the Data Importer’s country and is required to abide by the provisions of such law, in particular to the context referred to  under Article 23 of GDPR in the context”

(To Be Continued)

Naavi

Reference Articles:

EU Judgement on US Privacy Shield…Is this an assault on US sovereignty?

EU Judgement on US Privacy Shield…Is this an assault on US Sovereignty?

Why the Standard Contractual Clauses of GDPR are disturbing.

Articles in this series

The EDPB Clarifies on Privacy Shield…1

The EDPB Clarifications on Privacy Shield…2

The EDPB Clarifications on Privacy Shield…3