The EDPB clarifications on Privacy Shield-1

On 16th July 2020, the Court of Justice of the European Union (referred to here as the EUCJ) gave its ruling on whether the US Privacy Shield arrangement with the EU is acceptable for “Adequacy” under Article 45 of GDPR. The reference for the ruling had been made by the High Court of Ireland in the proceedings Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.

The ruling has a far-reaching impact on the Indian data market, since India is a prominent data processor on the global scene and a large part of Indian business flows through the US. In most cases the Indian companies are sub-contracted “Processors” and not “Data Controllers”, and are therefore bound by the contractual obligations of the upstream data controllers, many of whom are US firms.

These Data Controllers in the US may be operating in different countries, including the EU, and are obliged to meet the GDPR requirements. Being US companies, some of them were depending on the Privacy Shield to get the data transferred to the US and then using the Standard Contractual Clauses (SCCs) to sub-contract processing to India.

Such companies will have to suspend their operations until they conclude a fresh contract with the EU data controllers (or joint controllers) and thereafter make suitable amendments to their Indian contracts. This legal formality will take at least a few weeks, during which the data processing may lack appropriate legal sanction. Conservative companies will therefore stop the processing activities until their legal departments and DPOs clear the continuation of the processing activity.

In view of these developments, it is necessary for Indian Data Processors to study the implications of the EU ruling and take steps to protect their interests.

The EDPB (European Data Protection Board), the apex body for GDPR, has now provided its clarifications on the week-old ruling, answering many of the doubts that industry practitioners had.

The EDPB clarification is discussed here for the information of the industry.

Background

The EUCJ ruling of 16th July 2020 covers the interpretation of the EU Data Protection Directive of 24th October 1995 (Directive 95/46/EC), the validity of the Standard Contractual Clauses adopted by the Commission’s decision of 5th February 2010 (Decision 2010/87/EU), and the adequacy granted to the US Privacy Shield arrangement by the decision of 12th July 2016 (Decision (EU) 2016/1250).

It may be noted that GDPR was adopted by the European Parliament on 14th April 2016, to apply from 25th May 2018. The Privacy Shield arrangement was finalized immediately after the adoption of GDPR.

Prior to October 6, 2015, EU-US data transfers were governed by the International Safe Harbor principles; these were replaced by the Privacy Shield arrangement in July 2016, after GDPR had been adopted but before it became applicable.

“Safe Harbor” was a self-certification scheme in which the US data importers gave an assurance of adherence to a set of data protection principles. The “Safe Harbor” system was accepted as “Adequate” for personal data transfers from the EU on the basis of the European Commission’s decision in 2000 (Decision 2000/520/EC) that the principles met the compliance requirements of the then existing EU Directive of 1995.

Though the US organizations self-certified adherence to its seven basic privacy principles, Safe Harbor was struck down by the EUCJ in October 2015 (the “Schrems I” judgment), after which the Privacy Shield was negotiated.

The Court struck down the Safe Harbor principles because it held that

“legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”.

The “Privacy Shield” arrangement therefore brought “stronger obligations” on US companies, including closer cooperation between EU data protection authorities and the US.

It was envisaged that

“The new arrangement included commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalized access.

Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson”.

The current EUCJ order concerned whether this Privacy Shield arrangement, negotiated between the EU and US authorities, is compatible with EU privacy law.

The ruling refers to several recitals and Articles to flag the objective and scope of GDPR. It also highlights that under the Privacy Shield arrangement the US Government had committed to create a new oversight mechanism for national security interference, the “Privacy Shield Ombudsperson”, who was to be independent of the intelligence community.

The Court observed that

“Privacy Shield Ombudsperson, although described as ‘independent from the Intelligence Community’, was presented as ‘[reporting] directly to the Secretary of State who will ensure that the Ombudsperson carries out its function objectively and free from improper influence that is liable to have an effect on the response to be provided’”

“…the Ombudsperson is appointed by the Secretary of State and is an integral part of the US State Department…”

“…there is nothing ..to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely”

“…Therefore, the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter.”

“In the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision is invalid.”

The Court also addressed whether this decision would create a legal vacuum disrupting business, stating:

“..in view of Article 49 of the GDPR, the annulment of an adequacy decision such as the Privacy Shield Decision is not liable to create such a legal vacuum. That article details the conditions under which transfers of personal data to third countries may take place in the absence of an adequacy decision under Article 45(3) of the GDPR or appropriate safeguards under Article 46 of the GDPR.”

As a result of the above ruling, all transfers to the US presently based on the Privacy Shield are to be considered invalid ab initio and must be replaced with other alternative measures if the transfers are to continue.

The Court has not ruled any punitive action to be initiated for the transfers which could have occurred so far.

However, from the date of this ruling and until alternatives are in place, all such data transfers have to stop, leading to a freezing of the operations of many companies.

To the extent that many of the US companies have sub-contracted the processing to Indian companies, the processing in India will also have to stop forthwith.

Effect of Article 23

It may be noted that Article 23 of GDPR  states as follows:

Article 23:Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.

In other words, GDPR itself recognises that “National Security” and similar grounds are reasons for which its provisions may be restricted by the Union or by a member state through its own laws.

This principle appears to have been ignored when the Court ruled that the US Secretary of State cannot supervise the “Ombudsperson” in a manner that could prevent its intelligence agencies from accessing the personal data of EU citizens transferred to the US under the Privacy Shield arrangement.

Alternatives

Companies need to now explore alternative measures to continue their activities.

One such alternative would be Article 49, which provides derogations for specific situations.

Additionally, Article 46, which refers to transfers subject to appropriate safeguards, Article 47 regarding Binding Corporate Rules, or Article 48 regarding transfers under international agreements such as mutual legal assistance treaties, may also provide an alternative.

However, both the Article 46 and Article 47 mechanisms need to satisfy the principles on which the US Privacy Shield was rejected, and must ensure that the data subjects have an effective and “independent” judicial remedy, which was not available under the Ombudsperson scheme of the US Privacy Shield.

Therefore, even if the SCCs or BCRs provide for relief through arbitration, the enforcement mechanism still has to be administered within the US system. Hence the effectiveness of any adverse arbitration decision will continue to be a point of dispute.

At the same time, it is to be recognised that it is not feasible for any US-based organization to ignore a demand for information from its national security agencies. While surveillance is amenable to judicial review, to the extent that US national interests are involved and “intelligence” is always speculative, it is difficult to deny completely the authority of the investigative agencies to obtain data.

The “Derogations” under Article 49 therefore remain the only option for the companies, and these include “explicit consent of the data subject to the transfer”.

It can therefore be expected that all EU data exporters will need to revise their Privacy Policies to include explicit consent for the transfer of personal data from the EU to the US and other countries, based on a reasonable assurance of safeguards from the downstream processor.

The European Data Protection Board (EDPB) on 23rd July 2020 came up with a clarification on a series of questions that were raised in the light of the judgement, which is discussed further in the continuing article.

(To Be continued…)

Naavi

Reference Articles:

EU Judgement on US Privacy Shield…Is this an assault on US sovereignty?


Why the Standard Contractual Clauses of GDPR are disturbing.

Articles in this series

The EDPB Clarifies on Privacy Shield…1

The EDPB Clarifications on Privacy Shield…2

The EDPB Clarifications on Privacy Shield…3


Posted in Cyber Law

Net4India discontinuance of service..Towards finding a solution

Two years back, when I wrote the article “Is Net4India closing down?”, I thought it was meant only to stimulate the company into gearing itself towards improving its service deficiencies. At that time I had got some information from some of the employees that things were not good and that the promoters had mostly been staying abroad, etc. However, I did not anticipate that my question would be revisited after 2 years and that there would be a lot more people facing serious issues on account of the company being unable to service its customers.

At a time when the Internet is considered a fundamental right and Digital India requires promotion, a company which holds the domain name registrations of thousands of persons, hosted data, digital identity information, content of immense value etc., is threatening to walk away, leaving the customers in the lurch.

From the information available, it appears that some creditor of the company has filed a bankruptcy application and some consultant must have taken charge of all its assets without knowing the criticality of continued service. Presently, services where there is an inflow of money to Net4India, such as renewals, are being attended to. But requests for domain name transfers, issue of authentication codes or change of registration information etc. are not being attended to. It is possible that the physical office of Net4India has become dysfunctional and only some of its servers are running.

There are companies which have hosted their websites and e-mail services with Net4India and are finding it difficult to maintain their services.

Several affected persons have written to me and also posted comments on the articles published in this blog enquiring about the status.

I have taken up the issue with ICANN’s country head Mr Samiran, with the upstream ICANN registrar OpenProviders, of whom Net4India is said to be a reseller, as well as with MeitY and NIXI.

So far the responses from them are not satisfactory. Mr Samiran has promised to find a resolution. Open Provider has expressed its inability to take care of the reseller’s clients on ethical grounds, and MeitY/NIXI is maintaining its customary silence.

Since the net result of Net4India failing to provide the contracted services to its customers is “Denial Of Service”, it is a contravention under Section 43 of ITA 2000 and therefore comes under the jurisdiction of the Adjudicators under ITA 2000.

It also  automatically qualifies as a Section 66 offence.

The Company has not provided any response to the various queries of the customers and has not provided any reasons for discontinuing its service other than the Covid-related notice it has put up.

Whoever is the complainant under the bankruptcy proceedings and the consultant who is attending to the proceedings are part of the problem and have caused the denial of access, though they may have some legal excuses of their own. But since they have not provided any public notice so far, it must be presumed that they are not interested in disclosing their interest. By remaining silent, they are forcing the public to make payments to a suspected insolvent company, which would be a fraud on the genuine customers of Net4India.

I have invited a few of my advocate friends to assist the customers of Net4India in raising the issue with appropriate authorities.

I believe that MeitY has the ability to find a solution and that they are ignoring the travails of the public. There is a need to make MeitY realize that we cannot allow the Internet governance system to be run without making the licensed registrars take responsibility for properly winding down their business if need be.

Just as the RBI and the Government bail out small banks that go bankrupt, here is a case for organizing the takeover of part of Net4India’s business by another operator so that the services can be continued.

MeitY has all the powers in this regard in respect of .in domain names and can additionally exercise its persuasive power to address the other domain name registrations and business with Net4India.

If a notification is required from MeitY under Section 79 of ITA 2000 since Net4India is an intermediary, it can be done immediately.

I request all the affected persons to come together and form a “Forum of Net4India Customers” so that collective action can be taken. Initial facilitation for getting people together can be done by Naavi.org; interested persons can send a one-page note indicating their name and address, with e-mail and mobile particulars, along with a brief note on their issues. It will be forwarded to appropriate advocates for follow-up.

I am requesting some advocates in Bangalore, Mumbai, Nagpur and Delhi to take up the issue with the Adjudicators.

Please contact me without delay.

Naavi

Posted in Cyber Law | 13 Comments

Cyber Law College continues its association with Apnacourse.com

Though Cyber Law College has introduced certain new online streaming-video-based courses under its E-Education initiative, its earlier association with Apnacourse.com continues.

Presently three courses, namely Certified Cyber Law Professional, Certified HIPAA Aware Professional and Certified GDPR Professional, are on this platform.

These are administered by Apnacourse.com and interested persons can pursue the programs through the Apnacourse.com platform. Participation certificates can be obtained for these programs from ApnaCourse.com/Cyber Law College on request.

Naavi

Posted in Cyber Law

PDPSI and Territorial Scope in GDPR et.al

One of the first and foremost challenges in implementing data protection regulations in the Indian scenario is to recognize which law is applicable to a particular processing activity.

The “Personal Data Protection Standard of India” (PDPSI) is a standard framework which has recognized this challenge in the multi-stake personal data scenario and tried to address it.

Typically, a company in India, say IN, receives a data processing assignment from companies in different countries, say AT in Austria or US in the USA. AT may have personal data of Austrian citizens subject to GDPR. On the other hand, US may be a globally operating company and may have data set US-1 relating to California, US-2 relating to the UK, US-3 relating to France and maybe US-4 relating to India itself.

Both AT and US would enter into a data processing agreement incorporating SCCs and obtaining an undertaking of compliance with GDPR and/or all applicable privacy laws.

The term “All Applicable Privacy Laws” may include “applicable privacy, information security, data protection, and data breach notification laws and regulations”.

In such cases, we can recognize that being “GDPR compliant” or holding an “ISO 27701 certification” would not by itself be sufficient for compliance.

PDPSI, which is developed as a “techno-legal compliance framework for multiple legal stakes”, therefore considers it extremely important to classify the personal data we are trying to protect with a proper classification tag that identifies the applicable law.

For example, in the above case it is easy to tag all personal data received under the contract with AT as “GDPR stake”. But when we deal with US as a client, we cannot designate all personal data received under the contract as subject to GDPR, or CCPA, or the New York SHIELD Act, or other laws. Without properly identifying the stake, there is no way we can evaluate the sufficiency of the notice, consent, rights management, cross-border restrictions, DPO requirements etc.

At this point there is also a need to be clear about the “role definitions”: whether IN is a data processor alone, or a controller or joint controller. This will also be determined by the contract signed between IN and AT or US, and is part of the determination of the applicable law.

In case IN is a “Data Processor” alone, its liability under the contract is limited to the contractual agreement. Hence the jurisdiction mentioned in the contract will determine the applicable law. Irrespective of whether the US data consists of data from multiple jurisdictions, the contract will have one governing law and one forum for courts/arbitration as agreed in the contract, which could be the US or India. Similarly, the Austrian contract may be governed by Austrian law or Indian law and be subject to arbitration or court jurisdiction in Austria or India. (Where GDPR itself applies to the processor, Articles 28 and 82 also impose direct obligations and liability on it, independent of the contract.)

If, however, IN is not a “Data Processor” but a “Joint Controller”, then it will be subject to the individual laws of each of the countries of origin of the personal data. In certain cases we may not be able to determine the country of origin purely by technical means such as IP address resolution, and we need to specifically ask the data subject providing the information, through a consent form, which privacy law regime they choose to be subject to. By default it could be the location of residence as declared in the residential address, if collected, or the location of the IP address from which the information is provided (though this is not always a correct identification of the data subject’s place of residence).

The EDPB Guidelines 3/2018 on territorial scope (version 2.1, adopted on 12th November 2019) provide clarity that the territorial scope of GDPR must be determined on the basis of whether the entity has a direct relationship with the data subject or is working through another entity which is the data controller. If the processor does not itself direct its business to data subjects in the EU, it is not a “Data Processor” coming under the definition of GDPR; it is only a sub-contractor for processing and is bound by the contractual agreement with the data controller.

If in the above case IN wants to be a “Data Controller” and enters into such an agreement with US, then in most cases it will have to deal directly with multiple data protection authorities and may also have to appoint representatives in many countries. It also has to implement its privacy and security controls differently for different sets of data.

The proposed Indian PDPA gives an exemption from its provisions for such processing, provided the processing activity is properly notified, but other laws have not provided such exemptions. Each law defines the material scope according to which it applies to the personal data of its citizens/consumers as defined in the said law.

One of the standards in PDPSI is “Law-based scoping”, which takes into account the identification of the role of the implementing organization as to whether it is a “Controller”, a “Processor” or a “Sub-contractor-processor” with respect to the personal data set that is the subject matter of protection. At the same time, it tags the applicable law, i.e. whether GDPR or some other law applies to the identified and separated data set.

Different instances of PDPSI, such as PDPSI-IN, PDPSI-GDPR or PDPSI-CCPA, take care of secondary-level differences in the required compliance by adopting different sets of implementation specifications.

By adopting this flexible approach, PDPSI becomes a universal framework that can be applied to all data protection laws, with the appropriate changes in the implementation specifications recorded by the implementer in a “Standard Variance Document”.

Cyber Law College will shortly be conducting an exclusive training program for implementers who would like to explore PDPSI as an implementation framework in greater detail. As Naavi has explained earlier, this framework is part of the “Aatma Nirbhar” (self-reliance) program in data protection in India, intended to reduce the dependence of MSME organizations on international frameworks.

Interested persons can contact Naavi through e-mail to help with the scheduling of the program.

Naavi


Posted in Cyber Law

New Regulations… New Opportunities…New Responsibilities

(This is the continuation and  summary article in the series)

The Kris Gopalakrishna Committee was constituted on 13th September 2019 with brief terms of reference to study the various issues relating to Non-Personal Data and make specific suggestions. It was headed by Shri Kris Gopalakrishna, Co-Founder of Infosys, and had 7 other members.

The Committee’s recommendations were released on July 12th and public comments have been solicited up to August 13.

The task entrusted to the committee was complex and the committee has come up with a comprehensive set of suggestions which are very promising. These are early days though as the recommendations will be churned again and again until it is implemented. But the road map has been set and the journey has begun.

In order to enable more people to understand the import of the recommendations and respond with their comments to the Government, I have tried to provide, through the series of 8 articles preceding this, a glance at the recommendations. By no means are these complete, and they require refinement.

However, we must recognize that this is the forerunner of a new regulation of immense importance to the industry in India. It is of interest not only to Jio, Google or Facebook, but also to the entire IT industry, the public, the Government etc.

We often say “Data is Oil” and recognize its economic potential. A time has now come to look at the regulation that can ensure the harnessing of “Data” as a “National Asset”.

We are now on the threshold of passing the “Personal Data Protection Act” which will regulate that part of the Data Universe that has the identity of an individual. Now a new “Non Personal Data Regulation Act” will address the regulation of the rest of the Data universe.

The law is yet to be framed. Even the Bill is not ready. But the die is cast. In due course an Act will come into being. The industry has to gear itself up for this new development.

The development will have a profound impact on businesses because it will drag many establishments, including several Government agencies, into a hitherto absent regulatory environment. It will give rise to new opportunities in the area of technology which innovative technology start-ups can harness.

The professional workforce which was slowly coming to terms with the Data Protection Act will now have another disruption to contend with. As I have already been hinting, Non-Personal Data governance will bring in a new professional, namely the “Data Governance Officer” in a corporate set-up, who will discharge a function different from that of the DPO, CISO, CTO, CCO or CRO. This will be a new breed of “Data Management Experts”, “Techno-Management Experts” who come out of the business schools with both management and technology skills.

As is customary, Naavi starts his journey into this world of Data Governance and will try to facilitate other professionals to join in.

Currently Naavi is focussed on the Foundation of Data Protection Professionals in India (FDPPI) and the “Foundation of Data Governance Professionals in India” will be a natural extension.

I invite other professionals to start thinking in this direction as we address both Personal Data and Non Personal Data management as a common objective.

For the time being, however, let us concentrate on studying the recommendations of the Committee and formulate our comments to be submitted to the Government. With the Government needing to complete its obligations on passing the PDPB 2019 at the earliest, the Non-Personal Data Regulation Act may take some time to emerge. But let us use this interim period to learn more on this subject and prepare ourselves for the new era.

I have tried to provide below a list of articles that have appeared on this site in the past for immediate reference. I look forward to comments from others to collate more thoughts on this subject.

Naavi

Earlier Articles

September 16 2019:

Views of Kris Gopalakrishna.. What do they indicate for the Privacy regulation in India?
Views of Kris Gopalakrishna…on Privacy…2 Leveraging data for the benefit of the individuals

Views of Kris Gopalakrishna…on Privacy…3

September 2019-July 2020

Kris Gopalakrishna clarifies the role of Data Governance Committee-September 16,2019

What is Data Governance Framework ?-September 14, 2019
Committee on Data Governance…: Is it relating to Anonymized Personal Data or Non Personal Data?-September 14, 2019
What is Community Privacy? and who has the right of disposal?-September 23, 2019

Churning Expected in Corporate Data Governance hierarchy-26th September, 2019

The Consortium of “PDPA opposing companies” puts Kris Gopalakrishna under radar-March 8, 2020

July 2020

Differential Privacy and PDPA 2020-July 10, 2020

Data Governance Regulator may be designated by the Kris Gopalakrishna committee-July 11, 2020

Kris Gopalakrishna Committee submits reports-July 12, 2020

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-1

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-2

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-3
Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-4

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-5

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-6

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-7

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-8

New Regulations… New Opportunities…New Responsibilities

Posted in Cyber Law | 1 Comment

Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-8

(This is a continuation of the previous article)

Technology Architecture

The Kris Gopalakrishna Committee (KGC) has also added key guiding principles on the technology that can be used for creating and operating shared data directories and databases, and for the digital implementation of rules and regulations related to data sharing. These are briefly indicated below.

Mechanisms for Accessing data

All sharable Non-Personal Data and datasets created or maintained should have a REST (Representational State Transfer) API for accessing the data.

Data sandboxes can be created where experiments can be run and algorithms can be deployed, with only the output being shared, without sharing the data.

Distributed storage for data security

Data storage in a distributed format so that there is no single point of leakage; sharing to be undertaken using APIs only, such that all requests can be tracked and logged; all requests for data to be served only after the requester has registered with the company for data access, etc.

Even when data is stored in a distributed or federated form, there could, as appropriate, be coordinated management of it, as would be required for data trusts and data infrastructures for important Non-Personal Data in different sectors.

Creating a standardized data exchange approach for data collation and exchange.

Prevent de-anonymization by using best-of-breed differential privacy algorithms.

A system architecture to enable the implementation of the guidelines has also been provided by the Committee.
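The sandbox, API-only access, request logging, registration and differential privacy principles above fit together in one small worked example. The Python below is an added illustration written for this article; it is not code from the Committee’s report, and the report prescribes no particular implementation. The trip records, requester names and epsilon budgets are constructed for the example. Raw records never leave the sandbox: a registered requester can obtain only aggregates (a count, or a sum over values clipped to a declared range), each aggregate is perturbed with Laplace noise calibrated to its sensitivity, every request and every refusal is logged, and each requester has a finite privacy budget so that repeated querying cannot be averaged out to recover individual records. A REST layer, which the example omits, would sit in front of the `count` and `bounded_sum` methods.

```python
"""Added example (not from the KGC report): a minimal 'data sandbox' that
releases only differentially private aggregates over a constructed data set."""
import math
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample records standing in for a sectoral Non-Personal Data set
# (hypothetical trip data; values chosen for illustration only).
SAMPLE_RECORDS: List[dict] = [
    {"district": "North", "hour": 8, "trip_km": 12.4},
    {"district": "North", "hour": 9, "trip_km": 3.1},
    {"district": "South", "hour": 8, "trip_km": 45.0},
    {"district": "East", "hour": 18, "trip_km": 7.8},
    {"district": "North", "hour": 18, "trip_km": 220.0},  # outlier, clipped below
    {"district": "South", "hour": 22, "trip_km": 1.2},
]


class SandboxError(Exception):
    """Raised when a request is refused (unregistered requester or budget spent)."""


@dataclass
class DataSandbox:
    records: List[dict]
    rng: random.Random
    budgets: Dict[str, float] = field(default_factory=dict)  # requester -> epsilon left
    log: List[dict] = field(default_factory=list)

    def register(self, requester: str, epsilon_budget: float) -> None:
        """Requesters must register before any data access (KGC principle)."""
        self.budgets[requester] = float(epsilon_budget)

    def _laplace(self, scale: float) -> float:
        """Sample Laplace(0, scale) as the difference of two Exp(mean=scale) draws.
        A scale of 0 means the output does not depend on any record, so no noise."""
        if scale <= 0:
            return 0.0
        return self.rng.expovariate(1.0 / scale) - self.rng.expovariate(1.0 / scale)

    def _authorise(self, requester: str, kind: str, epsilon: float) -> None:
        """Check registration and remaining budget; log the decision either way.
        The log records who asked what, never the data or the answer."""
        entry = {"requester": requester, "query": kind, "epsilon": epsilon}
        if requester not in self.budgets:
            self.log.append({**entry, "status": "denied:unregistered"})
            raise SandboxError(f"{requester!r} is not registered")
        if epsilon <= 0 or epsilon > self.budgets[requester]:
            self.log.append({**entry, "status": "denied:budget"})
            raise SandboxError(f"{requester!r} has {self.budgets[requester]:.3f} epsilon left")
        self.budgets[requester] -= epsilon
        self.log.append({**entry, "status": "ok", "budget_left": self.budgets[requester]})

    def count(self, requester: str, predicate: Callable[[dict], bool], epsilon: float) -> float:
        """Noisy count of matching records. Adding or removing one record changes a
        count by at most 1, so Laplace noise of scale 1/epsilon gives epsilon-DP."""
        self._authorise(requester, "count", epsilon)
        true_count = sum(1 for r in self.records if predicate(r))
        return true_count + self._laplace(1.0 / epsilon)

    def bounded_sum(self, requester: str, column: str, lo: float, hi: float, epsilon: float) -> float:
        """Noisy sum of a numeric column after clipping each value to [lo, hi].
        Clipping bounds any single record's contribution, so the sensitivity is
        max(|lo|, |hi|) and the noise scale is that divided by epsilon."""
        if lo > hi:
            raise ValueError("lo must not exceed hi")
        self._authorise(requester, f"sum:{column}", epsilon)
        clipped = (min(max(float(r[column]), lo), hi) for r in self.records)
        sensitivity = max(abs(lo), abs(hi))
        return sum(clipped) + self._laplace(sensitivity / epsilon)


if __name__ == "__main__":
    sb = DataSandbox(records=SAMPLE_RECORDS, rng=random.Random(7))
    sb.register("analyst-a", epsilon_budget=1.0)
    print("north trips ~", round(sb.count("analyst-a", lambda r: r["district"] == "North", 0.5), 1))
    print("total km ~", round(sb.bounded_sum("analyst-a", "trip_km", 0.0, 50.0, 0.5), 1))
    try:
        sb.count("analyst-a", lambda r: True, 0.5)  # budget is now exhausted
    except SandboxError as exc:
        print("refused:", exc)
    for entry in sb.log:
        print(entry)
```

Running the block prints two noisy aggregates, a refusal once the budget is spent, and the access log. The budget check is the part most often left out of such designs: without it an analyst could repeat the same query many times and average away the noise, and the clipping range in `bounded_sum` has to be fixed before looking at the data, otherwise the range itself leaks information about the outliers it was chosen around.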

(To be continued)

Naavi


Posted in Cyber Law