It’s surprising that India has not been granted adequacy status under GDPR since long and our entire Industry is satisfied that it is due to India not having strong Data Protection Laws in place.
An adequacy decision is crucial from business perspective because adequacy status permits cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU without further authorisation from a national supervisory authority and in turn boosts the economy and could provide advantage to Indian companies dealing with EU. The Adequacy status will boost Indian economy further and will make dream of Hon Prime Minister regarding India becoming 5 trillion economies in coming future, a reality.
I strongly believe that India’s case for Adequacy was not properly argued on merits and Industry left it to the mercy of EU authorities for granting such status rather than commanding the same.
Let us first check relevant provisions of GDPR for adequacy.
Art. 45 GDPR speaks about Transfers on the basis of an adequacy decision
1A – transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.
India is having Information Technology Act in place since 2000 and section 43A was introduced after amendment in 2008. Section 43A was more than sufficient of fulfilling this requirement of adequate level of personal data protection.
Section 43A – Compensation for failure to protect data. –
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
“Reasonable security practices and procedures” were defined as security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
(iii) “Sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
So careful reading of section 43A reveals that requirement of GDPR regarding adequate level of protection was already catered. The organisations were mandated to follow the reasonable security practices either framed by Government of India or Best practises in the industry. Also, by defining Sensitive Personal Data there was no ambiguity in understanding what was the focus of the provision. The focus was to provide adequate protection to sensitive personal data by organisations who were involved in handling/procession or storing of that data. Additionally, the Indian Law has made provision for monetary compensation in case any organisation failed to protect the data and hence the provisions for data protection were properly and adequately addressed.
It was also clarified by GDPR that when assessing the adequacy of the level of protection, the Commission shall take account of the following elements:
1) The rule of law 2) Respect for human rights and fundamental freedoms 3) Relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law 4) The access of public authorities to personal data, as well as the implementation of such legislation 5) Data protection rules 6) Professional rules 7) Security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation 8) Case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred.
If these additional 8 principles are also analysed, in my views India does not fall short in complying with all these requirements. Being largest democracy in world and its track record for last 75 years shows that Rule of Law in supreme in India. India is also a signatory to the Universal Declaration of Human Rights. The Indian constitution is greatly influenced by the Universal Declaration of Human Rights, 1948.
As regards availability of sectoral and general regulations, The Information Technology Act was in place since 2000 and Section 43A, which specifically addressed Data Protection was present since 2008. Section 69,69A and 69B dealt with interception of messages, decryption of messages for Public Safety and National Security.
Section 43A was adequate to provide Data Protection framework. The Information technology (Reasonable security practices and procedures and sensitive personal data of Information) Rules, 2011 added more provisions for Data protection and hence the IT Act became more stronger as regards to Data Protection.
The Adjudicating Officers as well as appellate authorities in form of TDSAT were well placed and hence judicial framework was also in place.
So, it can be well argued that as regards to Adequacy Status, India has fair or comparatively higher chances to attain the same.
As regards to the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States, I see no reason why this procedural requirement could not be complied for?
Had India offered the EU Commission for Adequacy assessment, I am sure that India would have and can still attain the same. And even after its assessment, there could be some suggestions regarding the adequacy level of protection which could have been easily implemented.
So, it’s my humble submission that Indian I T Industry has not made out a strong case for Adequacy Status, for reasons best known to them only.
The comments/ debates are welcome for better understanding of one and all.
Dr Mahendra Limaye
The author is having Doctorate in Law and practices in specialised domain of Cyber Litigation and is FDPPI certified Daat Privacy Professional.