Contestations of Data, ECJ Safe Harbor Ruling and Lessons for India
Jyoti Panday
14 October 2015
The European Court of Justice (ECJ) has invalidated a European Commission (EC) decision[1] which had previously concluded that the Safe Harbor Privacy Principles[2] provide adequate protections for European citizens’ privacy rights[3] for the transfer of personal data between the European Union and the United States. This challenge stems from the claim that public law enforcement authorities in America obtain personal data from organisations in safe harbour for incompatible and disproportionate purposes in violation of the Safe Harbour Privacy Principles. The court’s judgment follows the advice of the Advocate General of the Court of Justice of the European Union (CJEU) who recently opined[4] that US practices allow for large-scale collection and transfer of personal data belonging to EU citizens without them benefiting from or having access to judicial protection under US privacy laws. The inadequacies of the framework are not news for the Commission and action by the ECJ has been a long time coming. The ruling raises important questions about how contestations of personal data are increasingly being employed in asserting claims of citizenship in the context of the internet.
As the highest court in Europe, the ECJ’s decisions are binding on all member states. With this ruling the ECJ has effectively restrained US firms from indiscriminate collection and sharing of European citizens’ data on American soil. The implications of the decision are significant, because it shifts the onus of evaluating protections of personal data for EU citizens from the 4,400 companies[5] subscribing to the system onto EU privacy watchdogs. Most significantly, in addressing the rights of a citizen against an established global brand, the judgement goes beyond political and legal opinion to challenge the power imbalance that exists with reference to US-based firms.
Today, the free movement of data across borders is a critical factor in facilitating trade, financial services, governance, manufacturing, health and development. However, to consider the ruling as merely a clarification of transatlantic mechanisms for data flows misstates the real issue. At the heart of the judgment is the assessment of whether US firms apply the tests of ‘necessity and proportionality’ in the collection and surveillance of data for national security purposes. Application of the necessity and proportionality test to national security exceptions under safe harbor has been a sticking point that has stalled the renegotiation of the agreement that has been underway between the Commission and the American data protection authorities.[6]
For EU citizens the stakes in the case are even higher: while their right to privacy is enshrined under EU law, they have no administrative or judicial means of redress if their data is used for reasons they did not intend. In the EU, citizens accessing and agreeing to use US-based firms’ services are presented with a false choice between accessing benefits and giving up on their fundamental right to privacy. In other words, by seeking that governments and private companies provide better data protection for EU citizens and in restricting collection of personal data on a generalised basis without objective criteria, the ruling is effectively an assertion of ‘data sovereignty’. The term ‘data sovereignty’, while lacking a firm definition, refers to a spectrum of approaches adopted by different states to control data generated in or passing through national internet infrastructure.[7] Underlying the ruling is the growing policy divide between US and EU privacy and data protection standards, which may lead to what is referred to as the balkanization[8] of the internet in the future.
US-EU Data Protection Regime
The safe harbor pact between the EU and US was negotiated in the late 1990s as an attempt to bridge the different approaches to online privacy. Privacy is addressed in the EU as a fundamental human right, while in the US it is defined under terms of consumer protection, which allow trade-offs and exceptions when national security seems to be under threat. In order to address the lower standards of data protection prevalent in the US, the pact facilitates data transfers from the EU to the US by establishing certain safeguards equivalent to the requirements of the EU data protection directive. The safe harbor provisions include firms undertaking not to pass personal information to third parties if the EU data protection standards are not met, and giving users the right to opt out of data collection.[9]
The agreement was due to be renewed by May 2015[10] and while negotiations have been ongoing for two years, EU discontent on safe harbour came to the fore following the Edward Snowden revelations of collection and monitoring facilitated by large private companies for the PRISM program and after the announcement of the TransAtlantic Trade and Investment Partnership (TTIP).[11] EU member states have mostly stayed silent as they run their own surveillance programs, oftentimes in cooperation with the NSA. EU institutions cannot intervene in matters of national security; however, they do have authority on data protection matters. European Union officials and Members of Parliament have expressed shock and outrage at the surveillance programs unveiled by Snowden’s 2013 revelations. Most recently, following the CJEU Advocate General’s opinion, 50 Members of European Parliament (MEP) sent a strongly worded letter to the US Congress hitting back on claims of ‘digital protectionism’ emanating from the US.[12] In no uncertain terms the letter clarified that the EU has different ideas on privacy, platforms, net neutrality, encryption, Bitcoin, zero-days, or copyright and will seek to improve and change any proposal from the EC in the interest of our citizens and of all people.
Towards Harmonization
In November 2013, as an attempt to minimize the loss of trust following the Snowden revelations, the European Commission (EC) published recommendations in its report on Rebuilding Trust in EU-US Data Flows.[13] The recommendations revealed two critical initiatives at the EU level: first, the revision of the EU-US safe harbor agreement[14] and second, the adoption of the EU-US Umbrella Agreement[15], a framework for data transfer for the purpose of investigating, detecting, or prosecuting a crime, including terrorism. The Umbrella Agreement was recently initialed by EU and US negotiators and it only addresses the exchange of personal data between law enforcement agencies.[16] The Agreement has gained momentum in the wake of recent cases around issues of territorial duties of providers, enforcement jurisdictions and data localisation.[17] However, the adoption of the Umbrella Act depends on the US Congress adopting the Judicial Redress Act (JRA) as law.[18]
Judicial Redress Act
The JRA is a key reform that the EC is pushing for in an attempt to address the gap between privacy rights and remedies available to US citizens and those extended to EU citizens, including allowing EU citizens to sue in American courts. The JRA seeks to extend certain protections under the Privacy Act to records shared by EU and other designated countries with US law enforcement agencies for the purpose of investigating, detecting, or prosecuting criminal offenses. The JRA protections would extend to records shared under the Umbrella Agreement and while it does include civil remedies for violation of data protection, as noted by the Center for Democracy and Technology, the present framework does not provide citizens of EU countries with redress that is at par with that which US persons enjoy under the Privacy Act.[19]
For example, the measures outlined under the JRA would only be applicable to countries that have outlined appropriate privacy protection agreements for data sharing for investigations and ‘efficiently share’ such information with the US. Countries that do not have agreements with the US cannot seek these protections, leaving the personal data of their citizens open for collection and misuse by US agencies. Further, the arrangement leaves determination of ‘efficiently sharing’ in the hands of US authorities and countries could lose protection if they do not comply with information sharing requests promptly. Finally, JRA protections do not apply to non-US persons nor to records shared for purposes other than law enforcement such as intelligence gathering. The JRA is also weakened by allowing heads of agencies to exercise their discretion to seek exemption from the Act and opt out of compliance.
Taken together, the JRA, the Umbrella Act and the renegotiation of the Safe Harbor Agreement need considerable improvements. It is worth noting that the EU’s acceptance of the redundancy of existing agreements and its establishing of the independence of national data protection authorities in investigating and enforcing national laws, as demonstrated in the Schrems and in the Weltimmo[20] case, point to accelerated developments in the broader EU privacy landscape.
Consequences
The ECJ Safe Harbor ruling will have far-reaching consequences for the online industry. Often, costly government rulings solidify the market dominance of big companies. As high regulatory costs restrict the entrance of small and medium businesses to the market, competition is gradually wiped out. Further, complying with high standards of data protection means that US firms handling European data will need to consider alternative legal means of transfer of personal data. This could include evolving model contracts binding them to EU data protection standards. As Schrems points out, “Big companies don’t only rely on safe harbour: they also rely on binding corporate rules and standard contractual clauses.”[21]
The ruling is good news for European consumers, who can now approach a national regulator to investigate suspicions of data mishandling. EU data protection regulators may be inundated with requests from companies seeking authorization of new contracts and with consumer complaints. Some are concerned that the ruling puts a dent in the globalized flow of data,[22] effectively requiring data localization in Europe.[23] Others have pointed out that it is unclear how this decision sits with other trade treaties such as the TPP that ban data localisation.[24] While the implications of the decision will take some time in playing out, what is certain is that US companies will have to restructure management, storage and use of data. The ruling has created the impetus for India to push for reforms to protect its citizens from harms by US firms and improve trade relations with the EU.
The Opportunity for India
Multiple data flows take place over the internet simultaneously, and that has led to the ubiquity of data transfers over the Internet, exposing individuals to privacy risks. There has also been an enhanced economic importance of data processing as businesses collect and correlate data using analytic tools to create new demands, establish relationships and generate revenue for their services. The primary concern of the Schrems case may be the protection of the rights of EU citizens, but by seeking to extend these rights and ensure compliance in other jurisdictions, the case touches upon many underlying contestations around data and sovereignty.
Last year, Mr Ram Narain, India Head of Delegation to the Working Group Plenary at ITU, had stressed, “respecting the principle of sovereignty of information through network functionality and global norms will go a long way in increasing the trust and confidence in use of ICT.”[25] In the absence of the recognition of privacy as a right and of empowering citizens through measures or avenues to seek redressal against misuse of data, the demand of data sovereignty rings empty. The kind of framework which empowered an ordinary citizen in the EU to approach the highest court seeking redressal based on presumed overreach of a foreign government and from harms abetted by private corporations simply does not exist in India. Securing citizens’ data in other jurisdictions and from other governments begins with establishing protection regimes within the country.
The Indian government has also stepped up efforts to restrict transfer of data from India, including pushing for private companies to open data centers in India.[26] Negotiating data localisation does not restrict the power of private corporations to use data in broad ways, including tailoring ads and promoting products. Also, data transfers impact any organisation with international operations, for example, global multinationals who need to coordinate employee data and information. Companies like Facebook, Google and Microsoft transfer and store data belonging to Indian citizens and it is worth remembering that the National Security Agency (NSA) would have access to this data through servers of such private companies. With no existing measures to restrict such indiscriminate access, the ruling points to the need for India to evolve strong protection mechanisms. Finally, the lack of such measures also has an economic impact, as reported in a recent Nasscom-Data Security Council of India (DSCI) survey[27] that pegs revenue losses incurred by the Indian IT-BPO industry at $2-2.5 billion for a sample size of 15 companies. DSCI has further estimated that outsourcing business can further grow by $50 billion per annum once India is granted a “data secure” status by the EU.[28] The EU’s refusal to grant such a status is understandable given the high standard of privacy as incorporated under the European Union Data Protection Directive, a standard which India does not match up to, yet. The lack of this status prevents the flow of data which is vital for the Digital India vision and also affects the service industry by restricting the flow of sensitive information to India, such as information about patient records.
Data and information structures are controlled and owned by private corporations and networks transcend national borders, therefore the foremost emphasis needs to be on improving national frameworks. While enforcement mechanisms such as the Mutual Legal Assistance Treaty (MLAT) process or other methods of international cooperation may seem respectful of international borders and principles of sovereignty,[29] for users that live in undemocratic or oppressive regimes such agreements are a considerable risk. Data is also increasingly being stored across multiple jurisdictions and therefore merely applying a data location lens to protection measures may be too narrow. Further, it should be noted that when companies begin taking data storage decisions based on legal considerations it will impact the speed and reliability of services.[30] Any future regime must reflect the challenges of data transfers taking place in legal and economic spaces that are not identical and may be in opposition. Fundamentally, the protection of privacy will always act as a barrier to the free flow of information; even so, as the Schrems case ruling points out, not having adequate privacy protections could also restrict the flow of data, as has been the case for India.
The time is right for India to appoint a data controller and put in place national frameworks, based on a nuanced understanding of the issues of applying jurisdiction to govern users and their data. Establishing better protection measures will not only establish trust and enhance the ability of users to control data about themselves; it is also essential for sustaining economic and social value generated from data generation and collection. Suggestions for such frameworks have been considered previously by the Group of Experts on Privacy constituted by the Planning Commission.[31] By incorporating transparency in mechanisms for data and access requests and premising requests on established necessity and proportionality, the Indian government can lead the way in data protection standards. This will give the Indian government more teeth to challenge and address both the dangers of theft of data stored on servers located outside of India and restrain indiscriminate access arising from terms and conditions of businesses that grant such rights to third parties.
1 Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) Official Journal L 215, 25/08/2000 P. 0007-0047 2000/520/EC: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML
2 Safe Harbour Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000 http://www.export.gov/safeharbor/eu/eg_main_018475.asp
3 Megan Graham, ‘Adding Some Nuance on the European Court’s Safe Harbor Decision’, Just Security https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/
4 Advocate General’s Opinion in Case C-362/14 Maximillian Schrems v Data Protection Commissioner Court of Justice of the European Union, Press Release, No 106/15 Luxembourg, 23 September 2015 http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-09/cp150106en.pdf
5 Jennifer Baker, ‘EU desperately pushes just-as-dodgy safe harbour alternatives’, The Register, October 7, 2015 http://www.theregister.co.uk/2015/10/07/eu_pushes_safe_harbour_alternatives/
6 Draft Report, General Data Protection Regulation, Committee on Civil Liberties, Justice and Home Affairs, European Parliament, 2009-2014 http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/