
New EU Data Protection Regime: Observations on Global Data Flows

By: Data Security Council of India


Niryat Bhawan, 3rd Floor Rao Tula Ram Marg New Delhi, India - 110057

26th September 2012

A NASSCOM Initiative


1. International Data Flows: The Imperatives of the Information Age

The importance of trans-border data flows in the globalized economy has increased dramatically. Global data flows today are no longer the result of a file transfer initiated by an individual's action for point-to-point transfer, as they were over 30 years ago. Rapid globalization of the world economy, along with advances in technology, allows companies to reap benefits through trade in services. Trans-border data flow facilitates business process streamlining, improves market access, and maintains business relevance in a fast-evolving business landscape. A transaction initiated on the Internet results in multiple data flows, via phenomena such as Web 2.0, online social networking, search engines, and cloud computing. The ubiquity of data transfers over the Internet, and the enhanced economic importance of data processing, with the direct involvement of individuals in trans-border data flows, have increased phenomenally. While this is exposing individuals to more privacy risks, it is also challenging businesses, which collect data entered directly by users, or generated through their actions without their knowledge (e.g. web surfing, e-banking or e-commerce), and correlate it with more advanced analytic tools to generate economic value out of the data. Organizations are accountable for data collection and its use, since data has become one of the drivers of the knowledge-based society and is becoming even more critical to business than capital and labor. Almost every industry sector dealing with trade in goods and services makes use of data flows. Cloud computing, which is set to change the global ICT landscape, is heavily dependent on trans-border data flows. Countries are responding to this challenge by legislating and / or reforming privacy laws. It is universally recognized that there are different laws and privacy cultures in various parts of the world.
The Fair Information Privacy Practices (FIPPs), developed by the United States in 1974, were the foundation for the OECD privacy principles announced in 1980 to promote free international trade and trans-border data flows. The European Union came up with its Data Protection Directive in 1995, which has led to the establishment of data protection laws in nearly all European countries. The privacy principles promoted by all of these frameworks are similar, but the approach to implementation is somewhat different. While the US relies, to a great extent, on industry self-regulation, the EU approach is to have Data Protection Authorities with powers to call for databases and agreements, including approval of contractual agreements based on standard contractual clauses. The APEC privacy framework, announced in 2004, is the most recent global effort, spanning 21 countries; it is based on privacy principles and cross-border privacy rules for data flows, with accountability as a key principle that is to be enforced through existing laws and self-regulation. In India, the Information Technology (Amendment) Act, 2008 was notified for implementation on 27 October 2010; it introduced provisions for the protection of sensitive personal information through the implementation of reasonable security practices by organizations. The Act recognizes self-regulation and promotes trans-border data flows with adequate protections. It also provides for an Adjudicating Officer in every Indian state, with the powers of a civil court, to hear complaints and order compensation to affected individuals.
In the information age, governments, the private sector and civil society have to build legal regimes and practices which are transparent and do not restrict trans-border data flows, which inspire trust among individuals, and which enhance their ability to control access to their data, even as economic value is generated out of such data collection and processing for all players.


2. Issues in the existing EU Data Protection Directive

The European Union came up with its Data Protection Directive in 1995, which has led to the establishment of data protection laws in nearly all European countries. Article 25 of the Directive governs trans-border data flows and lays down the conditions for transfer of personal data outside the EU/EEA. Under this, free flow of information can only take place with a third country if its data protection regime is considered adequate by the EU. The process for granting adequate status remains opaque, and only a handful of countries have been considered adequate by the EU (the latest being Uruguay). For countries that do not qualify as adequate, the Directive provides alternative ways for data transfer, which include BCRs (Binding Corporate Rules), SCCs (Standard Contractual Clauses) and derogations / exceptions. BCRs (enforceable codes of practice) can be used only by multinational organizations to transfer data within the group's companies, and they need to be approved by the Data Protection Authority (DPA) of a member state. SCCs, used in data controller-data processor relationships through which data is transferred to third countries, put too much obligation on service providers without necessarily improving data protection. For example, clause 6 states that if the data controller is declared insolvent or ceases to exist, the entire liability has to be borne by the data processor. Transfers to third countries also need to be authorized by the DPAs established in each member state. The DPAs also have the power to call for databases and agreements, including approval of BCRs and of contractual agreements based on standard contractual clauses. The new SCCs, effective as of May 15, 2010, introduced the concept of a subprocessor and delineate the rights and responsibilities of data collectors, data processors and subprocessors vis-à-vis each other.
While SCCs and BCRs appear to be "off the shelf" solutions for international data transfers outside the EU, there is currently no fast-track method for obtaining DPA approval, and the current method involves a lot of bureaucratic hurdles. The adequacy approach to transfer of information, along with the bureaucratic structures and procedures, has been heavily criticized as unfriendly to business, creating non-tariff trade barriers for the transfer of information outside the EU without necessarily improving data protection. Determining the adequacy of a country, we believe, is not the right approach in the first place. What is critical to data protection is not the adequacy of the country, which is based on looking only at laws, but the actual data security and privacy practices followed by a data processor in a non-EU country providing services to a data controller in the EU. What is of relevance here are the data protection best practices followed by the data processor to provide a high level of assurance to EU citizens. Addressing data security and privacy should be left to the data controller; controllers should be free to negotiate contracts with data processors through the instruments of BCRs, contracts and other derogations without requiring the involvement of Data Protection Authorities. In fact, these may be encouraged as instruments to fill the missing parts of data protection law in the country (outside the EU) to which data is being transferred. Also, the regulatory focus should be on what to protect instead of how to protect. Detailing the "how" kills flexibility and takes away the freedom of businesses to do what is appropriate to their environment and context. Even if an adequacy assessment has to be done (though it is not the right approach in the first place), it should be more flexible with respect to whatever laws exist for data protection in the third countries.
The focus should be more on adherence to the core principles of data protection, such as privacy principles, rather than on similarity of the legal framework to the EU Directive. If there are national laws that enforce the implementation of security practices for protecting personal information, with punishments for non-compliance, and that recognize the importance of contracts for the same, such legal frameworks should be deemed adequate. A country can have similar privacy principles, but the enforcement of such principles may differ based on its own evolution, culture and context. Expecting a country to have similar principles as well as a similar enforcement regime is somewhat misplaced. Even within the countries of the EU there are marked variations in national laws, and member states differ in opinion when it comes to enforcement of the EU Directive (Germany and the UK have very different views on privacy enforcement). The privacy requirements of countries can be addressed by a global set of privacy principles and should not be constrained by local laws.

3. Concerns with the Proposed EU Data Protection Regulation

It was expected that the existing issues in the Data Protection Directive (some of them highlighted above) would be addressed in the newly proposed EU data protection regulation. The proposed Regulation does address some areas of concern, but some critical reforms, especially with respect to international data flows, have been left unaddressed. DSCI welcomes the EU's vision to harmonize data protection laws across EU member states, even though we feel this may be difficult to achieve in practice, given the different privacy cultures and trade imperatives of EU member states. Some member states may need to enact complementary legislation to deal with the effects of a regulation on their national legal systems. Member states such as Germany and the UK have already expressed their disagreement with the proposed regulation. Having said that, if this single regulation is enacted across the EU, it will be beneficial for businesses operating in the EU, as it will reduce compliance pressures. The jurisdiction of a single DPA (depending on a company's main establishment) across the EU, the removal of notification requirements to DPAs for data processing activities, and the removal of the authorization requirement from DPAs for data transfers using SCCs are all welcome steps, as they reduce the administrative and bureaucratic requirements on businesses. With all the above positives, the newly proposed regulation nevertheless fails to bring reforms that facilitate cross-border data flows, and it also seems to be much more prescriptive:

Complex & Opaque Adequacy Requirements: The adequacy requirement for transfers to third countries has not been removed; instead it has been made more complex. The adequacy process may now look not only at a country but also at a territory, a processing sector or an international organization to determine adequacy in data protection. The international commitments of a country (e.g. the Budapest Convention on Cyber Crime) will also be considered when granting adequacy status. As highlighted in section 2 above, determining the adequacy of a country, we believe, is not the right approach. What is critical to data protection is not the adequacy of the country, which is based on looking only at laws, but the actual data security and privacy practices followed by a data controller / data processor in a non-EU country providing services to EU residents or to a data controller in the EU. What is of relevance here are the data protection best practices followed by such data controllers / data processors to provide a high level of assurance to EU citizens.


Prescription & Over-regulation through the Accountability Principle: The privacy principle of accountability is being considered one of the foundational principles for privacy protection in global discussions today. The proposed regulation has also introduced this principle to increase the accountability of data controllers. However, this principle works well when the implementation of privacy principles is left to the data controllers. The proposed regulation, instead, is prescriptive and tends to increase the administrative burden on data controllers through this principle, and it also brings data processors under its purview. For instance, it requires data controllers and data processors to keep detailed documentation of all data processing operations. Such a requirement burdens organizations without necessarily improving privacy protection.

Liability of Data Processors: The regulation brings data processors directly under its purview, detailing responsibilities of data processors that are more extensive than under the present Directive. These include documentation of processing, conducting privacy impact assessments in certain circumstances, obligations towards data breach notification, and enlisting a subprocessor only with the prior permission of the data controller, among others. Data processors are definitely accountable for protecting privacy; however, explicitly spelling out the obligations of the data processor in the regulation seems to be an over-cautious and prescriptive approach. Data controllers are primarily responsible for privacy protection, and through them the responsibility for protecting privacy should be passed on to the data processors via contracts and agreements. It is better left to the data controller to assess the risk arising from outsourcing and to put in place appropriate safeguards that are in line with the data protection requirements of the country, instead of directly prescribing the obligations of data processors and / or mandating the exact contractual terms.

Extension of BCRs to Data Processors: The regulation extends the concept of BCRs to data processors. This seems to be a positive change; however, it remains to be seen how this concept reduces the compliance burden on data processors. If the Commission prescribes the content of the BCRs and retains the obligations of data processors as has been done in the SCCs (such as the obligations of the data processor towards the data subject in case the data controller ceases to exist), then it will not reduce the burden on data processors. Instead, it may discourage data processors from using BCRs, since they will have to get the BCRs approved and authorized by the DPA, when they will have the alternative of using SCCs, which will not require prior authorization from the DPA under the proposed regulation. In our view, the DPA should not be required to approve and authorize BCRs. This creates unnecessary bureaucratic hurdles and also puts pressure on DPAs, who already face capacity issues. The better and more practical approach would be to make data processors aware of their responsibilities and to allow them to frame their own codes of conduct based on the principles of data protection as defined in the regulation, without requiring any approval or notification. In case of any breach / non-compliance, data processors should be held accountable through the codes of conduct documented and practiced by them.

New Principles, New Complexities: The regulation introduces the concepts of the right to be forgotten, privacy by design, privacy by default, data portability and data minimization. Though the intention is to strengthen the privacy rights of EU residents, the complexities, hurdles and costs associated with introducing such principles need to be clearly understood and appreciated. The implementation of such principles may inhibit innovation and may also affect the user experience when availing of services, without necessarily improving privacy. Take, for instance, the right to be forgotten: providing this right to users on the Internet is extremely difficult and impractical, even though desirable. Content, once posted on the Internet, may not be traceable because of further sharing and processing across multiple sites. In such a scenario, assuring the user of his / her right to be forgotten is misleading. Similarly, privacy by design is a good practice when designing products or services; however, too much emphasis on this concept could hinder innovation, especially for small / startup companies that are empowered by the Internet to deliver products and services. Privacy by default could prevent users from taking full benefit of a product or service and could also affect the user experience, especially in an online environment, as it will require effort on the part of the user to understand the features, and on the part of businesses to make users aware of how to enable features that have been disabled. It would be better if the focus were on simplifying notice, providing simple choice and taking informed consent, and increasing user awareness of privacy, among others, instead of introducing such unrealistic and drastic concepts.

Stringent & Unrealistic Data Breach Notification Requirement: As per the regulation, data breaches are to be notified by the data controller to the lead DPA and to affected data subjects immediately, within 24 hours after establishing that a breach has occurred. This also implies that, through contract or otherwise, data processors will be liable to notify every breach within a timeframe that enables data controllers to notify data subjects and the lead DPA within 24 hours. Such strict timelines would encourage knee-jerk reactions that could compromise the quality of notifications, as it would be difficult to ascertain the facts of the breach within such a short time frame. This will take the focus of data controllers and data processors away from taking mitigating steps to plug the breach; they will be more worried about notifying, even though there is a provision for delaying the notification after providing reasoned justification to the DPA. There is also a risk that the DPA and data subjects will be inundated with notifications of trivial breaches. The 24-hour limit is also very difficult to implement in an outsourced environment, where a data controller and its multiple processors and subprocessors work interdependently across the supply chain. A breach at the subprocessor level will be difficult to notify within 24 hours.

Data Protection Certification and Seals: The proposed regulation encourages the establishment of data protection certification mechanisms and of data protection seals and marks. However, whether such assurance mechanisms will imply compliance with the regulation is not clear. Codes of conduct can be defined in different industry verticals that focus on implementing a privacy program in organizations, emphasizing employee awareness, training and privacy impact assessments, even as adherence to privacy principles remains the key objective of these codes of conduct. It will be interesting to see how the data protection certifications and seals that validate such codes of practice evolve as instruments for compliance with the regulation, which may be used by data processors to deliver services to EU data controllers.


Executive Powers of the European Commission: The proposed regulation gives too many executive powers to the European Commission to formulate rules for the implementation of the regulation. For example, the Commission has been empowered to specify criteria and conditions for restricting the processing of personal data; to formulate practices and technical standards which data controllers and data processors have to obey; to specify conditions for deleting links, copies or replications of personal data from publicly available communication services; to specify data protection by design requirements; to specify the criteria and requirements for the responsibilities, duties and tasks pertaining to a data processor; and to specify the circumstances in which a controller and a processor are required to notify a data breach, along with laying down the standard format of such notification, among many others. Such excessive empowerment of the European Commission is concerning. Firstly, such broad powers will allow the Commission to override the European Parliamentary process. Secondly, such powers will significantly undermine the freedom of the DPAs / national legislative bodies in formulating their own rules and guidelines. Thirdly, such powers reflect the prescriptive and over-regulating approach of the EU, which delves into defining very granular details that ideally should be left to industry self-regulation.

Overall, the proposed regulation tries to create a single EU market from a compliance viewpoint, but fails to address the imperative of free flow of information outside the EU/EEA. The regulation still has a lot of restrictions in place which will continue to act as non-tariff trade barriers and make it difficult for businesses to explore outsourcing opportunities that can help them save costs, become more productive and increase the overall competitiveness of EU companies. The regulation is also very detailed and prescriptive, leaving less space for businesses to assess risk and take decisions when transferring data outside the EU/EEA. Though some bureaucratic requirements have been removed, new ones have been added. New principles such as the right to be forgotten and privacy by default, among others, can hamper business innovation and user experience. The proposed regulation has received criticism from several quarters. Two U.S. technology trade groups, the Business Software Alliance and the Software and Information Industry Association, raised concerns about the proposal, saying it could limit the growth of the Internet. The proposal "errs too far in the direction of imposing prescriptive mandates for how enterprises must collect, store, and manage information," Thomas Boué, BSA's director of European affairs, said in a statement. Another rule that received pointed criticism is the requirement that data protection and privacy regulations be applied to any company that is active in the EU market, whether it is European or not. The Confederation of British Industry (CBI) has criticized the proposed regulation, claiming it will burden businesses and threaten innovation. The condemnation comes in the CBI's submission to the Ministry of Justice (MoJ), which will form part of the UK Government's response to the proposals and will be taken into negotiations in Brussels on the final version.
Calling on the Commission to revise its proposals, the CBI favours a proportionate, risk-based approach to the scope of data protection regulation that balances the benefits against the costs of the changes and their impact on innovative business models. Member states such as Germany and the UK have already expressed their disagreement with the proposed regulation.


4. Global Privacy Principles and Self-Regulation for Protecting Privacy and Promoting Trans-border Data Flows

The EU and the US have different approaches to privacy protection, resulting in different international instruments of privacy. Should countries have privacy laws that are consistent? Or should the objective be outcome driven, based on globally accepted privacy principles and best practices, with industry self-regulation under an appropriate law, i.e. co-regulation? Most countries agree on the universality of a set of privacy principles, although the emergence of several new ICTs has put some of these principles at risk, and some new principles are being debated. The privacy principles represent a conception of privacy, and there is a high degree of agreement among the various approaches (US, OECD, EU, APEC) in the world. There is thus a set of globally accepted privacy principles. With new principles having been enunciated in the proposed bills in the EU and the US, it is possible to identify a new set of core privacy principles. Transparency, enforcement and accountability are the cornerstones of privacy protection. Many countries do not have privacy laws; in some countries, such as the US, data protection is realized through consumer protection laws. As long as there are laws that can be used to punish violators, privacy can be protected. The EU Directive was based on the OECD privacy principles, which in turn were inspired by the FIPPs of the United States. There is, therefore, a high degree of compatibility between the EU and the US. However, the similarity is at the level of privacy principles, not in the method of implementation. Complete harmonization of privacy laws is not possible, and any attempt to do so will be counterproductive. The APEC privacy principles are similar too, but they promote working with countries that may not have any privacy laws. The APEC Privacy Program recognizes the role of SROs (self-regulatory organizations); they can fulfill the role of regulators.
The focus is on accountability of data controllers and data processors. Hence, at this stage we should: identify privacy principles and ways to enforce them; promote self-regulation through codes of conduct in sectors / industry verticals so as to ensure privacy protection in cross-border data flows; create awareness and educate government and industry about the sensitivities associated with privacy protection; promote the growth of privacy professionals; and integrate with the growing digital economy even as we protect the privacy of our citizens and consumers. Self-regulation should be encouraged to achieve a higher level of compliance, since it is only the industry verticals that can undertake the responsibility of creating awareness in their respective sectors; this is critical for the successful implementation and enforcement of the proposed privacy law. A bureaucratic, stringent and prescriptive approach to data protection must be avoided in the interest of global economic growth powered by business and technology innovation.

5. DSCI Approach

At DSCI, we continue to promote best-practice frameworks (DPF and DSF) for privacy protection and security of data. These are two sides of the same coin: they are not juxtaposed against each other, but reinforce each other. Implementation of good privacy in an organization demands data security, while security technologies and best practices can help protect the privacy of users, along with the implementation of best privacy practices, including training and employee awareness.


DSCI recommends a holistic privacy program with a focus on protecting key information assets. DSCI promotes self-regulation by sectors and verticals, with codes of conduct that are vetted by the government as conforming to a set of privacy principles, to encourage trans-border data flows, preserve and enhance the economic value of data, and promote continued innovation in new technologies. DSCI has set up a Privacy Assessment Advisory Group (PAAG), comprising experts from industry, government, consulting firms, academia etc., to seek guidance on the development of an appropriate assessment process with a view to creating a DSCI Privacy Seal. DSCI will continue to perform its role of creating awareness and education on privacy practices and frameworks, and will work with governments and regulators to create a more flexible global privacy regime based on self-regulation.


DATA SECURITY COUNCIL OF INDIA

Statement of confidentiality: This document contains information that is proprietary and confidential to DATA SECURITY COUNCIL OF INDIA (DSCI), and shall not be disclosed outside, transmitted, or duplicated, used in whole or in part for any purpose other than its intended purpose. Any use or disclosure in whole or in part of this information without the explicit written permission of Data Security Council of India is prohibited. © 2012 DSCI. All rights reserved.
