Post

Navigating State Access: DPDPA Section 17(2) vs. EU Adequacy Post-Schrems II

Navigating State Access: DPDPA Section 17(2) vs. EU Adequacy Post-Schrems II

The global landscape of data privacy is increasingly shaped by the tension between individual rights and national security imperatives. For India-first entities engaged in cross-border data flows, understanding how different jurisdictions balance these competing interests is crucial. Today, we delve into the comparative nuances of government surveillance carve-outs, anchoring our analysis in India’s Digital Personal Data Protection Act, 2023 (DPDPA), specifically Section 17(2), and contrasting it with the stringent requirements for EU data transfers as established by the Schrems II judgment.

DPDPA’s Framework for State Exemptions

India’s DPDPA, now fully operational, includes provisions that permit the processing of personal data without explicit consent under certain conditions. Section 17(2) is particularly relevant, exempting “any instrumentality of the State” from certain DPDPA provisions when processing personal data for specific purposes. These include national security, public order, preventing incitement to commit any cognisable offence, or for the investigation, prosecution, or arrest of any person for a cognisable offence. This exemption covers key obligations such as consent requirements (Section 6), data principal rights (Chapter III), and data fiduciary obligations (Chapter IV), among others.

While the DPDPA itself does not explicitly detail the procedural safeguards or oversight mechanisms for these exemptions, India’s broader legal framework provides context. Surveillance and interception activities are governed by laws like the Information Technology Act, 2000 (Section 69) and the Telegraph Act, 1885, which include provisions for authorised interception by government agencies. Furthermore, the Supreme Court’s landmark Puttaswamy judgment (2017) established that any invasion of privacy must be proportionate, necessary, and backed by law. The IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, also lay down some procedural safeguards. However, these existing frameworks are distinct from the DPDPA’s data processing exemptions for state instrumentalities, which permit the use of already collected data, potentially without the data principal’s knowledge or consent, for defined state purposes. The Reserve Bank of India’s (RBI) data localization mandates for payment system data, while not a surveillance carve-out, also ensure that certain sensitive data remains within India’s jurisdiction, potentially simplifying state access under Indian law.

EU Adequacy and the Schrems II Standard

In the European Union, the General Data Protection Regulation (GDPR) sets a high bar for data protection. Article 45 of the GDPR allows for data transfers to third countries only if the European Commission determines that the country ensures an “adequate level of protection” for personal data. This adequacy standard was rigorously tested and redefined by the Court of Justice of the European Union (CJEU) in the Schrems II judgment (Case C-311/18).

Schrems II invalidated the EU-US Privacy Shield, primarily due to concerns over US government surveillance practices. The CJEU ruled that third-country surveillance laws must provide “essentially equivalent” protection to fundamental rights guaranteed in the EU, including the right to privacy (Article 7 of the Charter of Fundamental Rights of the European Union) and the right to an effective remedy (Article 47). Key requirements include:

  1. Necessity and Proportionality: Surveillance measures must be strictly necessary and proportionate to the legitimate aim pursued.
  2. Independent Oversight: An independent body must oversee surveillance activities.
  3. Effective Judicial Remedies: Individuals must have access to effective judicial remedies against state surveillance. The judgment significantly heightened the scrutiny of third-country government access to data, placing the onus on data exporters to conduct Transfer Impact Assessments (TIAs) and implement supplementary measures where necessary.

Comparative Analysis: Stricter, Looser, or Silent

Comparing DPDPA’s Section 17(2) with the EU’s adequacy requirements post-Schrems II reveals several distinctions:

  • Scope of Exemption: Both frameworks allow for exemptions for national security and public order. However, DPDPA Section 17(2) explicitly exempts “any instrumentality of the State” from a broad range of DPDPA obligations, including consent, notice, and data principal rights, for specified purposes. While GDPR Article 23 allows Member States to restrict certain rights for similar public interest reasons, the EU’s adequacy assessment applies these restrictions to third countries with a much higher degree of scrutiny regarding their implementation.
  • Oversight and Remedies: This is where the most significant divergence lies. The DPDPA Section 17(2) itself is silent on the requirement for independent oversight or specific judicial remedies for data principals whose data is processed under this exemption. While India’s broader legal framework and constitutional principles (Puttaswamy) mandate necessity, proportionality, and a legal basis for state action, the explicit, independent oversight and effective judicial remedy mechanisms demanded by Schrems II for third-country surveillance are not directly embedded within DPDPA’s exemption clause. This makes DPDPA’s Section 17(2) appear looser on its face compared to the EU’s adequacy standard.
  • Transparency: The DPDPA generally mandates transparency regarding data processing. However, the broad exemptions under Section 17(2) could potentially reduce transparency for individuals regarding state processing of their data, contrasting with the EU’s emphasis on transparency and individual rights even in the context of public interest processing (subject to specific restrictions).
  • Data Localization: India’s regulatory environment, particularly through RBI norms, is stricter on data residency for certain sectors (e.g., payment data). While not directly a surveillance carve-out, mandating data storage within India means that such data is unequivocally subject to Indian laws, including those governing state access, rather than foreign jurisdictions.

Trade-offs and Divergent Philosophies

These differences reflect divergent philosophical approaches. India’s DPDPA, while a robust step towards privacy, balances individual rights with national sovereignty and the state’s capacity to maintain public order and security, often relying on existing constitutional principles and sector-specific laws for oversight. The DPDPA’s exemption framework is designed for domestic application within India’s established legal and governance structures.

The EU’s framework, particularly post-Schrems II, prioritizes the fundamental rights of its citizens, demanding that any third country receiving EU personal data demonstrates “essentially equivalent” protections, with a strong emphasis on independent oversight and effective judicial redress for state access. This places a significant burden on third countries and data exporters to demonstrate robust safeguards against disproportionate government surveillance.

Practical Takeaway

For Indian businesses, especially those operating globally or processing data of EU residents, understanding these distinctions is paramount. Compliance with the DPDPA alone may not suffice for facilitating data transfers from the EU. Indian entities acting as data importers for EU data must conduct thorough Transfer Impact Assessments (TIAs) that critically evaluate the impact of DPDPA Section 17(2) and India’s broader surveillance framework on the data they receive. They will need to assess whether supplementary measures are required to ensure “essentially equivalent” protection as per Schrems II. General Counsels and Data Protection Officers must proactively map data flows, identify potential state access points under Indian law, and be prepared to articulate the safeguards and remedies available to data principals, even if not explicitly detailed within the DPDPA’s exemption clause itself. Navigating these complex, often conflicting, regulatory landscapes will remain a key challenge for global businesses in the coming years.

This post is licensed under CC BY 4.0 by the author.