India is ripe for a legal action that challenges mass surveillance of personal user data: not just that within the country, but also the collection of data of Indian citizens by US companies. A ruling today from the European Court of Justice has struck down the Safe Harbor mechanism (notes on how it worked below) which facilitates the transfer of personal data from the EU to servers hosted in the US, which essentially means that user data generated in the EU will have to be hosted in the EU, and be governed by EU laws for data protection.

Quite simply, the court has said that the data held in US servers isn’t secure enough for EU data, given that the NSA’s ‘PRISM’ program gives the US government “unrestricted access to data stored on servers in the United States owned or controlled by a range of companies active in the internet and technology field, such as Facebook USA.”

The Lowdown on the judgment

1. How this began: The ruling comes following a complaint from Maximillian Schrems in 2013, in which he said that the law and practices of the United States offer no real protection of the data kept in the United States against State surveillance, following the revelations by Edward Snowden in May 2013. The complaint was filed with the Data Protection Authority in Ireland, since the terms for Facebook in the EU are applicable to Ireland. Facebook Ireland keeps its subscriber data in servers in the United States.

MediaNama’s take: Readers should note that the US National Security Agency is believed to be accessing servers of companies like Facebook, Google and Microsoft, which also store data of Indian citizens, apart from snooping via other means. Firstly, there is cause for someone to approach the Supreme Court of India, in the interest of protecting the rights of Indian citizens, to ensure that data belonging to and generated by Indian users isn’t accessible to the NSA, and companies like Facebook and Google are prevented from sending Indian data to servers in the US. Secondly, there is a need to push for a Privacy and Data Protection law in India, to ensure that rights of Indian citizens are protected.

2. The weakness of the safe harbour scheme: In its ruling, the court points that the safe harbor scheme is weak, given that it relies on self-certification and self-assessment by private organisations and some intervention by the public authorities. Categorically, the court points out that the safe harbour scheme, “does not contain appropriate guarantees for preventing mass and generalised access to the transferred data.”

MediaNama’s take: Does data get transferred outside India under any particular law? We’re not sure, but it’s pretty clear that Indian citizens should not be subjected to mass surveillance by the US government, and India needs to take steps to ensure this. It’s the only way of ensuring that the data of Indian users is governed by the country where that data originates from, and not of the country in which it is stored

3. States must protect right to privacy and data protection: The court ruled that, referring to the NSA surveillance, that “where systemic deficiencies are found in the third country to which the personal data is transferred, the Member (EU) States must be able to take the measures necessary to safeguard the fundamental rights protected by Articles 7 and 8 of the Charter (of FundamentalRights of the European Union)”.

Note that Charter of Fundamental Rights of the European Union (link) includes:

Article 7: Respect for private and family life ; Everyone has the right to respect for his or her private and family life, home and communications.

Article 8: Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

The court points out that “Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter”, and that “the continuing transfer would create an imminent risk of grave harm to data subjects“.

MediaNama’s take: India doesn’t believe that the right to privacy is fundamental. To quote Mukul Rohatgi, the Attorney General of India, representing the Indian state: “The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.”

4. Rights of EU citizens and the usage of the data: The court pointed out that:

– “…citizens of the (European) Union have no effective right to be heard on the question of the surveillance and interception of their data by the NSA and other United States security agencies.”

– An additional factor is that the citizens of the (European) Union who are Facebook users are not informed that their personal data will be generally accessible to the United States security agencies.”

– The United States rules on the protection of privacy may be applied differently to United States citizens and to foreign citizens.

– Neither the US FTC nor private dispute resolution bodies have the power to monitor possible breaches of principles for the protection of personal data by public actors such as the United States security agencies.

– “…transfers of personal data to third countries should not be given a lower level of protection than processing within the European Union.”…”The protection against surveillance by government services provided for in section 702 of the Foreign Intelligence Surveillance Act of 1978 applies only to United States citizens and to foreign citizens legally resident on a permanent basis in the United States.”

– “…there are no opportunities for citizens of the Union to obtain access to or rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the United States surveillance programmes.”

MediaNama’s Take:What will it take our for the Indian government to protect data belonging to Indian users?India doesn’t have a data protection authority. In fact, we don’t even have significant enough protection for data collected within India, leave alone ensuring that our data is protected in other countries. Secondly, do citizens in India have a right to be heard regarding surveillance? Given the mass surveillance programs in India, from the Centralised Monitoring System, NETRA, linking of all user data to Aadhar, collating databases using NATGRID, and the secrecy that all of this is cloaked under, rules and regulations are enforced so that either this data cannot be collected, or that accessing it is subject to judicial oversight, independent of the executive branch of the government.

*

Also note that MediaNama has contacted Facebook India for responses to the following questions:

1. Where does Facebook store data from its Indian users?

2. Where does Facebook store data from its Internet.org users?

3. Does Facebook store any Indian user data within India?

4. Does Facebook provide data to the US’ National Security Agency (NSA), as revealed by Edward Snowden (and acknowledged by the EU court) under the PRISM program?

Readers should note that Facebook hasn’t responded to our questions in the past six-eight months, and we’re not sure if they’ll respond now.

*

What does the Safe Harbor for user data provide for?

– Users need to be informed about: the purpose for which data is collected, used, and on how to contact the organisation with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organisation offers individuals for limiting its use and disclosure. A notice must be provided when individuals are first asked to provide personal information to the organisation or as soon thereafter, as is practicable, but in any event before the organisation uses such information for a purpose other than that for which it was originally collected or processed by the transferring organisation or discloses it for the first time to a third party’.

– A choice to users: about “whether their personal information is to be disclosed to a third party or to be used for a purpose that is incompatible with the purpose or purposes for which it was originally collected or subsequently authorised by the individual. As regards sensitive information, an individual ‘must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorised by the individual through the exercise of opt in choice’”

– Rules on the onward transfer of data. Thus, ‘to disclose information to a third party, organisations must apply the Notice and Choice Principles’;

– Organizations need to take reasonable precautions to ensure that the data is protected from loss, misuse, unauthorized access, disclosure, alteration and destruction.

– Data integrity: to ‘take reasonable steps to ensure that data is reliable for its intended use, accurate, complete and current’

– Users must be allowed to make changes: a person whose personal information is held by an organisation must, in principle, ‘have access to [that] information … and be able to correct, amend, or delete it where it is inaccurate’

– Users should be able to take action in case of non-compliance: “an obligation to make provision for ‘mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organisation when the Principles are not followed’.”