The pandemic has had varying degrees of effect on businesses depending on their customer pulse. Facebook, Amazon and the like, referred to as ‘massive facilitators’, have seen a surge in their subscriber base as well as high rates of activity. ‘Surveillance’ as a global concern and ‘Data Protection’ as its natural corollary have sprung up as healthcare apps and vaccination drives become lucrative sources of data transfer. Most jurisdictions face one of two problems – the lack of an adequate data protection regime (e.g. India); or, where a legal framework exists, the interoperability of domestic regimes being a definite source of conflict and uncertainty. This article elaborates on the latter while sketching the impact of the Schrems II case in light of its first anniversary.
The decision in the Schrems II case had two main outcomes. The Court of Justice of the European Union (CJEU) invalidated the ‘EU-US Privacy Shield Framework’, which was the principal document relied on by companies in both jurisdictions for data flow. A pertinent reason for such a drastic step can be credited to the extremely strict data export norm followed under the General Data Protection Regulation (GDPR) regime and the lack thereof under any United States (US) law. The CJEU went on to uphold the standard data protection clauses (SCCs). However, it laid down accompanying prerequisites in the form of various supplementary measures, such as requiring case-by-case assessment. Surveillance has not been a public secret since the Snowden debate in the US. Various social movements such as the ‘Black Lives Matter’ movement and Trump’s immigration policy have been hushed under the carpets of national security (e.g. the Foreign Intelligence Surveillance Act) and targeted efficiency. With the help of big tech companies harboured in the US, coupled with the lack of observance of data localization norms under the GDPR, the capacity of big data significantly undermines the privacy standards followed in the EU.
This decision can be causally linked to the fundamental differences in US surveillance laws and the UK privacy regime. In the US, amidst rising tensions of ‘net neutrality in trouble’ and human rights concerns, political ideologies significantly influence general regulatory policies. The result of engaging in digital trade in and/or with the US is capitalistic gains that root for minimal intervention from foreign institutions, which it publicly endorses through its multilateral agreements such as the Trans-Pacific Partnership. On the other hand, a common characteristic among laws that govern data and data flow in the EU is that they provide straitjacket security and/or regulatory solutions, placing individual rights such as the right to be forgotten, freedom of speech and expression and the right to privacy on a pedestal regardless of the size or capacity of the companies doing business. This view is deduced from the fact that it leaves no leeway for Small and Medium Enterprises (SMEs) in abiding by the GDPR. It is thus easy to appreciate how the EU is adamant about its ‘adequacy’ requirements vis-à-vis data protection. However, this fundamental difference can be very stifling in terms of enforcement of data protection regimes, due to the evident lack of interoperability in terms of the underlying interests. Abiding by the requirements under the GDPR involves significant costs which small companies are unable to bear, which translates to ‘99% of all businesses in the EU’. At this point it is essential to point out that while the GDPR seeks to alleviate bad practices, it has certainly planted the bad seeds. It has eliminated competition for big technology companies, which have eventually come to be known as ‘gatekeepers’ or ‘guardians’ of privacy.
Additionally, the trade-off for the US to decrease surveillance or reduce surveillance capitalism far outweighs the potential harm that an EU citizen’s data will be exposed to, in the event that the National Security Agency (NSA) intercepts it.
The Way Forward
Earlier this year, the Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) had suggested repealing the GDPR with significant changes in its approach to data itself. The unwritten truth is that big technology companies are the gatekeepers of privacy. However, such power needs to be used to overcome the hurdle of the lack of interoperability by using technology to neutralize the power imbalance between governmental requests and regulatory responses. The EU has made an attempt towards stirring such a discussion with its recent proposal on end-to-end encryption. Such appreciation for high data protection thresholds is brewing even in India, as it recognizes privacy as a fundamental right under the Constitution of India. The CJEU’s decision in the Schrems II case can serve as a guiding lamp for India’s awaited data protection legislation in ensuring an effective baseline in data protection standards. This will further help cement trade and international relations between India and developed countries.