The Commission undertook a study into India's data protection framework, but an Indian government official has said that the Commission is not yet ready to deem the country's systems as satisfying EU data adequacy rules.
EU-based organisations are banned from transferring personal data outside of the European Economic Area (EEA) unless the recipient country ensures an adequate level of protection. The Commission is able to make 'findings of adequacy' in respect of non-EEA countries; however, just 13 'third' countries have been recognised as providing adequate protection, including most recently New Zealand.
EU-based data controllers are free to send personal data to and from countries that the European Commission has recognised as providing adequate protection and do not need to implement alternative methods of compliance, such as by utilising European Commission model contract clauses. All data transfers must comply with other data protection requirements, including that the processing is fair and lawful.
The EU and India are currently in the middle of free trade talks and a "key demand" of the Indian government in the negotiations is that it is deemed as meeting the EU's data adequacy standard, according to a report by the Hindu Business Line.
However, the Commission's study has raised doubts about the willingness of the Commission to form that view, according to an Indian government official.
"The recent communication from the EU Justice Department is worrying for us as it indicates that the EU is not willing to offer us data secure status till we make changes in our systems," an official from India's Commerce Department said, according to the Hindu Business Line report. "This could take a long time as it may also require legislative changes."
A spokesperson for the Commission confirmed to Out-Law.com that the body is "willing to support the further facilitation of data transfers between the EU and India" but said that it was conditional on India "ensuring a high level of protection of personal data". The spokesperson did not reveal whether the Commission is yet ready to deem India as providing adequate data protection, but said that a "partial adequacy agreement" is one of the options available.
"The Commission commissioned a study undertaken by an independent expert, into the law relating to the protection of personal data in India," the Commission spokesperson said. "The study assessed a number of features exhibiting similarities and differences compared to the data protection framework in the EU."
"The EU Data Protection Directive recognises several bases upon which personal data may be transferred to a country outside of the EU," they said. "For example, personal data may be transferred where the protection of personal data is guaranteed by binding corporate rules that have been approved by European data protection authorities, or by standard contractual clauses adopted by the Commission."
"Another basis for the transfer of personal data is where the third country in question has been recognised as ensuring an adequate level of protection ... which involves a proposal from the Commission; an opinion of the group of the national data protection authorities (Article 29 working party); an opinion of the Article 31 Management committee of representatives of Member States; the adoption of the decision by the College of Commissioners and the scrutiny of the European Parliament," they added.
"Where a third country ensures an adequate level of protection, this procedure can result in an adequacy decision under [the] Directive. Where the Commission has not adopted a decision that a third country ensures an adequate level of protection, transfers of personal data may take place on the basis of other legal instruments, such as the binding corporate rules and standard contractual clauses ... Regarding data flows to India, the Commission is ready to facilitate these further where a high level of protection of personal data is ensured, and has proposed a joint expert dialogue to discuss these issues," the spokesperson said.
India cannot use designation of data adequacy as a bargaining tool in negotiations over a new free trade agreement, the spokesperson added, because "data protection is a fundamental right in the EU".
It is estimated that the Indian EU outsourcing market would grow from $20 billion annually currently to $50 billion shortly after a finding from the EU that the country provides adequate data protection, the Data Security Council of India has estimated, according to the Hindu Business Line report.