Applying Principles of Liability to Cross Border Transfers of Data in India

The jurisprudential landscape on privacy seems to be witnessing a tectonic shift in light of an emerging data protection framework in India with the publication of the B.N Srikrishna White Paper on Data Protection. The replacement of the EU Directive 95/46/EC with the EU General Data Protection Regulation (GDPR) this May further evidences this thought. In light of these developments, it becomes crucial to identify questions which Indian discourse on data protection has left unanswered.


One such question related to applicability of a future law is: once a data protection framework operationalises, whenever a data breach takes place, how would attribution of liability shape itself when a data controller based outside India operates in India? Would liability be extendedly attributed to the controller based outside India or its Indian establishment(s) or both?  Upon a careful perusal of the White Paper, it is realized that the document is silent on which entity may be impleaded when a data controller based outside India (such as Facebook U.S.A) operates in India through its subsidiaries (such as Facebook India).


The answer to this question is fundamentally crucial for any potential data protection authority in the future in determining which entity may be proceeded against in pursuit of remedying data subjects. In a plethora of situations, data controllers situated abroad carry out their activities through subsidiaries or establishments in the country of the data subject. In most of these cases, the data is not processed in the country of the data subject; it is transferred across borders to the host country where the main establishment of the data controller is situated for processing. This blurs the convenience in attributing culpability to an entity for data breach in the country of the data subject since it is not clear whether the main establishment or the establishment in the country of the data subject or both is/are liable for the breach.


While the White Paper Document does briefly discuss the Google Spain Case, the reference is primarily in the context of the right to be forgotten instead. On the other hand, one finds patches to this answer upon tracing discourse back to the Private Member Bill on Data Protection proposed by Baijayant Panda in the Parliament. Article 3 of the Bill (discussing applicability) stipulates that the Bill would be applicable to two kinds of data controllers. First, to controllers which operate within Indian territory through an establishment, irrespective of whether data processing is carried out at such place or outside India. Second, the Bill would extendedly apply to controllers which do not have an establishment in India, but offer goods or services to persons in India. The second condition seems to envisage an expressly broader application of the Data Protection Bill as compared to the nearing EU GDPR and the now-to-be erstwhile EU Directive 95/47. These allow member states to apply national law to controllers outside the state only if they carry out processing of data in the context of activities carried out by their establishments in such states. (I shall delve into deeper into this in a bit).


With the publication of the White Paper document, the relevance of the Private Member Bill seems to have been sidelined.  However, assuming a future data protection law adopts a similar provision, speculating the feasibility of the same becomes imperative to understand where contours of such a law should lie. The central idea behind this piece is to understand whether such a provision successfully answers the question posed above or results in an anomaly.


Assuming a similar provision (to Article 3) is adopted in a future Data Protection law, it is not clear whether a future Indian DPA would be able to proceed against data controllers in a situation where: 1) the data controller is based outside India (Facebook Inc.), 2) it does not have an establishment in India, 3) the Data Controller does not actively offer goods/services in India: however, 4) the data subject avails the goods/services online. The aforementioned anomaly was partially resolved in the EU through a recent non-binding opinion by Advocate General Bot in a reference to the European Court of Justice by the German Data Protection Authority (DPA). The question concerned the case of UnabhängigesLandeszentrumfürDatenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH in the presence of,inter alia,Facebook Ireland Ltd. In the opinion, the AG ruled that under the EU Data Protection Directive, any National Authority in the EU can proceed against a data controller breaching data protection laws, provided the processing has taken place in the context of the activities in such a state, regardless of even if the controller company is established in another member state.


In this case, a German Company was required to close a fan page hosted by Facebook Ireland Ltd. Administered by the German Company, the page was hosted by Facebook Ireland. The data which was gathered from visitors was stored in the form of cookies by the German Company in hard drives. However, the visitors were not informed that their personal data was being collected in this manner.  The background of this case includes Facebook Inc. which provides services of social network in the entire EU territory with the means of intermediaries in the form of several establishments. One of these establishments, Facebook Ireland is the designated controller of personal data processing in the EU. Responsibilities of Facebook Germany on the other hand are restricted to the promotion and sale of advertising space directed towards residents of Germany.


The crucial issue being decided in this case is parallel to the moot question raised by this piece: in a situation where Facebook Ireland & Facebook Inc. jointly are responsible for processing data and Facebook Germany (or Facebook India, for that matter) is only responsible for marketing activities of Facebook, should the German DPA (or Indian DPA, more relevant to us) exercise its powers of intervention against Facebook Ireland (or Facebook India) or both? Or are such powers exercisable only by the DPA where the controller undertakes responsibility to process data (and if so, how would an Indian DPA proceed against Facebook Inc.)?


Significantly, Facebook Ireland contended that being based outside Germany, the German National law cannot apply to it. Irish National Law should apply to it instead (Facebook Ireland was making this argument since the Irish DPA did not object to the processing in this case). On the other hand, the German DPA argued that the processing taking place by Facebook Inc. was in the context of advertisement-related activities facilitated by Facebook Germany. The German DPA relied on the case concerning Weltimmo, where the CJEU held that the Hungarian DPA has power to impose a fine on a service provider in Slovakia since its activities are in the context of activities of the Hungarian establishment of the service provider. The DPA also relied on Google v. Spain in which Google Inc. was required to delete information belonging to a Spanish citizen since the processing by Google Inc. was in the context of activities of Google Spain, an establishment of Google Inc. despite operating only in the area of advertising.


The AG, relying on both decisions rendered its opinion in favour of the German DPA to hold that since Facebook Inc. is generating significant revenue from advertisements facilitated by Facebook Germany, the joint processing activities of Facebook Inc. and Facebook Ireland are inextricably linked to the activities of Facebook Germany, its establishment in Germany. Since the data processing is specifically intended to enable targeted advertisement by Facebook in Germany, it could be considered as being part of the activities undertaken by Facebook’s establishment, in Germany. Significantly, the Attorney General held that the Location of Controller was irrelevant: Facebook Ireland (data controller) in this case could have been based even in a third country outside the EU for that matter. Moreover, the Court reasoned that since the controller is the only entity that exerts a decisive influence on the data processing at issue, it is to the controller that any measure requiring data processing to be stopped should be addressed [Since Facebook Germany is not responsible for processing, it is not a controller]. Therefore, German DPA can proceed against Facebook Ireland


Why Are Controllers Held Accountable To Multiple Data Protection Authorities In The EU?


Under the EU Directive 95/46/EC (‘DPD’), the one-stop shop principle was not incorporated. Since the GDPR has not yet taken effect, the DPD was applied to this case. However, once the GDPR comes into force, the one-stop shop (OSS) principle would be implemented. Thereon, data controllers would have to deal with only the DPA in the member state of their main establishment. So, once the EU GDPR is implemented, Facebook Ireland would solely be accountable for data breaches and the aggrieved data subjects would have to approach the DPA in Ireland and not Germany in such cases.


Options For India Based On The Approach On The EU Approach


Based on the approach in the EU, India has two possible alternatives out of which it could adopt one model in its data protection framework in the future:


One, it could hold establishments/subsidiaries of Data Controllers in India liable regardless of whether or not they are responsible for processing of Indian Data as long as the processing is in the context of activities conducted by the establishment/subsidiaries [as under Directive 95/47]. This would result in utmost convenience for a future DPA in communicating with or proceeding against a breaching entity whose establishment is based in India, since the DPA could directly proceed against such an establishment (eg., Facebook India). This, however, may seem tangential to the intent behind the OSS rule in the GDPR, resulting in divergence from future EU Law.


Two, it could hold the main establishment/parent entity of controllers liable for processing of data relating to activities within the Indian context. In the latter, there may be concerns relating to jurisdiction which could be allayed based on the precedential notions ofBanyan Treeand World Wrestling Entertainment(arguably also adopted in aforementioned Article 3). In these cases, Indian jurisprudence (in the context of intellectual property rights) affirmed the possibility of a virtual presence of business entities in India although physically situated abroad by virtue of providing goods and services in India.  The rationale derives strength from equating transactions online in India as virtually the same as these business entities having physically accessible shops in India.


However, if the second option is adopted, in a plethora of situations where websites are not actively rendering goods or services in India, controllers may still face the heat of the DPA. This may be detrimental for small-scale data controllers/websites not having sufficient resources and not intending to provide services in India even though Indians may be actively going to such websites and availing them. At the same time, it would help in holding large-scale controllers accountable directly as long as it offers such goods or services in India rather than having to undertake the onerous task of establishing an inextricable link between its processing activities and the activities of its (often sham) establishment in India which may, as witnessed in Google Spain and Weltimmo, be a tricky endeavour.


Siddharth Sonkar is a third year student of the National University of Juridical Sciences (NUJS), Kolkata, with an interest in law, technology and legal policy.

Siddharth Sonkar

Leave a Reply

Your email address will not be published. Required fields are marked *