NASSCOM-DSCI Survey on Government Data Access Requests for IT-BPM and GCC Companies

1. Context

As you might be aware, Earlier in July 2020, the Court of Justice of the European Union (CJEU’s) in the case of Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems (Schrems-II) invalidated the US-EU Privacy Shield, and led to wide-reaching ramifications in terms of cross-border data transfers outside the EU, conducted on the basis of Standard Contractual Clauses (SCCs).

One of the main implications of the judgment,^[1] is that cross-border data transfers of personal data of EU residents, can no longer be held to be valid merely on the basis of SCCs, and would also require an independent assessment by the relevant data exporter, on the adequacy of protection granted by the jurisdiction of import. Such an assessment, and its validity will have to be determined by the relevant national Data Protection Commissioners (DPCs) in EU Member States.

The adequacy assessment inter alia looks at the existence of equivalent levels of protection under national data protection laws in the jurisdiction of import, the availability of judicial redress, and the existence of safeguards against illegal surveillance.

In this regard, NASSCOM and DSCI are currently working on a joint Work Program to assess the impact of the Schrems-II judgment on EU-India data transfers. As a part of this exercise, NASSCOM and DSCI are analysing the various legislative and regulatory requirements under Indian law, that can enable access to personal data (both domestic and foreign).

The current questionnaire seeks certain information regarding the on-ground implementation of these legislative requirements, and our Member companies’ prior experience with data access requests from the Government and Law Enforcement Agencies (LEA).

We hope you find the time to provide us with your responses. The inputs received would be a valuable addition to our Work Program and would enable a more informed discussion on the issue. We request you to kindly provided your responses before 31 January 2021.

[1] A brief analysis of the Judgment of the Court of Justice of the European Union in Schrems II is available at: https://community.nasscom.in/communities/policy-advocacy/data-protection-impact-of-recent-developments-on-the-future-of-eu-india-digital-trade.html

Part-1: Data Sharing with Indian Government

Question Title

* 1. Please provide your Contact Information

Name

Company

Email Address

Question Title

* 2. Please provide us with your Designation in the organisation

Question Title

* 3. What are your organisation’s current data retention policies regarding foreign data transfers?

Question Title

* 4. For the period between 1 January 2020 to 31 December 2020, how many data sharing requests have been received by your organisation from the Indian Government or its agencies?

Question Title

* 5. What percentage of these data sharing requests (if any) pertain to foreign data? (Pertaining to the time period between 1 January 2020 to 31 December 2020)

0-10%

10%-50%

50% or more

Question Title

* 6. What percentage of these requests were issued citing specific statutory or regulatory requirements? (Pertaining to the time period between 1 January 2020 to 31 December 2020)

0-10%

10-50%

50% or more

Question Title

* 7. For the period between 1 January 2020 to 31 December 2020, what is the number of foreign data transfers made to the Indian Government or its agencies pursuant to a data sharing request?

Question Title

* 8. Would the responses to Questions 4 to 7 be materially different for the time period from 1 January 2019 to 31 December 2019?

Question Title

* 9. What are the consequences of non-compliance with data sharing requests from Indian Government or its agencies?

Question Title

* 10. What are the grounds on which compliance with data sharing requests can be validly declined?

Question Title

* 11. Any other information that you would like to provide with respect to data sharing obligations with the Government, and LEA.

Part - II: Material Changes in Cross-Border Data Transfers Post Schrems-II

Question Title

* 12. After the passage Schrems-II judgment, has there been any material changes in:

a. Volume of actual cross-border data flows effected by your organisation to and from Europe?

b. Restrictions and safeguards applicable to cross-border data flows effected by your organisation to and from Europe?

c. Enforcement and regulatory interventions by European regulators regarding data transfers from Europe to India?

Question Title

* 13. Has your organisation sought clarity as to the impact of the Schrems-II judgment from European or National Regulators in Europe? If yes, please provide details of responses received (if any)

Question Title

* 14. Has your organisation received any queries from EU clients, regarding the impact of the Schrems-II judgment? If yes, what materials have been provided to demonstrate adequacy of protection to EU personal data?

NASSCOM-DSCI Survey on Government Data Access Requests for IT-BPM and GCC Companies

1. Context

Question Title

* 1. Please provide your Contact Information

Question Title

* 2. Please provide us with your Designation in the organisation

Question Title

* 3. What are your organisation’s current data retention policies regarding foreign data transfers?

Question Title

* 4. For the period between 1 January 2020 to 31 December 2020, how many data sharing requests have been received by your organisation from the Indian Government or its agencies?

Question Title

* 5. What percentage of these data sharing requests (if any) pertain to foreign data? (Pertaining to the time period between 1 January 2020 to 31 December 2020)

Question Title

* 6. What percentage of these requests were issued citing specific statutory or regulatory requirements? (Pertaining to the time period between 1 January 2020 to 31 December 2020)

Question Title

* 7. For the period between 1 January 2020 to 31 December 2020, what is the number of foreign data transfers made to the Indian Government or its agencies pursuant to a data sharing request?

Question Title

* 8. Would the responses to Questions 4 to 7 be materially different for the time period from 1 January 2019 to 31 December 2019?

Question Title

* 9. What are the consequences of non-compliance with data sharing requests from Indian Government or its agencies?

Question Title

* 10. What are the grounds on which compliance with data sharing requests can be validly declined?

Question Title

* 11. Any other information that you would like to provide with respect to data sharing obligations with the Government, and LEA.

Question Title

* 12. After the passage Schrems-II judgment, has there been any material changes in:

Question Title

* 13. Has your organisation sought clarity as to the impact of the Schrems-II judgment from European or National Regulators in Europe? If yes, please provide details of responses received (if any)

Question Title

* 14. Has your organisation received any queries from EU clients, regarding the impact of the Schrems-II judgment? If yes, what materials have been provided to demonstrate adequacy of protection to EU personal data?

Question Title

* 15. Are there any practical concerns relating to the implications of the Schrems-II judgment at present?

Question Title

* 16. Do you expect any concerns to unfold in the future, say over next 12 months? If yes, explain.

Question Title

* 17. Is there anything that you expect the Government of India or the EU regulators to do? If yes, explain.