NASSCOM Schrems II Study


Implication of Schrems II on EU-India Data Transfers


A Mapping and Analysis of Indian Privacy and Surveillance
Legislation and Practical Guidance on Cross-Border Transfers

August 2021

Image: Wikimedia Foundation Servers-8055 13.jpg, Victorgrigas, CC BY-SA 3.0, via Wikimedia Commons
Table of Contents
PREFACE ........................................................................................................................... 3

NASSCOM......................................................................................................................... 4

EXECUTIVE SUMMARY ...................................................................................................... 5

INTRODUCTION................................................................................................................ 7

EDPB ‘Essential Guarantees’ and the new SCCs ............................................................. 7

Objective and Structure of the Study.............................................................................. 8

Methodology and Limitations......................................................................................... 9

PART – I: EU LAW - SCHREMS II PRINCIPLES, EDPB GUIDANCE AND THE NEW SCCS .... 10

(A) Schrems II on SCCs and practical guidance to data exporters/importers ........... 11

(B) Principles for Analysing Foreign Country’s Law and Practice.............................. 14

PART – II: ANALYSIS OF INDIAN LAW .............................................................................. 18

PART – III: CONCLUSION AND WAY FORWARD.............................................................. 28

ANNEXURE I .................................................................................................................... 31

ANNEXURE II ................................................................................................................... 52

ANNEXURE III .................................................................................................................. 68

PREFACE

In July 2020, the Court of Justice of the European Union (CJEU) passed a significant ruling on data
transfers between the European Union (EU) and the United States of America (US).1 In this case,
popularly known as Schrems II,2 the CJEU found the ‘privacy shield’ that allowed data transfers
between the EU and the US, invalid.3 In the court’s opinion, US surveillance law did not have sufficient
protections for EU residents that met EU standards, and the privacy shield could not fill those gaps.4
In sum, this was because: government access to data under US surveillance law was not
proportionate or strictly necessary to the state objective; it did not provide for adequate
independent oversight over surveillance requests; and it did not allow EU residents effective
remedies for redress.5

At the same time, the CJEU upheld standard contractual clauses (SCCs) as a valid method for data
transfers to the US, but with certain riders. In the court’s view, authorities and organisations must
conduct case-by-case assessments of the recipient country’s legal framework. Where needed,
organisations must adopt supplemental measures to protect individuals’ rights – such that the
protections are equivalent to EU standards.6 In fact, after the decision, the European Data Protection
Board (EDPB) issued revised guidance on supplementary measures that need to accompany
transfers under SCCs in case of any gaps between the third country’s domestic legal framework and
the EU’s essential guarantees. More recently, the European Commission (EC) adopted revised SCCs
that are in line with the CJEU’s decision. The new SCCs repeal the old SCCs with effect from 27
September 2021.7

The CJEU’s decision’s most immediate impact was on EU-US transfers. However, this ruling has
implications for cross-border transfers across the world since the same principles will apply
elsewhere. While data transfers continue pursuant to SCCs, there could be an apprehension that
national authorities of different EU member states may issue divergent opinions on validity of
recipient countries’ laws, putting at risk the continued validity of transfers to those countries.

The EU region is a significant market for the Indian Information Technology – Business Process
Management (IT-BPM) industry, and therefore, the Schrems II judgment is likely to have an impact
on the future of data transfers from European data controllers to data processors located in India.

1 See, Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems, https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=12312155 (Last accessed on 12 July 2021).

2 See, Part II for context of Schrems I, https://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=143358 (Last accessed on 12 July 2021).

3 The GDPR prescribes different tools for data transfers between the EU and third countries or international organisations. These include transfers subject to (a) ‘adequacy decisions’ of the European Commission based on the level of data protection afforded by third countries, (b) appropriate safeguards such as Standard Contractual Clauses, which allow for data transfers between data controllers in the EU and data processors outside the EU, or Binding Corporate Rules, and (c) exceptions or derogations, such as explicit consent to transfer data.

4 See Paras 184-185 and 197-199, Schrems II.

5 See Infra Part I(B) of this Paper.

6 See Infra Part I(A) of this Paper.

7 The new SCCs were published in the EU official journal on 07 June 2021, and will come into effect 20 days after their publication, i.e. 27 June 2021, Article 4, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (Last accessed on 12 July 2021).
Accordingly, in November 2020, NASSCOM initiated member consultations, and subsequently
undertook a project to assess the applicable Indian law framework, and the revised SCCs, to:

• understand existing gaps in the Indian framework vis-à-vis the European essential
guarantees highlighted by the CJEU and the EDPB;
• identify modes of data transfers available to Indian IT-BPM industry and additional measures
required in light of the Schrems II judgment, the EDPB’s guidance on supplementary
measures, and the new SCCs; and
• assess impact of India’s forthcoming data protection law on the overall evaluation of the
Indian framework’s adequacy with the EU essential guarantees.

The objective of this study is to help the industry and governments assess if the Indian government’s
access to foreign data under Indian laws is proportionate or strictly necessary to the state objective;
whether there is an adequate independent oversight over surveillance requests; and whether the
laws enable foreign residents’ access to effective remedies for redress.

The study attains greater significance against the backdrop of the recent revelations surrounding the
use of spyware by sovereign governments for mass surveillance. While bulk surveillance is not
entirely inconsistent with emerging international customary norms around data protection (as
suggested by European jurisprudence on the subject), the revelations highlight the manner in which
developments in technology can affect the impact of such surveillance on individual privacy and
thereby necessitate periodic reviews of the due process requirements and safeguards
contained in the laws that enable such bulk and real-time data access. The present study, however,
does not directly concern itself with such situations of extraordinary access, and attempts to assess
the adequacy of safeguards in laws that enable Government data access more generally, in the
context of the European essential guarantees.

The study is not a legal opinion. It is only intended to serve as an input for an assessment of Indian
data access laws and practices.

NASSCOM looks forward to engaging with the industry to understand a company level evaluation
of the concerns highlighted here with respect to their data transfer circumstances and to understand
the cases where these concerns are material and where they are not. We hope this will inform our
work with the Government of India towards strengthening the oversight and remedy mechanisms to
improve safeguards with respect to data access by the Government, in the ‘key laws’ identified here.

I would like to acknowledge the team at Ikigai Law led by Sreenidhi Srinivasan for their extended
assistance in developing this study and my colleague Indrajeet Sircar who led this project. Should
you have any questions or concerns relating to the present study, I request you to share them with
us at [email protected].

Ashish Aggarwal
Vice President and Head of Public Policy
NASSCOM

EXECUTIVE SUMMARY

For our analysis, we mapped 273 Indian laws and regulations across different sectors (listed in
Annexure II). We examined Indian general criminal procedure law, law applicable to electronic data,
telecom laws, banking and financial sector laws, healthcare laws and specialised investigation laws
(e.g., for money laundering).

From this large set, we identified laws that are relevant from a Schrems II essential guarantees
perspective by asking two questions:

▪ first, whether the law allows the Government to access ‘foreign’ data, i.e., can EU residents’
data be accessed under the law? and
▪ second, whether the law covers situations of data ‘import’, i.e., situations where data about
an EU resident is transferred from an EU company to an Indian data controller or processor?

We analysed these laws against the principles that flow from the CJEU’s judgment in Schrems II, the
EDPB’s Guidance on European essential guarantees and supplementary measures, and the new
SCCs adopted by the EC.

EDPB’s guidance on essential guarantees and the new SCCs offer some comfort on the fallout of
Schrems II on transfers to third countries.8 Under the new SCCs, organisations must conduct a case-
by-case assessment of Indian data access laws and practices before transferring data.9 In this
assessment, organisations can factor in actual practice as well, i.e., the kind and actual number of
requests received from public authorities and under which law. The adoption of a risk-based
approach rather than a theoretical apprehension of data access offers some relief because the actual
requests received for government access to ‘imported’ data may be limited. Therefore, in carrying
out this case-by-case assessment, organisations may be able to narrow down the set of laws to be
analysed to those invoked in practice and relevant to data ‘import’ situations. Data importers should
therefore actively consider documented practical experiences to identify the set of laws relevant to
their sector.

In our analysis, 233 of the 273 individual laws, rules and regulations do not contain any
provision enabling Government access to imported data.

From amongst the remaining 40 laws, specific and potential concerns arise out of three primary
‘key’ pieces of legislation, i.e., the Information Technology Act, 2000 (IT Act), the Indian Telegraph Rules,
1951 (Telegraph Rules) and the Code of Criminal Procedure, 1973 (CrPC), and the Rules issued
thereunder.

Specifically, while the availability of writ remedies under the Constitution of India is likely to be
considered an effective remedy, the lack of statutory remedies against potentially excessive
interference by Government agencies and the absence of independent judicial oversight over
Government data access requests issued under the above laws could pose concerns. Moreover,
certain provisions under the CrPC might pose concerns with respect to adherence to a required
standard of due process, specificity, necessity, and proportionality in relation to Government data
access requests.

8 See Infra Part II(A) of the Paper.

9 We have identified a narrow set of data access laws from our mapping exercise. For Methodology, see Part (II) of this paper.

We evaluated the impact of India’s upcoming data protection legislation, the Personal Data
Protection Bill, 2019 (PDP Bill). In its current form, the PDP Bill is likely to lay out a strong case for
Indian laws’ adequacy with EU standards for data protection. However, potential concerns may
remain on account of broad powers vested with the Central Government to exempt
Government agencies from the application of the provisions of the PDP Bill if the Bill is enacted
in its present form. Subject to such exemptions being narrowly tailored and based on legitimate
state objectives of national security, the eventual passage of the PDP Bill is likely to enhance the
overall evaluation vis-à-vis adequacy with the EU.

While our analysis of the key laws throws up some concerns arising out of general procedural
laws and applicable telecom and IT laws, overall, Indian law fares better than US surveillance
law. For instance, Indian law does not differentiate between Indians and non-Indian citizens when it
comes to approaching courts under their writ jurisdiction. This could help meet the threshold of
‘effective remedy’.

Finally, mere existence of likely concerns in the key laws does not prevent the importers of
data from fulfilling their obligations under the SCCs. The new SCCs require a risk-based
approach rather than a theoretical apprehension of data access by the government.
Accordingly, the industry would need to evaluate relevant and documented practical experience of
prior instances of requests for disclosure from public authorities, or the absence of such requests, to
ascertain whether there are genuine concerns.

INTRODUCTION

For the Indian IT-BPM sector, the EU is a significant market. Indian organisations service European
clients by providing SaaS, IT, and business support services, for which they require free flow of data
from Europe. The industry already faces an opportunity cost. In the absence of an Indian data
protection law and an ‘adequacy decision’ under EU’s General Data Protection Regulation (GDPR)
in India’s favour,10 the IT-BPM sector relies heavily on SCCs for data flows from the EU. Post Schrems
II, EU-India transfers under SCCs would depend on how relevant EU authorities view Indian data
access laws, when measured against EU standards. What adds to this complexity is the inconsistent
application of standards by different European authorities, in some cases involving member states’
surveillance laws. EU law on the subject has not always been consistent, especially with the European
Court of Human Rights (ECtHR) and the CJEU, at times, taking different positions.11

EDPB ‘Essential Guarantees’ and the new SCCs


After the CJEU’s decision, there was significant uncertainty around its impact on data transfers from
the EU to the US and elsewhere. In November 2020, the EDPB issued two sets of recommendations:

• first, the ‘essential guarantees’ or principles to be met by the recipient country’s
surveillance/data access laws; and
• second, practical guidance to data exporters and supplementary measures that they could
consider for ensuring continued transfers.12 Illustratively, such supplementary measures
could include: encryption, pseudonymisation of data, internal processes to respond to
government data access requests, among others.13

In June 2021, the European Commission adopted the much-awaited new version of SCCs.14 The new
SCCs codify the Schrems II requirement of conducting a case-by-case assessment. They also offer
additional guidance on relevant factors for such assessments. Importantly, the SCCs acknowledge
that in assessing a recipient country’s law and practice, organisations can also draw from ‘relevant
and documented practical experience’, i.e., prior instances of data access requests received from
public authorities.15 So, the likelihood of receiving a request is factored into the assessment. This is
useful since, while there may be innumerable laws with data access provisions, few are likely to be
invoked by law enforcement agencies (LEAs) in actual practice. The data processor’s assessment of
documented and systemic examples of data access requests in actual practice will therefore be
relevant to the assessment.

10 See, India to approach the EU seeking ‘adequacy status’ with the GDPR, the Economic Times, 30 July 2019, https://economictimes.indiatimes.com/internet/india-to-approach-the-eu-seeking-adequacy-status-with-the-general-data-protection-regulation/articleshow/70440103.cms (Last accessed on 12 July 2021).

11 See, Squaring the Circle? International Surveillance, Underwater Cables and EU-US Adequacy Negotiations (Part 2), Theodore Christakis, 13 April 2021, https://europeanlawblog.eu/2021/04/13/squaring-the-circle-international-surveillance-underwater-cables-and-eu-us-adequacy-negotiations-part2/ (Last accessed on 12 July 2021).

12 See, EDPB Recommendations on European Essential Guarantees, https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf (Last accessed on 12 July 2021); See also, EDPB Recommendations on Supplementary Measures to Ensure Compliance with EU Level of Protection of Personal Data, https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf (Last accessed on 12 July 2021).

13 See, Clause 15, SCCs - Obligations of the data importer in case of access by public authorities, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (Last accessed on 12 July 2021); See also, Annex 2 of the EDPB guidance on supplementary measures.

14 See, Commission implementing decision (EU) 2021/94 of 04 June 2021 on SCCs for transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (new SCCs), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (Last accessed on 12 July 2021).

15 See, Clause 14, new SCCs.
Following Schrems II, the EDPB guidance and the new SCCs, organisations that wish to rely on SCCs to
transfer data must assess the data access laws of the recipient country and how they hold up against the
‘essential guarantees’. In case of gaps, organisations must implement additional protections as
supplementary measures.

The new SCCs repeal the old SCCs with effect from 27 September 2021. Therefore, all arrangements
for data transfers entered into after this date need to be based on the new SCCs. All arrangements based
on the old SCCs entered into prior to 27 September 2021 will, however, continue to be a valid basis for
data transfers until 27 December 2022, provided the processing operations underlying the
arrangements remain unchanged. Beyond 27 December 2022, however, all data transfers must
adhere to the new SCCs exclusively.16

Schrems II has triggered a global debate on the adequacy of domestic data protection regimes.
Moreover, it has highlighted the necessity for third countries with business interests in the EU region
to introduce legislative changes to comply with the GDPR. As India is on the cusp of finalising its data
protection law, the new law could play a key role here, by offering additional protections to bridge
any gaps.

The 2019 version of the PDP Bill17 was criticised by privacy advocates for granting sweeping powers
to the government to exempt any of its agencies from meeting data protection obligations.18 Wide
exemptions may adversely impact the EU view of the Indian regime. Needless to say, the law would
also be critical for any future bid by India for adequacy under the GDPR.19

Objective and Structure of the Study


In this paper, we describe the Schrems II decision that found US surveillance law insufficient, thereby
invalidating the US-EU Privacy Shield arrangement. Thereafter, we analyse Indian data access and
surveillance law against the EU standards employed by the CJEU to assess US privacy and
surveillance legislation in Schrems II.

For this, we identify relevant Indian data access laws that will likely be examined by EU authorities in
any assessment of EU-India data transfers pursuant to SCCs (see Methodology below). We then test
these laws against the Schrems II principles and the EDPB ‘essential guarantees’. We believe this
assessment is useful in two ways:

• first, it can enable the Indian IT-BPM industry to identify any gaps in law that may need to be
filled through supplementary measures; and
• second, it can enable policy makers to understand the key laws or provisions that may attract
an adverse view from EU authorities.

In Part I, we describe the principles emerging from Schrems II and how they were applied to US law.
We examine the EDPB guidance and the new SCCs to help the Indian IT-BPM industry understand
what lies ahead. From the Schrems II decision, the EDPB guidance and the new SCCs, we distil the
principles for analysing a recipient country’s legal framework.

16 The new SCCs were published in the EU official journal on 07 June 2021, and will come into effect 20 days after their publication, i.e. 27 June 2021, Article 4, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (Last accessed on 12 July 2021).

17 The draft Personal Data Protection Bill 2019 (PDP Bill), http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf (Last accessed on 12 July 2021).

18 See, Clause 35, PDP Bill.

19 Supra Note 10.
In Part II, we analyse Indian data access and surveillance laws against those principles. We attempt
to provide a risk matrix: how likely is it that the law will be viewed adversely by an EU authority (high
risk, medium risk, low risk)?

In Part III, we conclude with a brief discussion of the Supreme Court’s decision in Puttaswamy,20 the
necessity and proportionality principle in Indian law, and how this strengthens India’s legal
framework, potentially even lowering the risk of an adverse reaction from an EU authority. We also
discuss India’s forthcoming data protection law, where the law makes the Indian case stronger and
where it falls short.

Methodology and Limitations


For our analysis, we mapped 273 Indian laws and regulations across different sectors (listed in
Annexure II). We examined Indian general criminal procedure law, law applicable to electronic data,
telecom laws, banking and financial sector laws, healthcare laws, and specialised investigation laws
(e.g., for money laundering). From this large set, we identified laws that are relevant from a Schrems
II essential guarantees perspective by asking two questions:
(i) Does the law allow government to access ‘foreign’ data, i.e., can EU residents’ data be
accessed under the law?
(ii) Does the law cover situations of data ‘import’, i.e., data about an EU resident transferred
from an EU company to an Indian data controller or processor?

There are other edge cases where there is no ‘import’ of European data as such or the law is not
directly relevant to the IT-BPM industry, but the provisions allowing data access are wide enough or
ambiguous enough to cover EU residents’ data. For instance, the Prevention of Money Laundering
Act 2002 (PMLA) requires ‘reporting entities’ to maintain certain records and share the same, upon
request with the Financial Intelligence Unit (FIU), under the Ministry of Finance. Reporting entities
typically include financial institutions and financial intermediaries, and not IT-BPM intermediaries.
While data access from financial intermediaries could include EU residents’ data, it is not a question
of ‘import’ of data from an EU company to an Indian data processor/controller, which is the subject
of this analysis. We have not included such laws in the main analysis, but these are captured in
Annexure I.

This mapping indicates that while there are innumerable laws that permit data access, not all are
key to the analysis, in that:

1. Several are irrelevant to the analysis since they will not extend to European residents’ data
flowing in from the EU.
2. Many others that meet the above two questions are rarely invoked in practice, especially in
the context of the IT-BPM sector.
This helps identify the ‘key’ laws that might trigger the need for additional protections/
supplementary measures. It is also in line with the guidance in the new SCCs to look at practical
experience in the assessment.

Limitation: In our analysis, we have primarily looked at the text of the statutes, and not done
an exhaustive case law search to interpret the legal text.

20 See, K.S. Puttaswamy vs. Union of India, (2017) 10 SCC 1, https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf (Last accessed on 12 July 2021).
PART – I: EU LAW - SCHREMS II PRINCIPLES, EDPB
GUIDANCE AND THE NEW SCCS

In 2013, Austrian privacy advocate Max Schrems filed a complaint with the Irish Data Protection
Commissioner, alleging that Facebook Ireland transferred his data to the US pursuant to the EU-US
safe harbour framework,21 but that the US legal framework did not have enough protections for his
data.22 This complaint is the genesis of a series of rulings on the validity of EU-US data transfers.
From this first complaint, in 2015, the CJEU invalidated the safe harbour framework, holding that it
allowed US public authorities to interfere with the fundamental rights of EU citizens without
providing adequate protections23 (Schrems I).

To allow transfers to continue and to address the CJEU’s concerns, the European Commission and
the US negotiated a new ‘privacy shield’ in 2016, with additional protections. The privacy shield
framework was based on a system of self-certification, by which US companies committed to follow
a set of privacy principles issued by the US Department of Commerce, to meet EU standards.
These principles required companies to allow data subjects to seek access to their personal data;
publish privacy notices specifying their participation in the framework and their use of EU residents’ data;
and take measures to protect personal data from loss, disclosure, unauthorised access, etc.24 The
framework also created an independent redress mechanism called the ‘ombudsperson’, to examine
complaints and requests from EU data subjects in relation to national security access to data by US
public authorities.25

The European Commission adopted the privacy shield after assessing the limitations and safeguards
in US surveillance laws and the additional protections in the privacy shield.26 In Schrems II, however,
the CJEU found the privacy shield also to be inadequate. It upheld SCCs, subject to certain caveats.
In this part:
In this part:

(A) We first discuss the CJEU’s ruling in Schrems II on SCCs, the EDPB’s practical guidance to data
exporters, including supplementary measures and close out with guidance in the new SCCs. This will
help organisations understand next steps (which includes an assessment of their country’s law and
practice on data access by public authorities).

(B) Then we describe how this assessment can be carried out. For this, we discuss the CJEU’s
assessment of US law against EU standards and the EDPB’s essential guarantees, broken down into
questions for clarity. This will lead us into the analysis of Indian data access/surveillance laws in Part
II.

21 The GDPR sets out different tools for transferring data between the EU and third countries. These include transfers pursuant to an adequacy decision of the EC on the level of data protection afforded by third countries; SCCs, codes of conduct, BCRs; and exceptions in specific circumstances. So far, the EC has recognised 13 countries as providing ‘adequate’ protection. Thus, other countries rely on different means of data transfer under the GDPR including SCCs. So far, 14 countries have received adequacy decisions. The US is not one of them. In 2000, the US and EU negotiated the safe harbour framework to allow transfers.

22 In Max Schrems vs. Data Protection Authority (Schrems I), the CJEU struck down the safe-harbour framework following a complaint by Schrems, who alleged that the US does not afford adequate protection to personal data transferred by Facebook Ireland to the US, https://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=143358 (Last accessed on 12 July 2021).

23 Ibid.

24 See, Privacy Shield Overview, https://www.privacyshield.gov/program-overview (Last accessed on 12 July 2021).

25 The privacy shield ombudsperson was a senior official within the US Department of State, ‘independent’ from the US intelligence community, https://ec.europa.eu/info/sites/default/files/2016-08-01-ps-citizens-guide_en.pd_.pdf (Last accessed on 12 July 2021).

26 Para 43, Schrems II.

(A) Schrems II on SCCs and practical guidance to data exporters/importers


As noted earlier, the CJEU upheld the validity of SCCs for transfers, with certain conditions. Key
takeaways:

• SCCs are valid: The CJEU upheld the validity of SCCs but indicated that SCCs are only
intended to provide contractual guarantees. Since public authorities are not a party to the
contract, SCCs are not binding on them. Therefore, the CJEU required organisations to verify
(on a case-by-case basis) whether the law of the third country protects the rights and personal
data of individuals by providing additional safeguards that supplement SCCs. The judgment
does not spell out these supplemental measures.27

• Legal framework and SCCs are both relevant to determine equivalence: The CJEU
acknowledged that organisations can transfer data in the absence of an adequacy decision,
by providing appropriate safeguards, enforceable rights and effective legal remedies. These
safeguards should ensure that data subjects whose data is transferred to a third country
pursuant to SCCs are afforded a level of protection ‘essentially equivalent’ to EU standards.
For assessing the level of equivalent protection in the context of a transfer, both the SCCs
and the relevant aspects of the legal framework of the third country should be taken into
account.28

• EU data protection authorities could suspend transfers in case of inadequate safeguards:
Where organisations fail to provide adequate additional safeguards, the EU data protection
authorities can suspend the transfer of data to a third country, particularly where the law of
that third country imposes obligations on the data importer which impinge on the contractual
guarantee of an adequate level of protection against access to data by the government of
that third country.29

• Consequences of not observing the requirements under SCCs: In cases where organisations
fail to ensure adequate protection, the data received should be returned or destroyed,30 and
data subjects should receive compensation for damages caused where SCCs are breached.31

EDPB’s practical guidance to exporters, including supplementary transfer tools:

After the CJEU’s decision, practitioners around the world sought to assess its impact on transfers to
their countries.32 While transfers to the US were hit most immediately, there were concerns that EU
data protection authorities could issue adverse opinions on a third country’s law and practice, halting
transfers to that country.33 Data exporters were required to undertake case-by-case assessments of
a country’s law and practice, in collaboration with importers, and adopt supplementary measures
where needed. Acknowledging the complexity of this exercise,34 the EDPB provided guidance on
assessing a country’s laws (discussed later in this section). It also offered data exporters a series of steps
to follow and suggestions on supplemental measures to consider:35

• Know your transfer, i.e., map all data transfers to third countries.
• Verify the transfer tools, i.e., identify which transfer mechanism is invoked (such as SCCs,
BCRs and adequacy decisions by the EC).
• Assess the law or practice of the third country based on the essential guarantees (discussed
later in Part B of this section).
• Identify and adopt supplementary measures, where needed. These measures could
include reviewing the circumstances under which the transfer occurs, the business sectors in
which the transfer occurs, the categories of personal data processed (e.g., data relating to
children may fall within the scope of a different law in the third country), etc.
• Take any formal procedural steps to adopt the supplementary measures.
• Re-evaluate periodically.

We have included a more detailed overview of the supplemental measures in Annexure III.

27 See, Para 133, Schrems II.

28 See, Para 105, Schrems II.

29 See, Paras 118-121, Schrems II.

30 See, Para 143, Schrems II.

31 See, Para 143, Schrems II.

32 See, 7 predictions for the road ahead after “Schrems-II”, Brian Hengesbaugh and Elisabeth Dehareng, 28 July 2020, https://iapp.org/news/a/seven-predictions-for-the-road-ahead-after-schrems-ii/ (Last accessed on 12 July 2021).

The New SCCs

While the EDPB recommendations offered some practical guidance, organisations were also waiting for the new versions of the SCCs. The previous versions of the SCCs were issued in 2010.36 The European Commission had been working on a new set of SCCs to bring them in line with the GDPR and, post July 2020, with Schrems II.

The new SCCs were adopted on 4 June 2021 and came into effect on 27 June 2021.37 Organisations must use the new SCCs for any new transfers after 27 September 2021.38 Existing transfers under old SCCs must transition to the new ones by 27 December 2022.39

33 See, Global data transfer uncertainty undermines EU digital ambitions, Luca Bertuzzi, 09 July 2021, https://www.euractiv.com/section/data-protection/news/global-data-transfer-uncertainty-undermines-eu-digital-ambitions/ (Last accessed on 12 July 2021).
34 See, EDPB Recommendations on Supplementary Measures, https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf (Last accessed on 12 July 2021).
35 Ibid.
36 See, Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, Official Journal of the European Union, https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF (Last accessed on 12 July 2021).
37 Supra Note 16.
38 See, Clauses 2 and 3, Article 4, SCCs.
39 See, Clause 4, Article 4, SCCs.

The new SCCs retain several sections of the earlier version, though the look and feel of the SCCs differs substantially from the last version.40 Substantively, the new SCCs recognise situations where data controllers reside outside the EU but may still be subject to the GDPR. This helps global multinationals subject to the GDPR comply with it better. They also incorporate ‘docking clauses’ which enable the addition of parties to the SCCs at a later date.41

Codifying Schrems II

The new SCCs codify the Schrems II requirement of case-by-case assessments. They require the parties to warrant that the laws and practices of the third country will not prevent the importer from fulfilling its obligations under the SCCs.42 To provide this warranty, the parties need to consider:

i. the circumstances of the data transfer, including the category of personal data transferred, the transmission channels used, the type of recipient, the purpose of processing, the economic sector in which the transfer occurs, etc.;
ii. the laws and practices of the third country on disclosure of personal data to public authorities; and
iii. any relevant contractual or technical safeguards put in place to supplement the safeguards under the SCCs.43

This assessment also needs to be documented by both parties and provided to relevant supervisory
authorities upon request.

The footnote to Clause 14 of the SCCs is significant. In assessing the third country’s ‘law and practice’, it allows the parties to rely on relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or “the absence of such requests”. So, the new SCCs allow a risk-based approach rather than a theoretical apprehension of data access by the government.44

In addition, the new SCCs set out obligations of the data importer in case of access by public authorities.45 These include:

• notifying the exporter in case it receives a request for data access;
• if it is prohibited from notifying the exporter, taking steps to seek a waiver;
• where permissible, providing the data exporter on a regular basis with as much relevant information as possible about the requests received;
• assessing the legality of the requests from public authorities and, where necessary, challenging the request; and
• providing the bare minimum required information to public authorities.46

40 There is now one umbrella document with general clauses, and then specific controller-processor, controller-controller, processor-controller, or processor-processor sections to choose from.
41 See, Clause 7, SCCs.
42 See, Clause 14, SCCs.
43 See, Clause 14, SCCs.
44 See, A deeper dive into the new Standard Contractual Clauses, Janine Regan, Marcus Evans, Lara White and Christoph Ritzer, 07 June 2021, and New Standard Contractual Clauses - Dentons’ initial analysis, 10 June 2021, https://www.dentons.com/en/insights/articles/2021/june/10/new-standard-contractual-clauses-dentons-initial-analysis?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=Social&utm_term=358020 (Last accessed on 12 July 2021).
45 See, Clause 15, SCCs.
46 Ibid.

(B) Principles for Analysing Foreign Country’s Law and Practice

We now discuss the benchmarks for the assessment of a third country’s laws. We describe how US surveillance law fared in Schrems II and the EDPB’s guidance on ‘essential guarantees’.

Assessment of US law in Schrems II

In assessing the Privacy Shield, the CJEU tested whether the US granted EU residents a level of protection equivalent to that in the EU. In doing so, the CJEU examined the:

i. US Foreign Intelligence Surveillance Act (FISA);
ii. Executive Order (E.O.) 12333; and
iii. Presidential Policy Directive 28 (PPD 28).

For reference,

• Section 702 of FISA allows the US Attorney General and the Director of National Intelligence to submit written certifications to the FISA Court to authorise surveillance of non-US persons in the US for up to a year.47 The officers need not demonstrate which non-US persons are covered, nor do they need to show a link to a crime. It is enough if they show that a significant purpose of the surveillance is to obtain ‘foreign intelligence’ and attest to minimum safeguards.
• EO 12333 deals with the collection of foreign ‘signals intelligence’.
• PPD 28 introduced some restrictions on signals intelligence activities but allowed bulk collection of data.48
The CJEU observed that:

• Government access to data should be proportionate and strictly necessary to the legitimate objectives it pursues: The CJEU held that the seriousness of the interference should be proportionate to the public interest aim being pursued and balanced against the rights of the data subject.49 There should be a defined scope of limitation on the exercise of the right, clear and precise rules governing the scope and application of the measure in question, and minimum safeguards.50

Section 702 of FISA allowed US intelligence agencies to conduct foreign intelligence surveillance programmes without limitations or guarantees for non-US citizens targeted by these programmes.51

The Foreign Intelligence Surveillance Court (FISC), instituted under FISA, does not assess or authorise individual surveillance measures, but rather approves surveillance programmes such as PRISM and UPSTREAM.

The CJEU observed that the FISA Court did not undertake the case-by-case assessment that the principles of the GDPR and the EU Charter require to satisfy proportionate and necessary action.52 EO 12333 allowed ‘bulk’ collection of data, without access to such data by US intelligence being subject to any judicial review. Both Section 702 of FISA and EO 12333 showed a lack of clear and precise rules or minimum safeguards.

• Effective legal remedies available to EU data subjects: The relevant FISA provisions, E.O. 12333 and PPD 28 failed to grant EU data subjects any rights actionable in courts against US authorities.

The CJEU noted that this failed to meet the threshold of effective and enforceable rights,53 and that the presence of the Privacy Shield ombudsperson did not remedy this gap (see below).

• Independent oversight: The Privacy Shield had an ombudsperson framework to enforce privacy rights. This was tested against the requirement that data subjects should have the right to bring a legal action before an impartial or independent court or authority (judicial or administrative).

The CJEU observed that even though the ombudsperson is defined as ‘independent from the Intelligence Community’, she was required to report directly to the US Secretary of State.54 This could stand in the way of her discharging her duties without any influence. Additionally, the Ombudsperson was appointed by the Secretary of State and was an integral part of the US State Department. This affected her independence from the executive. The judgment also pointed out that the Ombudsperson did not have the power to adopt decisions binding on the intelligence services. The CJEU held that the Ombudsperson mechanism lacked independence and failed to meet the adequacy threshold.

47 See, US surveillance: s702 FISA, EO 12333, PRISM and UPSTREAM, Richard Lawne, 13 August 2020, https://www.fieldfisher.com/en/insights/us-surveillance-s702-fisa-eo-12333-prism-and-ups (Last accessed on 12 July 2021).
48 See, Para 183, Schrems II.
49 See, Para 176, Schrems II.
50 See, Para 180, Schrems II.
51 See, Para 180, Schrems II.
52 See, Para 45, Schrems II.

Two key considerations here are relevant to the Indian law analysis.

First, US law differentiates between criminal investigations or routine law enforcement involving US persons (for which the high standard of a ‘probable cause’ warrant needs to be met), and foreign intelligence investigations involving non-US persons (for which the FISA process or EO 12333 are invoked). So, US persons typically have greater rights when compared with non-US persons. This is an interesting point of contrast with Indian law, which, as such, does not differentiate between Indian citizens and non-Indian citizens when it comes to redress against privacy interferences.55 This could play a role in making a stronger case for ‘effective remedies’ under Indian law (see Part III analysis).

Second, EU courts’ application of the standards has not always been consistent. Critics of Schrems II point out that EU member state law would not meet the standards expected from US law under Schrems II.56 Some scholars have called out ‘double standards’, arguing that the CJEU chose to apply the strictest set of requirements when assessing US law, which EU member states may not meet.57 They note, for instance, that French law allows bulk foreign surveillance for a broad range of purposes (‘major interests of French policy’ or the ‘major economic, industrial or scientific interests of France’), without prior authorisation by a court or an independent administrative authority.58 In Big Brother Watch, the ECtHR acknowledged bulk surveillance to be an essential intelligence capability.59 While the programme was eventually found inadequate, that was because of a lack of sufficient oversight over certain processes and inadequacy of safeguards,60 and not because of bulk collection per se.

On oversight, in Big Brother Watch, the ECtHR found that the power to authorise bulk surveillance need not rest with a judicial or administrative authority.61 Under the UK law in question, warrants for interception were issued by the Secretary of State, but the ECtHR found adequate oversight through the ‘Interception of Communications Commissioner’. The ECtHR observed that the Commissioner was independent of the executive and the legislature, had held high judicial office, and was tasked with overseeing the general functioning of the surveillance regime. The Commissioner reported annually to the Prime Minister, and his report was a public document laid before Parliament. Therefore, even though warrants were authorised by the Secretary of State, the Commissioner provided ‘sufficient’ independent oversight.62 Also, the French authority that oversees surveillance is composed of political appointees, a factor that played into the assessment of the ‘independence’ of oversight in Schrems II.63

This suggests there may be some margin in interpreting EU principles. The EDPB’s recommendations on ‘essential guarantees’ help in this context.

53 See, Para 192, Schrems II.
54 See, Para 195, Schrems II.
55 See, Article 21, Constitution of India.
56 See, Geopolitical Implications of the European Court’s Schrems II Decision, Kenneth Propp and Peter Swire, 17 July 2020, https://www.lawfareblog.com/geopolitical-implications-european-courts-schrems-ii-decision (Last accessed on 12 July 2021).
57 Supra Note 11.
58 Ibid.

European Data Protection Board’s recommendations on ‘essential guarantees’64

Essential guarantees are requirements that the third country must have in place when processing EU residents’ data. We break down the guarantees into questions, to help streamline the analysis of Indian law in later sections.

Sn. Essential guarantee and what needs to be assessed

1. Processing should be based on clear, precise, and accessible rules.
   • Is there a legal basis for the intrusion?65
   • Are the rules clear and precise, i.e., is there enough clarity on who the rules apply to, the duration of surveillance, the procedure to be followed, and the precautions to be taken while communicating the data to others?66
   • Are the rules accessible, i.e., can individuals understand the circumstances under which authorities can resort to such measures?67

2. The intrusion should be necessary and proportionate to the objective.
   • Is the seriousness of the interference balanced against the intended objective?68
   • Are there minimum safeguards providing individuals sufficient guarantees against abuse?69
   • Does the law allow generalised storage of data without differentiation or limitation, without any objective criterion defining limits of access (bulk storage and access without limitation)?70
   • Is there a connection required to be established between the data retained and the objective sought to be achieved?71

3. An independent oversight mechanism should exist.
   • Is there an effective, independent, and impartial oversight system that consists of either a judge or another body sufficiently independent from the executive?72
   • Does this independent oversight occur during the implementation of the surveillance measures?73 (Although not essential, this can be a contributing factor in assessing whether oversight is adequate.)

4. Effective remedies need to be available to the individual.
   • Does the law allow an individual to pursue legal remedies against state action?74
   • Are individuals told about the intrusion, and if not, is this because notification would jeopardise the tasks of the authorities processing such personal data?75
   • Can the legality of the surveillance be challenged retrospectively after the data subject is notified of the surveillance?76
   • Can a data subject who suspects that their communications are being intercepted apply to courts for relief without an explicit notification that their communications are being intercepted?77
   • Can the court order the authority to grant the data subject access to their personal data or obtain a rectification or erasure of such data?78

59 See, Para 384, Big Brother Watch.
60 See, Para 387, Big Brother Watch.
61 See, Para 381, Big Brother Watch.
62 See, Paras 378 and 381, Big Brother Watch.
63 In November 2020, among other things, the CJEU ruled on the French Intelligence Act, 2015 pursuant to a case filed by La Quadrature du Net, French Data Network, and the Federation of Associative Internet Service Providers. It was alleged that (i) the Act infringed the French Constitution and the European Convention for the Protection of Human Rights and Fundamental Freedoms, and (ii) the collection and use of personal data under the French intelligence regime was not subject to any prior authorisation by a court or an independent entity. The CJEU observed that any retention or collection of location or traffic data by electronic communications services should be subject to review by a court or by an independent administrative authority. However, the court did not question the ‘independence’ of the French commission (Commission nationale de contrôle des techniques de renseignement) responsible for examining the requests made by intelligence agencies. The Commission is composed of two deputies, two senators, two members of the Council of State, two magistrates, and an expert in the field of electronic communication, https://curia.europa.eu/juris/document/document.jsf?docid=232084&doclang=en (Last accessed on 12 July 2021).
64 See, EDPB Recommendations on the European Essential Guarantees for Surveillance Measures, https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf (Last accessed on 12 July 2021).
65 See, Para 26, EDPB guidance on Essential Guarantees.
66 Ibid., Para 27.
67 Ibid., Para 28.

Under each of the guarantees, there is a range of principles/questions to be considered. While some are minimum standards, such as the need for a ‘law’ authorising surveillance, others allow some margin, rather than being bright-line considerations. For instance, while judicial oversight of requests is preferred, it is not the only way of meeting the independent oversight standard. We account for this in our analysis in Part II.

68 Ibid., Para 33.
69 Ibid., Para 35.
70 Ibid., Para 37.
71 Ibid., Para 38.
72 Ibid., Para 39.
73 Ibid., Para 40.
74 Ibid., Para 43.
75 Ibid., Para 44.
76 Ibid., Para 45.
77 Ibid.
78 Ibid., Para 47.

PART – II: ANALYSIS OF INDIAN LAW

There are several Indian laws across sectors that allow data access by public authorities. Theoretically, several of these laws apply to both ‘Indian’ and ‘foreign’ data. However, an assessment of the laws indicates that most of these are unlikely to apply to foreign data that flows in from an EU organisation to an Indian data controller or processor, in a way that attracts Schrems II or would be relevant in undertaking the case-by-case assessment required under the new SCCs.

For reference, in Schrems II, the CJEU examined FISA, EO 12333 and PPD 28. These laws authorised ‘foreign intelligence’ surveillance and apply to data access concerning non-US persons.79 While there may be a host of other US laws with data access provisions, this was the set of laws assessed, as it involved foreign intelligence surveillance and access to EU data.
To identify the set of Indian laws relevant for this analysis, we:

1. mapped data access provisions across 273 laws, spanning IT, banking and finance, health, and telecom laws (the list of all laws is in Annexure II);
2. identified provisions in those laws that allowed LEAs to seek data and excluded those without data access provisions (this classification is set out in Annexure II). Based on this exercise we identified a total of 40 laws/regulations, of which 29 pertained to regulation of the BFSI sector, 4 pertained to regulation of healthcare and allied sectors, 6 pertained to IT and telecom laws and regulations, and 1 was a general law;
3. for these 40 laws within the scope of analysis, we examined whether the laws applied to a situation of data transfer by an EU entity to an Indian data processor or controller, identified situations that do not involve such imports, and further identified any edge cases or instances where the likelihood of the law being invoked for data access of EU residents is low but there remains a theoretical possibility (these are identified in Annexure I).

We finally narrowed down to a select set of 3 laws/regulations, the ‘key laws’, that are most routinely invoked for data access potentially covering EU data that flows in. We also include India’s forthcoming PDP Bill in this analysis. The key laws (including the PDP Bill) are:

i. the Information Technology Act 2000 and its rules allowing access to data by LEAs, rules for
interception and for collecting traffic data;
ii. the Criminal Procedure Code 1973;
iii. the Telegraph Act 1885 and rules, which set forth the procedure and safeguards for
intercepting telecommunications; and
iv. the PDP Bill.

We analyse these laws against the EDPB ‘essential guarantees.’ Given the margin in EU standards, it
is difficult to conclude how certain aspects of these laws will fare against EU principles. We attempt
a preliminary risk-assessment, based on EDPB’s guidance and Schrems II principles.

79 Data access of US persons, on the other hand, is governed by different laws, such as the Electronic Communications Privacy Act, and importantly, is protected by the US Fourth Amendment constitutional guarantee. In contrast, as such, Indian surveillance law does not deal differently with investigations or intelligence involving Indian citizens and ‘foreign intelligence’ involving non-Indians. The fundamental right to privacy is available to citizens and non-citizens (Article 21).

We offer a matrix of how likely it is for a law/regulation to be viewed adversely by an EU authority, using three ratings:

• Specific Concerns Exist
• Potential Concerns Exist
• Aligned with European Essential Guarantees

In a nutshell, Indian surveillance law is primarily found in:

1. the Information Technology Act 2000 (IT Act) and rules for interception when it comes to
accessing electronic information; and
2. the Telegraph Act 1885 and rules under it for interception of communications.

India has programmes like the National Intelligence Grid (NATGRID) (a framework to connect security agencies with data providers like banks, railways, telecom, etc. for counterterrorism/intelligence purposes) and the Central Monitoring System (CMS) (a framework to enable central and regional databases to help law enforcement with interception and monitoring). There are no separate laws authorising these. According to the government, orders for interception under these programmes are made under the IT Act framework and the Telegraph Rules.80

Further, general criminal procedure law, the Criminal Procedure Code 1973 (CrPC), is often invoked by police officers to seek access to stored data (such as emails and subscriber information) from organisations.81

In addition to these laws, case law has added to the jurisprudence on permissible government access to data. In 2017, the Indian Supreme Court recognised the fundamental right to privacy in K.S. Puttaswamy v. Union of India.82 In this decision, the Court laid down a test to decide if state action interfering with privacy was valid. In our analysis below, we do not factor in this test, since there is minimal guidance on the application of the test so far. But, in Part IV, we discuss whether the Puttaswamy test could shift the assessment from ‘high risk’ to ‘medium’ or ‘low risk’ in some cases.

Information Technology Act, 2000 and Rules

Significance: The IT Act is the primary legislation that governs surveillance/interception of ‘electronic data’. It also deals with electronic transactions, data privacy and security.

1. The Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules 2009 (Interception Rules) set out the procedure for interception under the IT Act.
2. The Information Technology (Procedure and Safeguards for Collection of Traffic Data) Rules 2009 set out the procedure for collection of ‘traffic data’ (this is similar to the Interception Rules, and so we do not deal with it separately).
3. Lastly, a general obligation to assist LEAs has been placed upon intermediaries under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (IL & DMEC Rules), which require intermediaries to respond to requests from LEAs within 72 hours of receiving such requests. Such requests may extend to any assistance, including access to data.

80 See, Centre urges Delhi HC to dismiss petition seeking stoppage of data collection through CMS, NATGRID, NETRA, ANI, 05 February 2021, https://www.aninews.in/news/national/general-news/centre-urges-delhi-hc-to-dismiss-petition-seeking-stoppage-of-data-collection-through-cms-natgrid-netra20210205143638/ (Last accessed on 12 July 2021).
81 See, Section 91, CrPC.
82 Supra Note 20.

It remains unclear if the Interception Rules would remain applicable for access requests under the IL & DMEC Rules.

Applicability to EU ‘imported’ data: The IT Act does not differentiate between data of Indians and others. Government agencies/LEAs may issue orders for interception or monitoring of anyone, which could include EU residents. The data accessed could include personal data of EU residents that has been transferred by an EU entity to an Indian company.

Process under law: Section 69 of the IT Act empowers both the central and state governments to direct the interception, monitoring or decryption of any electronic information if it is necessary in the interests of the sovereignty and integrity of India, the security of the State, public order, or for preventing incitement to the commission of an offence relating to the above. The Interception Rules:

i. contain guidelines and procedures which set out the manner in which LEAs can direct the interception/monitoring/decryption, and
ii. provide for the establishment of a review committee to periodically review the interception orders and their compliance with Section 69.

Takeaway – Potential Concerns Exist

Overall, there are some key differences between US and Indian laws that may strengthen the Indian case. For instance, the IT Act and rules have some minimum safeguards, such as procedures for orders and review, a shorter duration of interception, and targeted orders. Further, there is no difference in the treatment of Indian and EU residents in access to judicial remedies through writ jurisdiction. However, the independence of the oversight mechanism under the IT Act (as in US law) is in question, owing to the lack of any judicial/legislative oversight. One could argue that writ jurisdiction allows an effective channel of redress and oversight beyond the Review Committee. However, the ultimate assessment will need to be based on actual practice: routine issuance of interception orders, without application of mind or oversight, might raise additional concerns from the point of view of adequacy vis-à-vis the European Essential Guarantees.

Detailed Analysis:

Principle: Clear, Precise and Accessible Rules

Legal basis: The Interception Rules are rules framed by the central government. The power to order interception is thus derived from delegated law and not set out in a statute. Privacy advocates have called for surveillance laws to be codified in statute, saying delegated legislation will not suffice given the degree of intrusion.83 However, Indian case law recognises statutory rules as ‘law’ for testing any intrusion into privacy.84 On similar lines, EDPB guidance calls for assessing whether the law is ‘legally binding’ under domestic law.85 In Schrems II, EO 12333 and PPD 28 (which are orders and not statutes) were both examined, but not questioned on the issue of ‘legality’. So, the Interception Rules will likely meet the EU threshold of legality.

Clear, precise, and accessible rules: The Interception Rules set out the procedure for ordering interception, monitoring and decryption, such as who can order the interception, procedures for orders, limits on duration, the procedure for review, etc. There is also a set of grounds under which it can be invoked (security of the State, public order, etc.). In contrast, US FISA is far-reaching, in that it requires no connection with any act as such, and it would suffice to show that the person being surveilled was not a US person and the surveillance was for ‘foreign intelligence’ purposes. Since the Interception Rules do set out the minimum requirements for clarity and accessibility,86 it can be argued that they meet the EU threshold.

83 See, State of surveillance in India, Centre for Internet and Society, 29 March 2016, https://privacyinternational.org/long-read/1165/state-surveillance-india (Last accessed on 12 July 2021).
84 See, Shreya Singhal vs. Union of India, (2015) 5 SCC 1, https://www.meity.gov.in/writereaddata/files/Honorable-Supreme-Court-order-dated-24th-March%202015.pdf (Last accessed on 12 July 2021).
85 See, Para 27, EDPB Essential Guarantees.

Principle: Necessity and Proportionality

Proportionality, through minimum safeguards: The Interception Rules have some safeguards to protect personal data against the risk of abuse, such as:
• limits on the duration of interception,
• the authorities that can order this, and
• the requirement that the authority can only issue an interception order when it is not possible to obtain the information by any other means.87

An additional layer of comfort in the context of digital interception is that the language of the Interception Rules is based on the guidelines laid down by the Supreme Court of India for telephonic interception under the Indian Telegraph Act 1885. In People’s Union for Civil Liberties (PUCL) v. Union of India, the Supreme Court set out certain guardrails against the government’s use of its powers of surveillance/interception. It could be argued that this meets the requirement of minimum safeguards.

However, actual practice could be a relevant factor here. Certain commentators observe that in practice, interception orders are issued routinely without application of mind.88 Such commentators have called out Indian surveillance programmes like NATGRID and CMS in this regard. In December 2018, over 10 agencies were authorised to issue interception requests, adding to concerns around bulk collection of data;89 however, all interception continues to be based on the procedure under the Interception Rules for issuing interception orders.90 Therefore, it needs to be evaluated whether there exists any evidence of systemic and routine issuance of interception orders without application of mind and without prior judicial or other independent oversight (see below). If such evidence exists, then there may be concerns.

Ordering interception for what is strictly necessary: The Interception Rules allow the government to seek interception and monitoring only when it is in the interests of the sovereignty and integrity of India, the security of the State and public order. It can be argued that the IT Act allows the government to access data strictly for fulfilling these legitimate state aims. Privacy advocates have argued that these grounds are wide and far-reaching.91 However, similar broad purposes have been found by EU member states/authorities to meet the standards before. For instance, French law allows bulk foreign surveillance for a broad range of purposes, including ‘major interests of French policy’ or the ‘major economic, industrial or scientific interests of France’. Also, in comparison to FISA, which requires no link to criminality or objective grounds, the IT Act does set out grounds that are consistent with restrictions recognised in the Indian Constitution. This helps in meeting the necessity threshold.

86 See, Para 30, EDPB Essential Guarantees.
87 See, Rules 4, 8, and 11 of the Interception Rules.
88 See, CPIL and Anr vs. Union of India and Others – Delhi High Court, Sflc.in, 12 February 2020, https://sflc.in/legal-challenge-cpil-and-sflcin-surveillance-projects-cms-natgrid-and-netra (Last accessed on 12 July 2021); See also, No blanket permission given for surveillance under NETRA, NATGRID: Centre to HC, The Economic Times, 05 February 2021, https://economictimes.indiatimes.com/news/defence/no-blanket-permission-given-for-surveillance-under-netra-natgrid-centre-to-hc/articleshow/80706304.cms?from=mdr (Last accessed on 12 July 2021).
89 See, Ministry of Home Affairs, Cyber and Information Security Division, 20 December 2018, https://egazette.nic.in/WriteReadData/2018/194066.pdf (Last accessed on 12 July 2021).
90 Supra Note 88.
91 See, Supreme Court issues notice on IFF's petition for surveillance reform, Internet Freedom Foundation, 14 January 2019, https://internetfreedom.in/supreme-court-issues-notice-on-iffs-petition-for-survelliance-reform-saveourprivacy/ (Last accessed on 12 July 2021).

Independent Oversight:
Composition of the committee poses a threat to its independence: The IT Act and Rules do not provide for prior judicial oversight of interception requests, which per the EDPB is an important safeguard, though not the only way of ensuring independent oversight.92 Under the Interception Rules, a Review Committee consisting entirely of members of the executive branch reviews interception orders after they have been issued (no prior oversight). Given that government agencies themselves are responsible for making surveillance requests, the absence of any independent judicial member or subsequent judicial/parliamentary oversight over the functioning of the Review Committee raises a concern with regard to the European expectations of independent oversight. This is comparable to the CJEU’s decision in Schrems II, where it found the privacy ombudsman to be inadequate as the ombudsman was in some way part of the US executive. (This may be subject to the question of effective remedies below, as EU residents may still be able to bring cases before Indian courts through writ jurisdiction.)

Effective Remedies:
Statutory remedies: There is no remedy in the IT Act or Rules. No notice is given to individuals that alerts them that their data is being intercepted. This is a concern since the person surveilled will never know they were being surveilled, impeding their right to an effective remedy. However, notification to individuals is not a prerequisite to meeting the threshold, per EDPB guidance,93 if there is an effective channel for redress through courts with no obstacles to approaching them.94 Under US law, EU residents faced significant obstacles in bringing actions before courts due to standing requirements that were hard to justify.95 This may contrast with Indian law (see below).

Other remedies: Interception of messages by the government infringes the fundamental right to privacy of individuals (including EU data subjects). The right to privacy stems from Article 21 (right to life and personal liberty) of the Constitution of India. It affords non-citizens the opportunity to approach Indian courts for infringement of their fundamental rights. Therefore, even though there are no specific remedies available under the IT Act, EU data subjects would be able to move the Supreme Court under its writ jurisdiction (Article 32) for violation of their right to privacy. Additionally, explicit notification of such surveillance may not be necessary for the purpose of seeking legal relief. Also, the powers of a Constitutional Court of the High Court/Supreme Court are wide enough to allow the passing of an order requiring grant of access to the individual or to permit rectification/erasure of that data.96

92 See, Para 42 of EDPB Guidance.

93 See, Para 44 of EDPB Guidance.

94 See, Para 45 of EDPB Guidance.

95 See, Para 65, Schrems II.

96 See, Articles 32, 142 and 226, Constitution of India.

Indian Telegraph Act 1885 and Telegraph Rules
Significance: The Indian Telegraph Act, 1885 (Telegraph Act) sets out the ‘exclusive privilege’ of the Central Government for the ‘establishment, working and maintenance of a telegraph’. The term ‘telegraph’ has been widely defined to include all forms of telecommunication equipment, wired or wireless, and includes all voice or data in any form.
The Unified License (UL) sets out the terms under which telecom operators can provide their
services.97 The UL is issued by the government under its powers under Telegraph Act and it therefore
is subject to the same limits and controls on interception, as the Telegraph Act.

Also, voice based business process outsourcing service providers are regulated by the Department
of Telecommunications under the Other Service Providers (OSPs) Guidelines.98 These guidelines
may be relevant when an EU data controller seeks voice based business process outsourcing
services from a data processor in India. OSPs could receive requests for interception/ access to data
under applicable law.

Applicability to EU ‘imported’ data: The Telegraph Act does not differentiate between domestic
and foreign data. Government agencies/LEAs may seek any data as may be required by them for the
purpose of investigation through the provisions of this Act.
Process under law: Section 5(2) of the Telegraph Act empowers both the central and state governments to direct interception of any message to or from any person transmitted or received by any telegraph, if the government is satisfied that it is necessary in the interests of the sovereignty and integrity of India, the security of the State, or public order, or for preventing incitement to the commission of an offence. The procedure for interception under the Telegraph Act is governed by the Indian Telegraph Rules (Amendment) 2007 (Telegraph Rules). Rule 419A of the Telegraph Rules provides that a competent officer should consider if there are any alternate means of acquiring the information before issuing an interception order. The Rules also provide for the establishment of a committee to periodically review the orders of interception and their compliance with the Telegraph Act. The Telegraph Rules are similar to the Interception Rules.

In addition, the UL Security Conditions require licensed telecom operators in India to provide facilities and co-operation to protect the security and sovereignty of the State and to enable lawful interception of communications. With respect to lawful interceptions, Clause 39.2 of the UL requires licensees to retain all “commercial records/ Call Detail Record (CDR)/ Exchange Detail Record (EDR)/ IP Detail Record (IPDR) with regard to the communications exchanged on the network.” While these terms are not defined, they could include all information pertaining to the endpoints in the network. For instance, Call Data Records could include personal information such as the phone number and location of a European citizen who makes a call to India. The provision requires such data to be stored for a period of at least one year and destroyed thereafter, unless the Government requires the information for security purposes. Similarly, the OSPs Guidelines require the business process outsourcing operator, as the data processor, to store Call Data Records for a period of one year.
Analysis: The Telegraph Rules have been incorporated by reference under the Interception Rules under the IT Act. As a result, the Review Committee instituted under the Telegraph Rules is also tasked with discharging its functions under the Interception Rules, and the associated procedural safeguards under the Telegraph Rules are equally applicable to the IT Act, the Interception Rules and the IT Blocking Rules. Therefore, our analysis of the IT Act and Rules is equally applicable to the Telegraph Act and the Telegraph Rules.

97 See, Unified License Agreement, Available at URL: https://dot.gov.in/sites/default/files/Unified%20Licence_0.pdf (Last accessed on 12 July 2021); In addition to the UL, the Department of Telecom also issues a ULVNO license for Virtual Network Operators. However, ULVNO license holders are dependent on UL operators to provide their services. Furthermore, the terms of the ULVNO license are identical in terms of interception and monitoring. Therefore, our assessment of the licenses has been limited to the UL alone.

98 Guidelines for OSPs, 23 June 2021, Available at URL: https://dot.gov.in/sites/default/files/Revised%20OSP%20Guidelines.pdf (Last accessed on 12 July 2021).

Criminal Procedure Code, 1973

Significance: The Criminal Procedure Code 1973 (CrPC) is a procedural law detailing all aspects of
criminal investigation, prosecution, and sentencing, along with The Indian Evidence Act and The
Indian Penal Code (IPC). LEAs must adhere to procedures laid out in the CrPC while investigating
criminal complaints and undertaking any type of investigative work that involves access to
evidence/surveillance of Indian residents.

Applicability to EU ‘imported’ data: The CrPC does not differentiate between domestic and foreign data. Government agencies/LEAs may seek any data as may be required by them for the purpose of investigation. This could include data about EU residents that has flowed into India.
Process under law: Section 91 empowers a court to issue a summons, or a police officer-in-charge of a police station to issue a written order, to any person to produce a document. The court/police officer can do so if production of the document is ‘necessary’ or ‘desirable’ for any investigation, inquiry, trial, or other proceeding. Additionally, Section 93 of the CrPC sets out the procedure for the issue of a search warrant by a court when it has reason to believe that the person on whom a request under Section 91 was served will not comply with the request. It also explicitly permits general warrants where the information sought is not known to be in the person’s possession or if it is considered to be relevant to the purpose of investigation/trial, which is not the case in comparable procedural rules in other jurisdictions such as the UK.99

Takeaway – Specific Concerns Exist

CrPC sections 91 and 93 do not contain minimum safeguards or limitations and are unlikely to meet the proportionality threshold or the requirement of clear and precise rules. Also, if in practice Section 91 is routinely used by police officers to seek data from organisations without sufficient individualised application of mind, there is a high risk of an adverse view from EU authorities.

Detailed analysis:

Principle Analysis

Clear, Precise and Accessible Rules:
Legal basis: The power to seek production of documents is set out in statute (the CrPC). And so, the legality threshold is met.

Clear, Precise and Accessible: The provision does not offer much by way of procedures. It does not set out the minimum details required per EDPB guidance as to duration of surveillance, rules for storage and access, and precautions while communicating the data to others. Although the individual order/summons under the provision may provide this, we understand that this is often not the case in practice. Do note that our research did not reveal any documented study to provide evidence of practical experience. Given the reliance on actual experience under the EDPB’s guidance and the new SCCs, such evidence might be crucial to any evaluation.

99 Rules 17.5 and 17.6, Criminal Procedure Rules, 2015, Available at URL: https://www.legislation.gov.uk/uksi/2015/1490/contents/made (Last accessed on 12 July 2021); The requirement to produce a document pursuant to summons is exercised exclusively by Courts upon an application and assessment as to the relevance and existence of such documents by the Courts. Moreover, the Court is empowered to allow objections to the production of such documents on the grounds of applicable duties and rights, including the right of confidentiality, of the person served with such summons.

Necessity and Proportionality:
No minimum safeguards: Section 91 does not set out details on duration of interception, etc. It also does not require LEAs to balance the intended objective and the intrusion, but there is one qualification, that the document must be ‘necessary’ or ‘desirable’.

The safeguards contained in the provision are that:
(i) a ‘written’ order is required when it is issued by a police officer,
(ii) the provision allows courts to issue summons (typically, this will involve LEAs approaching courts for issuing such summons, thereby bringing in an additional level of oversight), and
(iii) orders can be issued only if information is ‘necessary or desirable’.

In Om Parkash Sharma v. CBI, the Supreme Court observed that the language of Section 91 would indicate “the width of the powers to be unlimited” but “the in-built limitation inherent in it takes its colour and shape from the stage or point of time of its exercise, commensurately with the nature of proceedings as also the compulsions of necessity and desirability, to fulfil the task or achieve the object”. This indicates the requirement of application of mind to an individual case.

Necessity: Section 91 notes that only information “necessary or desirable” is summoned. So, a connection is required to be established between the data in question and the objective.

However, in practice, this provision appears to be invoked routinely by Indian police100 to seek data from organisations, with no accompanying limits on duration of access, how the accessed data will be stored or used, etc. This is likely to make it difficult to meet the proportionality and strict necessity threshold.

Independent Oversight:
No independent oversight: There are two ways in which documents can be sought under this provision. When a court issues summons, there is independent oversight over the police officer. However, a police officer can also directly seek information through a written order.

We gather that this is the most common way of invoking Section 91.101 The provision is therefore used to obtain information and pass orders without any independent oversight.102 (Since there is a written order, it may be challenged in court under the regular criminal process or under a court’s writ jurisdiction, discussed below.)

Effective Remedies:
Statutory remedies: No effective remedy exists in the provision itself, nor is there a specific provision for appeal in the CrPC against such orders. Typically, police officers file a report/charge sheet after investigation. Magistrates take cognizance based on this and the trial commences. The magistrate can consider the police report and accompanying documents and declare that the charge is groundless.103 In this assessment, since there is a written order, the order may be challenged before the concerned magistrate. In any case, the order can be challenged under writ jurisdiction.

Other remedies: There are remedies under writ jurisdiction for violation of the right to privacy. The right to privacy stems from Article 21 (right to life and personal liberty) of the Constitution of India, as was held by the Indian Supreme Court in K.S. Puttaswamy. It affords non-citizens the opportunity to approach Indian courts for infringement of their fundamental rights. Therefore, even though there are no specific remedies available, EU data subjects would be able to move the Supreme Court under its writ jurisdiction (Article 32) for violation of their right to privacy. Additionally, the powers of a Constitutional Court of the High Court/Supreme Court are wide enough to allow the passing of an order requiring grant of access to the individual or to permit rectification/erasure of that data.

100 See, India-US data sharing for law enforcement, Observer Research Foundation and Georgia Tech Institute for Information Security and Privacy, 2019, https://www.orfonline.org/wp-content/uploads/2019/01/MLAT-Book-_v8_web-1.pdf (Last accessed on 12 July 2021).

101 See, Zafarul told to join probe over controversial post, The Hindu, 16 June 2020, https://www.thehindu.com/news/cities/Delhi/zafarul-told-to-join-probe-over-controversial-post/article31837365.ece (Last accessed on 12 July 2021); See also, Meghalaya Police Issue ‘Notice’ to News Portal, Seeking Source of Report on Ex-CM, The Wire, 14 August 2019, https://thewire.in/media/meghalaya-police-notice-news-report (Last accessed on 12 July 2021).

102 See, Freedom in the Net, Sflc.In, 19 March 2013, https://sflc.in/s91-crpc-omnipotent-provision (Last accessed on 12 July 2021).

103 See, Section 239, CrPC.

The Personal Data Protection Bill, 2019


Significance: The PDP Bill requires all entities to abide by certain requirements when handling personal data. It extends to processing by both private and public sector organisations. However, it does not replace the current IT Act processes for interception or for access to data. It has two notable exceptions:
(i) The PDP Bill allows the central government to exempt any of its agencies from all or any provisions of the law,104 for certain purposes including security of the State, friendly relations with other states, public order, etc.
(ii) The PDP Bill exempts data processing for investigation and prosecution purposes.105 However, this is not a blanket exemption (see Part III of the paper).
The PDP Bill is currently pending the review and opinion of the Joint Parliamentary Committee (JPC).
The report of the JPC may contain a significant number of material amendments to the PDP Bill as
tabled in Parliament in December 2019. The JPC report is likely to be tabled in the Winter Session
of the Parliament in 2021. Therefore, any review and assessment of the provisions of the PDP Bill
must be treated as provisional and subject to material changes upon the enactment of the data
protection law.
Applicability to EU imported data: The PDP Bill does not have enabling provisions for government access to data, in that the power to seek data will still be derived from the IT Act, Telegraph Act or CrPC provisions. But it is relevant to the analysis since the law adds certain obligations on government agencies when processing data for any purpose. At the same time, it also provides exemptions that could take away any additional protections. In this analysis, we discuss the exemptions. The analysis is incomplete since certain procedures and safeguards will be laid down under rules.

104 See, Clause 35, PDP Bill.

105 See, Clause 36, PDP Bill.

Analysis:

Principle Analysis

Clear, Precise and Accessible Rules:
Legal basis: The law allows the government to issue orders exempting any government agency from the data protection requirements. Statutory orders are considered ‘law’ for the purpose of intrusions into privacy in Indian law.106 And as long as they are ‘legally binding’,107 they will meet the EU legality threshold.

Clear, Precise and Accessible Rules: The provision leaves the procedure, safeguards, and oversight mechanism up to rules prescribed by the government. Such minimum requirements are not set out in the law. These can be evaluated only once prescribed by the government.

Necessity and Proportionality:
Minimum safeguards, to meet proportionality: The procedures, safeguards and oversight mechanism are not set out in the law, and the rules framed must be evaluated. The law has some safeguards: the reasons must be recorded in writing, and the order must be subject to the safeguards prescribed. However, the law allows exemption from ‘all or any’ provisions of the law, a sweeping exemption that may be viewed adversely.

Necessity: The law allows the government to order exemptions when ‘necessary or expedient’ in the interests of sovereignty and integrity of India, the security of the State and public order, and other grounds. It can be argued that it allows the government to access data strictly for fulfilling these legitimate state aims. Privacy advocates have argued that these grounds are wide and far-reaching.108 However, similar broad purposes have been found by EU authorities to meet the standards before. For instance, French law allows bulk foreign surveillance for a broad range of purposes, including ‘major interests of French policy’ or the ‘major economic, industrial or scientific interests of France’. Also, in comparison to FISA, which requires no link to criminality or objective grounds, the law does set out grounds that are consistent with restrictions recognised in the Indian Constitution. This may help meet the necessity threshold.

Independent Oversight:
Independent oversight: The oversight mechanism for individual orders under this provision will be prescribed by rules.

Effective Remedies:
Statutory remedies: Individuals can pursue remedies with the data protection authority under the law. But Section 35 allows the government to exempt an agency from ‘all’ provisions of the law. If blanket exemptions are granted, then individuals lose the option of approaching the data protection authority for redressal, which could potentially provide a direct remedy, making the case for meeting EU standards stronger.

Other remedies: There are remedies under writ jurisdiction for violation of the right to privacy. The right to privacy stems from Article 21 (right to life and personal liberty) of the Constitution of India, as was held by the Indian Supreme Court in K.S. Puttaswamy. It affords non-citizens the opportunity to approach Indian courts for infringement of their fundamental rights. Therefore, even though there are no specific remedies available, EU data subjects would be able to move the Supreme Court under its writ jurisdiction (Article 32) for violation of their right to privacy. Additionally, the powers of a Constitutional Court of the High Court/Supreme Court are wide enough to allow the passing of an order requiring grant of access to the individual or to permit rectification/erasure of that data.

106 Supra Note 84.

107 Supra Note 85.

108 Supra Note 91.

PART – III: CONCLUSION AND WAY FORWARD

The EDPB essential guarantees and the new SCCs offer some comfort to organisations trying to
understand the fallout of Schrems II on transfers to third countries.109
First, the new SCCs clarify timelines for transition. Existing contracts using the old SCCs can continue
until 27 December 2022. Organisations must transition to the new SCCs after that date.
Second, under the new SCCs, organisations must conduct a case-by-case assessment of Indian data
access laws and practices before transferring data.110 In this assessment, organisations can factor in
actual practice as well, i.e., the kind and actual number of requests received from public authorities
and under which law. This risk-based approach rather than a theoretical apprehension of data access
offers some relief because the actual requests received for government access to ‘imported’ data
may be limited. Therefore, in carrying out this case-by-case assessment, organisations may be able
to narrow down the set of laws to be analysed to those actually invoked in practice and relevant to
data ‘import’ situations. In our mapping and analysis in Part III, we suggest the universe of ‘key laws’
that may be relevant to data import situations. Data importers may supplement this with their
experiences to identify the set of laws relevant to their sector.
Third, while our analysis of the key laws throws up some specific concerns arising out of general
procedural laws, and applicable telecom and IT laws, overall, Indian law fares better than US
surveillance law. For instance, Indian law does not differentiate between Indian and foreign citizens
when it comes to approaching courts under their writ jurisdiction. This could help meet the threshold
of ‘effective remedy’.
In addition, critics of Schrems II argue that the CJEU chose to apply the strictest set of standards to
US law, which even EU member states may not be able to meet.111 EU courts’ application of standards
is not entirely consistent and may allow for some margin. For instance, EU law does not prohibit bulk
surveillance per se. As noted above, in Big Brother Watch, the ECtHR acknowledged bulk
surveillance to be an essential intelligence capability.112 While the programme was eventually found
inadequate, that was because of lack of sufficient oversight over certain processes and inadequacy
of safeguards,113 and not because of bulk collection per se.
Two other developments may strengthen the Indian case: (i) the decision in Puttaswamy; and (ii)
inclusion of additional safeguards through India’s data protection law.
Puttaswamy and limits to state action

As noted briefly in Part III, the Indian Supreme Court recognised the fundamental right to privacy in
Puttaswamy,114 with detailed opinions on different aspects of privacy, such as informational privacy
and government access to data. While recognising that the state could restrict an individual’s right
to privacy, the Court laid down a three-part test to decide if such state action was valid. It was held
that any intrusion into privacy should meet the requirements of –
(i) Legality – that the intrusion should be on the basis of valid law;
(ii) Necessity – that the intrusion should be accurately reflected in the law as being a legitimate state aim; and
(iii) Proportionality – that there must be a rational nexus between the objective for such intrusion and the methods employed to achieve it.115

109 See Infra Part I(A) of the Paper.

110 We have identified a narrow set of data access laws from our mapping exercise. For Methodology, See Infra.

111 See, Geopolitical Implications of the European Court’s Schrems II Decision, Kenneth Propp and Peter Swire, 17 July 2020, https://www.lawfareblog.com/geopolitical-implications-european-courts-schrems-ii-decision (Last accessed on 12 July 2021).

112 See, Para 384, Big Brother Watch.

113 See, Para 387, Big Brother Watch.

114 See, Puttaswamy, Supra Note 20.

A government order under any existing law must: first, abide by the procedures and safeguards
contained in that law, and second, meet the three-part test laid down by the Court in Puttaswamy.
The Bombay High Court in the case of Vinit Kumar v. Central Bureau of Investigations and Ors.116
dealt with the validity of intelligence agencies issuing orders under the Telegraph Act to monitor the
petitioner’s phone calls. The Bombay High Court applied the tests laid down in Puttaswamy, holding
that the interception orders satisfied none of the three tests in Puttaswamy and therefore these
orders were set aside.
Theoretically, the test is not too far away from the EU essential guarantees in certain respects. A
common minimum that emerged from different opinions issued in Puttaswamy was that the
requirement of derogations from Article 21 must be fair, reasonable and just. In the context of
surveillance and LEA access, any restriction on the right to privacy needs to be:
(i) backed by a law passed by the Parliament;
(ii) limited to achieve legitimate state aims;
(iii) proportionate to the aim sought to be achieved; and
(iv) accompanied by oversight and procedural safeguards to keep a check on the powers of the
State.117
But its actual application and limits will evolve through more cases on this, as more government
orders under existing laws are judged against this test. In any case, Puttaswamy helps lower the risks
associated with some of the key laws. For instance, one key concern with the Interception Rules is
the possibility of routine orders for bulk interception, without application of mind by an independent
authority. Puttaswamy requires an assessment of lesser intrusive measures for the same objective,
calling for the kind of individualised case-by-case application of mind, that EU standards lean
towards.

The Data Protection Law

India is in the process of finalising its data protection law. The law sets out data protection obligations
for all private and government bodies to follow. If applied to all bodies, including LEAs, this could
bolster the case for Indian law meeting EU standards. However, as discussed in the analysis above,
the draft law has certain wide exemptions that take away any protection granted, and which in fact,
may attract an adverse view from EU authorities.

The draft law allows the government to exempt any agency from the application of ‘all or any’
provisions of the law.118 Such exemptions can be granted through reasoned orders for purposes
such as security of the State, friendly relations with other states, public order, etc. Privacy advocates
have called the exemptions wide and imprecise,119 especially since the safeguards, procedures, and
oversight mechanism for this will be prescribed by rules.

115 See, Judgment Sanjay Kishan Kaul, Para 71, Puttaswamy.

116 See, W.P. 2367/2019; Para 19.

117 See, An Analysis of Puttaswamy: The Supreme Court's Privacy Verdict, Bhandari, Vrinda; Kak, Amba; Parsheera, Smriti; Rahman, Faiza, https://www.ssoar.info/ssoar/bitstream/handle/document/54766/ssoar-indrastraglobal-2017-11-bhandari_et_al-An_Analysis_of_Puttaswamy_The.pdf?sequence=1 (Last accessed on 12 July 2021).

118 See, Clause 35, PDP Bill.

119 See, Personal Data Protection Bill 2019 And Surveillance: Balancing Security And Privacy, Inc42, 11 July 2020, https://inc42.com/resources/personal-data-protection-bill-2019-and-surveillance-balancing-security-and-privacy/ (Last accessed on 12 July 2021).

The draft law also carves out an exemption for any data-processing for investigations, trials,
prevention, and detection of crime. Unlike Clause 35, this is not a blanket exemption. Certain limited
aspects of the law will continue to apply:
(i) Even when processing data for investigations, one must ensure that processing is for a ‘clear,
specific and lawful purpose’.120 This means LEAs are still ‘data fiduciaries’ under the law and
must be able to demonstrate that the processing is for a specific and ‘lawful’ purpose.
Arguably, one could read the Puttaswamy tests into this requirement of ‘lawful’ purpose.
(ii) The provisions establishing the data protection authority apply to investigations. These
include procedures for inquiry and investigations. Arguably, this could mean that individuals
can also approach the DPA if they suspect their personal data is processed ‘unlawfully’ by
LEAs.
The data protection law could play a key role in strengthening India’s data access framework. Some
proposals that could help strengthen the Indian case:
(1) Extending principles such as purpose limitation, retention safeguards and data minimisation to government access to data, adding additional layers of safeguards above the ones set out in existing laws. This will strengthen the case that Indian laws meet proportionality, by demonstrating sufficient safeguards and requiring individualised application of mind for data collection, access, and storage.
(2) Allowing individuals to challenge state action before an independent data protection regulator. A key concern in Schrems II was the absence of effective remedies for EU data subjects.
(3) Strengthening the independence of the regulator. The CJEU rejected the Privacy Shield ombudsperson as an ‘independent’ oversight mechanism since she could be considered part of the State Department.

120 See, Clause 4, PDP Bill.

ANNEXURE I

List of laws in the BFSI sector and Health Care that allow the Indian government or
authorities to access data, which could include ‘foreign data’

A. BANKING AND FINANCE LAWS

1. The Prevention of Money Laundering Act, 2000 (PMLA):121

Significance: The PMLA is India’s principal legislation to combat money laundering. It
requires banks, financial intermediaries, and financial institutions (“reporting entities”)
to collect certain information from their clients. 122 The law considers such clients to
either be direct customers of the reporting entities or the ultimate beneficiaries of such
customers (e.g., controlling shareholders of a company) of the reporting entities.123 The
identity of clients and their beneficiaries need to be verified through their identity
documents. The PMLA also sets out powers of LEAs to seek access to such client data
to investigate money laundering and other financial crimes. Reporting entities are
required to retain a broad swath of information pertaining to clients. This includes: (a)
identity information to verify the client; (b) transaction information (nature of
transactions, parties, date, amount, etc.) for some specified transactions, such as
foreign wire transfers above INR 500,000, that could enable the reconstruction of
individual transactions; and (c) all business correspondence with its clients.

Relevant provisions: Section 12A of the PMLA empowers the Director (appointed as an
enforcement authority under Section 49 of the PMLA) to seek from a reporting entity
‘any information’ that may be necessary for the purpose of an investigation. The
Director is directly appointed by the Central Government. The scope of information
that can be sought has not been specified and could also include the personal
information of EU subjects that may be in the possession of data processors suspected
of wrongdoing in India. LEAs can survey and seek information from any party, including
entering premises if necessary (Section 16). Such information can be sought if the
authorities have a ‘reason to believe’, as a result of ‘material’ in their ‘possession’, that
an offence under the PMLA is being committed at that premise; the Act does not
specify minimum standards for such material.

Applicability to EU ‘imported’ data: Under the PMLA, it is highly unlikely that the data
of an individual EU data subject would need to be disclosed to an Indian government
authority, by an Indian data processor. However, there is a scenario where an Indian
reporting entity may be required to disclose its business correspondence with its
European clients, and such correspondence could include information of EU data
subjects. The PMLA also gives the investigating authorities wide latitude to seek
information and records from suspected wrongdoers, who could include Indian data
processors processing the individual data of EU data subjects. This is particularly
significant as foreign banks from Europe operating in India such as BNP Paribas,
Deutsche Bank, Societe Generale etc. are not separately incorporated in India, but are
subject to the PMLA and they may have in their possession data relating to their
European customers. The PMLA does not limit its operation with respect to foreign
banks to the bank’s customers in India.

121 Available at URL: https://enforcementdirectorate.gov.in/PreventionOfMoneyLaunderingAct2002.pdf?p1=117211488412800032 (Last accessed on 12 July 2021).

122 Section 2(wa), PMLA.

123 Section 2(ha), PMLA.

2. Payment and Settlement Systems Act, 2007 (PSS Act):124

Significance: The PSS Act supervises and regulates payment systems operating in
India. The PSS Act also codifies the duty of a payment system to maintain confidentiality
of data and act in accordance with legal and regulatory frameworks that have been
established to protect individuals and their data.

Relevant provisions: Section 10 empowers the Reserve Bank of India (RBI) to determine
standards for payment systems, including terms and conditions and forms and
methods for payment systems. The RBI may call for returns, documents or any other
information from payment system providers and owners under Section 12.
Additionally, Section 13 explicitly asserts RBI’s right to access any information
relating to the operation of, providers of and participants in a payment system.
Sections 14 and 16 empower the RBI to enter and inspect any premises in the
course of its functions to inspect and audit under the Act.

Applicability to EU ‘imported’ data: The PSS Act does not differentiate between Indian
and foreign entities as long as they satisfy the RBI’s criteria to operate a payment system
in India. In such a situation, the personal data of the EU data subject could be disclosed
to Indian regulators.

3. Banking Regulation Act, 1949 (BR Act): 125

Significance: The BR Act provides the legal and regulatory framework to cover
commercial banking in India. It applies to Sec. 591 companies and therefore only sets
out minimum requirements and procedural standards for Indian and foreign entities
that are operational in India under relevant and applicable law.

124 Available at URL: https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/86706.pdf (Last accessed on 12 July 2021).

125 Available at URL: https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/BANKI15122014.pdf (Last accessed on 12 July 2021).

4. Income Tax Act, 1961:126

Significance and relevant provisions: The Income Tax Act sets out provisions dealing
with the levy, administration, and all connected aspects of the Income Tax regime in India.
The definitions clarify who a foreign company/non-resident individual is for the
purpose of taxation and the types of income that trigger taxation in India. The
provisions also clarify the application of Minimum Alternate Tax (MAT) at 15% of book
profit if the foreign company originates from a country which does not have a
Double Taxation Avoidance Agreement (DTAA) with India. The triggers for taxation
under these provisions only arise on showing proof of income accruing in India,
and foreign companies should establish some proof of residence in India.
India has been applying an equalization levy of up to 6% on entities offering digital
advertising services in India through S. 165A. Through a 2018 amendment to tax laws,
India introduced the concept of Significant Economic Presence (SEP), which
specifically targets digital entities. In March 2020, Parliament passed an amendment to
the Finance Bill which will impose a 2% equalization levy on entities selling goods and
services in the e-Commerce space.127 The levy will apply to entities that sell in, but do not
have a permanent entity in, the Indian market and have a turnover > INR 2 Crore in the
previous financial year. The taxation regime therefore depends on the foreign entity’s
relationship with India: either advertising/selling data to Indians, having a presence in
India and/or deriving some income in India. It therefore pertains to data generated in
India and does not concern itself with importing data from the EU.

5. Foreign Exchange Management Act, 2000 (FEMA):128

Significance: FEMA was enacted to regulate foreign exchange transactions in India and
to facilitate external trade and payments. It is applicable to foreign exchange and
securities, the export and import of any commodity and/or service, amongst other
aspects of sale, purchase and exchange. FEMA applies to authorised agencies for
foreign exchange management abroad but not to foreign nationals abroad. There is
no import of data of EU citizens as it pertains to foreign exchange from Indian currency
and not vice versa.

Relevant provisions: Section 7 requires all exporters of goods to provide ‘such other
information’ as may be required for the purpose of ensuring the realisation of export
proceeds by such exporter. Additionally, section 12 empowers any officer of the RBI to
inspect the authorised person for the purpose of verifying particulars of information
supplied or to ensure compliance with the Act.

126 Available at URL: https://www.incometaxindia.gov.in/pages/acts/income-tax-act.aspx (Last accessed on 12 July 2021).

127 Available at URL: https://egazette.nic.in/WriteReadData/2020/218938.pdf (Last accessed on 12 July 2021).

128 Available at URL: https://legislative.gov.in/sites/default/files/A1999-42_0.pdf (Last accessed on 12 July 2021).

6. The Reserve Bank of India Act, 1934 (RBI Act):129

Significance: The RBI Act sets out the powers and functions of the Central Board (a
group of persons appointed to govern and oversee the RBI’s operations), provides for
the monitoring and regulation of payment systems, banks and Non-Banking Financial
Companies, and further elaborates the reporting procedures, auditing and inspection
powers of the RBI and the Central Board, and offences and penalties.

Relevant provisions: The RBI Act applies to companies under Section 591(1) in The
Companies Act, 1956 - companies incorporated outside India but which have an
established place of business in India. It does not therefore concern itself with
imported data, but data generated in India. Foreign Banks that intend to carry on
operations in India must set up wholly owned subsidiaries in India 130 and adhere to all
applicable banking laws and regulations.

7. RBI Master Direction - Miscellaneous (Updated as on 12 November 2018):131

Significance and relevant clauses: This direction was issued to clarify the aspects
relating to the sharing of information with the Special Investigation Team (SIT) to assist
in investigations in India or foreign jurisdictions. Para 6 of the direction details the
procedure for sharing such information. As the direction explicitly mentions assistance
for investigation in both India and foreign jurisdictions, and there is no limitation on the
scope of information sought, Indian LEAs may have access to foreign data.

8. RBI Direction on Data Sharing with Directorate of Revenue Intelligence dated 3 May 2018:132

Significance and relevant clauses: This circular extends to Authorised Dealer banks and
refers to Sections 108A and 108B of the Customs Act, 1962. These sections empower
any Central government officer to summon or cause the production of any
document/piece of information from anyone as deemed necessary. This
information/document will be in pursuance of investigation as to undervaluation or
underreporting of imports/exports. They must be read in conjunction with The
Customs (Furnishing of Information) Rules, 2017. As this circular pertains to the
Customs Act and the import/export of products, there is a possibility that the
information sought by the empowered officer may entail foreign data. There is no
clarity on the limits of the information sought.

129 Available at URL: https://rbidocs.rbi.org.in/rdocs/Publications/PDFs/RBIA1934170510.PDF (Last accessed on 12 July 2021).

130 Available at URL: https://m.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=2758 (Last accessed on 12 July 2021).

131 Available at URL: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/14MDM1120153F2FD5CC455640E78D139304BC7C080F.PDF (Last accessed on 12 July 2021).

132 Available at URL: https://rbi.org.in/Scripts/NotificationUser.aspx?ID=11271 (Last accessed on 12 July 2021).

9. RBI Master Direction - Monitoring of Frauds in Non-Banking Financial Company (NBFC) (Reserve Bank) Directions, 2016:133

Significance and relevant clauses: This direction sets out the obligations and duties of
NBFCs in the reporting of frauds to the RBI and to the Police. It further specifies the
mechanism for annual and quarterly reporting of frauds [Chapter IV-VIII]. There is a
potential for investigation to involve foreign residents’ data.

10. RBI Master Direction - Information Technology Framework for the NBFC
Sector dated 8 June 2017:134

Significance and relevant clauses: This direction sets out the frameworks for IT
Governance in the NBFC sector and prescribes certain minimum standards in the form
of IT Policies and adverse event handling. It has a form that sets out the particulars of
cyber security incident reporting. It is likely that foreign residents’ data could be the
subject of an adverse event.

11. RBI Master Direction - Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 (Updated as on 22 November 2019):135

Significance and relevant clauses: This direction requires account aggregators to
conduct self-assessment of outsourcing arrangements but does not otherwise involve
importation of EU data subjects’ data (Para 7.1).

12. RBI Master Direction - Non-Banking Financial Company Returns (Reserve Bank) Directions dated 29 September 2016:136

Significance and relevant clauses: This direction requires NBFCs to report on their
overseas investments in quarterly returns to the RBI. The form is detailed in an annexure
to the direction. It is unlikely that these returns will contain any information about EU
data subjects, but it may be pertinent to note (Para 12).

133 Available at URL: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/MD49F29092016392149B3597145A1ACADCF520A1D1A97.PDF (Last accessed on 12 July 2021).

134 Available at URL: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/MD53E0706201769D6B56245D7457395560CFE72517E0C.PDF (Last accessed on 12 July 2021).

135 Available at URL: https://rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598 (Last accessed on 12 July 2021).

136 Available at URL: https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10620 (Last accessed on 12 July 2021).

13. RBI Master Direction – Direct Investment by Residents in Joint Venture
(JV) / Wholly Owned Subsidiary (WOS) Abroad (Updated as on 24 June
2021):137

Significance and relevant clauses: This direction pertains to vetting of investments by
(Indian) residents abroad and does not involve the import of EU data subjects’ data as
such. However, the pre-approval by the RBI requires the submission of foreign and
Indian track records of the investor which could involve some foreign investors’ data
(Para B.8).

14. RBI Master Direction - Establishment of Branch Office (BO)/ Liaison Office
(LO)/ Project Office (PO) or any other place of business in India by foreign
entities (Updated as on 18 May 2021):138

Significance and relevant clauses: This direction lists the criteria and reporting norms
for foreign entities desirous of establishing LO/BO/PO in India. It is information that is
routinely provided to the regulator and there is no unauthorised access or opportunity
for the same.

15. RBI Master Direction – Import of Goods and Services (Updated as on 28 October 2020):139

Significance: This direction prescribes reporting requirements for imports and
prescribes the form and manner of information stored in relation to imports. This
includes a mechanism for Import Data Processing and Monitoring System (IDPMS).
Relevant information such as Bills of Entry must be verified and retained by internal and
external auditors and in accordance with the AD Bank’s cybersecurity policy. There is
a possibility that these disclosures may involve foreign residents’ data.

16. RBI Master Direction – Export of Goods and Services (Updated as on 08 January 2021):140

Significance: This direction prescribes requirements for Authorised Dealer (AD)
category Banks to comply with ‘Know Your Customer’ (KYC) and Anti-Money
Laundering (AML) provisions. As such, it does not specify any reporting requirements
that would impact EU data subjects or the importation of EU data into India.

137 Available at URL: https://m.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10637#C14 (Last accessed on 12 July 2021).

138 Available at URL: https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10404#2 (Last accessed on 12 July 2021).

139 Available at URL: https://m.rbi.org.in/scripts/BS_ViewMasDirections.aspx?id=10201 (Last accessed on 12 July 2021).

140 Available at URL: https://m.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10395 (Last accessed on 12 July 2021).

17. RBI Master Circular on Money Transfer Service Scheme (2015):141

Significance: This Master Circular pertains to quick money transfer from abroad to
beneficiaries in India and can be utilised for personal payments to Indian nationals and
to foreign tourists in India. Please note that outward remittance from India is not
possible under the money transfer service scheme. There are due diligence
requirements for the appointing of Indian Agents in overseas offices for this purpose
but no specific provision impacting EU user data/importation of their personal data.

18. RBI Notification dated 6 April 2018 regarding storage of payment system data [Issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007]:142

Significance and relevant clauses: The notification states that in order to ensure greater
supervisory control, all payment system providers must store all data in India and must
include the complete end-to-end transaction details. The foreign leg of the transaction
may be stored in that country. Compliance must be reported to the RBI and periodic
audit will be undertaken to ensure the same (Para 2).

19. RBI Master Circular – KYC Guidelines – AML - 'Prevention of Money Laundering Act, 2002 – Obligations of NBFCs in terms of Rules notified thereunder’ dated 1 July 2015:143

Significance: These guidelines were issued to revise the KYC framework following the
recommendations of the Financial Action Task Force (FATF) on AML and combating
the financing of terrorism (CFT). They contain detailed procedures for conducting KYC
for different types of account-holders and the obligations on NBFCs under the PMLA.
They also detail the manner in which monitoring and investigation should take place.

20. Securities and Exchange Board of India Act, 1992 (SEBI Act): 144

Significance and relevant provision: The SEBI Act applies to foreign institutional
investors. Section 11C empowers the Board to call for the production of any
information, documents, records as may be necessary for the purpose of investigation
into transactions. There is no metric for the type of data that the investigating authority
may seek. However, foreign data may be impacted indirectly as the Act applies to FIIs
and portfolio managers who act on behalf of foreign investors.

141 Available at URL: https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10404#2 (Last accessed on 12 July 2021).

142 Available at URL: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/153PAYMENTEC233862ECC4424893C558DB75B3E2BC.PDF (Last accessed on 12 July 2021).

143 Available at URL: https://www.rbi.org.in/Scripts/BS_ViewMasCirculardetails.aspx?id=9914 (Last accessed on 12 July 2021).

144 Available at URL: https://www.sebi.gov.in/sebi_data/attachdocs/1456380272563.pdf (Last accessed on 12 July 2021).

21. Securities and Exchange Board of India - Guidelines for Seeking Data,
2018:145

Significance: These guidelines are principle-based and were enacted to ensure a seamless
process for data sharing that adheres to the latest principles of purpose limitation,
confidentiality and non-disclosure; data shared under them shall be anonymised and at
least 2 years old. These may function as best practices for data handling.

22. SEBI (Prohibition of Insider Trading) Regulations, 2015:146

Significance: The SEBI Prohibition of Insider Trading Regulations lay down the necessary
actions to prevent insider trading, powers to call for records and information and
conduct inspections for the purpose of investigation, and the manner of compiling
findings to take action for insider trading under the SEBI Act. They might open access to
foreign data for government agencies investigating these instances.

Relevant Provisions: Regulation 7A allows an individual (informant) to submit to SEBI
information regarding alleged violation of insider trading laws. SEBI has the authority
to verify the identity and contact details of the informant [Regulation 7B (2)]. Unless
otherwise required by SEBI, it is obligated to maintain the confidentiality of the
informant during investigation, inquiry and examination as well as during any
proceedings before SEBI (Regulation 7H). The informant may be a foreign national, in
which case the government/SEBI may access details about such an individual.

23. SEBI (Foreign Venture Capital Investors) Regulations, 2000:147

Significance and relevant provision: The regulations set out the eligibility criteria and
application processes for registration of foreign venture capital investors. It further
establishes the powers to call for records and information and conduct inspections for
the purpose of investigation (Regulations 13 and 16).

145 Available at URL: https://www.sebi.gov.in/pdf/guidelines-of-data-sharing-final.pdf (Last accessed on 12 July 2021).

146 Available at URL: https://www.sebi.gov.in/legal/regulations/apr-2021/securities-and-exchange-board-of-india-prohibition-of-insider-trading-regulations-2015-last-amended-on-april-26-2021-_41717.html (Last accessed on 12 July 2021).

147 Available at URL: https://www.sebi.gov.in/sebi_data/commondocs/fvci_updated_21December2010.pdf (Last accessed on 12 July 2021).

24. SEBI (Depositories and Participants) Regulations, 1996:148

Significance: The regulations prescribe powers to call for records and information for
the registration as a depository, commencement of business and to register as
participants. It prescribes the manner for keeping records and empowers SEBI to
conduct inspection to ensure that all depositories, beneficial owners, agents and
participants are adhering to the law applicable to securities in the country.

25. SEBI (Foreign Portfolio Investors) Regulations, 2014: 149

Significance: The SEBI Foreign Portfolio Investors (FPI) Regulations prescribe powers
to call for records and information for the registration as an FPI. It prescribes the
manner for keeping records and empowers SEBI to conduct inspections suo-moto or
on the basis of complaints it receives.

26. SEBI Guidelines on AML Standards and Combating the Financing of Terrorism (CFT) /Obligations of Securities Market Intermediaries Under the Prevention of Money Laundering Act, 2002 and Rules Framed thereunder dated July 2018:150

Significance: The guidelines were issued to strengthen the detection and enforcement
mechanism for money laundering and related transactions occurring in the securities
market. The directive sets out procedures for intermediaries to execute their
responsibilities under the PMLA.

Relevant provisions: All registered intermediaries (RI) must have a system in place for
identifying, monitoring, reporting, and disclosing suspected money laundering or
terrorist financing transactions to law enforcement authorities (Paras 1.3.2.2 and
1.3.2.3). Additionally, RIs are required to maintain records to enable reconstruction
of individual transactions (including the amounts and types of currencies involved)
to provide evidence for prosecution of criminal behaviour (Para 2.3.2). They must
ensure that all client and transaction records and information are made available to
investigating authorities on a timely basis (Para 2.3.4). RIs are required to retain
records for such time as may be prescribed and in such a manner that allows quick
and easy retrieval of data, including domestic and international transactions, as and
when required by the competent authority (Paras 2.5.1 and 2.5.3).

148 Available at URL: https://www.sebi.gov.in/acts/dpregu.pdf (Last accessed on 12 July 2021).

149 Available at URL: https://www.sebi.gov.in/legal/regulations/apr-2017/sebi-foreign-portfolio-investors-regulations-2014-last-amended-on-march-6-2017-_34690.html (Last accessed on 12 July 2021).

150 Available at URL: https://www.sebi.gov.in/web/?file=https://www.sebi.gov.in/sebi_data/attachdocs/jul-2018/1530683670247.pdf#page=1&zoom=page-width,-16,792 (Last accessed on 12 July 2021).

27. Securities Contracts (Regulation) (Stock Exchanges and Clearing
Corporations) Regulations, 2018: 151

Significance: The regulations provide for the recognition of stock exchanges and
clearing corporations, and their functioning. The Regulations allow SEBI to access
information regarding and conduct inquiries on the recognised stock exchanges and
clearing corporations.

Relevant provisions: The Regulations allow a foreign stock exchange, depository,
banking company, insurance company, commodity derivatives exchange to have
limited shareholding in a recognised stock exchange [Regulation 17(3)] or clearing
corporations [Regulation 18(3)]. Regulation 47 empowers SEBI to call for information
regarding any stock exchange, clearing corporation, and any of its directors or
shareholders. Further, Regulation 48 empowers SEBI to undertake inspection and
conduct inquiries on any recognised stock exchange or clearing corporation or its
shareholders at any time. This may include information about EU data subjects being
shareholders in a recognised stock exchange/clearing corporation.

28. SEBI Guidelines for participation/functioning of Eligible Foreign Investors (EFIs) and FPIs in International Financial Services Centre (IFSC), 2017:152

Significance: The guidelines allow SEBI, RBI, and other authorities to access details of
eligible foreign investors available with recognised stock exchanges.

Relevant provision: Recognised stock exchanges in IFSC are required to maintain, at all
times, the necessary details of Eligible Foreign Investors (EFIs), which may be sought
by SEBI/RBI or any other authority (Para 2(e)).

29. Foreign Exchange Management (Mode of Payment and Reporting of Non-Debt Instruments) Regulations, 2019 (Amended up to June 15, 2020):153

Significance: These regulations were issued to set out reporting requirements for
investment in India by a person resident outside India. They also specify the mode of
payment and penalties for delays in reporting.

151 Available at URL: https://www.sebi.gov.in/web/?file=https://www.sebi.gov.in/sebi_data/attachdocs/mar-2021/1617192087438.pdf#page=1&zoom=page-width,-16,842 (Last accessed on 12 July 2021).

152 Available at URL: https://www.sebi.gov.in/web/?file=https://www.sebi.gov.in/sebi_data/attachdocs/1483509795386.pdf#page=1&zoom=page-width,-16,792 (Last accessed on 12 July 2021).

153 Available at URL: https://rbi.org.in/Scripts/BS_FemaNotifications.aspx?Id=11723 (Last accessed on 12 July 2021).

B. Healthcare laws:

1. Drugs and Cosmetics Rules, 1945: 154

Significance: The Rules provide for the registration and licensing of manufacturers,
clinical trials, and the regulatory mechanism to implement the provisions of the Drugs
and Cosmetics Act, 1940. They cover reporting requirements, oversight of clinical trials
and testing, and approval of drugs and cosmetics. The scope of information that the
inspector can access under the Act is unclear; however, it is unlikely to include the data
of foreign nationals.

Relevant provisions:

• Rule 67G(3) requires the licensee (any person /organisation holding a license to
sell, stock, or distribute homoeopathy medicines) of a premises to allow the
Inspector to inspect the premises and provide any additional information
required in order to ascertain if the provisions of the Drugs and Cosmetics Act
(D&C A) and the Rules are complied with. Similarly, Rule 85H(c) allows the
inspector to inspect records or registers of a person holding a license to
manufacture homoeopathy medicines to ensure compliance with the D&CA and
Rules.

• Rule 122B (approval to manufacture new drugs), Rule 122DAC (permission to
conduct clinical trials) read with Schedule Y: Sets out requirements and
guidelines for permission to import and/or manufacture new drugs for sale or
to undertake clinical trials. The application for permission to import or
manufacture new drugs for sale or to undertake clinical trials (for drugs
discovered in or outside India) needs to be accompanied by human clinical
pharmacology data, which includes data from other countries. Further, during
the clinical trial, the sponsor of the clinical trial is required to submit a summary
report periodically to the Licensing Authority (LA). A summary report is also
required to be furnished to the head of the institution where the trial is conducted
and the Ethics Committee, along with the LA, in case a trial is prematurely
discontinued or in case of any serious or adverse events that occur during the
clinical trial. The Committee is bound by confidentiality safeguards, under Rule
122DD and Appendix VIII. The sponsor is also required to carry out post-marketing
surveillance for approved drugs, which includes collecting data from
patients or subjects and forwarding the same to the Licensing Authority. Human
pharmacology data from other countries that has to be furnished to the Licensing
Authority on clinical trials may or may not include personal data of foreign
nationals.

154 Available at URL: https://cdsco.gov.in/opencms/export/sites/CDSCO_WEB/Pdf-documents/acts_rules/2016DrugsandCosmeticsAct1940Rules1945.pdf (Last accessed on 12 July 2021).

2. The Epidemic Diseases Act, 1897:155

Significance: The Act empowers the State and Central Government with broad powers
to take measures necessary to prevent the outbreak and spread of dangerous epidemic
diseases. It also allows the governments to inspect people travelling to India, including
foreign nationals.

Relevant provisions:

• Section 2 empowers the State government to take special measures to prevent
the outbreak of an epidemic, including measures to regulate the inspection of
persons travelling by railway or otherwise, and the segregation, in hospital,
temporary accommodation or otherwise, of persons suspected by the inspecting
officer of being infected with any such disease.
• Section 2A empowers the Central Government to take such measures for the
inspection of any bus or train or goods vehicle or ship or vessel or aircraft leaving
or arriving at any land port or aerodrome in India and for detention of any person
intending to travel or arriving.

3. Transplantation of Human Organs and Tissues Act, 1994 156 and the
Transplantation of Human Organs and Tissues Rules, 2014 157

Significance: The Act governs the transplantation and storage of human organs and
tissues for therapeutic purposes. It provides for the registration and regulation of
hospitals undertaking transplantation and storage of organs and tissues and for the
constitution of authorities to administer the provisions of the Act. The Rules provide for
the administration of the provisions of the Act, composition of the various authorities
under the Act, and powers of the authorities that allow access to data. The scheme of
the Act suggests that the government may have access to foreign data.

Relevant provisions:
• Section 9 allows transplant between a donor and a recipient who are near
relatives (where either of the parties is a foreign national). To evaluate the
relationship between the donor and recipient, the Authorisation Committee
(Rule 18) has the power to examine documentary evidence of their relationship
such as birth certificates, marriage certificate, or documentary evidence of
identity, passport or PAN card or bank account, among other things. Similarly, if
the transplant is between a married couple (where either the donor or recipient
is a foreign national), the Committee will have the power to assess documentary
evidence to evaluate the factum of their marriage [Rule 18(5)].

155 Available at URL: https://www.indiacode.nic.in/bitstream/123456789/15942/1/epidemic_diseases_act%2C1897.pdf (Last accessed on 12 July 2021).

156 Available at URL: https://legislative.gov.in/sites/default/files/A1994-42.pdf (Last accessed on 12 July 2021).

157 Available at URL: https://notto.gov.in/WriteReadData/Portal/images/THOA-Rules-2014.pdf (Last accessed on 12 July 2021).

• The Act also allows transplant between a donor and a recipient who are not near relatives (where either of the parties is a foreign national). Such a transplant is subject to the approval of the Authorisation Committee (Rule 19).

• Section 13-B empowers the Appropriate Authority (constituted by the Government) to call for the production of any information, or to summon persons in possession of information to furnish the same, when such information or documents relate to a violation of the provisions of the Act. The Authority can exercise the powers of a civil court in this regard.

• Section 13-D provides for the creation of a National Registry of donors and recipients of human organs and tissues.

• Rule 32 provides for the setting up of a National Registry of organ transplants. The registry contains information such as demographic data about patients and donors. The data maintained by each hospital regarding every transplantation, in reasonable detail, is also accessible by officials authorised by the Central or the respective State Government. The organ donation registry contains information such as demographic and physiological information about the donor, medical illnesses, details of the person requesting the donation, and others. The tissue registry will contain information on the tissue donor, site of tissue donation, primary cause of death in the case of a deceased donor, relevant laboratory tests, and others. The Rules specify that the registry will be available online, but the identities of persons cannot be put in the public domain, and measures shall be taken to maintain the security of all the information collected.

ANNEXURE II

List of laws studied for the report on the impact of the Schrems II judgement on EU-India data transfers

The table shows whether the laws reviewed include any provisions/sections that allow the government/authorities in India to access data, which could include foreign data.

Laws analysed in the main study

Laws listed in Annexure I - laws where the likelihood/risk of government access to EU imported data is low

S.No. | Sector | Relevant Law | Access to foreign data
----- | ------ | ------------ | ----------------------
1. | General Laws | Code of Criminal Procedure, 1973 | Yes
2. | IT/Telecom | Information Technology Act, 2000 | Yes
3. | | Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 | Yes
4. | | Indian Telegraph Rules, 1951 | Yes
5. | | Indian Telegraph Act, 1885 | Yes
6. | | Unified Licensing Agreement and Unified License Virtual Network Operator (ULVNO) | Yes
7. | | Guidelines for Other Service Providers | Yes
8. | Healthcare | The Drugs and Cosmetics Act, 1940 | No
9. | | The Drugs and Cosmetics Rules, 1945 | Yes
10. | | The Epidemic Diseases Act, 1897 | Yes
11. | | The Registration of Births and Deaths Act, 1969 | No
12. | | The Persons with Disabilities (Equal Opportunities, Protection of Rights and Full Participation) Act, 1995 | No
13. | | The Pre-conception and Pre-natal Diagnostic Techniques (Prohibition of Sex Selection) Act, 1994 | No
14. | | The Pre-Natal Diagnostic Techniques (Regulation and Prevention of Misuse) (Advisory Committee) Rules, 1996 | No
15. | | The Pre-conception and Pre-natal Diagnostic Techniques (Prohibition of Sex Selection) Rules, 1996 | No
16. | | The Clinical Establishments (Central Government) Rules, 2012 | No
17. | | The Medical Device Rules, 2017 | No
18. | | The Mental Healthcare Act, 2017 | No
19. | | The Mental Healthcare (Central Mental Health Authority and Mental Health Review Boards) Rules, 2018 | No
20. | | The Mental Healthcare (State Mental Health Authority) Rules, 2018 | No
21. | | The Transplantation of Human Organs and Tissues Act, 1994 | Yes
22. | | The Transplantation of Human Organs and Tissues Rules, 2014 | Yes
23. | | The Clinical Establishments (Registration and Regulation) Act, 2010 | No
24. | | The Indian Aircraft (Public Health) Rules, 2015 | No
25. | | The Pharmacy Act, 1948 | No
26. | | The Narcotic Drugs and Psychotropic Substances Act, 1985 | No
27. | | The Mental Healthcare (Rights of Persons with Mental Illnesses) Rules, 2018 | No
28. | | The Medical Termination of Pregnancy Rules, 2003 | No
29. | | The Medical Termination of Pregnancy Act, 1971 | No
30. | | The Mental Healthcare (State Mental Health Authority) Rules, 2018 | No
31. | Banking and Finance | Prevention of Money Laundering Act, 2002 | Yes
32. | | The Reserve Bank of India Act, 1934 | Yes
33. | | Banking Regulation Act, 1949 | Yes
34. | | Income Tax Act, 1961 | Yes
35. | | Foreign Exchange Management Act, 2000 | Yes
36. | | Credit Information Companies (Regulation) Act, 2005 | No
37. | | Payment and Settlement Systems Act, 2007 | Yes
38. | | The Factoring Regulation Act, 2011 | No
39. | | Master Direction - Monitoring of Frauds in NBFCs (Reserve Bank) Directions, 2016 | Yes
40. | | Master Direction - Information Technology Framework for the NBFC Sector dated 8 June, 2017 | Yes
41. | | The Electronic Trading Platforms (Reserve Bank) Directions (2018) | No
42. | | Notification dated 6 April, 2018 regarding storage of payment system data [Issued under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007] | Yes
43. | | Prepaid Payment Instruments (PPIs) – Guidelines for Interoperability dated 16 October, 2018 | No
44. | | Master Circular – Policy guidelines on issuance and operation of pre-paid payment instruments in India (Updated as on 17 December, 2020) | No
45. | | Master Directions on Access criteria for payment systems dated 28 July, 2021 | No
46. | | Master Direction - Residuary Non-Banking Companies (Reserve Bank) Directions dated 22 February, 2019 | No
47. | | Master Direction - Standalone Primary Dealers (Reserve Bank) Directions, 2016 | No
48. | | Master Direction - Residuary Non-Banking Companies (Reserve Bank) Directions dated 22 February, 2019 | No
49. | | Master Direction - Exemptions from the provisions of RBI Act, 1934 (Updated as on 31 May, 2018) | No
50. | | Master Direction - Core Investment Companies (Reserve Bank) Directions, 2016 (Updated as on 7 June, 2018) | No
51. | | Master Direction - Non-Banking Financial Companies Acceptance of Public Deposits (Reserve Bank) Directions, 2016 (Updated as on 5 October, 2018) | No
52. | | Master Direction - Non-Banking Financial Company - Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions, 2016 (Updated as on 31 May, 2018) | No
53. | | Master Direction - Non-Banking Financial Company – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions, 2016 (Updated as on 31 May, 2018) | No
54. | | Master Direction - Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016 (Updated as on 22 November, 2019) | Yes
55. | | Master Direction - Non-Banking Financial Companies Auditor’s Report (Reserve Bank) Directions dated 29 September, 2016 | No
56. | | Master Direction - Non-Banking Financial Company Returns (Reserve Bank) Directions dated 29 September, 2016 | Yes
57. | | Master Directions - Mortgage Guarantee Companies (Reserve Bank) Directions, 2016 (Updated as on 25 May, 2017) | No
58. | | Master Directions - Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017 (Updated as on 23 February, 2018) | No
59. | | Master Direction - Fit and Proper Criteria for Sponsors - Asset Reconstruction Companies (Reserve Bank) Directions dated 25 October, 2018 | No
60. | | Master Direction on Levy of Penal Interest for Delayed Reporting/Wrong Reporting/Non-Reporting of Currency Chest Transactions and Inclusion of Ineligible Amounts in Currency Chest Balances dated 20 July, 2016 | No
61. | | Master Direction on Levy of Penal Interest for Delayed Reporting/Wrong Reporting/Non-Reporting of Currency Chest Transactions and Inclusion of Ineligible Amounts in Currency Chest Balances dated 12 October, 2017 | No
62. | | Master Direction on Currency Distribution & Exchange Scheme (CDES) based on performance in rendering customer service to the members of public dated 3 July, 2018 | No
63. | | Master Direction on Levy of Penal Interest for Delayed Reporting / Wrong Reporting / Non-Reporting of Currency Chest Transactions and Inclusion of Ineligible Amounts in Currency Chest Balances dated 3 July, 2018 | No
64. | | Master Direction – Export of Goods and Services (Updated as on 08 January, 2021) | Yes
65. | | Master Direction – Reporting under Foreign Exchange Management Act, 1999 (Updated as on November 20, 2018) | No
66. | | Master Direction - Money Changing Activities (Updated as on 8 December, 2017) | No
67. | | Master Direction – Opening and Maintenance of Rupee/Foreign Currency Vostro Accounts of Non-resident Exchange Houses (Updated as on 31 August, 2018) | No
68. | | Master Direction - External Commercial Borrowings, Trade Credit, Borrowing and Lending in Foreign Currency by Authorised Dealers and Persons other than Authorised Dealers (Updated as on 22 November, 2018) | No
69. | | Master Direction - Miscellaneous (Updated as on 12 November, 2018) | Yes
70. | | Master Direction – Direct Investment by Residents in Joint Venture (JV) / Wholly Owned Subsidiary (WOS) Abroad (Updated as on 24 June, 2021) | Yes
71. | | Master Direction - Establishment of Branch Office (BO)/ Liaison Office (LO)/ Project Office (PO) or any other place of business in India by foreign entities (Updated as on 10 May, 2018) | Yes
72. | | Master Direction – Import of Goods and Services (Updated as on 28 October, 2020) | Yes
73. | | Master Direction - Insurance (Updated as on 17 November, 2016) | No
74. | | Master Direction – Money Transfer Service Scheme (MTSS) dated 22 February, 2017 | Yes
75. | | Master Direction – Foreign Investment in India (Updated as on 6 April, 2018) | No
76. | | Master Direction - Risk Management and Inter-Bank Dealings (Updated as on 2 April, 2018) | No
77. | | Master Direction on Money Market Instruments: Call/Notice Money Market, Commercial Paper, Certificates of Deposit and Non-Convertible Debentures (original maturity up to one year) dated 7 July, 2016 | No
78. | | Master Direction - Regional Rural Banks - Priority Sector Lending – Targets and Classification dated 7 July, 2016 | No
79. | | Master Direction - Priority Sector Lending – Targets and Classification (Updated as on 4 December, 2018) | No
80. | | Master Direction – Reserve Bank of India (Relief Measures by banks in areas affected by Natural Calamities) Directions dated 3 July, 2017 | No
81. | | Master Direction - Lending to Micro, Small & Medium Enterprises (MSME) Sector (Updated as on 25 April, 2018) | No
82. | | Master Direction – Ownership in Private Sector Banks, Directions, dated 12 May, 2016 | No
83. | | Master Direction - Reserve Bank of India (Financial Services provided by Banks) Directions, 2016 (Updated as on 25 September, 2017) | No
84. | | Master Direction - Reserve Bank of India (Financial Statements of All India Financial Institutions - Presentation, Disclosure and Reporting) Directions dated 23 June, 2016 | No
85. | | Master Directions on Frauds – Classification and Reporting by commercial banks and select FIs (Updated as on 3 July, 2017) | No
86. | | Master Direction - Reserve Bank of India (Financial Statements of All India Financial Institutions - Presentation, Disclosure and Reporting) Directions, 2016 | No
87. | | Master Direction – Operational Guidelines for Primary Dealers (Updated as on 22 November, 2018) | No
88. | | Master Directions on Relief/Savings Bonds 2 July, 2018 | No
89. | | Deendayal Antyodaya Yojana – National Urban Livelihoods Mission (DAY-NULM) dated 6 December, 2018 | No
90. | | Master Circular - Kisan Credit Card (KCC) Scheme dated 4 July, 2018 | No
91. | | Master Circular – Deendayal Antyodaya Yojana - National Rural Livelihoods Mission (DAY-NRLM) dated 3 July, 2018 | No
92. | | Master Circular - Credit Facilities to Minority Communities dated 2 July, 2018 | No
93. | | Master Circular – Lead Bank Scheme dated 2 July, 2018 | No
94. | | Master Circular on SHG-Bank Linkage Programme dated 2 July, 2018 | No
95. | | Master Circular – Mobile Banking Transactions in India – Operative Guidelines for banks | No
96. | | Master Circular – Policy Guidelines on Issuance and Operation of Pre-paid Payment Instruments in India | No
97. | | Mobile Banking Transactions in India - Operative Guidelines for Banks dated 4 May, 2011 | No
98. | | Master Circular – Prudential Guidelines for the Primary Dealers in Government Securities Market dated 1 July, 2015 | No
99. | | Master Circular - Capital Adequacy Standards and Risk Management Guidelines for Standalone Primary Dealers dated 1 July, 2015 | No
100. | | Master Circular on Conduct of Government Business by Agency Banks - Payment of Agency Commission dated 2 July, 2018 | No
101. | | Master Circular – Requirement for Obtaining Prior Approval of RBI in Cases of Acquisition / Transfer of Control of NBFCs 1 July, 2015 | No
102. | | Master Circular – The Non-Banking Financial Company - Factors (Reserve Bank) Directions, 2012 - 1 July, 2015 | No
103. | | Master Circulars - Miscellaneous Instructions to NBFC- ND-SI (2015) | No
104. | | Master Circular on Remittance Facilities for Non-Resident Indians / Persons of Indian Origin / Foreign Nationals (2015) | No
105. | | Master Circular on Acquisition and Transfer of Immovable Property in India by NRIs/PIOs/Foreign Nationals of Non-Indian Origin (2015) | No
106. | | Master Circular – 'Know Your Customer' (KYC) Guidelines – Anti Money Laundering Standards (AML) - 'Prevention of Money Laundering Act, 2002 - Obligations of NBFCs in terms of Rules notified thereunder’ dated 1 July, 2015 | Yes
107. | | Master Circular - Miscellaneous Instructions to all Non-Banking Financial Companies | No
108. | | Notification as amended up to June 30, 2015 - The Securitisation Companies and Reconstruction Companies (Reserve Bank) Guidelines and Directions, 2003, Amended as of 1 July, 2015 | No
109. | | Master Circular - Returns to be submitted by NBFCs | No
110. | | Notification as Amended upto June 30, 2015 - Change in or Take Over of the Management of the Business of the Borrower by Securitisation Companies and Reconstruction Companies (Reserve Bank) Guidelines, 2010 | No
111. | | Master Circular on Compounding of Contraventions under FEMA, 1999 (2015) | No
112. | | Master Circular – Collection of Direct Taxes - OLTAS | No
113. | | Real Time Gross Settlement (RTGS) System - Implementation of Positive Confirmation dated 15 November, 2018 | No
114. | | Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) dated 19 October 2018 | No
115. | | Data Sharing with Directorate of Revenue Intelligence 3 May, 2018 | Yes
116. | | Risk Management and Inter-Bank Dealings – Simplified Hedging Facility (2017) | No
117. | | Risk Management Systems – Role of the Chief Risk Officer (CRO) | No
118. | | Export Data Processing and Monitoring System (EDPMS) Issuance of Electronic Bank Realisation Certificate (eBRC) Dated 15 September, 2017 | No
119. | | Securities and Exchange Board of India Act, 1992 | Yes
120. | | Securities Contracts (Regulation) Act, 1956 | No
121. | | Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002 | No
122. | | Securities and Exchange Board of India (Depositories and Participants) Regulations, 1996 | Yes
123. | | Securities and Exchange Board of India (Central Database of Market Participants) Regulations, 2003 | No
124. | | Securities and Exchange Board of India (Central Database of Market Participants) (Amendment) Regulations, 2004 | No
125. | | Securities and Exchange Board of India - Guidelines for Seeking Data, 2018 | Yes
126. | | SEBI Master Circular for Commodities Derivatives Market, 2018 | No
127. | | Master Circular for Stock Brokers, 2018 | No
128. | | SEBI Master Circular for Stock Exchange and Clearing Corporation, 2016 | No
129. | | SEBI Master Circular for Depositories, 2016 | No
130. | | SEBI Master Circular for Stock Exchange and Clearing Corporation, 2015 | No
131. | | SEBI Master Circular for Depositories, 2021 | No
132. | | Master Circular for Stock Exchanges/ Cash Market, 2012 | No
133. | | Master Circular for Stock Exchange - Cash Market, 2013 | No
134. | | SEBI Clarification One on Securities and Exchange Board of India {KYC (Know Your Client) Registration Agency} Regulations (2011), 2012 | No
135. | | SEBI Circular in Centralized Database for Corporate Bonds/Debentures, 2013 | No
136. | | SEBI Circular on Guidelines for Functioning of Stock Exchanges and Clearing Corporations in International Financial Services Centre (IFSC), 2016 | No
137. | | SEBI Circular on Online Registration Mechanism for Mutual Funds, 2017 | No
138. | | SEBI Circular on Amendment to Investor Grievance Redressal System and Arbitration Mechanism, 2017 | No
139. | | SEBI Circular on Review of Guidelines for Co-Location/Proximity Hosting Facility Offered by Stock Exchanges (2016), 2017 | No
140. | | SEBI Circular on Measures to strengthen Algorithmic Trading and Co-Location/Proximity Hosting Framework, 2018 | No
141. | | SEBI Circular on Enhanced Monitoring of Qualified Registrars to an Issue and Share Transfer Agents, 2018 | No
142. | | SEBI Circular on Cyber Security & Cyber Resilience Framework for Stock Brokers/Depository Participants, 2018 | No
143. | | Master Circular for Stock Brokers, 2018 | No
144. | | SEBI Master Circular for Commodities Derivatives Market, 2018 | No
145. | | Securities Exchange Board of India (Substantial Acquisition of Shares and Takeovers) Regulations, 2011 | No
146. | | SEBI (Issue of Capital and Disclosure Requirements) Regulations, 2009 | No
147. | | Securities and Exchange Board of India (Stock-Brokers and Sub-Brokers) Regulations, 1992 | No
148. | | Securities and Exchange Board of India [KYC (Know Your Client) Registration Agency] Regulations, 2011 | No
149. | | Securities and Exchange Board of India (Foreign Portfolio Investors) Regulations, 2014 | Yes
150. | | Securities and Exchange Board of India (Credit Rating Agencies) Regulations, 1999 | No
151. | | Securities and Exchange Board of India (Prohibition of Insider Trading) Regulations, 2015 | Yes
152. | | Securities and Exchange Board of India (Master Circular) - Guidelines on Anti-Money Laundering (AML) Standards and Combating the Financing of Terrorism (CFT) / Obligations of Securities Market Intermediaries under the Prevention of Money Laundering Act, 2002 and Rules framed thereunder | Yes
153. | | Securities and Exchange Board of India (Alternative Investment Funds) Regulations, 2012 | No
154. | | Securities and Exchange Board of India (Bankers to an Issue) Regulations, 1994 | No
155. | | Securities and Exchange Board of India (Buy-back of Securities) Regulations, 2018 | No
156. | | Securities and Exchange Board of India (Certification of Associated Persons in the Securities Markets) Regulations, 2007 | No
157. | | Securities and Exchange Board of India (Collective Investment Schemes) Regulations, 1999 | No
158. | | Securities and Exchange Board of India (Custodian of Securities) Regulations, 1996 | No
159. | | Securities and Exchange Board of India (Debenture Trustees) Regulations, 1993 | No
160. | | Securities and Exchange Board of India (Issue and Listing of Debt Securities) Regulations, 2008 | No
161. | | Securities and Exchange Board of India (Delisting of Equity Shares) Regulations, 2009 | No
162. | | Securities and Exchange Board of India (Disclosure and Investor Protection) Guidelines, 2000 | No
163. | | Securities and Exchange Board of India (Foreign Venture Capital Investors) Regulations, 2000 | Yes
164. | | The Forward Contracts (Regulation) Act, 1952 | No
165. | | The Forward Contracts (Regulation) Rules, 1952 | No
166. | | Securities and Exchange Board of India (Informal Guidance) Scheme, 2003 | No
167. | | Securities and Exchange Board of India (Infrastructure Investment Trusts) Regulations, 2014 | No
168. | | Securities and Exchange Board of India (Intermediaries) Regulations, 2008 | No
169. | | Securities and Exchange Board of India (International Financial Services Centres) Guidelines, 2015 | No
170. | | Securities and Exchange Board of India (Investment Advisers) Regulations, 2013 | No
171. | | Securities and Exchange Board of India (Investor Protection and Education Fund) Regulations, 2009 | No
172. | | Securities and Exchange Board of India (Interest Liability Regularisation) Scheme, 2004 | No
173. | | Securities and Exchange Board Of India (Merchant Bankers) Regulations, 1992 | No
174. | | Securities and Exchange Board of India (Mutual Funds) Regulations, 1996 | No
175. | | Securities and Exchange Board of India (Issue and Listing of Non-Convertible Redeemable Preference Shares) Regulations, 2013 | No
176. | | Securities and Exchange Board of India (Framework for Rejection of Draft Offer Documents) Order, 2012 | No
177. | | Securities and Exchange Board of India (Ombudsman) Regulations, 2003 | No
178. | | Securities and Exchange Board of India (Portfolio Managers) Regulations, 1993 | No
179. | | Securities and Exchange Board of India (Public Offer and Listing of Securitised Debt Instruments) (Amendment) Regulations, 2018 | No
180. | | Securities and Exchange Board of India (Real Estate Investment Trusts) Regulations, 2014 | No
181. | | Securities and Exchange Board of India (Registrars to an Issue and Share Transfer Agents) Regulations, 1993 | No
182. | | Securities and Exchange Board of India (Research Analysts) Regulations, 2014 | No
183. | | Securities Appellate Tribunal (Procedure) Rules, 2000 | No
184. | | Securities Appellate Tribunal (Salaries, Allowances and Other Terms and Conditions of Presiding Officer and Other Members) Rules, 2003 | No
185. | | Securities Transaction Tax Rules, 2004 | No
186. | | Securities and Exchange Board of India (Self-Regulatory Organizations) Regulations, 2004 | No
187. | | Securities and Exchange Board of India (Settlement of Administrative and Civil Proceedings) Regulations, 2014 | No
188. | | Companies Prospectus and Allotment of Securities Rules, 2014 | No
189. | | Companies (Share Capital and Debentures) Rules, 2014 | No
190. | | Securities and Exchange Board of India (Issue of Sweat Equity) Regulations, 2002 | No
191. | | Securities and Exchange Board of India (Underwriters) Regulations, 1993 | No
192. | | Securities and Exchange Board of India (Prohibition of Fraudulent and Unfair Trade Practices Relating to Securities Market) Regulations, 2003 | No
193. | | Securities and Exchange Board of India (Form of Annual Statement of Accounts and Records) Rules, 1994 | No
194. | | Securities and Exchange Board of India (Procedure for Board Meetings) Regulations, 2001 | No
195. | | Securities and Exchange Board of India (Procedure For Holding Enquiry By Enquiry Officer and Imposing Penalty) Regulations, 2002 | No
196. | | Securities and Exchange Board of India (Procedure For Holding Inquiry and Imposing Penalties by Adjudicating Officer) Rules, 1995 | No
197. | | SEBI (Issuing Observations on Draft Offer Documents Pending Regulatory Actions) Order, 2006 | No
198. | | Securities and Exchange Board of India (Regulatory Fee on Stock Exchanges) Regulations, 2006 | No
199. | | Securities and Exchange Board of India Code on Conflict of Interests for Members of Board | No
200. | | Securities and Exchange Board of India Code of Conduct for Investor Associations (IAs), 2010 | No
201. | | Securities and Exchange Board of India (Aid for Legal Proceedings) Guidelines, 2009 | No
202. | | Securities and Exchange Board of India (Terms and Conditions of Service of Chairman and Members) Rules, 1992 | No
203. | | Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 | No
204. | | Securities Contracts (Regulation) Rules, 1957 | No
205. | | Securities Contracts (Regulation) (Procedure for Holding Inquiry and Imposing Penalties by Adjudicating Officer) Rules, 2005 | No
206. | | Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2018 | Yes
207. | | Securities Contracts (Regulation) (Manner of Increasing and Maintaining Public Shareholding in Recognised Stock Exchanges) Regulations, 2006 | No
208. | | The Securities Contracts (Regulation) (Appeal to Securities Appellate Tribunal) Rules, 2000 | No
209. | | Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2012 | No
210. | | Guidelines on Disclosures, Reporting and Clarifications Under AIF, 2014 | No
211. | | Operational, Prudential and Reporting Norms for Alternative Investment Funds (AIFs), 2013 | No
212. | | Guidelines on Overseas Investments and Other Issues/Clarifications for AIFs/VCFs, 2015 | No
213. | | Participation of Category III Alternative Investment Funds (AIFs) in the Commodity Derivatives Market, 2017 | No
214. | | SEBI Guidelines for Credit Rating Agencies, 2010 | No
215. | | Sharing of Information Regarding Issuer Companies Between Debenture Trustees and Credit Rating Agencies, 2013 | No
216. | | SEBI Guidelines for Dealing with Conflict of Interest for Investment/ Trading By CRAs, Access Persons and Other Employees, 2013 | No
217. | | Securities and Exchange Board of India (Custodian of Securities) (Second Amendment) Regulations, 2006 | No
218. | | Securities and Exchange Board of India (Issue and Listing of Debt Securities By Municipalities) Regulations, 2015 | No
219. | | SEBI Guidelines for Issue and Listing of Structured Products/ Market Linked Debentures, 2011 | No
220. | | Depositories Act, 1996 | No
221. | | Depositories (Appeal to Securities Appellate Tribunal) Rules, 2000 | No
222. | | Depositories (Appeal to Central Government) Rules, 1998 | No
223. | | Depositories (Procedure For Holding Inquiry and Imposing Penalties By Adjudicating Officer) Rules, 2005 | No
224. | | The Depositories Scheme, 2014 | No
225. | | Companies (Issue of Global Depository Receipts) Rules, 2014 | No
226. | | RBI Guidelines on Exchange Traded Interest Rate Derivatives, 2003 | No
227. | | Securities and Exchange Board of India (Share Based Employee Benefits) Regulations, 2014 | No
228. | | Revised Euro Issue Guidelines Issued by January, 2000 | No
229. | | SEBI Guidelines for Issuance of ODIs, with Derivative as Underlying, by the ODI Issuing FPIs, 2017 | No
230. | | SEBI Guidelines for Due Date Rate (DDR) Fixation for Regional Commodity Derivatives Exchanges, 2016 | No
231. | | SEBI Broad Guidelines on Algorithmic Trading for National Commodity Derivatives Exchanges, 2016 | No
232. | | SEBI Guidelines for Public Issue Of Units of InvITs, 2016 | No
233. | | SEBI Guidelines on Outsourcing of Activities by Intermediaries, 2011 | No
234. | | SEBI Guidelines for Participation/Functioning of Eligible Foreign Investors (EFIs) and FPIs In IFSC – Amendment, 2017 | No
235. | | SEBI Guidelines for participation/functioning of Eligible Foreign Investors (EFIs) and FPIs in International Financial Services Centre (IFSC), 2017 | Yes
236. | | SEBI Guidelines for functioning of Stock Exchanges and Clearing Corporations in International Financial Services Centre (IFSC), 2016 | No
237. | | SEBI Guidelines for Liquidity Enhancement Schemes (LES) in Commodity Derivatives Contracts, 2018 | No
238. | | SEBI Guidelines For Market Makers, 1993 | No
239. | | SEBI Guidelines for Market Makers on Small and Medium Enterprise (SME) Exchange/Separate Platform of Existing Exchange Having Nationwide Terminal, 2010 | No
240. | | Securities and Exchange Board of India (Mutual Funds) (Amendment) Regulations, 2017 | No
241. | | SEBI Guidelines for Public Issue of REITs, 2016 | No
242. | | SEBI Guidelines for Fair Practices Code of Conduct for Public Representative and SEBI Nominee Directors, 2003 | No
243. | | Securities Appellate Tribunal (Salaries, Allowances and Other Conditions of Service of the Officers and Employment) Rules, 2003 | No
244. | | Securities Appellate Tribunal (Salaries, Allowances and Other Terms and Conditions of Presiding Officer and Other Members) Rules, 2003 | No
245. | | Tribunal, Appellate Tribunal and other Authorities (Qualifications, Experience and other Conditions of Service of Members) Rules, 2017 (struck down by the Supreme Court) | No
246. | | Chapter VII of Finance (No. 2) Act 2004 – Securities Transaction Tax | No
247. | | SEBI Comprehensive Guidelines on Offer for Sale (OFS) of Shares by Promoters through the Stock Exchange Mechanism, 2012 | No
248. | | Securities And Exchange Board Of India (Payment Of Fees And Mode Of Payment) (Amendment) Regulations, 2017 | No
249. | | SEBI General Guidelines for Dealing with Conflicts of Interest of Intermediaries, Recognised Stock Exchanges, Recognised Clearing Corporations, Depositories and their Associated Persons in Securities Market, 2013 | No
250. | | Securities and Exchange Board of India (Annual Report) Rules, 1994 | No
251. | | Securities Exchange Board of India (Appeal to Central Government) Rules, 1993 | No
252. | | SEBI Circular on the Securities and Exchange Board of India (International Financial Services Centres) Guidelines, 2015 - IFSC Banking Units (IBUs) Acting as Trading Member or Professional Clearing Member on Stock Exchanges/Clearing Corporations in IFSC, 2017 | No
253. | | Securities Appellate Tribunal (Salaries and Allowances and Other Conditions of Service of the Officers and Employees) Rules, 1997 | No
254. | | Foreign Exchange Management (Current Account Transactions) Rule, 2000 | No
255. | | Foreign Exchange Management (Permissible Capital Account Transactions) Regulations, 2000 | No
256. | | Foreign Exchange Management (Transfer or Issue of any Foreign Security) Regulations, 2004 | No
257. | | Foreign Exchange Management (Foreign currency accounts by a person resident in India) Regulations, 2000 | No
258. | | Foreign Exchange Management (Acquisition and transfer of immovable property in India) Regulations, 2018 | No
259. | | Foreign Exchange Management (Establishment in India of branch or office or other place of business) Regulations, 2000 | No
260. | | Foreign Exchange Management (Manner of Receipt and Payment) Regulations, 2016 | No
261. | | Foreign Exchange Management (Export of Goods and Services) Regulations, 2000 | No
262. | | Foreign Exchange Management (Realisation, repatriation and surrender of Foreign Exchange) Regulations, 2000 | No
263. | | Foreign Exchange Management (Possession and Retention of Foreign Currency) Regulations, 2000 | No
264. | | Foreign Exchange (Adjudication Procedure and Appeals) Rules | No
265. | | Foreign Exchange Management (Borrowing and Lending) Regulations, 2018 | No
266. | | Foreign Exchange Management (Cross Border Merger) Regulations, 2018 | No
267. | | Foreign Exchange Management (Transfer or Issue of Security by a Person Resident Outside India) Regulations, 2017 | No
268. | | Foreign Exchange Management (Remittance of Assets) Regulations, 2016 | No
269. | | Foreign Exchange Management (Deposit) Regulations, 2016 | No
270. | | Foreign Exchange Management (Establishment in India of a branch office or a liaison office or a project office or any other place of business) Regulations, 2016 | No
271. | | Foreign Contribution (Regulation) Act, 2010 | No
272. | | Foreign Contribution (Regulation) Rules, 2011 | No
273. | | Foreign Exchange Management (Non-debt Instruments) Rules, 2019 | Yes
ANNEXURE III

Overview of EDPB’s Recommendations on Supplementary Measures [158]

Know your transfer:
• Controllers and processors should implement legal, technical, and organisational measures that ensure data protection.
• Organisations must build records of processing activities in compliance with Article 30 of the GDPR. [159]
• Mapping data transfers and any onward transfers can help with the maintenance of records. [160]

Verify the transfer tools:
Relevant data transfer tools as listed under the GDPR should be identified. These include:
• The European Commission’s adequacy decisions, which are published periodically. [161]
• In the absence of an adequacy decision, exporters may select one of the transfer tools under Article 46 of the GDPR, ensuring that, overall, the transferred personal data will have the benefit of an essentially equivalent level of protection: SCCs, Binding Corporate Rules (BCRs), certification mechanisms, codes of conduct, or ad hoc contractual clauses. [162]

Law or practice of the third country:
To assess the law of the third country, companies should check whether the legislation governing access to data by public authorities is ambiguous or not publicly available. In the absence of such legislation, companies should look into other relevant and objective factors:
• If a transfer mechanism under Article 46 of the GDPR (specified above) is relied on, then data exporters should assess whether the mechanism affords a level of protection in the third country that is 'essentially equivalent' to that guaranteed in the EU. [163]

[158] Available at URL: https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf (Last accessed on 12 July 2021).
[159] Ibid., para 9, page 8.
[160] Ibid., para 10, page 9.
[161] Ibid., para 15, page 9.
[162] Ibid., para 21, page 11.
[163] Ibid., paras 29-30, page 12.


• Data exporters should conduct due diligence on publicly available legislation, reported precedents and practice. [164]
• The EDPB Recommendations on European Essential Guarantees for surveillance measures can be used for assessing the laws of the importing third country. [165]

Step: Supplementary measures
Measures: Data exporters and importers must adopt supplementary measures to ensure that the data transferred to the third country is afforded the same level of protection as within the EU. These include:
• Considering the format of the data to be transferred (i.e., plain text, pseudonymised or encrypted).
• Identifying the nature of the data to be transferred.
• Considering the length and complexity of the data processing workflow.
• Accounting for the possibility that the data may be subject to onward transfers from the third country to another third country. [166]
In instances where data exporters are not able to implement effective supplementary measures, the transfer of data must not take place. [167]

Step: Procedural steps
Measures: Formal procedural steps may need to be put in place once organisations have identified effective supplementary measures. [168]

Step: Re-evaluate
Measures: Data exporters must periodically re-evaluate the measures adopted, the laws of the importing third country, the accountability principles in the GDPR, etc. [169]

[164] Ibid., para 43, page 14.
[165] Ibid., para 39, page 13.
[166] Ibid., para 49, page 16.
[167] Ibid., para 52, page 16.
[168] Ibid., para 55, page 17.
[169] Ibid., paras 62-63, pages 18-19.

ADDRESS
Plot 7 to 10, Sector 126, Noida – 201303
Uttar Pradesh, INDIA

CONTACT
Email: [email protected]
Website: www.nasscom.in

© 2021 NASSCOM
