Data Privacy in India: In Light of The EU – USA Privacy Shield Invalidation


In our day-to-day life, we find ourselves in various situations where we have to share data or information that is often private. With the expansion of technology and the easy availability of the Internet, this personal information is just one click away from being shared with the rest of the world. In this case, the rest of the world means the companies that store our data and sometimes share it with third parties.


“Data is the pollution problem of the information age, and protecting privacy is the environmental challenge.” – Bruce Schneier

This has led to a global consciousness about protecting people's privacy. Most countries have implemented specific acts in order to protect the interests of their citizens. Moreover, some countries have entered into agreements in order to enhance their data protection strategy, like the Privacy Shield between the European Union and the United States or the Swiss – US Privacy Shield.
However, India is yet to enact legislation for the protection of its citizens' personal data; without it, there might be serious security risks to an individual's or organization's confidential information as well as identity.

Recently, the Privacy Shield program between the European Union and the United States of America was declared invalid. This has been speculated to have a considerable impact not only on the European – US scene but also on the rest of the world, including India. It has caused a certain level of uncertainty regarding business involving cross-border data transfers outside the EU. After all, in this digital age, it is of utmost importance that the interests of all the participating countries are protected equally, as many industries, especially the IT industry, conduct business closely with the European markets and the United States.


Data Privacy, or Information Privacy, is a branch of data protection which ensures that all data or information, notably sensitive personal data, is safely handled by the concerned authority or corporations.

Data has been categorized into two forms: Public Data and Personal Data. Public Data refers to information that can be shared among the public, like details of an organization, etc.
Personal Data refers to data that is personal to an individual or organization and can't be accessed by other persons without prior permission. This data might include financial and family details, photographs, locations or travel history, and any other characteristics which might be confidential.

Data protection means ensuring that important data or information is safe from corruption, loss or any unauthorized use[1].
It has been divided into three categories, namely:
1) Traditional Data Protection: Backup/Restore, Archiving, RAID & Erasure Coding, Data Retention, etc.
2) Data Security: Encryption, Authentication, Threat Monitoring, Data Loss Prevention, etc.
3) Data Privacy: Legislation, Policies, Data Governance, Global Variations, etc.


The Privacy Shield Program of the European Union (EU) and the United States of America (US) was adopted on 12 July 2016 as a mechanism to regulate the transatlantic trade of private data for commercial purposes. The program was regulated by the International Trade Administration (ITA) under the United States Department of Commerce. This framework came into existence after the European Court of Justice declared the International Safe Harbor Privacy Principles invalid. This judgment is known as Schrems I.

Its main objective was to protect the citizens of the European Union by mandating that US corporations operate under the privacy laws of the EU while receiving any personal data of organizations or individuals from the European Union. It imposed strong data protection responsibilities upon the companies receiving data, and also restricted access by the US government. Both the EU and the US had agreed to hold a joint review annually in order to oversee that all guidelines were properly implemented. The Privacy Shield was proposed to help in the smooth and safe transfer of data to companies in the USA. However, it was heavily criticized by many Europeans who were skeptical of the proposed Privacy Shield. They were worried about whether their privacy and interests would be properly protected. There was a huge demand for an easy redressal system and a transparency scheme to make sure that their personal data did not fall into the wrong hands.

After a long conflict and the failure to serve its intended purpose, the Privacy Shield mechanism was challenged in court. This case was Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems (Schrems II), where the European Court of Justice (ECJ) delivered a landmark ruling declaring the Privacy Shield between the European Union and the United States of America invalid, though the participants would have to follow the “Standard Contractual Clauses”, equal to the provisions provided under the General Data Protection Regulation (GDPR).

The United States would still commit to ensuring that there is no breach of the privacy protections, and the U.S. Department of Commerce will continue to work closely with the European Commission and the European Data Protection Board. Moreover, the European Data Protection Board has stated that an enhanced framework will be introduced in the following years that will comply with European data protection laws.


In India, Data Privacy is complicated, as India has neither been a part of any convention on data protection nor has any specific legislation for the protection of its citizens' privacy, except for the UDHR[2] and the International Covenant on Civil and Political Rights[3]. The only act that caters to the issue of data protection and privacy is the Information Technology Act, 2000, also known as the IT Act, together with the Information Technology Rules, 2011 (“the IT Rules”). Under the IT Act, Sections 43A and 72A provide for the right to compensation in case of any unauthorized disclosure of personal information. The rules specified in the IT Act, 2011 imposed some requirements upon commercial as well as business organizations in relation to the retention and disclosure of confidential private data, which are somewhat similar to the GDPR and the Data Protection Directive.

And under Section 69 of the IT Act, the Central Government has the authority to block online content as well as arrest the culprit. For example, recently there was a ban on Chinese apps in the country, as per Section 69A[4].

Article 21 of the Indian Constitution provides the ‘Right to Privacy’. It is regarded as one of the most important rights given to citizens. It was recognized as a fundamental right with the landmark ruling in the case K.S. Puttaswamy & another vs. Union of India. The Supreme Court observed that information or data privacy is an aspect of the right to privacy and that the protection of people's privacy should be considered a necessity.

The Court also recognized the “Right to be Forgotten” as an important part of Article 21 of the Indian Constitution. This refers to the right to restrict, erase, or correct the disclosure of personal information on the Internet that is misleading, humiliating, or irrelevant.

Moreover, a committee was constituted by the government in order to draft a statute on data security, which will be India's first law regarding safeguards for private data. This statute was termed the Personal Data Protection Bill 2019 (PDP Bill). After its enactment, Section 43A of the IT Act will be repealed. Currently, the draft is undergoing revision by a Joint Parliamentary Committee. According to this Bill, incidents related to cyber security would have to be reported to the Indian Computer Emergency Response Team (“CERT-In”) as per Section 70B of the IT Act. It also specifies the provision to seek compensation from the data processor penalties in case there is any breach of disclosure.


Every person is entitled to protect their privacy and not disclose their personal information under any circumstances, unless there is a chance that such non-disclosure could cause harm to another individual or organization. With the popularization of online shopping, financial business such as transactions, online games, etc., the risk to data security has increased a lot. And with the invalidation of the EU – US Privacy Shield, the question arises as to when India will be an efficient data processing destination. To address this issue, it is essential that the government take adequate measures along with enacting a specific act on data protection. Therefore, we have to see whether this PDP Bill will prove to be a step closer to achieving that goal or not.

[1] “What is Data Protection”, Storage Networking Industry Association (SNIA) <https://www.snia.org/education/what-is-data-protection>
[2] Universal Declaration of Human Rights, 1948.
[3] International Covenant on Civil and Political Rights, 1966.
[4] Information Technology Act, 2000.

 Author: Shruti Sudha Samantaray, University Law College, Bhubaneswar, Odisha.