India has demanded that the E.U. award it data-secure status similar to the U.S. safe harbor agreement.
Under the E.U. Data Protection Directive, personal data cannot be transferred from an E.U. member state to a country not in the E.U. unless that nation’s laws are adequate.
To date, only a tiny number of countries have had their laws deemed adequate. Three weeks ago, Uruguay became the most recent country to get the sought-after status, joining Switzerland, Israel, Canada, Argentina, Guernsey, the Isle of Man and the U.S.
India is in bilateral trade agreement talks with the E.U., but local press reports say that India may refuse to sign any trade agreement unless its request for data-secure status is approved. “This request is being examined as per the process defined in E.U. legislation but is separate from the FTA negotiations,” said E.U. Trade Spokesman John Clancy.
“There is no adequacy agreement for India. But privacy issues more generally are indeed part of India’s trade negotiations with the E.U.,” said Mina Andreeva, the European Commission’s Justice spokeswoman. The Department of Justice in the Commission is responsible for overseeing data protection in the E.U.
Inclusion of intellectual property rights is one of the areas where talks have stalled. Because of its lack of data-secure status, India currently has no access to intellectual property or other sensitive information such as patient records required for telemedicine from E.U. countries (as well as EEA member countries Norway, Liechtenstein and Iceland). This hampers growth of India’s large outsourcing sector.
India has asked the E.U.’s trade commissioner’s office to send a technical team to inspect India’s data security provisions as soon as possible. However, achieving data-secure status is far from a quick process.
Europe’s national data protection commissioners (the Article 29 working party) must first draw up an opinion, then the Article 31 management committee must reach a majority decision on adequacy of the data security in the country not in the E.U. After that, the European Parliament has 30 days to scrutinize those opinions and only when it is satisfied can the decision to award data-secure status be adopted by the College of Commissioners. The next country due to be considered is New Zealand — that adequacy decision is expected in October.
India’s chances of meeting all these requirements could be hampered by news of yet another large data breach this week when the Indian website for Domino’s Pizza was hacked and the accounts of 37,000 customers potentially compromised.
However, this was not an isolated event. According to the government’s Indian Computer Emergency Response Team, 2,021 Indian websites were defaced in July, while 112 government websites in India were hacked between December and February.
Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to firstname.lastname@example.org.