Is it safe to transfer personal data to China, India, or Russia?

by Eva Jarbekk and Sondre Arora Aaserud


The EDPB recently published a study on privacy in China, India, and Russia. The results of the study do not come as a surprise and make it challenging for those who wish to transfer personal data to these countries. Nevertheless, the study is useful when assessing a specific transfer.

Just before the New Year, the EDPB published a study on governments' access to personal data in third countries, with a particular focus on privacy in China, India, and Russia. The report has received surprisingly little attention in Norway.

The assessments in the study largely follow the reasoning of the Schrems II decision. However, Schrems II applies specifically to the transfer of personal data to the US, and many find it difficult to make similar assessments of the level of protection in other third countries.

The study was carried out by an external actor on behalf of the EDPB. It is not legally binding but is useful for businesses that wish to make use of suppliers in China, India, or Russia. The study is likely to be particularly relevant for companies that outsource parts of their business to India, and it can be used as a tool when the outsourcing agreement is being negotiated. The study not only addresses the legislation of the third country, but it also addresses the likelihood of the authorities requesting access.

As for the assessment of India, the study points out that the right to privacy was not recognized by India's Supreme Court until quite recently. In addition, privacy law has received more attention in India in general. Nevertheless, the study assumes that Indian authorities have infringed these rights several times. It is also noted that the conditions that need to be met in order for the authorities to access personal data are quite vague and broadly worded. The authorities can access personal data if this is needed for "national security" purposes. This applies to all personal data retained in Indian territory and may therefore include information regarding European citizens.

The study emphasises that there are, admittedly, several conditions that must be met if the authorities are to request access on the basis of India's "national security". However, the legal assessment of these conditions is not particularly transparent, and it is therefore difficult to verify that the conditions have actually been met. This is considered a worrying weakness, as Indian authorities often refer to "national security" without disclosing anything as to what actually necessitates the access to the personal data. The study therefore concludes that individuals' rights and freedoms can be highly restricted, and thus the level of protection is too weak.

In the assessment of Russia, it is stated that Russian privacy legislation is complicated. Although the regulations appear to be very good in terms of format, there are a number of deficiencies and concerns related to the application and enforcement of the rules, according to the study. In addition, it is pointed out that Russia has received a lot of attention for repeatedly violating human rights such as the freedom of expression. According to the report, the right to data protection and privacy is particularly limited when national security interests are invoked. This has also been highlighted by the European Court of Human Rights in cases against Russia. Due to the close connection in the EU legal system, the transfer of personal data to Russia should therefore be considered carefully.

According to the report, some researchers argue that digitalisation has led to new types of surveillance and opportunities for censorship and information control. This is also reflected in the report's most important point regarding Russia, namely that the authorities tend to apply privacy laws to enforce political will, control the internet and protect the interests of the authorities. Consequently, the report concludes that the Russian authorities take a significantly negative approach to balancing fundamental rights in the digital world, and that the needs of the state are put ahead of the interests and rights of data subjects. In other words, the transfer of personal data to Russia is associated with a significant risk.

In the analysis of China, the study starts by reviewing the country's constitution. This review makes it clear that China is a dictatorship and that all power rests with the Communist Party. In addition, the constitution shows that the authorities' access to personal data is not restricted in any way. The study assumes that this in itself illustrates that China does not have a legal system that facilitates real privacy and adequate protection of European citizens' personal data.

Furthermore, the analysis of China's other legislation also indicates that the authorities have great leeway when it comes to accessing personal data. The authorities have been given broad powers to make exceptions to data protection legislation if this is regarded as necessary for national security interests or for general order. The study adds that national security and general order are interpreted much more widely in China than in Europe, and that these interests are a strong priority in China's political system. The report therefore concludes that Chinese data protection legislation gives the authorities almost unlimited access to personal data, and that it does not provide the necessary guarantees to safeguard the rights and freedoms of the individual under the GDPR.

Clarifying guidance

In summary, it can be said that this was neither particularly surprising, nor particularly encouraging for businesses that want to use suppliers in China, India, or Russia. However, the study is useful when a data exporter in the EU/EEA is looking to assess a specific transfer and the level of protection in the third country in question. After all, it is necessary to know the circumstances in the third country in question to best determine which additional measures must be implemented in line with the Schrems II decision. In this respect, the study is a clarifying and helpful tool. Although the EDPB has not explicitly declared that it fully agrees with the review, it is unlikely that the study would have been published if the EDPB thought it was fundamentally flawed.

Relevant additional measures such as encryption will be central to transfers to China, India, and Russia going forward. Businesses should use as strong encryption as possible without impairing the purpose of the transfer itself. Thus, as far as possible, the information should be encrypted "in transit", when stored and when in use. Furthermore, the encryption key must be handled in such a way that the measure works effectively against governmental requests for access. As always, it is essential that the business is proactive and implements all necessary measures to ensure compliance with the regulations, in line with the principle of accountability in Article 5 of the GDPR.
