Federal Court deems university’s use of room scans within the home unconstitutional

I. Summary

A federal court recently ruled that a public university’s use of room-scanning technology during a remotely proctored exam violated a student’s Fourth Amendment right to privacy. The decision in Ogletree v. CSU is the clearest indication to date of how courts will treat Fourth Amendment challenges to public higher education institutions’ use of video room scans within students’ homes. Schools, test administrators, and professional licensure boards often use proctoring technologies in an effort to dissuade cheating by remote test takers. These technologies take a variety of forms and may involve live proctors observing test takers via webcam, eye-tracking technology, artificial intelligence, recording via webcam and microphone, plug-ins that disable a test taker’s computer from accessing third-party websites or stored materials, and room scans. At issue in this case was a room scan of a student’s bedroom workspace. 

Since the start of the COVID-19 Pandemic, more schools have incorporated remote proctoring software into testing procedures. The increased use of such technology in both K-12 and higher education settings has led to widespread discussion about the resulting privacy implications, including whether remote proctoring practices violate students’ privacy rights. In August, the US District Court for the Northern District of Ohio offered some clarity–as well as new questions–when it granted summary judgment to college student Aaron Ogletree (“the student”) in his Fourth Amendment lawsuit against Cleveland State University (“CSU,” or “the university”). The Court determined that the room scan amounted to a Fourth Amendment search because: (1) CSU is a public institution and thus a state actor; (2) the student had a subjective expectation of privacy within the bedroom of his home; and (3) the student’s expectation of privacy was reasonable and one generally accepted by society. The Court further found that CSU’s Fourth Amendment search was unreasonable by weighing four factors: (1) the student’s privacy interest; (2) the nature of the search; (3) the government concern; and (4) efficacy. Finding that only one factor (the government concern) weighed in favor of CSU, the Court deemed the search unreasonable and thus unconstitutional.

While the Court’s decision is not dispositive of many interesting issues, it offers clarity on some and poses new questions about others. Some of the takeaways from the decision include:

II. Analysis

The student in this case sued his university after he was asked to complete a room scan of his bedroom workspace before a remote exam, alleging that the practice violated his Fourth Amendment rights. The Fourth Amendment of the United States Constitution states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The Court’s opinion first determines that CSU’s room scan amounted to a Fourth Amendment search, and second, rules that the search was unreasonable. While Fourth Amendment decisions are highly fact-specific, the Court’s analyses of these two factors indicate how other courts may evaluate similar cases in the future.

The Room Scan was a Fourth Amendment Search

In the first stage of its analysis, the Court determined that the room scan did in fact amount to a Fourth Amendment search. Fourth Amendment searches involve government action that violates “a subjective expectation of privacy that society recognizes as reasonable.” Because CSU is a public institution, it is a government actor. As such, the Court had to determine whether the student possessed a subjective expectation of privacy when he took the remote test, and if so, whether his expectation of privacy was one reasonably recognized by society. The Court determined both of these elements were met. 

Much of the Court’s analysis hinges on the location where the room scan took place: the student’s bedroom within his home. The Court acknowledged that privacy within the home is a cornerstone of Fourth Amendment jurisprudence and that there is little question as to whether the student had a subjective expectation of privacy in his bedroom. The Court further found this expectation to be one reasonably understood by society, as there is widespread agreement that privacy interests exist within one’s home.

In arriving at its conclusion that a Fourth Amendment search occurred, the Court rejected multiple arguments from CSU. For example, since proctoring services commonly include room scans and students routinely use them, the university argued that the student’s expectation of privacy was unreasonable. The Court was not persuaded by this argument, noting that a practice can be commonly used but still implicate a privacy interest. A lack of opposition from other students does not invalidate the inherent expectation of privacy that exists in the home. The Court explained: 

Though schools may routinely employ remote technology to peer into houses without objection from some, most, or nearly all students, it does not follow that others might not object to the virtual intrusion into their homes or that the routine use of a practice such as room scans does not violate a privacy interest that society recognizes as reasonable, both factually and legally.

CSU also cited case law regarding routineness and plain view. Here, the university attempted to equate room scans to activities that courts have declined to characterize as Fourth Amendment searches. Specifically, these precedents involve routine practices that employ modern technologies to observe what is openly visible. Once again, the Ogletree Court rejected the university’s arguments, holding: “[r]oom scans go where people otherwise would not, at least not without a warrant or invitation.” As such, the routine use of room scans for remote exams does not make the student’s expectation of privacy in his bedroom unreasonable. 

The Court also rejected the notion that a room scan is not a Fourth Amendment search simply because the technology that room scans use is publicly available. Here, the opinion notes:

While cameras might be generally available and now commonly used, members of the public cannot use them to see into an office, house, or other place not publicly visible without the owner’s consent.

Moreover, the Court was not persuaded by the university’s invocation of Quon or Wyman – two Supreme Court cases that involved arguably similar searches. While the Ontario v. Quon decision involved similar facts and found a government search to be lawful, the case centered around employee monitoring software, not remote proctoring room scans. The Ogletree Court declined to apply Quon and subsequent case law beyond an employment context. The Court also engaged in a lengthy discussion about the precedent from Wyman v. James. Wyman is a Supreme Court case finding that mandatory home inspections to qualify for government benefits are not Fourth Amendment searches. The Court examined many factors in its analysis of Wyman’s applicability to the case at hand. Ultimately, however, the Court determined that the circumstances in the Wyman case were fundamentally different from the Ogletree facts and could not be equated to support the university’s argument.

The Fourth Amendment Search was Unreasonable

Having determined that the room scan was a Fourth Amendment search, the Court then moved to its second analysis, the reasonableness of the search. This analysis employs a balancing test whereby a court weighs the “intrusion on the individual’s Fourth Amendment interests against its promotion of legitimate governmental interests.” 

The room scans at issue in this case can be characterized as suspicionless searches, in that they were not conducted because of specific suspicion of a single student. While suspicionless Fourth Amendment searches are generally unconstitutional, the Ogletree Court acknowledged the exception for searches in which the government has “special needs beyond the normal need for law enforcement.” The test for this exception–and the test the Ogletree Court used in its analysis–considers four factors:

  1. The nature of the privacy interest affected; 
  2. The character of the intrusion; 
  3. The nature and immediacy of the government concern; and 
  4. The efficacy of this means of addressing the concern.

Factor 1: The Privacy Interest

For the first factor, the Court reiterated the well-understood privacy interest that existed within the student’s bedroom. The high value that society and Fourth Amendment jurisprudence place on privacy within the home worked in favor of the Plaintiff in this case. CSU argued that students have different Fourth Amendment rights in a school setting given the unique custodial relationship that exists. Relying on case law involving public K-12 institutions, CSU suggested that the student had lesser privacy interests at the time of the room scan. The Court rejected this assertion, however, pointing out that CSU’s argument rested on precedent involving minor students whose school attendance is required. Here, the student was an adult who voluntarily enrolled in a higher education institution. The Court made this distinction and explained:

Mr. Ogletree was an adult at the time of the search at issue and enrolled at Cleveland State by choice. Although this setting might affect the nature of the privacy interest at stake to some degree, it is difficult to see how enrollment in a higher educational institution would limit the core protections of the home under the Fourth Amendment on the facts and circumstances of this case.

Factor 2: The Intrusion

For the “character of the intrusion” factor, the Court relied heavily on factors from the case record. The Court discussed the lack of alternatives the student had when taking the test given the COVID-19 Pandemic and his inability to take the exam anywhere other than his bedroom. The Court noted that even before the Pandemic, it would be difficult for students to weigh their privacy interests when deciding on a testing location given the university’s policy of leaving remote testing decisions to the discretion of individual instructors. Here, the Court acknowledged:

In normal times, a student might be able to choose another college or among classes with different options for tests and assessments. A student who valued privacy more might opt for courses with in-person tests, while another who prefers convenience might tolerate an intrusion of the sort at issue here. Cleveland State’s policies and practices make such choices and tradeoffs opaque, at best. Faculty members have discretion on how to implement remote testing.

The Court further pointed out that the student only had two hours of notice of the room scan because of policy changes.

The Court’s analysis for this part of the four-part test also included factors that favored CSU, including the fact that the room scan was minimally invasive in that it lasted less than a minute and was in the student’s control. Moreover, the Court acknowledged that some privacy interests might be traded away for the exchange of a good or service, such as an education or degree. However, the Court maintained that regardless of any tradeoffs, the student kept his constitutional rights. When weighing the factors that favored the student against the factors that favored the university, the Court ultimately concluded that “the core protection afforded to the home, the lack of options, inconsistency in the application of the policy, and short notice of the scan weighed in Plaintiff’s favor.”

Factor 3: The Government Concern

The third factor, the “nature and immediacy of the government concern,” weighed in favor of CSU, as the parties and the Court agreed that the university had a legitimate interest in preventing academic dishonesty. The room scans were ultimately employed to help meet this interest.

Factor 4: Efficacy

The Court then turned to the fourth and final prong of the test: the efficacy of the school’s means to address its concern. For this factor, in particular, it is important to remember that this case deals with one form of proctoring: room scans. Here, the Court considered the alternative options that existed to achieve the university’s goal of deterring academic dishonesty. 

In his argument against the effectiveness of room scans, the student pointed out that the school has many proctoring methods at its disposal, including technology that prevents a test taker from accessing the internet or saved documents during an exam, hiring proctors to monitor students for the duration of a test, and AI detection for plagiarism. In support of his argument about the various alternatives that existed, the student pointed out that the university’s policy left proctoring methods to the discretion of individual educators. The student also argued against the efficacy of room scans by discussing different ways a student who is required to complete a room scan before an exam could still access prohibited materials during the testing period.

In contrast, the university argued that a room scan is an effective method to achieve the university’s interests in preventing academic dishonesty. To support its argument that other proctoring features do not offer the same detection and deterrent functions that room scans do, the university suggested that such programs “are not effective at achieving these functions and that sometimes they are inappropriate for students with disabilities.” Here, the university’s argument seemed to hinge on the ineffectiveness of other methods of remote proctoring. 

The Court was ultimately persuaded by the student’s arguments against efficacy and concluded that “a record of sporadic and discretionary use of room scans does not permit a finding that room scans are truly, and uniquely, effective at preserving test integrity.” Not only did other safeguarding methods exist, but the Court also pointed out the existence of alternative evaluation methods–such as a final project or term paper–that do not require remote proctoring at all. This section of the Court’s analysis is especially interesting given the efficacy critiques that often arise in the public discourse surrounding remote proctoring technology.

As three of the four factors (nature of the privacy interest affected, character of the intrusion, and efficacy of means) weighed in favor of the student, and only one of the factors (nature and immediacy of the government concern) weighed in favor of the university, the Court concluded that the Fourth Amendment search was not reasonable. 

Having determined that the room scan amounted to a Fourth Amendment search and that the search was unreasonable, the Court found that the Plaintiff’s Fourth Amendment rights had been violated.

Procedurally, it is notable that the District Court granted the student’s motion for summary judgment. Summary judgment requires a party to show that there is “no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” Moreover, a grant of summary judgment requires a court to consider the evidence “in the light most favorable to the party opposing the motion.” That means the Court in Ogletree not only determined that the student was entitled to judgment as a matter of law, but it arrived at this determination by viewing the evidence in a light that favored the university.

Impact on Remote Proctoring

The Court’s decision to grant Ogletree’s motion for summary judgment is the clearest indication to date of how federal courts may treat Fourth Amendment cases involving the use of room scans in remote proctoring software. Nonetheless, it is too soon to tell whether other courts will follow suit or what this decision will mean for remote proctoring generally. Regardless, schools that use remote proctoring software, and more specifically, deploy room scan features, should be mindful of the decision in this case and the Court’s reasoning.

Fourth Amendment cases are especially fact dependent. As such, it is very possible that the case could have had a different result had the circumstances been even slightly different. For example, because of the unique relationship between schools and K-12 pupils, there remains ambiguity as to whether the Court would have arrived at the same result in a case about an elementary or high school student. Moreover, this case focused specifically on room scans; it is unclear whether other forms of remote proctoring, such as ongoing monitoring when a student takes a remote test in their home, would amount to a Fourth Amendment violation under this Court’s efficacy and reasonableness analyses. Nonetheless, this case is a win for student privacy and an indicator of how other courts may rule in future cases. 

Regardless of the questions that still exist, interested parties–including schools, students, boards of licensure, and proctoring companies–should be aware of this decision. Entities that employ proctoring software should be mindful of the Court’s reasoning and consider potential legal risks and privacy implications before employing proctoring technologies or requiring room scans within the home.

New Infographic Highlights XR Technology Data Flows and Privacy Risks

As businesses increasingly develop and adopt extended reality (XR) technologies, including virtual (VR), mixed (MR), and augmented (AR) reality, the urgency to consider potential privacy and data protection risks to users and bystanders grows. Lawmakers, regulators, and other experts are increasingly interested in how XR technologies work, what data protection risks they pose, and what steps can be taken to mitigate these risks.

Today, the Future of Privacy Forum (FPF), a global non-profit focused on privacy and data protection, released an infographic visualizing how XR data flows work by exploring several use cases that XR technologies may support. The infographic highlights the kinds of sensors, data types, data processing, and transfers that can enable these use cases.

XR technologies are powered by the interplay of multiple sensors, large volumes and varieties of data, and various algorithms and automated systems, such as machine learning (ML). These highly technical relationships enable use cases like shared experiences and expressive avatars. However, these use cases often depend on information that may qualify as sensitive personal data, and the collection, processing, and transfer of this data may pose privacy and data protection risks to both users and bystanders.

“XR tech often requires information about pupil dilation and gaze in order to function, but organizations could use this info to draw conclusions—whether accurate or not—about the user, such as their sexual orientation, age, gender, race, and health,” said Daniel Berrick, a Policy Counsel at FPF and co-author of the infographic. These data points can inform decisions about the user that can negatively impact their lives, underscoring the importance of use limitations to mitigate risks.

FPF’s analysis shows that sensors that track bodily motions may also undermine user anonymity. While tracking these motions can help map a user’s physical environment, it can also enable digital fingerprinting. This makes it easier for parties to identify users and bystanders while raising de-identification and anonymization concerns. These risks may discourage individuals from fully expressing themselves and participating in certain activities in XR environments due to their concerns about retaliation.

Moreover, FPF found that legal protections for bodily data may depend on privacy regulations’ definitions of biometric data. It is uncertain whether US biometric laws, such as the Illinois Biometric Information Privacy Act (BIPA), apply to XR technologies’ collection of data. “BIPA applies to information based on ‘scans’ of hand or face geometry, retinas or irises, and voiceprints, and does not explicitly cover the collection of behavioral characteristics or eye tracking,” said Jameson Spivack, Senior Policy Analyst, Immersive Technologies at FPF. Spivack was also a co-author of the infographic.

This highlights how existing laws’ protections for biometric data may not extend to every situation involving XR technologies. However, protections may apply to other special categories of data, given XR data’s potential to draw sensitive inferences about individuals.


Meet David Sallay, FPF’s new Youth & Education Privacy Director

FPF is thrilled to announce the new Director of our Youth & Education Privacy Program, David Sallay. David comes to FPF from the Utah State Board of Education, where he served as Chief Privacy Officer and Student Privacy Auditor and worked with schools and districts on implementing Utah’s state student privacy law.


Before focusing on privacy, he worked in education as a teacher of English as a Foreign Language at Qatar University and high schools in Hungary. He holds a Master’s in Public Policy from the University of Utah and a Master’s in Education from the University of Pittsburgh. 

Learn more about David in the Q&A below.

  1. You started out as a teacher–how did you get involved in student privacy?

I was in the right place at the right time. I worked for the Utah State Board of Education as the assessment data specialist when Utah passed its student privacy law, which created several new positions. It seemed like an exciting new area to work in, so I applied and got the job.

  2. What’s one thing that you wish more teachers understood about student privacy?

I wish more teachers knew that student privacy doesn’t have to be a zero-sum game. We shouldn’t have to make trade-offs where you can’t teach as well or use helpful tools in the classroom to achieve security or privacy. Still, since privacy is unfortunately rarely the default setting, we’ll want to work together to ensure our use of technology and data in the classroom is a true win-win where students learn better while having their data protected.

  3. A lot is going on in youth & education privacy today…What’s one thing that you are optimistic or encouraged about?

I am encouraged by the move to age-appropriate design codes in some jurisdictions since it should lead to more products mapping better to the expectations of parents, educators, and children.

  4. What’s one thing that you are worried or concerned about?

On the flip side, I am also worried about age-appropriate design codes if they don’t strike the right balance, and it can be really hard to find that Goldilocks zone of just right.

  5. What’s something that you think is flying under the radar?

Many of the most damaging privacy harms are small in terms of the number of students they impact and likely won’t appear on the front page of a newspaper. If you see a lot of the privacy complaints that go to the US Department of Education or that we investigated in Utah, they were very often one individual at the school doing something with a record that harmed one or two students. So I think it’s important to look at both big-picture issues as well as the smaller ones.

  6. Utah’s approach to student privacy has been held up as a model for other states to follow (including by FPF!). What advice do (or would) you give another state looking to replicate your approach?

One of the things I think our legislature and state board did well was gathering stakeholders together to study the issue instead of adopting a one-size-fits-all approach. The other thing is to put someone in charge full-time (e.g., a chief privacy officer) to provide adequate support.

  7. What are you reading/listening to lately for work (related to youth privacy)?

I’ve been reading Privacy’s Blueprint by Woodrow Hartzog since it focuses a lot on design as a way to build trust and will hopefully help me better wrap my brain around the new design codes being proposed.

  8. What are you reading/listening to lately for fun?

I’m really drawn to anything about other Hungarian-Americans. Since it’s October, I’m reading a biography of Béla Lugosi that is interesting (there was a lot more to him than just playing Dracula). Also, every October, I try to listen to every Oingo Boingo album since that gets me in a proper Halloween mood.

  9. Do you remember the first time you heard about FPF? What made you want to join the team officially? What is your top priority?

I first heard about FPF when I started working on privacy in Utah. We didn’t know how to build our program and quickly discovered FPF as a resource. At that time, the FPF youth and education team was just one person, so it’s been really neat to see the program grow. A lot of the appeal in joining was being able to work on privacy problems beyond the borders of Utah and beyond education (i.e., in youth privacy). So far, it’s been really good to meet everyone on the team. My top priority right now is to get to know the team better and understand their interests and goals so I can figure out the best way to support them so that collectively we can provide the most value for our stakeholders and ultimately make a real impact for students and youth.
Interested in learning more about FPF’s Youth & Education Privacy work? Visit Student Privacy Compass to learn more.

Indonesia’s Personal Data Protection Bill: Overview, Key Takeaways, and Context

The authors thank Zacky Zainal Husein and Muhammad Iqsan Sirie from Rajah & Tann Indonesia for their insights.

Overview

On September 20, 2022, Indonesia’s House of Representatives passed the Personal Data Protection Bill (PDP Bill) (note: linked Bill is in Indonesian). This is the first step towards enactment of the PDP Bill as law. The second step was Presidential assent, which happened on October 17, 2022, and signifies the enactment and coming into force of the law. 

Prior to the passage of the PDP Bill (hereafter referred to as the “PDP Law”) (Act No. 27 of 2022), Indonesia lacked a comprehensive personal data protection law. Instead, provisions on personal data protection were distributed across more than 30 different laws and regulations. A first draft of the PDP Law was released for public comment on January 28, 2020. Between January 2020 and September 2022, the PDP Law underwent numerous rounds of consultation and amendment, culminating in the release of a near-final draft on September 5, 2022, and a final draft on September 20, 2022.

The PDP Law establishes responsibilities for the processing of personal data and rights for individuals in a manner similar to other international data protection laws. Many of its core aspects, including definitions of covered data and covered entities, lawful grounds, processing obligations, accountability measures, and controller-processor relationships, share some overlap with other laws around the world – most notably the EU’s General Data Protection Regulation (GDPR). However, there are a few notable components unique to the Indonesian context. For instance, the PDP Law includes a broad extraterritorial scope provision that will apply to organizations as long as their processing activities have legal consequences in Indonesia or cover Indonesian citizens outside of Indonesia.

Additionally, the PDP Law broadly exempts the financial services sector, imposes stricter requirements on controllers such as broad record-keeping obligations for processing activities, and has unique provisions on the use of facial recognition technologies. Special categories of data (what the PDP Law refers to as “specific personal data”) explicitly include children’s data and personal financial data. For specific data subject requests, such as access, rectification, and restriction, organizations only have 72 hours to respond.

Data localization, which was introduced in a previous draft, has been replaced by the general obligation for controllers to ensure data transferred across borders remains protected to a standard commensurate with the PDP Law. As for enforcement and sanctions, the PDP Law includes a large spectrum of avenues – from a private right of action for any violations of the law, to administrative fines and criminal penalties. For instance, the law sanctions “intentionally creating false data” with a criminal sentence of up to six years.

Lastly, the structure and function of the data protection authority (DPA), which will be set up after the PDP Law comes into force, may carry unique features, as many details of its operation will be issued at a later date. 

While authorities will need to clarify key provisions in subsequent regulations, the PDP Law creates a comprehensive foundation to govern data processing activities in Indonesia. As Indonesia is one of the largest countries in the world, the PDP Law will likely have an impact on data protection both in the regional context of the Asia-Pacific and the global context. Organizations will have a two-year transition period to comply (except for the criminal provisions that will come into force immediately) once the PDP Law goes into effect, which will occur when it receives Presidential assent or when the time window for receiving assent expires.

1. Scope, Covered Actors, Broad Extraterritoriality

The PDP Law applies to persons, public bodies, and international organizations that process personal data or otherwise perform legal acts recognized under the law in the jurisdiction of Indonesia (Art 2). Persons refer to both natural individuals and corporations (natural and legal persons), while public bodies are organizations that fulfill core administrative functions and receive some funds from state budgetary agencies. Non-governmental organizations (NGOs) may also be considered public bodies if part or all of their funds come from the state. International organizations refer to bodies that are recognized as subjects of international law and have the capacity to make international agreements. 

Like other data protection laws inspired by the GDPR, the PDP Law applies extraterritorially to covered actors outside of Indonesia (Art 2). However, unlike other laws, this extraterritorial effect applies as long as the processing of personal data has legal consequences (i) in Indonesia or (ii) for personal data subjects who are Indonesian citizens outside of Indonesia. This applicability covers more processing activities than is typically seen in other data protection frameworks.

Similar to other data protection laws, the PDP Law distinguishes between “Personal Data Controllers” and “Personal Data Processors.” “Controllers” refer to any person, public body, or international organization acting individually or together to determine the purpose and exercise control of personal data processing. Article 1 defines a processor as the party that processes personal data on behalf of the controller. 

Much like other data protection laws, the PDP Law requires processors to perform the processing based on an agreement with the controller under its supervision. However, the PDP Law leaves the ultimate responsibility for data processing with the controllers unless processing occurs outside the agreement, in which case it is the responsibility of the processor. Notably, some obligations of the controllers extend to processors following specific provisions in the PDP Law (see Section 5).

Article 51(4) explicitly permits processors to engage other organizations in sub-processing arrangements – but requires that they obtain written consent from the controller before involving other processors. It is unclear if generalized consent to the use of sub-processors would satisfy this requirement, though this may be clarified in forthcoming regulations.

Normative Grounds of the Law and Data Processing 

Added in the final draft of the PDP Bill, Article 3 provides normative grounds for processing and indicates the high-level principles policymakers had in mind when promulgating the law. These include a principle of “Protection” (clarified in the explanatory section of the PDP Law to mean that every instance of processing of personal data should be carried out by “providing protection to the personal data subject for his/her personal data and the personal data from being misused”), legal certainty, public interest, expediency, prudence, balance, accountability, and confidentiality. These bases provide insight into the enforcement goals of the PDP Law and ground its provisions in specified rationales and objectives.

The PDP Law applies primarily to the processing of personal data, which refers to the “collection, analysis, storage, improvement and renewal, announcement, transfer, dissemination, disclosure, and deletion of data” (Art 16). This definition shares broad congruence with definitions of data processing seen in other laws. Note the law seems to provide a closed list of what constitutes processing and does not include an open reference to information as such or provide examples.

2. Covered Data: Broad definition of “personal data” and novel categories of “specific data”

In the PDP Law, “personal data” is defined broadly and refers to data which, independently or in combination with other data, identifies or can identify an individual, whether directly or indirectly or through electronic or non-electronic systems. Note the Explanatory Memorandum clarifies that this includes both mobile numbers and IP addresses. This definition is similar in scope to equivalent definitions in other major data protection laws internationally, including the definition of “personal data” in Article 4(1) of the GDPR.

Like many global data protection frameworks, the PDP Law distinguishes between personal data of a general nature and categories of sensitive personal data, which the PDP Law terms “specific personal data” and defines as personal data which, if processed, may result in a greater impact (including harm and discrimination) to the personal data subject (Art. 4).

Notably, unlike other personal data protection frameworks, the PDP Law also identifies a number of categories of “personal data of a general nature” which, by definition, would not qualify as specific personal data. These include a person’s full name, gender, citizenship, religion, and marital status, as well as data that is combined with other data to identify an individual.

The categories of specific personal data include:

The PDP Law imposes additional safeguards for processing of specific personal data, including mandatory data protection impact assessments (DPIAs) and data protection officers (DPOs) for large-scale processing (see Section 4 below). 

3. Lawful Grounds for Processing and Consent Requirements

Article 20 of the PDP Law establishes six legal bases for processing personal data (whether specific or of a general nature), namely:

These bases are similar to those in Article 6 of the GDPR and, like their equivalents in that law, are placed on an even level – no single legal basis takes precedence over any of the others.

Consent Requirements

The PDP Law also contains detailed requirements for controllers to demonstrate that they have obtained valid consent. A request for consent must be accompanied by certain prescribed information, clearly distinguishable from other matters, and in a format that is easily understandable and accessible. The consent itself must be explicit, informed, specific to a purpose, and recorded.

The PDP Law also contains specific provisions for consent in several contexts where the personal data subject may lack legal capacity. Consent for processing a child’s personal data must be obtained from the child’s parents or legal guardians. Note the Law does not provide an age for defining a child. Further, consent for processing the personal data of a person with disabilities may be obtained either from the person or from the person’s guardian. The PDP Law recognizes that further requirements for such processing may be found in future regulations.  

In addition to requiring a legal basis for processing of personal data, the PDP Law also requires controllers to adhere to enumerated data protection principles. In particular, organizations must process personal data in a limited, specific, transparent, and lawful manner. Additionally, a specific purpose for processing must be identified and communicated to the data subject, and processing must be accurate, secure, transparent, and responsible. Articles 20-49 of the PDP Law provide further details as to how personal data controllers should operationalize these principles (see Obligations of controllers below). 

4. Obligations of Controllers

Data controllers must abide by a series of obligations outlined in the PDP Law, including adhering to lawful grounds for processing and notification requirements, following data protection principles, responding to data subject requests, and implementing accountability and security measures. 

As an overarching requirement, data controllers must identify an appropriate legal ground for processing personal data. If they rely on consent, further obligations apply (see Section 3 above). Article 21 requires the controller to provide information to data subjects on the legality, the purposes, the type, and the relevance of processing. Additionally, the controller must be able to show that consent is valid (Art 24) and, if withdrawn, end any processing operation in a specified time period (Art 40). If consent is withdrawn, the controller has to also delete the personal data (Art 43).

Data Protection Principles

Controllers must process data in accordance with data protection principles (some of which reflect the Fair Information Practice Principles – “FIPPs”) which outline the following obligations:  

While the Principles are similar to those in other comprehensive data protection laws, including Article 5 of the GDPR, the Law does not contain an explicit principle of data minimization. However, a certain correspondence to it can be found in the requirements that personal data must be processed in a limited, specific manner. The list of principles in the PDP Law also lacks any form of a fairness principle.

Data Subject Access Requests

Subject to notable exceptions, controllers must respond to data subject access requests and uphold other data subject rights (see Section 7 below). When a data subject requests access, the controller must give the subject access to the personal data, as well as provide a track record of the processing operations related to the subject (Art 32). With respect to requests to delay or restrict processing, the data controller must notify the data subject of this action (Art 41) unless an exception applies or a written agreement with the subject specifies otherwise. For access, rectification, and delaying requests, the controller has 72 hours from receiving the request to respond to the data subject.  Notably, while the right of the data subject to access their own data is provided for in Article 7, the conditions under which access must be provided are listed separately in Chapter VI, which is dedicated to the obligations of the controller.

In cases when the data subject requests to end processing, the processing has reached the retention period, or the purposes have been achieved, the data controller must end the processing operations (Art 42). Additionally, controllers must delete or destroy personal data if the data subject requests it or has withdrawn consent, when the personal data is no longer necessary for the original purpose of processing, or when controllers process data through unlawful means (Art 43). In both cases of deletion or destruction of personal data, the controller has to notify the data subject (Art 45). 

Accountability Measures, DPIAs, and DPOs

Data controllers have additional obligations such as those to supervise each party involved in the processing of personal data that is under the controller’s control (Art 37), notify in writing both the data subject and the DPA in the case of unauthorized disclosure of the data and thus failure to protect it (Art 46), and notify the data subject before the controller (in the form of a legal entity) proceeds with any mergers, separations, acquisitions, consolidations, or dissolutions (Art 48). Finally, data controllers are obliged to implement the DPA’s order in the context of implementing the PDP Law.

Controllers also carry internal reporting obligations, such as the requirement to keep a track record of all processing obligations to facilitate data subjects exercising their rights. Under Article 34, controllers must conduct a data protection impact assessment (DPIA) whenever processing of personal data has a high risk of harming the data subject, which includes:

Article 53 of the PDP Law also contains obligations for organizations to appoint a data protection officer (DPO) in specified conditions. These include when (i) processing personal data for public services, (ii) the core activities of the controller require regular and systematic monitoring of personal data on a large scale, or (iii) the core activities of the controller consist of large-scale processing for specific personal data or data related to criminal offenses. 

The PDP Law does not contain any requirements for choosing DPOs except that they must be professionals with knowledge of the law. DPOs must advise the controller on compliance, monitor and ensure that processing falls within the ambit of the PDP Law, assess the impact of processing, and act as a contact person for issues related to the processing.

Security and Data Breach Notification

Article 35 specifies security measures organizations must adopt to protect personal data, including preparing and implementing technical and operational measures and employing a risk-based approach to determine the appropriate level of security for the data. Controllers likewise have a duty to prevent personal data from being accessed unlawfully (Art 39). Note that the PDP Law does not specify further security measures but instead defers to future regulations to fill in additional detail.

In the event of a security breach, controllers must submit written notification to the affected data subjects and the DPA no later than three days after the breach. The notice must contain the personal data involved in the breach, when and how the breach occurred, and any remedial measures taken by the data controller to mitigate harm (Art 46). Finally, controllers may have to notify the public of the breach in certain cases. As with other substantive provisions of the PDP Law, future regulations will specify additional information requirements and trigger events.

Exceptions to Processing Obligations

Similar to the case of data subject rights, Article 50 sets the conditions that exempt certain processing activities from obligations under the law when such activities involve (i) national defense or security interests, (ii) law enforcement, (iii) public interests in the context of state administration, or (iv) the financial services sector, monetary and payment systems, and financial system stability carried out in the context of state administration. This last exception is a unique feature of Indonesian data protection law. 

The Explanatory Memorandum provides additional detail as to the circumstances that trigger these conditions. For instance, the law enforcement exception applies primarily to investigation and prosecution processes, while public interests include the implementation of census administration, social security, tax, customs, and licensing services. 

While these exceptions may be construed broadly, the PDP Law limits them to an exhaustive list of specific processing obligations. Note that many of these obligations relate to data subject rights. Where a processing activity is exempt, data controllers are not obliged to:

5. Some Controller obligations extend to Processors

Article 52 attaches a number of data controller obligations to processors as well, including:

Finally, processors share the obligation to appoint a DPO if the processing activity meets the qualifying criteria (described above). Article 53(3) specifically notes that a DPO “may come from inside and/or outside the personal data controller or the personal data processor.”

6. Specific Processing Restrictions (Facial Recognition, Children’s Privacy, Persons with Disabilities, ADM)

The PDP Law restricts the processing of personal data in specific circumstances.

Facial Recognition Technology – Article 17 requires controllers that use facial recognition technology or install visual data processing devices in public places to do so only for the purposes of security, disaster prevention, or traffic information analysis. Additionally, organizations must notify the public that such technology is in use in areas where they have installed devices, and must not use facial recognition to identify a person. However, these requirements do not apply to the activities of law enforcement or the prevention of criminal offenses.

Children’s Data – Article 25 states that controllers must process children’s personal data in a special manner and obtain the consent of the child’s parent or guardian. Note the law does not specify an age threshold for children. Rather, regulators will likely promulgate rules on children’s data in future regulations.   

Persons with Disabilities – Article 26 states that controllers must also process the data of persons with disabilities in a specified manner and obtain the consent of the person or the guardian to conduct processing activities. Additional regulations will specify further conditions, including how and through what means controllers must communicate with persons with disabilities. Note that the law does not define persons with disabilities.

Automated Decision-Making – Article 10 specifies that data subjects have the right to object to ADM, including profiling that gives rise to legal consequences or has a significant impact on the data subject. This language, which mirrors the GDPR, does not seem to be construed as a general prohibition against qualifying ADM. The PDP Law does not define when its use creates legal consequences or carries a significant impact on individuals. The use of ADM may also trigger a DPIA.

7. Nine Data Subject Rights: From Access to Delay of Processing, to Portability

The PDP Law enumerates nine personal data subject rights and obligates controllers to guarantee those rights as a fundamental data protection principle under the law (Arts 5-15). These rights include: 

Data subjects must submit a registered request to the controller to exercise the rights to rectify data, to have access and obtain a copy of the data, the right to end the processing and delete or destroy personal data, the right to withdraw consent, the right to object to automated decision measures based solely on automated processing, and the right to delay or restrict processing (Article 14).

Similar to general processing obligations, the PDP Law also includes a number of exceptions to the rights (Art 15(1)) (see Section 4 above). While these exceptions apply under similar conditions, such as for the purposes of national security, law enforcement, or public interests, the PDP Law also recognizes an exception for statistical and scientific research purposes, which it does not define or further clarify (Art 15). Finally, note that Article 33 stipulates that controllers must refuse a rectification or access request if it endangers the security, or the physical or mental health, of the data subject or other persons.

8. Cross-Border Data Transfers: Possible to jurisdictions with equal or higher level of protection, or on the basis of consent

Article 56 of the PDP Law governs transfers of personal data outside of Indonesia. Similar to other data protection laws with international data transfer requirements, the PDP Law requires controllers to ensure that the country where the data recipient is located has a level of data protection equal to or higher than the PDP Law. 

The PDP Law further requires that controllers, where the law of the recipient country does NOT provide an equal or higher standard, “ensure that there is adequate and binding Personal Data Protection.” The specifics of how this might be achieved are not set forth in the Bill, but Article 56(5) notes that further provisions regarding the transfer of personal data will be included in a separate regulation. It remains to be seen whether this forthcoming regulation will include standardized contractual language or whitelist particular data processing activities such as pseudonymization and encryption for data transfer purposes. 

The PDP Law includes a broader consent exception to its “adequacy” requirement than many other laws. Article 56(4) requires organizations to “obtain the consent of the personal data subject” for transfers where neither the destination country’s laws nor the controller can guarantee an equivalent or higher level of data protection to the PDP Law, but does not explicitly restrict the use of this exemption. In contrast, Article 49 of the GDPR and other similar laws expressly limit the circumstances under which a controller may rely on a data subject’s consent to transfer personal information to a non-adequate jurisdiction without “appropriate safeguards” and impose additional transparency requirements on controllers seeking to do so.

9. Enforcement – Data Protection Authority, Processes, and International Cooperation

Articles 58-61 of the PDP Law cover the establishment of the Indonesian data protection authority (DPA) and its roles and responsibilities. While relatively brief, these articles are important for setting out the identity and contours of the Indonesian DPA. Art 58 provides that the DPA will implement the PDP Law and report to the Indonesian President, which places the institution within the Executive branch of the government. While the PDP Law specifies some of the functions, competences, and processes of the DPA, further details will be set in future regulations (Art 58(5)).

The Indonesian DPA will have four key functions: (i) policy, strategy, and guidance formulation; (ii) supervision of the implementation of the PDP Law; (iii) administrative law enforcement against violations; and (iv) facilitating out-of-court dispute resolution. Article 60 specifies the bounds of the Indonesian DPA’s authority and competence, which in broad terms include:

Further details as to procedures and processes for implementing these powers will be provided in future regulations (Art 61). 

Finally, Article 62 stipulates that the Indonesian Government (and not just the Indonesian DPA) will have the ability to conduct international cooperation activities on personal data with other governments and international organizations. Such international cooperation shall be carried out as provided under the laws, regulations, and principles of international law. This indicates that Indonesia will engage with other governments on key data protection issues, including possible negotiations around cross-border data flows and cybercrime.

10. Penalties, Civil Liability, and Criminal Liability

The PDP Law imposes a tiered system of administrative sanctions, together with civil and criminal penalties that increase with the severity of the violation. In addition to provisions prohibiting the unlawful collection, use, or disclosure of personal information that may harm data subjects, individuals and organizations must not create false personal data that benefits them at the harmful expense of others.

Administrative Sanctions and Civil Liability

Under the PDP Law, the DPA may issue the following administrative sanctions: (i) a written warning; (ii) temporary suspension of processing activities; (iii) forced deletion of personal data; and/or (iv) administrative fines of up to 2% of the annual revenue or sales of the data controller. The PDP Law does not stipulate a detailed fine structure for organizations’ civil offenses beyond the 2% annual revenue ceiling, nor does it provide guidance on the process for disputing or appealing a fine. Rather, the DPA will specify such procedures in subsequent regulations.

Criminal Liability

Courts will impose criminal liability on both individuals and organizations in two particular circumstances: when they intentionally collect, disclose, or use personal data that does not belong to them to benefit themselves at the harmful expense of others (Art 65), and when they intentionally create false personal data to benefit themselves or which may result in harm to others (Art 66).

While corporations may only be fined for criminal offenses, the PDP Law specifies that managers, high-ranking officers, or certain owners of the corporation could be incarcerated and personally fined for their actions (Art 70). However, corporations could receive a fine ten times the amount of the maximum fine imposed on an individual or corporate officer and be subject to other punishments including:

The PDP Law stipulates procedures and timelines for complying with a criminal penalty, including punishments for failing to pay or resolving disputes in auctioned property. 

As a reminder, individuals also have a “right to sue and receive compensation” in cases where controllers violate the law, according to Art 12 of the PDP Law (see Section 7). 

Concluding Notes

Indonesia’s new law expands comprehensive protection of personal data to approximately 275 million people. Substantively, the law fits well into the emerging global privacy landscape, with landmark features like lawful grounds for processing, principles of processing inspired by FIPPs, a strong set of data subject rights – including in relation to ADM, accountability, broad scope of application and extraterritoriality. However, it retains some specificity, and it enriches the landscape with unique features, like specifically defining “personal data of a general nature” in opposition to “specific data”, or criminalizing the intentional creation of false data.

Notably, the Indonesian Data Protection Law also shows that data localization proposals can lose ground as well as gain it. The passing of the PDP Law is significant, and it proves that Asia Pacific is one of the most vibrant regions of the world when it comes to data protection and privacy regulation. The adoption of the PDP Law also comes as Indonesia holds the Presidency of the G20 this year – while the data protection world keeps an eye on India and its back-and-forth efforts to pass a comprehensive data protection law as it prepares to take over the G20 Presidency next year.

FPF Releases Analysis of California’s New Age-Appropriate Design Code

FPF’s Youth & Education team is pleased to publish a new policy brief that builds on this first brief by providing a comparative analysis of the United Kingdom’s Age Appropriate Design Code (UK AADC) to the California AADC, which was modeled after the UK AADC. Learn more and download the UK and CA AADC Comparative policy brief here

New report outlines the key components of California’s Age-Appropriate Design Code Act and critical pending questions

As federal and state policymakers heighten their focus on protecting children’s privacy online, the Future of Privacy Forum (FPF) today released a new policy brief, An Analysis of the California Age-Appropriate Design Code. The new report outlines and analyzes Assembly Bill 2273, the California Age-Appropriate Design Code Act (AADC), a first-of-its-kind privacy-by-design law that represents a significant change in both the regulation of the technology industry and how children will experience online products and services.

Download An Analysis of the California Age-Appropriate Design Code here.

“While policymakers from both sides of the aisle are increasingly prioritizing efforts to secure new protections for children online, in the absence of federal action, California, as it did on consumer privacy, has taken a big step on its own,” said Chloe Altieri, Youth & Education Privacy policy counsel for FPF and an author of the report. “Big changes like this bring a lot of questions and there’s a lot we still don’t know – including exactly what services this bill would apply to. But as policymakers, online service providers, regulators, and others move towards implementation, we wanted to start with assessing what we do know – and flag some of the key unanswered questions.”

The California AADC is notable for extending far beyond the scope of the primary federal children’s online privacy law, the Children’s Online Privacy Protection Act (COPPA), in several key ways. For example, the California AADC raises the baseline age of protection to youth under age 18 (COPPA defines “child” as under age 13) and applies to online businesses with products, services, and features “likely to be accessed by a child,” casting a wider net than COPPA’s current standard of covering sites “directed to children” under 13.

The policy brief expands on those elements of the California AADC and others, including:

Click here to download the full policy brief.

“California has a long history of being a first-mover on consumer privacy protections in the U.S., and it seems very likely that we will start to see these types of child-centered design principles become an increasingly influential model for future legislation and regulation,” said Bailey Sanchez, Youth and Education Privacy policy counsel at FPF and an author of the report. “In fact, about a week after this bill was signed into law, we saw the first example of that, with a similar children’s code bill introduced in New York.”

Learn more about New York Senate Bill S9563, the New York Child Privacy and Protection Act, here.

FPF’s youth and education privacy team has closely tracked the progress of the California AADC; catch up on previous blog posts from June 28 and a September 1 update, and read our statement on the final bill here.

To access the Youth & Ed team’s child and student privacy resources, visit www.StudentPrivacyCompass.org and follow the team on Twitter at @SPrivacyCompass.

Are we there yet? The long road to nowhere: The demise of India’s draft data protection bill

In August 2022, the Government of India withdrew the country’s draft Personal Data Protection Bill from the Parliament’s consideration. This was a surprise move, coming after more than four years of consultations, as well as several statements from top officials that its passage was imminent and that there were no plans to scrap the Bill given the extensive deliberations undertaken.

With the withdrawal, India finds itself in a paradoxical position: privacy is a constitutionally protected right, but no meaningful statutory data protections or privacy protections exist. What could explain this volte-face by the Government, after it led four years of public consultation and ministerial deliberation to develop the draft Bill? How did India arrive at this point, and what lies ahead?

In this post, we canter through the history of India’s much-awaited (and now defunct) Personal Data Protection Bill (PDP Bill) and its withdrawal. We tease apart the reasons and realpolitik behind the withdrawal and consider what lies ahead for data protection in India.

How did we get here?

The PDP Bill was not the first time that attempts had been made to create a comprehensive national privacy legislation for India.

A decade ago, attempts were made to create privacy legislation following the release of the Government’s 2010 Approach Paper on the Legal Framework for Privacy. The paper identified the need for privacy and data protection legislation given the privacy risks of several large-scale national ICT-based programs being initiated, especially India’s universal digital identity program, Aadhaar. The Government then constituted a Committee of Experts (chaired by Justice AP Shah) to consider these issues, which in its final report of 2012 also recommended the creation of privacy legislation for India. Three versions of proposed privacy legislation were “leaked” between 2011 and 2014, but these efforts stalled during an election year and were never resurrected.

The public and legal debate around privacy, however, continued in this period, coming to a head in 2017—once again in connection with Aadhaar. The Supreme Court of India had been hearing a raft of petitions that challenged the constitutionality of the Aadhaar system on the basis that it infringed on Indians’ right to privacy. A central question facing the Court was whether privacy was a fundamental right in India. The reference to this question was made to a nine-judge constitutional bench to definitively settle the question in Indian law.

In the 2017 decision of Justice K.S. Puttaswamy v Union of India, the Supreme Court affirmed that privacy (including informational privacy) was protected under the Constitution of India. More practically, the decision played a role in forcing the hand of the Executive to create legislation on privacy and data protection.

In the background of the debates around the Puttaswamy matter, the Government had created a Committee of Experts (chaired by Justice BN Srikrishna) in 2017 to suggest a draft data protection law. The Supreme Court specifically referred to the efforts of this Committee and noted its expectation (see para 185, page 260 of the lead judgment) that the Government would create a data protection regime. This renewed process to create a data protection law for India resulted in widespread discussion around the substantive principles that India should operationalize into a law.

The Srikrishna Committee undertook public consultations to produce its White Paper in 2017 and Final Report in 2018, presenting the first draft of the draft PDP Bill in 2018. A further round of public consultation with the Ministry followed in 2018.

In December 2019, following internal ministerial consideration, an updated draft of the PDP Bill was introduced into the lower house of Indian Parliament. It was referred to a Joint Committee of Parliamentarians in the Upper and Lower House, who considered the Bill for two years before presenting their final report in December 2021.

So 2022 dawned with much excitement that the next (and potentially final) stage for the Bill would arrive, with its re-introduction into Parliament for further consideration or passage.

So why was the PDP Bill withdrawn?

The Government’s reported reason for the withdrawal of the PDP Bill was that the changes suggested by the Joint Parliamentary Committee were so numerous that it was deemed fit to remove the Bill and replace it with a new over-arching legislative package. The Joint Committee’s report proposed over 80 changes to the text of the Bill. However, commentators have noted that many of these could have been incorporated into the draft if the Government had the will. Few expected that these changes would result in wholesale abandonment of the Bill. So what could be the reason for this unexpected withdrawal?

A closer look at the unresolved issues in the PDP Bill at the time of its withdrawal, and responses from certain stakeholders, provide some clues to interests behind the move.

First, a key issue facing resistance related to cross-border data flows. Broadly, the PDP Bill sought to put in place (soft) data localization with a “green lighting” system overseen by the Central Government, which had been a significant source of discomfort for many global industry players, with major commercial and foreign policy implications for India. This opposition was also reflected in the involvement of the US Government, including flagging the “harms” of the PDP Bill in the United States Trade Representative’s Special 301 report in 2022.

Second, the PDP Bill was squarely in the crosshairs of the broader stand-off between the Indian Government and US-based large technology companies, especially social media intermediaries, given their perceived role in a range of recent political and social events. The traditional “safe harbour” from liability for content for intermediaries is being questioned and revisited. We wrote about new rules for intermediaries passed in 2021, to which amendments are already being considered. The remit of the PDP Bill had expanded during its evolution to include norms for a category of “social media intermediaries” with provisions for additional oversight over their data processing which had faced pushback.

The withdrawal of the Bill is seen by some as the result of this dynamic. Within industry in India, reactions to the withdrawal were mixed, with many disappointed at being thrown back into legal uncertainty after years of engagement and preparation for the Bill.

A third major issue that had been a source of concern related to the unprecedented exemptions for Government agencies from the provisions of the supposedly “horizontally-applicable” data protection framework. These exemptions were so wide that they risked setting up a “two-speed” data protection law, with widely varying obligations and standards for public and private sector entities. These exemptions had raised concerns in India among both industry players and civil society. Outside India, a 2021 report commissioned by the European Data Protection Board on government access to personal data in third countries called out the Indian proposals for their wide exemptions and differential data protection obligations for the Indian government.

However, it is unclear whether the withdrawal of the Bill signals a recognition—or subversion—of these concerns. The Joint Parliamentary Committee failed to recommend constraints to draft section 35 of the PDP Bill that enabled blanket exemptions to Government, despite six of the Committee members filing dissent notes to mark their concerns with the provision.

Lastly, an overarching concern was that the PDP Bill’s mandate had grown unmanageably in the course of its negotiation. The Bill faced the “kitchen sink” problem: a range of issues that are not traditionally in the remit of data protection regulation were added into the draft legislation through its various iterations. A flavor of some of the additions to this “kitchen sink” were:

The widening of the ambit of the Bill seemed to have led it astray from its early mandate of protecting informational privacy and providing a data protection framework for a fair digital economy in India.

Apart from creating tensions and dissonances within the Bill, this over-extension also ultimately seems to signal the difficulties for the Government in considering wider digital economy issues independently of a data protection framework. As the view of personal data as a national asset to be harnessed for growth and innovation takes deeper root among decision-makers, it seems clear that any future data protection regime for India will necessarily evolve only alongside broader frameworks around data accessibility and use.

What happens next?

While withdrawing the PDP Bill, India’s Minister for Information Technology, Ashwini Vaishnaw, stated that the Government is planning a new, comprehensive legislative package. The Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, has made several statements regarding plans for a new “Digital India Act” to revamp India’s broader Information Technology Act 2000.

Legal commentators closely following these developments, such as technology law firm Ikigai Law, have noted the exceptionally wide range of issues that this new package is set to cover: from cybercrime to emerging technologies, intermediary regulation, and digital competition issues. This reflects the broader position of the Indian Government, as it seeks to keep its regulatory options open even while it evolves a coherent stance on various aspects of technology governance.

Especially in the post-pandemic environment, there has been increased appetite among policymakers to see data as an asset that can propel growth and innovation. The trend is seen in other jurisdictions, too, including the direction in recent European proposals flowing from the European data strategy. However, the concern is that the accent on data use and monetization for growth could limit the political will to introduce privacy protections. Old narratives that pitch privacy protections in opposition to innovation and private-sector business opportunities are re-emerging. Meanwhile, the underlying issues of carve-outs for the State’s data use, and of state surveillance in the aftermath of the Pegasus scandal in India, are yet to be substantively addressed by the Government and policymakers.

The withdrawal of the PDP Bill comes as an increasing number of countries adopt comprehensive data protection legislation. Others in India’s neighborhood, including China, Indonesia, and Bangladesh, have enacted, or are very close to enacting, their data protection laws. Even traditional outliers like the US have made moves towards considering a federal data protection regime, making it increasingly hard to defend the absence of a robust data protection regime in India in the global arena.

With India assuming the presidency of the G20 in December 2022, the Government’s approach to existing G20 efforts, such as the Data Free Flow with Trust initiative (spearheaded by Japan), will be sharply back in focus. In the past, India has opposed and deferred joining such efforts, on the basis that it is in the process of preparing its regulatory frameworks on data protection and e-commerce. With the withdrawal of the PDP Bill, the Government’s real intent to create clarity on these frameworks will be scrutinized in the international community and locally.

Reports now suggest that the Government plans to introduce the new package of legislation on data governance in the Winter session of Indian Parliament (which generally begins in November each year). Senior Ministers are once again promising that new data privacy legislation will be created for India. The waiting game begins again for watchers of technology policymaking in India, with the recognition that when it comes to data governance frameworks: truth is often stranger than fiction!

FPF Statement on White House Executive Order to Implement the European Union-U.S. Data Privacy Framework

October 7, 2022 Statement from Future of Privacy Forum’s CEO Jules Polonetsky:

With this step, the U.S. puts in place practical surveillance limitations, oversight, and individual redress that are unmatched almost anywhere else in the world in the context of national security. Leading democracies are converging on surveillance standards with this progress. Constitutional limitations prevent a U.S. system that is identical to the European Union, but the Court of Justice of the EU has helped bring about U.S. reforms that will significantly protect privacy in the context of national security. Although there are important legal discussions to have about the exact nature of the judicial redress and the oversight mechanism, as well as the restrictions on bulk collection, this is a momentous achievement.  

Particularly important is the reciprocity requirement for redress, which requires any country to implement safeguards for US citizens’ data to benefit from this system and will help advance global standards.

Read the White House Executive Order here and the White House Fact Sheet here.

FPF’s VP for Global Privacy, Dr. Gabriela Zanfir-Fortuna, spoke about the EO at an IAPP LinkedIn Live on ‘The EU-U.S. Data Privacy Framework & Next Steps for Data Transfers’ on Friday, October 7. Watch it here.

Judge declares Buenos Aires’ Fugitive Facial Recognition System Unconstitutional

On September 7, a trial judge declared the implementation of the Fugitive Facial Recognition System (SRFP, for its name in Spanish) by the Government of the City of Buenos Aires unconstitutional. The decision set an important precedent for risks associated with privacy and intimacy in public spaces in the context of public surveillance for law enforcement purposes. Remarkably, this is also one of the very few known judicial decisions in the global privacy space that clearly looks at the rights to privacy, intimacy and data protection as rights having collective relevance rather than merely individual rights. The decision revealed multiple violations of individuals’ privacy, and instances of abuse of authority by system operators. 

The SRFP was implemented in 2019 as part of the Video Surveillance System of the capital of Argentina and was previously the subject of a government suspension order in April 2020 due to reduced system efficacy caused by pandemic-related masking. The system consisted of facial recognition software installed in selected video surveillance cameras already distributed in Buenos Aires. The Urban Surveillance Center of the Police Department was responsible for visualizing and processing the images and checking them against a national database containing capture orders for fugitives of the justice system (the CONARC database). Upon finding a match, the system issued an alarm and dispatched officers to detain the alleged fugitive. 

Following the announcement of the SRFP, many civil society organizations criticized the risks to privacy and other fundamental rights (such as freedom of association) posed by the system, as well as its potential for abuse due to its wide scope and nature. In December 2020, the Observatorio de Derecho Informatico Argentino (ODIA), joined by other civil society organizations, filed an amparo[1] lawsuit before an administrative court against the Government of the City of Buenos Aires for i) issuing Resolution 398, which created the SRFP; ii) approving Law 6.339, which incorporated the SRFP into the local public security law (Law 5.688); and iii) implementing the system without adequate mechanisms.

The court agreed with ODIA and declared the SRFP unconstitutional, prohibiting its operation until control and oversight mechanisms required by law are put in place.

1. Privacy as a collective right, redressable through constitutional mechanisms

The first element of the decision analyzed the standing of the ODIA to bring the lawsuit, and whether the amparo action was the appropriate way to do so. As an initial matter, the court determined the ODIA had standing to sue because the ODIA alleged a violation of the fundamental rights to privacy, intimacy, and protection of personal data. Argentinian courts recognize three categories of procedural standing rights: i) individual rights, ii) rights of collective incidence in regard to collective goods, and iii) rights of collective incidence in regard to homogeneous individual interests. The court determined the rights to privacy, intimacy, and data protection fall under the second category – rights of collective incidence in regard to the collective good. For litigation relying on such rights, a plaintiff’s identity is not relevant, as long as the case is related to a collective incidence affecting citizens of Buenos Aires. The relevant question is whether the plaintiffs are or represent citizens whose presence in the city makes them susceptible to a privacy violation.

The court also considered whether an amparo action was the appropriate redress for the alleged harm. The court determined that an amparo is permitted as long as the plaintiff is able to demonstrate i) an actual or imminent injury, restriction, alteration or threat to constitutional rights; ii) a manifest illegality or arbitrary actions by the authority; and iii) the possibility of judicial redress within a reasonable time. In this case, because of how the SRFP was implemented, and the risks it posed to fundamental rights, the court concluded an amparo action would provide an effective and timely remedy, as opposed to the contentious administrative procedure set forth in the Administrative and Tax Code. Additionally, as a constitutional recourse, an amparo action allowed the court to study the constitutionality of the incorporation of the SRFP into Buenos Aires’ public security law, in light of the rights and obligations in the national Constitution and applicable international treaties, such as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).

2. Lack of control and oversight

The second element of the court’s decision focused on the failure of the Government to adopt safeguards to counteract the risks posed by the SRFP’s implementation. Resolution 398, which approved the implementation of the system, authorized the Ministry of Justice and Security of Buenos Aires (“the Ministry”) to issue additional regulations for its “effective implementation” and invited the Public Defender’s Office to audit the system. In March 2020, the Public Defender signed a collaboration agreement with the Ministry in the context of Resolution 398, but noted that beginning in 2019 it had documented “serious flaws” in the functioning of the SRFP leading to unlawful detentions.

The decision found several inconsistencies between the local government’s and the Public Defender’s assertions regarding unlawful detentions arising from SRFP “false positives.” When asked about the number of detentions due to “false positives,” the government claimed there had been no wrongful detentions after the implementation of the SRFP, and that any false alarm or wrongful detention arose from potentially erroneous information in the CONARC fugitive database. Contrary to those claims, the Public Defender verified that unlawful detentions of individuals due to SRFP “false positives” had occurred. These “false positive” cases were also confirmed by the National Directorate of the National Reincidence Registry of Argentina, which noted that in certain detentions officers failed to validate the order’s information against the individual’s DNI (national identity document) or their biometrics, indicating the police were relying on the system’s alarms even though they could be triggered by inaccurate information.

The decision highlighted a pattern of unlawful detentions lasting one to three hours, where individuals were mistakenly identified as fugitives. The court noted that in several cases, the SRFP system correctly identified an individual but issued an alarm based on invalid or expired orders in the underlying CONARC system. In one example, a man was mistakenly intercepted at a metro station due to an alarm issued by the system; after some time, the officers noticed that the capture order contained a different name from the one appearing in the individual’s DNI, which was provided by the SRFP registry, and later that the individual’s DNI could still be linked to the capture order within the SRFP, despite a formal request for deletion. In another example, a woman’s July 2019 interception and arrest by eight policemen at a railway station resulted from a years-old expired CONARC capture order.

Separately, the court also documented the government’s failure to implement other legally required oversight mechanisms. The public security law of Buenos Aires mandated that all video surveillance systems, including the SRFP, be included in a Registry providing operational status information for each system. The law also required the Ministry to send an annual report to a Special Committee for the Monitoring of Video Surveillance Systems (Special Committee) and the Public Defender’s Office describing the technical specifications of the software used by the SRFP, any modifications, and the criteria for the installation of video surveillance cameras at certain points of the City. However, almost two years after its implementation, the databases had never been registered and the Committee had never been established.

3. An unreliable database

Throughout the decision, the court emphasized the problematic nature of the system’s source of information. The SRFP operated through the CONARC database, which has information about capture orders issued by national and local courts. However, according to the officials in charge of its operation, the CONARC database has “serious flaws” that, when used for the SRFP, could lead to “false positives” resulting in unlawful detentions, several of which the court described in detail. Updates to the database are usually affected by delays related to the overall functioning of the judicial system, as well as errors linking the information of a fugitive with biometric data, since the latter is provided by the National Registry of Persons (RENAPER).  

Ultimately, the court held that the SRFP is contrary to the principle of presumption of innocence. Almost anyone in the City could be erroneously identified as a fugitive and thus detained by the police. The court found that, contrary to the local government’s assertions, this risk was ongoing and widespread, and it had been this way since the system was first implemented, as demonstrated by the Public Defender’s documentation. Additionally, the judge determined that although some flaws are rooted in the CONARC database, the SRFP could not be considered lawful per se since its operation exclusively relied on that database. The court indicated that the “mere possibility” of adverse consequences, in addition to the absence of adequate control and oversight mechanisms, demonstrated that the SRFP posed a “serious risk” of a breach of the citizens’ privacy.

4. Abuse of authority findings

The decision also noted several inconsistencies in the government’s description of the system’s operation following its implementation. The Ministry argued the SRFP was a completely automated process that left no space for discretionary or arbitrary human intervention. Under the law, the SRFP could only rely on the information provided by the CONARC database, and the public security law of Buenos Aires specifically prohibited the incorporation of data from individuals that are not included in that database. As a result, the number of records in the system should have matched the number of registries in the CONARC fugitive database. However, after obtaining the lists of registries in the CONARC database and the number of requests to the RENAPER for biometric information, the Court noticed the numbers did not match.

Comparison of CONARC and RENAPER records revealed that, including periods of time when the SRFP system was allegedly suspended, the government made 9,392,372 requests to access biometric data, far in excess of the number of active fugitives within the CONARC database, which only had up to 35,000 registries. These requests demonstrate the government accessed biometric data of individuals who were not fugitives and whose information the authorities had no legitimate purpose to access. Specifically, the Court verified that at least 15,459 search records in the SRFP were about individuals that were not included in the CONARC registries. This verification, the court concluded, indicated the government of Buenos Aires had misused the SRFP.

The Court ultimately determined the actions of the Buenos Aires Government were contrary to the data protection legal system in Argentina. The final factor in the court’s decision turned on the lack of accountability for high-level users of the SRFP system. The court found it unreasonable that seventeen unidentifiable “admin” users had unrestricted access to the sensitive information of millions of individuals, while also being free to manipulate and/or erase data without any meaningful transparency or accountability mechanisms in place. The court determined that at least 356 search records for individuals whose biometric data was incorporated into the SRFP were manually erased, making it impossible to assess whether those searches were legally justified.
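The findings in sections 3 and 4 above amount to a reconciliation audit: searches run on people who have no capture order, alarms raised on expired or withdrawn orders, order names that do not match the identity record, and search records erased by admin accounts with no justification. The Python below is an added example of such an audit, not the court’s or the Buenos Aires government’s code; its record layouts, field names, identity numbers and sample entries are all constructed and hypothetical.

```python
"""Reconciliation audit of a facial-recognition search log against the
fugitive registry it is legally limited to.

Everything here is constructed for illustration: record shapes, field names,
identity numbers and sample entries are hypothetical and not from any real
system. REGISTRY plays the role of the capture-order database (CONARC in the
decision), PERSONS the role of the civil identity register (RENAPER), and
SEARCH_LOG the role of the recognition system's own search records.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CaptureOrder:
    dni: str                  # identity number the order is attached to
    name: str                 # name as written on the order
    issued: date
    expires: Optional[date]   # None means open-ended
    active: bool              # False once withdrawn by the issuing court


@dataclass(frozen=True)
class SearchRecord:
    record_id: int
    dni: str                        # identity number the biometric lookup targeted
    searched_on: date
    alarm: bool                     # True if officers were dispatched
    deleted_by: Optional[str]       # admin account that erased the record, if any
    deletion_reason: Optional[str]  # justification left for the erasure


# Constructed capture-order registry: only these people may lawfully be searched.
REGISTRY: Dict[str, CaptureOrder] = {
    "10000001": CaptureOrder("10000001", "A. Perez", date(2019, 1, 10), None, True),
    "10000002": CaptureOrder("10000002", "B. Gomez", date(2015, 3, 2), date(2017, 3, 2), False),
    "10000003": CaptureOrder("10000003", "C. Diaz", date(2019, 6, 1), None, False),
    "10000006": CaptureOrder("10000006", "F. Soto", date(2019, 5, 5), None, True),
}

# Constructed civil identity register: identity number -> registered name.
PERSONS: Dict[str, str] = {
    "10000001": "A. Perez", "10000002": "B. Gomez", "10000003": "C. Diaz",
    "10000006": "G. Soto", "20000004": "D. Ruiz", "20000005": "E. Lopez",
}

# Constructed search log as written by the recognition system.
SEARCH_LOG: List[SearchRecord] = [
    SearchRecord(1, "10000001", date(2019, 7, 15), True, None, None),       # valid hit
    SearchRecord(2, "10000002", date(2019, 7, 16), True, None, None),       # expired order
    SearchRecord(3, "10000003", date(2019, 7, 17), True, None, None),       # withdrawn order
    SearchRecord(4, "20000004", date(2019, 7, 18), False, None, None),      # not a fugitive
    SearchRecord(5, "20000005", date(2019, 7, 19), True, "admin07", None),  # erased, no reason
    SearchRecord(6, "10000001", date(2019, 7, 20), False, "admin03", "duplicate upload"),
    SearchRecord(7, "10000006", date(2019, 7, 21), True, None, None),       # name mismatch
]


def order_valid_on(order: CaptureOrder, day: date) -> bool:
    """An order may lawfully trigger an alarm only if still active and unexpired."""
    if not order.active:
        return False
    return order.expires is None or day <= order.expires


def audit(search_log, registry, persons) -> Dict[str, List[int]]:
    """Return search record ids grouped by the kind of irregularity found."""
    findings: Dict[str, List[int]] = {
        "outside_registry": [],        # search on someone with no capture order
        "alarm_on_invalid_order": [],  # dispatch based on an expired/withdrawn order
        "name_mismatch": [],           # order name differs from the identity record
        "unexplained_deletion": [],    # record erased by an admin without a reason
    }
    for rec in search_log:
        order = registry.get(rec.dni)
        if order is None:
            findings["outside_registry"].append(rec.record_id)
        else:
            if rec.alarm and not order_valid_on(order, rec.searched_on):
                findings["alarm_on_invalid_order"].append(rec.record_id)
            if persons.get(rec.dni, order.name) != order.name:
                findings["name_mismatch"].append(rec.record_id)
        if rec.deleted_by is not None and not rec.deletion_reason:
            findings["unexplained_deletion"].append(rec.record_id)
    return findings


def volume_check(search_log, registry) -> Dict[str, int]:
    """Compare how many distinct people were searched with how many lawfully could be."""
    distinct = {rec.dni for rec in search_log}
    return {
        "searches": len(search_log),
        "distinct_subjects": len(distinct),
        "registry_size": len(registry),
        "subjects_without_order": len(distinct - set(registry)),
    }


if __name__ == "__main__":
    for kind, ids in audit(SEARCH_LOG, REGISTRY, PERSONS).items():
        print(f"{kind}: {ids}")
    print(volume_check(SEARCH_LOG, REGISTRY))
```

The volume check mirrors the court’s count comparison: more distinct subjects searched than the registry holds is itself evidence that the system was queried outside its legal scope.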

Finally, the court noted that while the SRFP relied on the processing of sensitive information, an impact assessment was never performed by the system owners.

Conclusion

The court declared the implementation of the SRFP unconstitutional. The court was specific that the unconstitutionality arose from the specifics of the SRFP’s implementation and not from the system itself; as a result, the system could potentially be put into operation again if the authorities comply with the requirements of the judicial mandate. The court specifically noted that “when the system is implemented again” it will be mandatory that i) the Special Committee for the Monitoring of Video Surveillance Systems be established and the Public Defender be able to effectively exercise its oversight obligations; ii) the Registry of surveillance systems be created; iii) a data protection impact assessment on the system be performed; and iv) the public be consulted regarding the implementation of the SRFP. Importantly, although the court criticized the reliance of the SRFP on the CONARC database, it did not seem to prohibit the system’s reliance on it in the future.

Critically, in addition to preserving the SRFP system writ large, the decision did not declare the law creating the SRFP and incorporating it into the public security law unconstitutional. In fact, the court did not question the law’s constitutionality under Argentina’s constitutional and conventional framework of fundamental rights and freedoms. This is a key point because the amparo action specifically enables a judge to perform this analysis. If the SRFP is implemented once again, it will be interesting to see whether the constitutionality of the law is reviewed under an amparo lawsuit and whether specific instruments protecting privacy and personal data, such as Convention 108, play a significant role in the analysis.

Finally, this decision should be seen as part of a larger and decentralized push to oppose government use of facial recognition technologies growing globally over the past years. While in the European Union, the European Data Protection Supervisor, the European Data Protection Board, and the European Parliament are moving towards requesting a ban on live facial recognition technologies in public spaces as part of the legislative process of the AI Act, in the U.S. a bill was recently introduced with the objective to place “strong limits and prohibitions on law enforcement use of facial recognition technology,” limiting its use to situations when a warrant has been obtained. 

It is also important to mention that this decision could be reversed under appellate review if the government decides to appeal. Nevertheless, the trial court’s decision has been celebrated in Argentina as an important precedent for the protection of personal data and privacy, and because it exposed an abuse of authority long alleged by ODIA and other organizations since the SRFP system began to operate.

Editor: Lee Matheson


[1] The amparo is recognized as a right in Article 43 of the Argentinian Constitution. It is a process or trial through which citizens can challenge the constitutionality of laws, as well as actions or omissions by authorities that affect constitutionally recognized rights and freedoms.

What Happened to the Risk-Based Approach to Data Transfers?

The following is a guest post to the FPF blog from Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security Council member. This blog is a summary of a longer academic paper which can be downloaded here.

The guest blog reflects the opinion of the author only. Guest blog posts do not necessarily reflect the views of FPF.

Introduction

In my earlier FPF guest blog on the geopolitics of trans-Atlantic data transfers, I flagged that, post-Schrems II, companies increasingly find themselves in a catch-22. Frustrations are running high as companies work towards Schrems II compliance by executing measures to mitigate the risk that US government entities can access their data. Yet, EU data protection authorities (DPAs) continue to block their way. The DPAs increasingly adopt an absolutist approach, whereby mitigating measures are disregarded irrespective of the actual risk to data protection after transfer, triggering a debate on what happened to the risk-based approach of the GDPR (RBA). This has come to the fore in recent decisions of the DPAs on data transfers in the context of the use of Google Analytics. The Austrian DPA kicked things off by issuing a decision in a complaint filed by noyb against Google (GA decision).[1] In this decision, the Austrian DPA explicitly discards the applicability of the RBA as far as the data transfer provisions of the GDPR are concerned. In a Q&A issued by the CNIL concerning the use of Google Analytics, the CNIL also indicated that the RBA cannot be applied to data transfers.[2]

This is noteworthy, as it is generally assumed in the legal literature that the RBA is incorporated in the ‘accountability principle’ of Article 24 GDPR and that this principle has a horizontal application throughout the GDPR and therefore also applies to the data transfer requirements.[3] In this light, it is high time for an in-depth assessment of whether, and if so, to what extent, the GDPR introduced the RBA, and specifically whether the RBA also applies to the data transfer requirements of Chapter V of the GDPR.

The conclusion will indeed be that the accountability requirement of Article 24 GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Contrary to what the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment. We will, however, also see that the EDPB is trying to rewrite the GDPR by applying the accountability principle of Article 5(2) GDPR (which does not include the RBA) rather than the accountability principle of Article 24, which does. By taking this position, the EDPB pushes its own version of the accountability principle as proposed at the time of the revision of the Directive, which was, however, ultimately not adopted by EU regulators in the GDPR.

1. Reasoning of the Austrian DPA in the GA decision

In the GA decision, the Austrian DPA rejected Google’s arguments that an RBA should be taken when assessing the impact of the data transfers in the context of Google Analytics, and that the Austrian DPA applies too strict a standard when it considers the mere possibility of access to be relevant, rather than the actual risk of U.S. public authorities accessing the data.

Specifically, the DPA reasoned that such an RBA could not be derived from the wording of Art. 44 GDPR. See point D.4 of the decision (underlining by the Austrian DPA in the original decision):

“Art. 44 GDPR – General principles of data transmission

Any transfer of personal data already processed or to be processed after their transfer to a third country or an international organization shall only be allowed if the controller and the processor comply with the conditions laid down in this Chapter and with the other provisions of this Regulation, including any onward transfer of personal data from that third country or international organization to another third country or international organization. All provisions of this Chapter shall be applied in order to ensure that the level of protection of natural persons ensured by this Regulation is not undermined.”

On the contrary, it can be deduced from the wording of Art. 44 GDPR that for every data transfer to a third country (or to an international organization), it must be ensured that the level of protection guaranteed by the GDPR is not undermined.

The success of a complaint of a violation of Art. 44 GDPR, therefore, does not depend on whether a certain “minimum risk” is present or whether U.S. intelligence services have actually accessed data. According to the wording of this provision, a violation of Art. 44 GDPR already exists if personal data are transferred to a third country without an adequate level of protection.

In connection with those provisions of the GDPR where a risk-based approach is actually to be followed (“the higher the processing risk, the more measures are to be implemented”), the legislator has also explicitly and without doubt, standardized this. For example, the risk-based approach is provided for in Art. 24(1) and (2), Art. 25(1), Art. 30(5), Art. 32(1) and (2), Art. 34(1), Art. 35(1) and (3) or Art. 37(1)(b) and (c) GDPR. Since the legislator has standardized a risk-based approach in numerous places in the GDPR, but not in connection with the requirements of Art. 44 GDPR, it cannot be assumed that the legislator merely “overlooked” this; an analogous application of the risk-based approach to Art. 44 GDPR is therefore excluded.”

The Austrian DPA further rejected the arguments of Google that the RBA was confirmed by the European Court of Justice (ECJ) in the Schrems II judgment[4] and by the EDPB’s Recommendations 01/2020 on measures to complement transfer tools to ensure the level of protection of personal data under EU law.[5]

The Austrian DPA further states that the GDPR:

“Unlike Chapter V – see below – Art. 5(2) in conjunction with Art. 24(1) GDPR now actually take a risk-based approach. The higher the risk associated with the data processing, the higher the standard for the evidence to be submitted in order to prove compliance with the GDPR.”

2. Questions of law to be investigated

Based on the GA decision, there are a number of questions of law to be investigated:

  1. Does the RBA apply to the accountability requirements in Article 24 only, in the sense that the standard of evidence (i.e., the required accountability measures, like policies, training requirements, etc.) scales with the risk of the relevant processing, rather than also applying to the underlying obligations of the controller set out in other provisions of the GDPR?
  2. Is the position under 1) supported by the fact that where the EU regulator intended to implement the RBA, this is explicitly expressed in the relevant provisions only? [which seems to be the position of the Austrian DPA]
  3. If the position under 1) is not correct, and RBA in Article 24 GDPR must be considered to constitute a horizontal provision applying a RBA also to the underlying obligations of the controller, does the RBA then relate to the obligations of controllers in Chapter IV only, or to all data protection obligations of controllers, including those of Chapter V?
  4. Does Article 5(2) indeed take a RBA for the accountability principle? [which seems to be the position of the Austrian DPA]
  5. Is the position under 1) confirmed by the ECJ in the Schrems II judgment?
  6. Is the position under 1) confirmed by the EDPB Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (EDPB Recommendations)?[6]

3. Summary Conclusions

Based on an analysis of the wording of the GDPR (see Section 5), the legislative history of the GDPR (see Section 6), the Schrems II judgment (see Section 7), and the EDPB Recommendations (see Section 8) the conclusions are:

4. Interpretation of Article 5 and 24 GDPR

According to the settled case law of the ECJ, the interpretation of a provision of EU law requires that account be taken not only of its wording and the objectives it pursues but also of its legislative context and the provisions of EU law as a whole. Also, the origins of a provision of EU law may provide information relevant to its interpretation.8

Textual analysis

Article 24 is the first provision of Chapter IV (Controller and processor), Section 1 (General obligations). Reviewing the language of Article 24 GDPR, it resembles that of Article 25 (Data protection by design and by default) and Article 30 (Security). The heading of Article 24 is “Responsibility of the controller,” and the provision starts with the qualifier “taking into account the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall….” It is undisputed that this qualifier implies the RBA.

The question then is whether the RBA applies to the standard of evidence (the accountability measures) or also to the underlying obligations of the controller under the GDPR themselves. The text of Article 24 reads that the controller must “ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” Where the controller explicitly has to ensure compliance by taking a RBA, it is difficult to see why the RBA in Article 24 would only apply to the level of standard of evidence (i.e., to be able to demonstrate compliance) and not to the underlying controller obligations themselves. The obligation further explicitly refers to all requirements under the Regulation.

That being said, not all provisions of the GDPR are formulated as obligations of the controller. For example, the general processing principles listed in Article 5(1) are not formulated as obligations of the controller but as absolute principles. Article 5(2) subsequently provides that “the controller is responsible for, and shall be able to demonstrate compliance with paragraph 1 (‘accountability’).” Noteworthy here is that this accountability requirement is not qualified in any manner by a RBA similar to that of Article 24. This seems to mean that the RBA does not apply to the material processing principles (why otherwise include Article 5(2) in the first place; in that case, Article 24 GDPR would have been sufficient).

The question then is, how does this apply to the data transfer rules of Chapter V? There is no indication whatsoever in the GDPR that the general obligation of the controller of Article 24 would not also apply to obligations of controllers under Chapter V (again Article 24 requires that controllers ensure compliance with the Regulation).

Rather, there are indications to the contrary. For example, the privacy-by-design requirements and security requirements (which also incorporate the RBA) remain applicable when transferring data (see explicitly Recital 108). In the same vein, the accountability principle will also apply when transferring data (provided the transfer rules are formulated as obligations of the controller rather than as absolute principles).

As the Austrian DPA notes, the general principle for transfers in Article 44 does indeed provide that “any transfer of personal data shall only take place in accordance with the conditions of this Chapter,” but (as omitted by the Austrian DPA) this general principle is explicitly made “subject to the other provisions of this Regulation.” This is logical; Chapter V on transfers cannot be considered on a standalone basis. The transfer rules aim to ensure that data receive a similar level of protection after being transferred to a third country that does not provide an adequate level of protection, not a higher level of protection. This is also expressed in the last sentence of Article 44:

“All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”

Article 46 GDPR (transfers subject to appropriate safeguards) is further formulated not as an absolute principle (like the general processing principles of Article 5(1)) but as an obligation of the controller where it allows data transfers “if the controller (…) has provided appropriate safeguards and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available.”

The conclusion seems justified that the obligation of the controller “to provide appropriate safeguards” under Article 46 GDPR is indeed risk-based, with the exception of the absolute requirement in Article 46(1) “that enforceable data subject rights and effective legal remedies for data subjects are available.”

5. Legislative history Article 5 and 24 GDPR

5.1 The EU Data Protection Directive

Historically, EU data protection legislation has been “rights-based,” and the requirements were to be applied irrespective of the level of risk involved and whether actual harm was created.9 As the WP29 (the predecessor of the EDPB) put it at the time, the EU data protection legal framework provides for a ‘minimum and non-negotiable level of protection for all individuals.’ 10 This is all the more so since the entry into force of the Treaty on the Functioning of the European Union in 2010, which granted the right to personal data protection the status of a fundamental right of the EU (see Article 8 of the EU Charter11 and Article 16(1) of TFEU12).

Noteworthy is that the protection of data transfers is not among those listed as a fundamental right. The EU transfer rules are not considered to be one of the material processing principles, as the transfer rules are a mechanism to ensure that these material processing principles will be observed, rather than being a fundamental processing principle itself.13 This being said, the transfer rules are crucial in their own right to guarantee the protection provided by the EU Data Protection Directive (Directive) and therefore are a key cornerstone of the Directive.14 This distinction is continued in the GDPR, where the material processing principles are listed in Article 5(1) GDPR (and do not include data transfer requirements), and the data transfer requirements are regulated separately in Chapter V.

5.2 Legislative reform

The Directive did not include an accountability principle, and it was only as part of the legislative review of the Directive that this principle was introduced. The main trigger for introducing the accountability principle was that the legislative review of the Directive by the EC showed that there was a widespread lack of compliance with the Directive, in particular also with the data transfer requirements, and that the enforcement tools of the DPAs were not sufficient to force compliance.15 On July 9, 2009, the EC launched a consultation on the EU data protection legal framework. As part of the consultation, the WP29 and EDPS issued a number of opinions, which basically advised the EC to introduce the accountability principle in the revised Directive. The proposals of the WP29 developed somewhat over time, but its last stance was adopted by the EC in its first proposal for a new Regulation.16

(a) WP29 Opinion on the accountability principle (July 2010)

In its Opinion on the accountability principle, the WP29 proposed the following concrete provision:

“Article X – Implementation of data protection principles
1. The controller shall implement appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with.
2. The controller shall demonstrate compliance with paragraph 1 to the supervisory authority on its request.”

The provision refers to all principles and obligations of the revised Directive. The Opinion further reflects that the accountability measures (rather than the material principles themselves) should be scalable (see para. 53). As to the consequences of compliance with the accountability principle, the WP 29 (at p. 11) stresses that “fulfilling the accountability principle does not necessarily mean that a controller is in compliance with the substantive principles […], i.e., it does not offer a legal presumption of compliance nor does it replace any of those principles.”

(b) First EC proposal for a Regulation (December 25, 2012)

The EC’s first proposal for a Regulation basically implements the proposals of the WP29. According to the Explanatory Memorandum accompanying the EU Commission’s first proposal17 dated December 25, 2012, the provisions of Article 22 of the draft considered the debate on a “principle of accountability” and described in detail the obligation of responsibility of the controller to comply with the Regulation and to demonstrate compliance, by adopting internal policies and mechanisms for ensuring such compliance. The first draft of the EU Commission did not include a reference to the “accountability principle” and did not include a reference to scalability (RBA) of the accountability provisions.

Article 5 sub (f):

“processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”

“Article 22
Responsibility of the controller
The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation, including the assignment of responsibilities, and the training of staff involved in the processing operations.”

Recital (60):

“Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation.”

Note that Article 5(2) is based on Article 6(2) of the Directive, which embodied the original and narrower meaning of accountability as responsibility for compliance.

(c) Note of the Presidency to EU Council on implementation of RBA (March 1, 2013)

Further to a first examination of the EU Commission proposal, the Presidency reported to the EU Council18 that several Member States voiced their disagreement with the level of prescriptiveness of a number of obligations in the draft Regulation. Many delegations stated that the risk inherent in certain data processing operations should be the main criterion for calibrating the data protection obligations. Where the data protection risk was higher, more detailed obligations would be justified, and where it was comparably lower, the level of prescriptiveness should be reduced.19 The revised draft subsequently incorporated a ‘horizontal clause’ in Article 22 to incorporate the RBA:

“Taking into account the nature, scope and purposes of the processing and the risks for the (…) rights and freedoms of data subjects, the controller shall implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation (…).”20

Art. 5 sub (f) was changed into:

“processed under the responsibility (…) of the controller (…)”

This basically reverted the language to the text of its predecessor, Article 6(2) of the Directive.

(d) WP29 Statement on the role of a RBA in data protection legal frameworks (May 30, 2014)21

In reaction to these developments in the EU legislative process, the WP29 issued a Statement on the role of a RBA in data protection legal frameworks. From this Statement, it can be derived that the WP29 was well aware that the changes proposed by the European Parliament and the Council constituted a major change as the RBA was now introduced as a core element of the accountability principle, also impacting the underlying obligations of controllers rather than (just) the accountability measures themselves, see p. 2:

“However, the risk-based approach has gained much more attention in the discussions at the European Parliament and at the Council on the proposed General Data Protection Regulation. It has been introduced recently as a core element of the accountability principle itself (Article 22).”

The WP29 further clarified in a number of crisp statements that the RBA should (i) not apply to the key rights granted to data subjects, which apply regardless of the level of risks incurred by the processing, and (ii) that there can be different levels of accountability obligations depending on the risk posed, but that controllers should always be accountable for compliance with the data processing obligations “whatever the nature, scope, context, purposes of the processing and the risks for data subjects are.”

(e) Final text GDPR dated April 8, 2016

The EU Council ignored the WP29 Statement and adopted the final version of Article 24 GDPR.22 The EU Council, in its accompanying statement (p. 4),23 explained that it had strengthened the accountability of controllers and processors to promote a real data protection culture and introduced throughout the Regulation a risk-based approach, allowing for the modulation of the obligations imposed on controllers.

5.3 Assessment based on the legislative history of the GDPR

Inclusion of Article 5(2) seems to be based on Article 6(2) of the Directive (“It shall be for the controller to ensure that paragraph 1 is complied with”), which embodied the original and narrower meaning of accountability as responsibility for compliance. It was the European Parliament that proposed to maintain the original proposal of the EC and to bring this provision more into line with accountability (‘be able to demonstrate’ rather than ‘demonstrate’), with the addition of the word ‘accountability’ in brackets at the end.24 The Council proposed instead to concentrate on responsibility.25 The resulting compromise in Article 5(2) was a combination of the responsibility proposed by the Council with the demonstrability and the label ‘accountability’ in brackets proposed by the Parliament.26 There are no indications in the legislative history why the accountability element in Article 5(2) was first included, then deleted, and then reinstated but without the RBA. As this provision must have meaning (why otherwise reinstate it), it seems justified to conclude that the RBA does not apply to the material processing principles of Article 5.

The actual principle of accountability, as inspired by the proposals of the WP29, found its way into Article 22 (now 24). It is unclear why the EC declined to use the term accountability principle in the text or heading of Article 22 itself. It is only in the Explanatory Memorandum (at para. 3.4.4) that it is explained that Article 22 [now 24] “takes account of the debate on a ‘principle of accountability’”. The heading further referred to the “responsibility of the controller,” which better fitted the compliance notion of Article 5(2). It is clear that the EC, in its first draft proposal for the Regulation, included the accountability principle as advocated by the WP29, whereby the provision applied to the standard of evidence only and not also to the underlying obligations of the controller. Based on the legislative history, it is however indisputable that subsequent changes to the initial Article 22 were introduced by the Council in order to incorporate a horizontal provision applying the RBA to all obligations of the controller, and specifically also to the data transfer obligations.

6. Assessment of Schrems II

Reviewing the ECJ judgment in Schrems II,27 the Austrian DPA is correct that the ECJ does not refer to the accountability principle or the RBA under the GDPR. The conclusion of the Austrian DPA, however, that the ECJ therefore does not take a RBA to data transfers cannot be based on this judgment. What the ECJ did in Schrems II was raise the bar for international data transfers based on Article 46 (transfers based on appropriate safeguards) to the so-called essentially equivalent level; this in reference to the general principle for transfers of Article 44 and the EU Charter of fundamental rights (see para. 131 – 134). In the absence of an adequacy decision, the ECJ considers it the responsibility of the controller to make a transfer assessment before a transfer can take place on the basis of appropriate safeguards, which also includes an assessment of the laws and practices of the country or countries where the data are flowing to (see para. 126, where the ECJ explicitly refers to “the law and practices in force in the third country concerned” and requires “(…) ensuring, in practice, the effective protection of personal data transferred to the third country concerned.”).28 The controller should then take measures to compensate for any lack of data protection by way of appropriate safeguards. It is important to note that the Court does not require that additional safeguards provide a 100% guarantee that access to data by third parties can never occur, but rather that they constitute “effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by EU law…” (para. 137). Though the ECJ did not explicitly refer to the accountability principle of Article 24, this transfer assessment obligation of the controller seems in line with the RBA of the accountability principle of Article 24.

This is also confirmed by the dictum of Schrems II. The dictum provides that the relevant aspects of the legal system of the third country need to be taken into consideration, therefore not only the law of the relevant third country but also its practices, as also follows from para. 126 of Schrems II. For these relevant aspects, the ECJ refers to the non-exhaustive list of elements in Article 45(2) GDPR, which the EC needs to consider when performing an adequacy assessment of a third country. The list of Article 45(2) shows that the EC, in its assessment, not only needs to assess the law of the country but also “the effective functioning” of the law. In other words, all relevant aspects of the legal system include how that system operates in practice.29

7. Assessment of the EDPB Recommendations

The EDPB in the Recommendation30 reflects the Schrems II judgment in a similar manner. The EDPB indicates that the Schrems II judgment “reminds us that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes,” that “the Court also asserts this by clarifying that the level of protection in third countries does not need to be identical to that guaranteed within the EEA but essentially equivalent,” that the “Court also upholds the validity of standard contractual clauses, as a transfer tool that may serve to ensure contractually an essentially equivalent level of protection for data transferred to third countries,” but that these “do not operate in a vacuum” and that:

“controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In those cases, the Court still leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law. The Court does not specify which measures these could be. However, the Court underlines that exporters will need to identify them on a case-by-case basis. This is in line with the principle of accountability of Article 5.2 GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data.”

It is noteworthy that the EDPB explicitly refers to the accountability principle of Article 5(2), but does not in any way refer to the accountability principle of Article 24. The EDPB in para. 1 of the Recommendations explicitly considers that the accountability principle of Article 5(2) GDPR31 also applies to data transfers “since they are a form of data processing in themselves.”32 I recall (see sub 7.1 above) that Article 5(1) lists the general processing principles, but that these do not include the data transfer principles. The EDPB is correct in considering a transfer a processing; this entails that the material principles apply to transfers, but it cannot carry the conclusion that transfers are thus a material principle in themselves. This goes against the system of the GDPR, where the transfer rules have their own Chapter V. The underlying reason for the EDPB to find this ‘work around’ is that the accountability principle of Article 5(2), as I also concluded, does not have the RBA as to compliance with the material principles, whereas the accountability principle of Article 24 does have the RBA for compliance with the obligations of controllers. By taking this position, the EDPB pushes its own version of the accountability principle as proposed by the WP29 at the time of the revision of the Directive, which was, however, ultimately not adopted by the EU regulator. Noteworthy is, however, that despite the reference to Article 5(2) GDPR, the final version of the Recommendations does include language (however nominally) to allow for a RBA in data transfer assessments, though the threshold seems high. A kinder interpretation is that the EDPB is confused by the fact that Article 5(2) does include the reference to “accountability,” while Article 24 does not (see sub 4 above). I, however, do not believe the EDPB is confused here, but actually pushes its version of the accountability principle as it advocated from the start, while nominally covering its bases by including a nominal RBA in the Recommendations themselves in line with Schrems II. That the RBA is indeed (though somewhat nominally) included in the Recommendations can be derived from the changes made by the EDPB to the initial version after consultation.

The initial consultation version of the Recommendations33 did not take a RBA as to the transfer assessment. The consultation version even specifically indicated that organizations should “not rely on subjective [factors] such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards” (see para. 42). Following the consultation phase, during which many stakeholders provided input that the EDPB had wrongly ignored the RBA of the GDPR, the above statement was no longer included in the final version. Instead, the EDPB (somewhat nominally, and without any explicit acknowledgment) included the RBA, though the threshold for applying it is very high. This is reflected in the text by stating in a number of places that the transfer assessment should include not only the laws, but also the practices in the relevant third country (see in particular para. 43),34 but most importantly by allowing controllers to proceed with the transfer without supplementary measures if they have no reason to believe that the relevant legislation will be applied in practice (see para. 43.3).

8. Conclusion

The conclusion is that the accountability requirement of Article 24 GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Contrary to what the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB Recommendations on supplementary measures following the Schrems II judgment. The EDPB is trying to rewrite the GDPR by applying the accountability principle of Article 5(2) GDPR (which does not include the RBA) rather than the accountability principle of Article 24, which does. By taking this position, the EDPB pushes its own version of the accountability principle as proposed at the time of the revision of the Directive, which was, however, ultimately not adopted by the EU regulators in the GDPR.


1 https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Google%20Analytics_DE_bk_0.pdf. See for English translation: Standarderledigung Bescheid (noyb.eu)

2 The CNIL also issued a Q&A concerning the use of Google Analytics: https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/questions-reponses-sur-les-mises-en-demeure-de-la-cnil-concernant-lutilisation-de-google-analytics The last question of the Q&A refers to the use of RBA by controllers by taking into account the likelihood of data access requests. The CNIL indicates that the RBA approach cannot be applied and explains that as long as the access to the transferred data is possible and the safeguards governing the issuance of requests for access to data do not guarantee a level substantially equivalent to the one guaranteed in the EU, it is necessary to take additional technical measures to make such access impossible or ineffective. 

3 See, specifically on the applicability of the RBA to data transfer requirements after the Schrems II judgement: Paul Breitbarth, “A Risk-Based Approach to International Data Transfers,” EDPL, 2021, p. 547; Christopher Kuner, ‘Schrems II Re-Examined’ (VerfBlog, August 25, 2020), https://verfassungsblog.de/schrems-ii-re-examined/; and Christopher Kuner, Lee Bygrave and Christopher Docksey, The EU General Data Protection Regulation: A Commentary. Update of Selected Articles. Oxford University Press, 2021, p. 113. Other authors discuss the RBA of the GDPR, but not specifically in the context of data transfers and the ECJ judgement in the Schrems II case.

4 Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2020] ECLI:EU:C:2020:559 : CURIA – Case information (europa.eu).

5 edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf (europa.eu).

6 Ibid.

7 See for a similar reference also para. 158.

8 ECJ judgment of December 10, 2018, Wightman and Others, C-621/18, EU:C:2018:999, paragraph 47 and the case-law cited: CURIA – Case information (europa.eu)

9 See, Amann v Switzerland App No 27798/95 (ECtHR, February 16, 2000) §70: in order to determine whether a processing constitutes an interference, the fact that the data subject may ‘have been inconvenienced in any way’ is irrelevant: AMANN v. SWITZERLAND (coe.int).

10 Art. 29 WP, ‘Opinion 1/98 Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS)’ (1998), p. 2: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/1998/wp11_en.pdf.

11 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT

12 https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12012E/TXT:en:PDF

13 This is evidenced by the fact that in the Directive the EU transfer rules are not included in Chapter II (The General Rules on the Lawfulness of the Processing of Personal Data), but in a separate Chapter IV (Transfer of personal Data to third Countries). For a similar separation of the basic principles and the transfer rules see the Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data (Madrid Draft Proposal for International Standards), as adopted on November 5, 2009 at The International Conference of Data Protection and Privacy Commissioners in Madrid by the participating data protection authorities, to be found at https://edps.europa.eu/sites/edp/files/publication/09-11-05_madrid_int_standards_en.pdf, where the transfer rules are included in Section 15 and the basic principles of data protection in Part II.

14 See WP 12, Working Document on Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, July 24, 1998 (WP 12), at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/1998/wp12_en.pdf, where the Working Party 29 lists “six content principles” of which the 6th is: “restrictions on onward transfers – further transfers of the personal data by the recipient of the original data transfer should be permitted only where the second recipient (i.e., the recipient of the onward transfer) is also subject to rules affording an adequate level of protection. The only exceptions permitted should be in line with Article 26(1) of the directive.” Since a restriction on onward transfers was at the time missing from Convention 108, the Working Party 29 considered the protection provided by the countries that had at the time ratified Convention 108 was insufficient (see WP 12, at 8). This led to adoption of a transfer rule similar to the Directive in Article 2 of the Additional Protocol to Convention 108.

15 Rand Europe, Review of the European Data Protection Directive, Technical Report dated May 2009 (Rand Report) at https://www.rand.org/pubs/corporate_pubs/CP1-2009.html. Other reviews showed similar results: see Douwe Korff, EC Study on implementation of the Data Protection Directive, Comparative study of national laws, September 2002, Human Rights Centre University of Essex, at 209, to be found at <http://papers.ssrn.com>, notes that “the powers now vested in the data protection authorities, as currently exercised, have not been able to counter continuing widespread disregard for the data protection laws in the Member States.”

16 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2009/wp168_en.pdf, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf 

17 https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF

18 https://data.consilium.europa.eu/doc/document/ST%206607%202013%20REV%201/EN/pdf.

19 See para. 5 at https://data.consilium.europa.eu/doc/document/ST%206607%202013%20REV%201/EN/pdf.

20 See p. 23 at https://data.consilium.europa.eu/doc/document/ST-8004-2013-INIT/en/pdf

21 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp218_en.pdf

22 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52016AG0006%2801%29.

23 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_5419_2016_ADD_1&from=EN.

24 See Amendment 99, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52014AP0212&from=EN.

25 See p. 83 at https://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf.

26 Cf. supra n. 3, p. 113.

27 Cf. supra n.4.

28 Ibid. see para. 126.

29 Cf. supra n.5.

30 Cf. supra n.5.

31 See para. 3 where the EDPB refers to the accountability principle and includes in footnote 12 again a reference to Article 5(2) GDPR only. See also para. 5, footnote 18; para. 48, footnote 58; and para. 76, footnote 77. The only reference to Article 24 can be found in footnote 22, which seems an oversight more than intentional.

32 The EDPB refers to para. 45 of Schrems II. However, in this paragraph the ECJ just indicates that a transfer is a processing (which is correct), but this is not in any way related to how Article 5(1) GDPR should be interpreted.

33 Cf. supra n.5.

34 Cf. supra n.4.

Call for Nominations: 13th Annual Privacy Papers for Policymakers

The Future of Privacy Forum (FPF) invites privacy scholars and authors with an interest in privacy issues to submit finished papers to be considered for FPF’s 13th annual Privacy Papers for Policymakers (PPPM) Award. This award provides researchers with the opportunity to inject ideas into the current policy discussion, bringing relevant privacy research to the attention of the US Congress, federal regulators, and international data protection agencies.

The award will be given to authors who have completed or published top privacy research and analytical work in the last year that is relevant to policymakers. The work should propose achievable short-term solutions or new means of analysis that could lead to real-world policy solutions.

FPF is pleased to also offer a student paper award for students of undergraduate, graduate, and professional programs. Student submissions must follow the same guidelines as the general PPPM award.

We encourage you to share this opportunity with your peers and colleagues. Learn more about the Privacy Papers for Policymakers program and view previous years’ highlights and winning papers on our website.

FPF will invite winning authors to present their work at an annual event with top policymakers and privacy leaders in spring 2023 (date TBD). FPF will also publish a printed digest of the summaries of the winning papers for distribution to policymakers in the United States and abroad.

Learn more and submit your finished paper by October 21st, 2022. Please note that the deadline for student submissions is November 4th, 2022.