Data Privacy And Cybersecurity Landscape For GCCs In India: Key Considerations.
In part VII of our series on global capability centres (“GCCs”), we discuss key emerging data privacy and cybersecurity considerations that impact GCCs in India.
Given the long-standing “protected” status of the Information Technology Enabled Services (“ITES”) sector, GCCs may be tempted (as is all too common) to consider themselves “low touch” organisations primarily providing “back office” services that deal entirely with “foreign data”.
This means that the GCCs, the foreign entities setting them up (“Foreign Entity”)[1], as well as the offshore group entities they service (hereinafter “Groups”), often place Indian law privacy considerations very low on their lists of key priorities.
While historically this approach may have worked, the advent of “Techade[2]” and the transformation of GCCs from back offices and cost-arbitrage centres to centres of excellence and growth mean that India’s evolving privacy and cybersecurity landscape may soon become an important consideration for GCCs.
Mapping typical data flows in relation to GCCs
Broadly GCCs act in one or both of the following two capacities:
- As Data Processors[3]: The core purpose of GCCs is to render services (and thereby process data) on behalf of the Foreign Entity/ their Groups, which may operate in jurisdictions with stringent regulatory regimes, such as Europe and the USA. In doing so, they process large volumes of highly protected or sensitive data (such as healthcare or financial data), particularly under regimes such as the EU’s General Data Protection Regulation (“GDPR”) and the USA’s Health Insurance Portability and Accountability Act, 1966 (“HIPAA”). In addition to the Foreign Entity/ their Group’s employee data, GCCs also process their customers’/ clients’ data. In some situations (such as GCCs of a Foreign Entity/ their Groups with India touchpoints), the GCC may end up providing services on data relating to the Indian customers of its Foreign Entity/ their Groups (“Loop Back Data”).
- As Data Fiduciaries[4]: GCCs are large employers with extensive business operations in India, and often determine the “purpose and means” of processing personal data relating to thousands of employees, contractors, service providers and vendors in their day-to-day operations. Apart from obvious “purposes” such as monitoring employee safety and attendance management, they also engage in “innovative” processing such as “managing” employee productivity as well as work-from-home or remote work situations.
Graphically, these types of data flows can be categorised in the following three ways:
Key considerations under the extant Indian privacy regime
The current data privacy regime in India[5] requires that all private entities that process personal data (especially sensitive personal data or information[6]) within India, or use computer networks in India[7], do so with explicit consent and in accordance with published privacy policies.[8]
When this regime was implemented, India’s ITES providers protested that they would not be able to comply with these requirements, given that they did not have any contact with the individuals whose data they processed.
Consequently, reacting to fears that this regime would destroy India’s then nascent but highly critical outsourcing industry, the Ministry of Communications and Information Technology issued a clarification (“Clarification”) on August 24, 2011 to the relevant parts of the SPDI Rules, which, somewhat confusingly, reads as follows:
“These rules are regarding sensitive personal data or information and are applicable to the body corporate or any person located within India. Any such body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is not subject to the requirement of Rules 5 & 6. Body corporate, providing services to the provider of information under a contractual obligation directly with them, as the case may be, however, is subject to Rules 5 & 6.”[9]
Notwithstanding the multiple possible interpretations, the above-mentioned clarification has widely been read to exempt processing of SPDI received by GCCs from jurisdictions outside India under any Group or third-party arrangements.
Since then, the Foreign Entities setting up GCCs in India have largely been required only to ensure compliance with the GDPR or regimes like the California Consumer Privacy Act, 2018 (“CCPA”), and to put in place appropriate data transfer arrangements for cross-border transfers.
The Court of Justice of the European Union[10] invalidated the “EU-U.S. Privacy Shield”, which had historically facilitated transatlantic data flows. This, combined with a growing focus on “interception and monitoring”, has firmly shifted attention towards carrying out transfer impact assessments and ensuring that the Group’s and the GCC’s data transfers are examined on a case-by-case basis so that sufficient additional safeguards are provided.
Incoming regulatory overhaul: Key considerations under the evolving privacy and cybersecurity landscape in India
Background to the incoming Digital Personal Data Protection Act, 2023
India is currently in the middle of its “GDPR” moment. The Digital Personal Data Protection Act, 2023 (“DPA”), having received presidential assent, has been notified for information purposes and the rules thereunder will soon be published for consultation. Thereafter, the DPA will be brought into force in an as-yet uncertain timeline.
While it has similarities to the GDPR, the DPA is distinct in several key ways:[11] it promises to be one of the most consent-centric privacy regimes globally,[12] creates a dedicated body for enforcement of its provisions,[13] and provides for significant penalties (up to USD 30 million) for violations of distinct Indian obligations (such as the universal breach notification).
Given this background, the DPA can potentially impact GCCs in India. The DPA governs processing of digital personal data within India and even outside India when the goods or services related activities are offered in India.[14]
The obligations for compliance with the DPA lie on the data fiduciary, i.e., the entity which determines the purposes and means of processing. Additionally, data fiduciaries are responsible for ensuring compliance with the provisions of the DPA by data processors (entities that process data on behalf of the data fiduciary) they engage with.[15]
Processing of personal data of non-Indians by the GCC received pursuant to a contract: Understanding the new outsourcing exception
Under the DPA the processing of “personal data of individuals based outside India by any person in India pursuant to a contract” is exempt from most material requirements, save for the obligation to maintain reasonable security standards.[16]
This exception, while enshrined in a statute and much clearer than the Clarification, differs from the language of the Clarification in a manner that may potentially have far reaching consequences.
The exclusion pertains to data of “individuals based outside India”, and does not apply to processing of personal data by GCCs pertaining to individuals in India (such as employees of the Group/ GCC/ Foreign Entity based in India, or Indian customers of the Group/ Foreign Entity who contract with it offshore). Further, it is paramount to note here that this requirement is linked to “residency” and not “citizenship” or “nationality”’ of the client/ employee/ customer.
Additionally, historical transfer impact assessments by GCCs may need re-evaluation: while the DPA includes several provisions that are largely aligned with the erstwhile regime, there are certain changes, inter alia in how the government accesses personal data.[17]
Processing of personal data of Indians by the GCC: Understanding the norm
Where the datasets being processed by GCCs for the Foreign Entity and/or its Group contain data of Indian persons, the DPA’s consent and notice requirements become mandatory. Such Loop Back Data is increasingly common given India’s position as the world’s fastest growing digital economy.
In such cases, the processing of “Indian” data by GCCs, as a processor for the Foreign Entity and/ or Group, becomes subject to the full brunt of the DPA’s onerous consent requirement, among its other compliance requirements:
- Where the GCC and the Foreign Entity/ Group entity independently determine the purposes and means of processing (such as where the GCC uses Indian data provided by the Group for general research and product improvement), both entities will be data fiduciaries under the DPA. In such cases, DPA may be directly applicable to the GCC and it may be called upon to demonstrate consent for such processing.
- Where the Foreign Entity/ Group entity solely determines the purpose of processing, the GCC will be a data processor on behalf of the Group entity. Practically, while the consequences of a breach of the DPA may lie with the Group entity outside India, the GCC’s presence in India may make it a ripe location for regulatory scrutiny, particularly in case of a large-scale breach involving unconsented data.
Another concerning matter is that Loop Back Data is often commingled with purely “offshore” datasets, which enjoy the outsourcing exception. It is therefore important that the contractual arrangements clearly delineate the role each entity will play in relation to each item of personal data, that the manner in which personal data is processed by GCCs is examined, and that the source of such personal data is examined carefully.
GCCs as ‘Data Fiduciaries’ under the DPA
As of FY 2022–23,[18] there are over 1,580 GCCs housing approximately 1.66 million employees, which places them among the most significant employers in India. These GCCs collect, and determine the purposes of processing of, personal data of their workforce. The DPA permits private entities to process personal data primarily on two bases: (i) consent, obtained after provision of a privacy notice in the format to be prescribed under the rules, and (ii) legitimate use[19].
With respect to employee data, the DPA provides the following legitimate use:
“the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee”[20].
Where GCCs are able to clearly demonstrate that processing is necessary for: (i) the purposes of employment (payroll, employee training, maintenance of employee records), or (ii) safeguarding the employer from liability (implementing security measures such as access controls, encryption and user authentication, or conducting security audits on company network and system), or (iii) providing benefits sought by the employee (such as gratuity, provident fund, healthcare benefits, insurance coverage, or wellness programmes), they can seek to undertake such processing under legitimate use.
For activities that fall outside the scope of the prescribed legitimate use, or where the data does not relate to employees, explicit consent will have to be obtained (and maintained) from the employees/ such other individuals against a valid privacy notice[21]. Pertinently, where the data collection pertains to non-employees, i.e., consultants and service providers, consent will have to be taken, since such data collection will not be covered under the employment “legitimate use”.
Conclusion
In the backdrop of the exponential expansion of GCCs in India and the evolving data privacy and cybersecurity landscape, it is pertinent for GCCs to identify ways to navigate the forthcoming regulatory overhaul in a cost and time effective manner. Thus, ensuring that their processing is limited to demonstrable “offshore” data sets, or at least distinguishable “onshore” and “offshore” data sets, in clearly delineated capacities as data processors or data fiduciaries, may prove essential for GCCs in India.
[1] For more information on how a GCC can be set up, you can read our detailed post on the same here – Strategic structuring and modelling Global Capability Centres (GCCs) in India: How to set up | India Corporate Law (cyrilamarchandblogs.com)
[2] ‘Techade’ is a word coined by Narendra Modi, the Prime Minister of India, to describe the technology-dominated decade.
[3] Section 2 (k) of the DPA defines a ‘data processor’ as “any person who processes personal data on behalf of a Data Fiduciary”.
[4] Section 2(i) of the DPA defines a ‘data fiduciary’ as “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”.
[5] Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”).
[6] Rule 3, SPDI Rules.
[7] Section 1 read with Section 75 of the IT Act.
[8] Rule 4 of the SPDI Rules.
[9] Clarification on Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under section 43A of the Information Technology Act, 2000, dated August 24, 2011, available at Government of India (meity.gov.in).
[10] Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (16 July 2020), Case C-311/18, Court of Justice of the European Union (“Schrems II”).
[11] For a comparison between the two regimes, please refer to our blog post here: India’s New Data Protection Law: How Does it Differ from GDPR and What Does that Mean for International Businesses? | India Corporate Law (cyrilamarchandblogs.com)
[12] For a comparison between the DPA and the US data privacy laws, please refer to our blog post here: Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws | India Corporate Law (cyrilamarchandblogs.com)
[13] Section 18 of the DPA.
[14] Section 3 of the DPA.
[15] Section 8(1) of the DPA.
[16] Section 17(1)(d) of DPA.
[17] Global capability centres go big on hiring gig employees – The Economic Times (indiatimes.com)
[18] ‘GCC 4.0 | India Redefining the Globalization Blueprint’, NASSCOM-Zinnov, (June, 2023) Accessible here – GCC 4.0 | INDIA REDEFINING THE GLOBALIZATION BLUEPRINT | nasscom
[19] Section 4 of the DPA.
[20] Section 7(i) of the DPA.
[21] For more details on the requirements surrounding consent, please refer to our detailed blog post here – Of Consent and Lawful Uses: Where the Rubber meets the Road | India Corporate Law (cyrilamarchandblogs.com).