28 May, 2018
Privacy is not an option, and it shouldn’t be the price we accept for just getting on the Internet. The companies that do the best job on managing a user’s privacy will be the companies that ultimately are the most successful.
The European Union's General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") entered into force on 24 May 2016 and applies from 25 May 2018, after a two-year transition period. It binds not only businesses established in the EU but also businesses outside the EU that offer goods or services to individuals in the EU, monitor their behaviour, or process personal data on behalf of EU-established controllers. Every such business becomes liable for protecting any data that is categorised as "personal". For Indian businesses this is a serious concern, as the EU is one of India's key trading partners.
Simply put, data privacy means obtaining the individual's consent before collecting personal data, being transparent about why it is collected, and deleting it when consent is withdrawn. Under GDPR, consent must be a clear affirmative act: silence, pre-ticked boxes or inactivity do not count as consent, and it must be as easy to withdraw consent as to give it (Article 7). Protecting data, by contrast, means taking active steps to prevent breaches and leaks.
With GDPR applying from 25 May 2018, companies should reconsider their policies and procedures on data privacy and protection and ensure they are prepared. From that date it replaces the 1995 Data Protection Directive (Directive 95/46/EC).
Applicability of GDPR to Indian companies that process data
The definition of 'processing' in Article 4(2) (Definitions) of the GDPR is very wide. It means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Extra-territorial applicability of GDPR – Article 3 (Territorial scope) makes the regulation apply to processing carried out in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU (Article 3(1)). It also applies to controllers and processors not established in the EU where the processing relates to offering goods or services to data subjects in the EU or to monitoring their behaviour there (Article 3(2)). An Indian company processing personal data for an EU-established controller, or serving EU customers directly, therefore falls within the ambit of GDPR.
Lawfulness of processing data
Under Article 6 of GDPR, processing of personal data is lawful only if at least one of the following bases applies, and the controller must be able to show which one it relies on:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The challenges that GDPR poses for India
The GDPR is a regulation, not a directive: it is directly applicable in every member state without national implementing law, and it imposes obligations on processors (service providers) directly rather than only through their customers. It affects Indian companies that have expanded or plan to expand globally. Certain challenges are listed below:
- The regulation will limit EU companies' outsourcing options, which will result in obvious opportunity losses for businesses in India;
- India's comparatively weak data protection laws make India less competitive as an outsourcing market at a time when other economies are updating their regulatory practices to ensure smooth cross-border operability;
- Largely inflexible, GDPR reduces the extent to which businesses can assess risks and make their own decisions when it comes to transferring data outside the EU;
- The regulation targets service providers directly, who will face costs such as investment in cyber insurance and the adoption of new technology; and
- Infringements of certain provisions of GDPR are subject to administrative fines of up to €20 million or, in the case of an undertaking, up to 4 per cent of total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5)).
Obligations of Indian companies that process data
Before undertaking any processing activity, an Indian company will be required to enter into a contract with its customer (generally, the data controller). Under Article 28(3) such a contract must, inter alia, stipulate the subject-matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects. To clarify the terms: the data controller determines the purposes and means, the 'why' and 'how' of the processing, whereas the data processor acts only on the controller's documented instructions and cannot change the purpose or use of the data.
By way of such a contract, a customer (the data controller) will seek from an Indian company a flow-down of the following obligations:
- Implementation of appropriate technical and organisational measures, proportionate to the risk, including as appropriate (i) pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore availability of and access to personal data in a timely manner after a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of those measures (Article 32). Note that pseudonymised data remains personal data under GDPR (Recital 26); only irreversibly anonymised data falls outside it, so pseudonymisation reduces risk but does not remove the processor's obligations;
- In the event of a personal data breach, the processor must notify the customer (controller) without undue delay after becoming aware of it (Article 33(2)). The controller in turn must notify the supervisory authority, where feasible within 72 hours, unless the breach is unlikely to result in a risk to individuals (Article 33(1)), so controllers commonly write a shorter internal deadline into the contract; and
- Assistance to the controller in carrying out a data protection impact assessment before the processing begins where the processing, in particular using new technologies and taking into account its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons (Article 35). The assessment itself is the controller's obligation; the processor's duty is to assist and to provide the information the controller needs (Article 28(3)(f)).
One may feel that this changes little, since Indian companies already have such contracts with their customers. The key difference is that GDPR mandates that the contract between controller and processor include the obligations listed above. In addition, a processor (here, the Indian company) must make available to the controller all information necessary to demonstrate compliance and must allow for and contribute to audits and inspections (Article 28(3)(h)). At the end of the service contract it must, at the controller's choice, delete or return all personal data and delete existing copies (Article 28(3)(g)). The processor's right to subcontract has been curtailed: engaging another processor requires the controller's prior specific or general written authorisation, and the same data protection obligations must be flowed down to the sub-processor (Article 28(2) and 28(4)). Lastly, a controller or processor may transfer personal data to a third country or international organisation lacking an adequacy decision only if appropriate safeguards, such as standard contractual clauses or binding corporate rules, are in place (Article 46). Taken together, an Indian company's ability to refuse the flow-down of these contractual obligations has been severely reduced.
Guarantee of an adequate level of protection of data
The bedrock of GDPR's transfer regime, in Article 45, is the 'adequacy' mechanism: personal data may flow freely only to a third country or international organisation that the European Commission has found to "ensure an adequate level of protection". In reaching that decision the Commission considers whether the legal framework of the destination country, including the rule of law, the existence of an independent supervisory authority and effective remedies for data subjects, affords adequate protection of privacy and personal data. Absent an adequacy decision, transfers must rely on the Article 46 safeguards.
In India, the current legal framework on data privacy and protection is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which falls well short of the GDPR standard. The recent landmark judgment of the Hon'ble Supreme Court in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors.1, declaring the right to privacy a fundamental right, has provided much-needed impetus for a long-awaited, comprehensive data protection legislation in India. It remains to be seen how the forthcoming legislation shapes up and whether it will satisfy the criteria laid down under GDPR.
The way forward
When it comes to designing data protection for businesses in India, the stakes are high, and businesses, organisations and governments need to implement comprehensive data protection practices at every level. This can be achieved through the following means:
- Assess gaps between the current compliance programme and the requirements of GDPR;
- Adopt a risk-based approach to data privacy, which can significantly reduce the likelihood of non-compliance or a breach;
- Adopt smart, cost-efficient ways to address cyber security;
- Encrypt personal data in transit and at rest; encryption is one of the measures Article 32 expressly names, though it is not by itself a guarantee of compliance;
- Document processing activities and data flows, maintaining the records of processing that Article 30 requires of processors as well as controllers;
- Review third-party contracts, if any, for the terms Article 28 requires;
- Create processes for privacy by design and by default (Article 25) and for privacy impact and risk assessments;
- Incorporate clear rules on portability of customer data (Article 20) and on what can or cannot be shared with or without consent; and
- Impart professional training (by way of seminars or webinars) so that employees acquire the specific skills needed to build a robust data protection regime in compliance with the legal requirements.
GDPR is an excellent opportunity for India to update its regulatory practices and effectively implement the fundamental right to privacy. Indian companies should use this as a stepping stone to move up the value chain by strengthening their automation portfolios and making the industry more competitive in the global market.
1Writ Petition (Civil) 494 of 2012
For further information, please contact:
Priyanka Anand, Associate Partner, Clasis Law
priyanka.anand@clasislaw.com
Vasudha Luniya, Clasis Law
vasudha.luniya@clasislaw.com