By Priyanka Anand and Vasudha Luniya, Clasis Law
The new European Union General Data Protection Regulation (GDPR) was adopted on May 24, 2016 and will come into effect on May 25, 2018, after a two-year transition period. This regulation stipulates that any and all businesses within the EU, or dealing with the EU, will have to comply with GDPR. This will make all businesses liable to protect any data that is categorised as “personal”. Once it takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC).
Applicability of GDPR to Indian companies that process data
Extraterritorial applicability of GDPR — Article 3 (Territorial scope) of GDPR makes it clear that these regulations will be applicable regardless of whether the processing takes place in EU or not. Therefore, an Indian company processing personal data in context of activities of an establishment of a controller or processer in EU, will fall within the ambit of GDPR.
The challenges that GDPR poses for India
The GDPR is a legally binding regulation, not a directive that brings service providers directly under its purview. It affects Indian companies that have expanded or plan to expand globally. Certain challenges have been enlisted herein below:
- The regulation will limit EU companies’ outsourcing options which will result in obvious opportunity losses for businesses in India;
- India’s comparatively feeble data protection laws makes India less competitive as outsourcing markets in this space where other economies are updating their regulatory practices to ensure smooth inter-state operability;
- Largely inflexible, GDPR reduces the extent to which businesses can assess risks and make decisions when it comes to transferring data outside the EU;
- The regulations target service providers directly who will have to face high costs such as investment in “cyber insurance” whilst adopting new technology; and
- Infringements of certain provisions of GDPR shall be subject to stringent penalties.
Obligations of Indian companies that process data
Prior to undertaking any processing activity, Indian companies will be required to enter into a contract with their customer (generally, a data controller). Such contract will, inter alia, stipulate the subject-matter and duration of processing activity, its nature and purpose and the type of personal data and categories of data subjects.
By way of such contract, a customer (the data controller) will seek from an Indian company a flow down of the following obligations:
- Implementation of appropriate organisational measures to ensure (i) pseudonymisation and encryption of personal data; (ii) confidentiality and integrity of processing systems; (iii) restoration of availability and access to personal data after a physical or technical incident; and (iv) regular testing and evaluation of such measures (Article 32);
- In the event of a personal data breach, the same must be notified to the customer without undue delay (Article 34); and
- Carry out a data protection impact assessment prior to commencement of the processing activity (Article 35).
Guarantee of an adequate level of protection of data
The bedrock of GDPR, in terms of Article 45, is the stipulation of ‘adequacy requirements’, which curbs the transfer of personal data to any third country or international organisation that does not “guarantee an adequate level of protection”. In doing so, the European Commission considers whether the legal framework prevalent in the country to which the personal data is sought to be transferred, affords adequate protection to data subjects in respect of privacy and protection of their data.
In India, the current legal framework pertaining to data privacy and protection is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which is far from being adequate. The recent landmark judgment of the Hon’ble Supreme Court in the case of Justice KS Puttaswamy (Retd.) & Anr. Vs. Union of India & Ors, declaring the right to privacy as a fundamental right has provided the much-needed impetus to introducing a long-awaited, all-encompassing data protection legislation in India.
Conclusion
GDPR is an excellent opportunity for India to update its regulatory practices and effectively implement the fundamental right to privacy. Indian companies, should use this as a stepping stone to move up the value chain by strengthening its automation portfolio and make the industry more competitive in the global market.
E: priyanka.anand@clasislaw.com
E: vasudha.luniya@clasislaw.com
T: (91) 11 4213 0000
F: (91) 11 4213 0099