The European Union’s General Data Protection Regulation (GDPR) is the latest shiny new regulation to address the issue of data privacy. The GDPR adopts a rights-based, consent-driven approach towards protecting the data of natural persons. It mandates the concept of ‘privacy by design and default’ and creates categories of data privacy compliance that never existed earlier.

The implementation deadline for the GDPR is May 25.

What difference does it make to you as an Indian company? Well, the GDPR is possibly directly applicable to you as well.

First off, it is important to note that, as a rule, the GDPR applies to any act of processing data. The scope of the term ‘processing’ is broad enough to cover any operation, from data collection to analysis, storage, transfer, erasure and others.

Secondly, the GDPR’s territorial applicability clause states that it can be applicable to you in one of three ways: you may have an establishment — a broad and flexible term — in an EU member-state, and the presence of a single representative may be sufficient to constitute an establishment; you may offer goods or services to natural persons in the EU (not limited to EU citizens); or you may monitor the behaviour of natural persons in the EU, where that behaviour takes place in the EU.

Onus on ‘processors’

The third point to consider is that the GDPR is not merely applicable to entities which collect or order the collection of data (referred to as ‘controllers’ under the GDPR) from EU natural persons for their own purposes, but also places liabilities on people who process this data on behalf of controllers (referred to as ‘processors’ under the GDPR). The GDPR also devotes an entire Chapter to the transfer of personal data to third countries or international organisations.

Finally, the GDPR has teeth. In addition to providing for compensation to natural persons whose privacy rights are violated, the GDPR empowers EU statutory authorities to impose administrative fines of up to €20 million or 4 per cent of total group turnover of a company, to impose bans on data processing, to order rectification, restriction or erasure of data and to suspend transfers to certain countries.

In other words, any person processing data, whether on their own or on someone else’s behalf, having any kind of ‘establishment’ in the EU, or offering goods or services to natural persons in the EU, or monitoring the behaviour of natural persons in the EU, is subject to the GDPR. It is this factor that sets the GDPR up to become a new paradigm in global privacy regulation.

Needless to add, it will be potentially applicable to Indian establishments across a swathe of sectors. The GDPR may be as applicable to a single-person start-up offering customised e-cards to the Indian diaspora as to global e-tailers offering products or services to customers in the EU. Any company offering back-end services to companies operating in the EU or elsewhere, if it receives EU resident data, may fall within the definition of a processor under the GDPR.

India rules

Under India’s existing data protection regime, only one legislation, the Information Technology Act, 2000 (the IT Act), has attempted to deal with data protection in a comprehensive manner. The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the IT-RS Rules) under the IT Act seek to address data privacy issues. However, the IT-RS Rules come nowhere near the granularity of detail at which the GDPR addresses data protection compliance.

The IT-RS Rules effectively commit a portion of a single provision to consent, Rule 5(1), requiring that consent be obtained in writing through electronic communication. The GDPR, in contrast, commits five detailed provisions (Articles 6 to 9 and 22) to the essentiality of lawful consent for processing data, factors to determine whether consent was lawfully obtained, conditions for consent, consent for children and heightened consent requirements for special categories of information and for data-based profiling.

Additionally, the language of the GDPR indicates that consent is interwoven through most of its important provisions, making it a key foundation of GDPR compliance.

There are certain aspects of the GDPR which are not reflected anywhere in the IT-RS Rules, such as the adoption of a rights-based approach to data privacy. The GDPR makes it clear at the very outset that it protects the fundamental right to protection of data of natural persons, and goes on to establish, amongst others, rights to data access, rectification, erasure, restriction, portability and objection.

The GDPR is being adopted at a time when India is arguably at a cusp regarding data privacy. The August 2017 decision of the Supreme Court in Justice Puttaswamy vs Union of India confirmed the existence of a fundamental right to privacy, recognised the concept of informational privacy and noted that legislation should be enacted to ensure enforceability against non-State actors (private entities).

Moreover, the Justice Srikrishna Committee, established to make recommendations for a proposed data protection legislation in India, released a white paper on Data Protection Framework in India which utilises much of the GDPR’s terminology and approach.

These are indications that a future data protection legislation in India will share several commonalities with the GDPR. From this perspective, GDPR compliance may be considered an opportunity for Indian companies to achieve early compliance with a potential Indian data privacy legislation.

The GDPR was announced on April 14, 2016, at which time the May 25, 2018 deadline for implementation was announced. Indian companies need to quickly determine their potential liability under the GDPR and take steps towards compliance. The GDPR’s provisions for ‘privacy by design’ mean that compliance with the GDPR is a techno-legal process, requiring revision of software code as well as legal documentation.

However, legal compliance is essential to the process. The broad steps that a company should take in this regard are: diagnosis — determining its data flows and the extent of its statutory compliance requirements; creation or revision of internal policies such as codes of conduct, and of end-user facing agreements such as privacy policies; review or renegotiation of agreements with third parties; and, finally, future-proofing by creating systems for audit, training and record-retention.

Indian companies need to quickly recognise GDPR’s potential significance to their operations and to take steps towards compliance.

The writer is a partner and Head-IP of the law firm, Samvad Partners. The views herein are personal and are not to be read as advice on any aspect of EU or Indian law.
