Posted in: Lex witness | Jun 2018

GDPR & Its India Implications

The General Data Protection Regulation (“GDPR”), enacted by the European Parliament and the Council of the European Union, was implemented from 25 May 2018. The GDPR is a regulation on data privacy and protection for all individuals within the European Union and the European Economic Area, and it also covers the export of personal data outside the European Union and the European Economic Area. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for business houses wishing to process such personal data. The GDPR aims to simplify the regulatory environment for business so that both citizens and businesses in the European Union can fully benefit from the digital economy. It is relevant to state here that the GDPR considers data privacy to be a fundamental right.

RELEVANCE OF GDPR GUIDELINES TO INDIA

In light of the burgeoning data privacy discussions in India, it will be relevant for Indian companies to be aware of the GDPR and ensure that they are GDPR compliant, especially if Indian companies are providing services through ‘data subjects’ in the EU or are tracking data subjects, belonging to the EU, through mobile applications or other tools/mechanisms. The cost of being non-GDPR compliant: a fine of 20 million Euros or 4% of annual turnover, whichever is higher!!

In the background, it will be worthwhile to briefly examine the legal position of data privacy in India. Currently, India has no sui generis law pertaining to data privacy. Instead, the law on data privacy is governed by the Information Technology Act, 2000 (“IT Act”) and the Rules promulgated thereunder. An Expert Committee was constituted in early 2018 by the Central Government to examine the aspect of drafting a sui generis law for data privacy. In addition, there are a few litigations pending before the Hon’ble Supreme Court of India on aspects of data privacy, such as the well-covered Aadhaar case. From a precedent standpoint, the right to privacy has been held to be a fundamental right in a landmark decision passed by the Hon’ble Supreme Court of India, in August 2017, in Justice K S Puttaswamy v. Union of India (Writ Petition (Civil) No. 494 of 2012). As a consequence of this judgment, the Government of India has an obligation both to ensure that its actions do not violate a citizen’s privacy and to ensure that such rights are not violated as a result of its inaction, including its failure to enact suitable legislation.

To ensure data privacy and protection in India, the Central Government promulgated ‘The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011’ (“Data Privacy Rules”) pursuant to powers set out in Section 43A of the IT Act. The Data Privacy Rules provide, inter alia, the obligations of entities to provide for policies for privacy and disclosure of information. The Data Privacy Rules provide for certain personal information to be ‘Sensitive personal data or information’, namely (i) password; (ii) financial information; (iii) physical, physiological and mental health conditions; (iv) sexual orientation; (v) medical records and history; (vi) biometric information. The Data Privacy Rules mandate that entities who collect, process or store data should provide a privacy policy for handling personal information (including Sensitive personal data or information). Further, prior to collecting such sensitive personal data or information, the consent of the individual shall be obtained. The Data Privacy Rules further provide that entities collecting such personal information shall implement reasonable security practices and standards.

A comparison of the GDPR and the Data Privacy Rules does indeed show certain common provisions, though the GDPR does contain provisions that are absent from the Data Privacy Rules, such as the Right to be Forgotten, the Right to Data Portability and the Right to object to Profiling.

WHAT SHOULD INDIAN ENTITIES DO?

Given the fact that many Indian companies, especially those engaged in the information technology and BPO sphere, have robust operations in Europe, compliance with GDPR is essential. While the Data Privacy Rules do not contain as robust and detailed compliance as the GDPR does, Indian companies, having business interests in Europe, and who are processing personal data, will have to ensure implementation of systems and processes that comply with the higher standard required. While ensuring this high compliance is bound to increase operational and compliance costs, there is no other option for such Indian companies: either comply or pay up!!

The question that then arises is what steps Indian companies should take to be GDPR compliant. Indian companies should, inter alia, review their existing policies and privacy programmes; ensure training of employees on data privacy; and review/update contracts signed with third-party vendors. Further, Indian companies also need to ensure that they are sufficiently equipped, from a technology and process perspective, to deal with the audit process prescribed in the GDPR.

India has a booming digital economy, with the Government seeking to promote digital transactions and digital presence through programs and schemes such as Aadhaar (a biometric data platform), Digital India (an e-governance initiative) and DigiLocker (digitization of citizens’ documents). However, as India rapidly moves on its highway of digital revolution and expansion, the issue of data privacy and protection is pivotal and cannot become a road-block. The recent data leaks of Facebook, and indeed Aadhaar, are telling examples of how inadequate data privacy and protection mechanisms can turn public opinion against these digital platforms. For Indian companies who conduct business with the EU and EU citizens, a higher level of compliance with GDPR can only be a good thing for the Indian economy, as it would force Indian companies to adopt similar high standards for ensuring data privacy and protection of Indian citizens in India.

About the author

Mohit Goel is a Partner in the Firm’s Dispute Resolution team. Mohit’s expertise extends to dispute resolution in the field of Intellectual Property Rights and Arbitration and Conciliation. Mohit has played and continues to play a key role in some of India’s biggest Intellectual Property disputes. Mohit is also an active member of the International Trademark Association (INTA).

Bharadwaj Jaishankar is an Associate Partner in the Firm’s Intellectual Property and Dispute Resolution team. Bharadwaj's expertise extends to advising Clients on protection and enforcement of trademark, copyright and design rights. Bharadwaj regularly appears before various Courts and Tribunals across India. In addition, Bharadwaj is an active member of the International Trademark Association (INTA) and is currently a member of INTA’s Emerging Issues Committee, wherein he is examining emerging issues and trends in the field of trade marks.