India: GDPR Vis-À-Vis Indian Data Protection Laws

Privacy, as is known, is the biggest concern of the entire world. Is it a myth, or can there actually be some? This is a question which haunts citizens all around the globe. Companies take advantage and sell their products, claiming that they will ensure your privacy. Legislators are trying to get hold of data violators by defining the laws. Yet, due to the increase in innovation and technology, it has become difficult to address issues concerning breaches and violations.

The personal information of a person, their day-to-day activities over the internet, their habits, etc. have become a commodity for big corporate giants as they use such information for their benefit. This breaches the privacy of the public at large and makes them susceptible to hacking, fraud, misuse of personal information and whatnot. Therefore, to protect their citizenry governments and international organizations around the world are hustling to curate the right laws to protect their citizenry and create an onus upon the companies to safeguard sensitive information from any type of confidentiality breach. One such law that has come up and is very stringent is the General Data Protection Regulation (hereinafter referred to as "GDPR"). The GDPR was adopted by the European Union in April 2016 and it replaced the old 1995 data protection directives and came into full effect in all the EU countries after 2 years. GDPR protects the EU citizenry's data and their privacy, within EU territory and also from data exportation. The law has easy compliance as it requires one standard to be complied with by the companies that fulfil all the compliances in all 28 EU member countries.

GDPR AND ITS IMPORTANT PROVISIONS

The GDPR is a regulation that governs the collection and processing of the personal & sensitive information of the citizenry in the EU. The regulation puts a mandate upon the companies providing services in the EU or via any intermediator to know let their EU consumers about the data that the website is collecting and processing and the control lies with the consumers themselves. These regulations apply to every website that is operational in the EU or can be accessed by any person in the EU nonetheless the website is based in.

The regulation encompasses provisions which regulate the personal information that a company can collect and how can it use that information, thus constraining the companies and terminating the chances for the companies to mislead the consumers through several tactics that the companies used earlier.

Article 5.1 and 5.2 of the regulation provides for several principles that are the concrete pillars for data protection via GDPR, being lawful, transparent, accurate, limitation on data storage, confidentiality, accountability, etc. are some such principles. The new regulation has also recognized several new rights for the consumers in the EU, being the right to be informed, the right to object, the right to restrict, etc.

GDPR AND ITS COMPLIANCE

• WHO NEEDS TO COMPLY?

All those companies that operate in the EU and stockpile and process the private information of EU consumers (citizens) have to comply with GDPR. It is also inclusive of the companies that do not have a presence in the EU but the website is accessible in the EU. GDPR creates an onus on the following companies for the compliance of law:

1. Any company having operation/presence in the EU.
2. Any company not having operation/presence in the EU but stockpiles and uses information of EU citizenry.
3. The employee strength should be more than 250.
4. Less than 250 employees, yet its data processing affects data subjects' rights and freedoms, is ongoing, or involves certain sensitive personal data.

The compliance is thus for every company directly or indirectly involved in stocking and using the information of the citizens of the EU.

• WHAT ARE THE MAJOR COMPLIANCES THAT COMPANIES HAVE TO COMPLY WITH?

There is one standard that every company eligible under GDPR has to comply with. There are several compliances, some of the major compliance are as follows:

1. Visitors to the website are informed of the data collection.
2. By clicking a button or taking another action, visitors voluntarily consent to this information collection.
3. If any of the personal data held by a website is ever compromised, the site promptly notifies its visitors.
4. An evaluation of the website's data security is required.
5. Whether a current employee may fulfil this role without needing to hire a dedicated Data Protection Officer (DPO).¹

There are various ways for businesses to comply with GDPR. Auditing personal data and maintaining a record of all the data they gather and process are some of the crucial tasks. Additionally, businesses must ensure that all website visitors see updated privacy notifications and that any database problems are corrected.

• COMPLIANCE AUTHORITY FOR THE COMPANIES

The data controller, the data processor, and the data protection officer are among the roles that the GDPR specifies as being in charge of ensuring compliance (DPO). The person who controls how and why personal data is processed is known as the data controller. The controller must also ensure that external contractors follow the rules.

INDIA AND GDPR - SIMILARITIES AND DIFFERENCES

In India, the Information Technology Act, 2000 (hereinafter referred to as the IT Act) and the Information Technology Rules, 2011(hereinafter referred to as the IT Rules) govern online data protection. The act was enacted to provide legal recognition for the digital transactions of electronic data transfer and other electronic communication techniques². The IT Act provides for both criminal and civil liabilities for unauthorized access to any computer or computer system under Section 66 and Section 43 of the act respectively. The amendment in the year 2009 brought companies (body corporate) under the ambit and the onus was created upon them as well.³

SIMILARITIES AND DIFFERENCES BETWEEN IT ACT AND GDPR

1. The IT Act and GDPR both have an object to control and regulate the transferring of data for e-commerce. On the other hand, the GDPR is more concerned to safeguard the EU citizens and their rights, however the same is missing in the Indian IT Act.
2. Both the GDPR and IT Rules under Article 5 and Rule 5 state that:

1. Data collection should be done with legal justification.
2. The collection should be required to achieve the stated goal.

However, the GDPR's guiding principles apply to data processing. On the other hand, the principles outlined in the IT Act apply to the gathering and use of information. Processing is not stated. Data integrity, protection from unauthorised processing, accountability, fairness, and transparency are among the principles stated in the GDPR but not included in the IT Act.

3. Under IT Rules and GDPR, respectively, consent from the information provider or the data subject is required for information collection and processing. However, The IT Act does not have a clause that directly addresses the "lawfulness" of processing, in contrast to the GDPR. The GDPR gives the Member States the authority to set special processing requirements and list five additional conditions on the necessity of processing. The IT Act does not entail upon such requirements.
4. Both regulations require consent before data collection and give providers the option to revoke such consent.

However, in contrast to GDPR, the IT Act does not:

1. Define consent
2. Specify conditions for children's consent
3. Demand that the data controller provide evidence of consent.

5. Both rules classify sexual orientation, health information, and biometric data as sensitive data. Additional sensitive personal data categories that are not covered by the two regulations are defined by the IT Act and GDPR separately.
6. Some provisions of Section 43A of the IT Act roughly align with GDPR rights. These are the rights to rectification, to information, and to revoke consent.

The IT Act does not utilise the word "Right" like the GDPR does. The IT Act does not refer to some significant rights stated in the GDPR. These include the rights to access information, to limit processing, to data portability, to object, to delete, and to rights concerning automated decision-making and profiling. The GDPR provides extensive details about the Rights. On the other hand, several of these rights are only loosely described in the IT Act.

WAY FORWARD AND CONCLUSION

The particular institutional decisions India makes regarding data protection are expected to have a big impact on the country's economy. These repercussions could be direct (such as elevated compliance expenses) or indirect (the potential stifling of innovation and overall productivity losses). Even if the numerical figures stated may not always be accurate about India, they do show the various effects that a GDPR-style data privacy regulation might have on different segments of the Indian economy.

Footnotes

1 Jake Frankenfield, General Data Protection Regulation (GDPR) Definition and Meaning, https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp, (Last Accessed on 08/11/2022).

2 The Information Technology Act, 2000.

3 Aditi Chaturvedi, GDPR and India, https://cis-india.org/internet-governance/files/gdpr-and-india (Last accessed on 08/11/2022).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.