With digital and cross-border transactions growing at an exponential rate, protection of personal data has become a critical issue with multi-jurisdictional implications. The most recent and most significant example is the European Union's ("EU") regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "General Data Protection Regulation" or "GDPR"), which came into force on May 25, 2018. Because of its extra-territorial applicability, GDPR has given rise to certain significant questions about its implications for non-EU organizations, which I have attempted to address below.
Does GDPR apply to Indian Companies?
One of the key underlying principles of GDPR is to ensure that when personal data of persons in the EU is transferred to non-EU countries, GDPR's data protection safeguards travel with that data. To put it simply, GDPR has an extra-territorial application: it applies even to processing, by entities situated outside the EU, of personal data of persons in the EU in relation to the offering of goods or services to such persons, or the monitoring of their behaviour in so far as that behaviour takes place within the EU.
Consequently, Indian entities acting as either a 'controller' (i.e. the person who determines the purposes and means of the processing of data) or a 'processor' (i.e. the person who processes the personal data on behalf of the controller) of personal data of EU residents become subject to GDPR. GDPR is therefore likely to have a significant impact on Indian technology and data-processing companies operating in, say, the information technology, international e-commerce and outsourcing sectors.
When is cross-border data transfer to non-EU countries (like India) permitted?
Adequacy Decision: GDPR permits international data transfer to non-EU countries subject to a decision by the European Commission ("EC") that they ensure an adequate level of protection. However, so far the EC has granted such an 'adequacy decision' to only a handful of countries, and India is not one of them.
Alternative Appropriate Safeguards: In the absence of an adequacy decision, for cross-border transfers of personal data to India the 'controller' or 'processor' should provide appropriate safeguards, such as adoption of pre-approved (GDPR compliant) binding corporate rules by multinational companies for transfer of personal data to their group companies in India; use of standard data protection clauses adopted by the EC or a supervisory authority;[1] or adoption of pre-approved codes of conduct drawn up by associations/bodies representing categories of controllers or processors.
Other Exceptions: Cross-border transfer of data can also take place in certain specified situations, such as where the explicit consent of the data subject (after being informed of the possible risks) has been obtained, or where the transfer is necessary for reasons such as performance of a contract between the data subject and the controller; public interest; the establishment, exercise or defence of legal claims; protecting the vital interests of the data subject or other persons where the data subject is physically or legally incapable of giving consent, etc.
What are the Key Implications for Indian Companies?
It has become imperative for Indian entities handling personal data of EU residents to implement the data protection requirements stipulated in GDPR within their systems, particularly as their EU counterparts are likely to insist on compliance with GDPR as part of their standard contractual clauses, given the heavy penalties associated with GDPR non-compliance and the regulations governing cross-border transfer of personal data.[2]
GDPR compliance for Indian companies can entail a significant overhaul and re-writing of their privacy policies, their contractual arrangements with EU counterparts and data subjects, and their internal data protection protocols and systems. Depending on the role of the Indian entity vis-à-vis the obligations imposed on 'controllers' and 'processors' under GDPR and their applicability, this may inter alia include:
- Provision of additional rights to data subjects as available under GDPR, such as fair and lawful processing of data (which inter alia requires that the data subject be informed of the existence of the processing operation and its purpose); the right to obtain rectification of inaccurate personal data; the right to obtain from the controller the erasure of personal data concerning them without undue delay in prescribed circumstances; the right to data portability; the right to be informed if the data is to be processed for other purposes, etc.
- Obtaining consent which is specific, informed and unambiguous. This could include ticking a box when visiting a website, but silence, pre-ticked boxes or inactivity would not constitute consent. If the processing has multiple purposes, consent should be given for all of them.
- Implementation of other appropriate technical and organizational measures to inter alia ensure the security and safety of data; meet the principles of data protection by design and by default (such measures could consist, inter alia, of minimizing the processing of personal data, pseudonymising[3] personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, and enabling the controller to create and improve security features); due reporting of data breaches within a specified time period; appointment of data protection officers; and carrying out data protection impact assessments where applicable.
The operational compliance burden and associated costs of GDPR may prove to be substantial, particularly for smaller companies (especially startups operating on shoestring budgets). That said, since the Indian Government is seeking to further strengthen its regulatory framework for data protection and privacy (and the Shri B. N. Srikrishna Committee's new data protection bill is currently under discussion), data protection compliance is likely to become a matter of utmost significance for all Indian companies in the future, and not just for companies having business interests in the EU.
[1] Till date, the EC has issued three sets of standard data protection clauses – two for data transfers from EU data controllers to non-EU data controllers and one set for data transfers from EU controllers to non-EU processors.
[2] Please note that failure to comply with the GDPR requirements can attract administrative fines of up to EUR 10,00,000 or 20,000,000, or in the case of an undertaking, up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, depending on the nature of the provisions breached.
[3] GDPR defines 'Pseudonymisation' as processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Pseudonymised data is subject to more relaxed standards of data protection under GDPR than other personal data.
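As an added illustration (not part of this update), the definition in note [3] expressed in code: a direct identifier is replaced by a keyed hash, and the key, which is the "additional information", is held by a separate custodian component so the dataset alone cannot be re-attributed to a person. The class and function names and the sample records are constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (fictitious people, for illustration only).
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "order_total": 120.50},
    {"email": "bob@example.com", "country": "FR", "order_total": 35.00},
    {"email": "alice@example.com", "country": "DE", "order_total": 18.25},
]


class KeyCustodian:
    """Holds the secret key separately from the pseudonymised dataset.
    Only this component can link a pseudonym back to an identifier."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)

    def pseudonym(self, identifier: str) -> str:
        # Keyed hash (HMAC-SHA256): the same identifier always yields the same
        # pseudonym, so records for one subject stay linkable for analytics,
        # but without the key a pseudonym cannot be reversed or matched
        # against a list of candidate identifiers (an unkeyed hash could be).
        return hmac.new(self._key, identifier.strip().lower().encode(),
                        hashlib.sha256).hexdigest()

    def reidentify(self, pseudonym: str, candidates):
        # Re-identification is possible only for the key holder, and only
        # against identifiers it already knows.
        for c in candidates:
            if hmac.compare_digest(self.pseudonym(c), pseudonym):
                return c
        return None


def pseudonymise(records, custodian: KeyCustodian):
    """Return records with the direct identifier replaced by a pseudonym;
    the key never leaves the custodian."""
    return [{"subject_id": custodian.pseudonym(r["email"]),
             "country": r["country"], "order_total": r["order_total"]}
            for r in records]


def totals_per_subject(pseudo_records):
    """Analytics that still works on the pseudonymised data."""
    totals = {}
    for r in pseudo_records:
        totals[r["subject_id"]] = totals.get(r["subject_id"], 0.0) + r["order_total"]
    return totals
```

Deleting the custodian's key turns the dataset from pseudonymised into effectively anonymised, since no one can then re-link the pseudonyms.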
Disclaimer: LexCounsel provides this e-update on a complimentary basis solely for informational purposes. It is not intended to constitute, and should not be taken as, legal advice, or a communication intended to solicit or establish any attorney-client relationship between LexCounsel and the reader(s). LexCounsel shall not have any obligations or liabilities towards any acts or omission of any reader(s) consequent to any information contained in this e-newsletter. The readers are advised to consult competent professionals in their own judgment before acting on the basis of any information provided hereby.