GDPR and its impact on Indian firms

Last Updated 30 October 2018, 08:47 IST

The implementation of General Data Protection Regulations (GDPR), 2016 by Europe with effect from May 25, 2018, to protect its citizens’ rights to data privacy, is likely to impact India’s trade surplus in services with the European Union.

Following the Cambridge Analytica data hacking case reported in March 2018, the European Union (EU) enacted the GDPR 2016. As a result, ecommerce companies registered in non-European jurisdictions are subject to a legal framework on par with these regulations. To enforce such legislation, India’s ecommerce companies need to have a similarly stringent legislation besides infrastructure and technologies in place.

Clearly, the GDPR would impact the services sector, especially sectors like data entry, customer care, advertising, banking and IT, among others. These services cannot be provided to a European client unless the Indian data protection laws are considered adequately rigorous by EU standards or on par with GDPR.

Even if Indian companies do not directly interact with European citizens, they would still require GDPR compliance. This is so because personal data of European citizens has the potential to be exploited for other related data processing activities. If so, Indian companies would attract heavy penalties for non-compliance.

For instance, if an Indian company uses data of former European customers, it would be liable for penalisation under the GDPR.

Accordingly, the differences between the existing legal frameworks in India and the EU on data privacy merit consideration. Both government agencies and trade bodies like FICCI and NASSCOM would have to formulate a regulatory regime to accomplish synergy between the Indian and EU data protection regimes and promote India-EU trade to its full potential.

Data protection directive

Europe has a track record of stringent rules that govern how companies could use its customers’ personal data. It has treated privacy, which includes data privacy, as a human right. To protect that right the European Parliament adopted the General Data Protection Regulations (GDPR) in April 2016, to replace an outdated 1995 data protection directive.

The GDPR carries provisions that require business entities to protect personal data and privacy of EU citizens for transactions that occur within EU member states. The Regulations provide for adequate laws in countries that would import data of European citizens. This adequacy requirement decides whether an entity can carry out data exchanges with European citizens.

The GDPR also regulates the exportation of personal data outside the EU. This is where Indian ecommerce entities tread on thin ice as personal data is integral to ecommerce.

The GDPR requires a company that stores or processes personal information about EU citizens within EU states to comply with the regulations, even if it does not have a business presence within the EU. Specific criteria for companies to comply are:

Presence in an EU country
No presence in the EU, but it processes personal data of European residents
More than 250 employees
Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data

That effectively means almost all companies.

Thus, the GDPR remains applicable to Indian ecommerce companies which conduct transactions with European citizens. Companies such as Flipkart and Jabong, or business entities that provide tele-medicine services such as Vidmed, Rejuven India and World Health Partners, all store data that belongs to data subjects.

Though these services have the potential to grow, they cannot prosper unless the Indian legal framework meets the GDPR protection standards.

Today, the Information Technology Act, 2000 (amended in 2008) provides for data protection through Sections 43A, 72 and 72A. These provisions, along with Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011, provide the legal framework to govern data privacy in India.

While this framework provides the norms for data collection and its use, it lacks elaborate guidelines for data storage techniques, user consent and norms for processing data.

On the other hand, the GDPR specifically confers on citizens protection and the right to decide how their data is processed, which is not expressed in the IT Act. Also, the principles stated in the GDPR apply to data processing norms, whereas the principles under the IT Act 2000 apply to the collection of information and its use. Principles listed in the GDPR but not mentioned in the IT Act are data integrity, protection from unlawful processing, accountability, fairness and transparency.

India to enact new law

Therefore, to address these differences the Indian Draft Personal Data Protection Bill, 2018 would be presented in the coming session of Parliament. This legislation has borrowed several provisions from the GDPR to ensure that data protection laws do not hamper ecommerce transactions between India and EU member countries.

Apart from the convergence between the GDPR and the Indian Data Protection Bill 2018, the divergence relates to issues like data localisation, under which storing data on a server in India is mandatory.

This provision is similar to the Chinese data protection laws, which give their government control over data and which the western industrial democracies criticise as a means of state surveillance. How far EU member countries would be agreeable to data localisation remains to be seen.

Fear of losing business

Due to India’s relatively weak data protection laws, the Indian e-services industry would become less competitive and lose its European markets. Indian companies would be required to implement sufficient safeguards, as per the GDPR, to prevent the transfer of personal data outside EU geographies.

This would further increase compliance costs. The GDPR applies outside the EU, which means that Indian companies not aligned with the GDPR cannot do business with EU entities.

The ‘adequacy requirements’ under the GDPR permit only countries that provide adequate protection to data subjects, in respect of their privacy and personal data, to receive data of Europeans. Therefore, India is also moving towards stronger data protection laws, as was evident in the Supreme Court’s ruling on the right to data privacy.

(The writer is an Assistant Professor with the School of Law, Christ Deemed to be University, Bengaluru)

(Published 28 October 2018, 16:07 IST)