Legal Advice for Indian Companies for their General Data Protection Regulations (GDPR) & Compliances
The General Data Protection Regulation (GDPR), which became enforceable on 25 May 2018, is regarded as the toughest data privacy legislation so far. In a nutshell, the GDPR provides a legal framework that sets rules for the collection and processing of personal information of individuals in the European Union (EU). It applies to any organisation operating within the EU, as well as to any organisation outside the EU that offers goods or services to individuals or businesses in the EU, or that monitors their behaviour.
It places on all such entities a responsibility to process personal data on a lawful basis, for a specified purpose, for a limited period, while maintaining confidentiality and using technologies such as pseudonymisation that raise the level of protection. In institutionalising data sanctity and data security, with the data subject’s rights engaged at every stage, including the right to be forgotten, the GDPR also demands accountability at every stage and imposes strict penalties in case of default.
There are certain terms that companies must understand before adapting themselves to the GDPR. In GDPR parlance, “personal data” means any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are personal data. Personal data can also include location information, race, gender, biometric data, religious beliefs, browser cookies and political opinions. Pseudonymous data also counts as personal data if the individual can be re-identified from it with reasonable effort, for example because the key or lookup table that maps pseudonyms back to identities still exists.
“Processing” means any operation performed on personal data, whether automated or manual. Examples include collecting, recording, organising, structuring, storing, using and erasing data. Every such operation needs a lawful basis under Article 6, of which consent is only one.
“Data subject” means the person whose data is processed. This could be a customer or anybody who visits the site.
“Controller” means the person or body that decides why and how personal data will be processed. In practice the controller is normally the organisation itself, not an individual owner or employee who happens to handle the data.
“Processor” means a third party that processes personal data on behalf of a controller. Processors have their own specific obligations under the GDPR. Examples include back-office service providers that run operations for telecom majors, or email service providers acting as intermediaries.
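The two paragraphs above mention pseudonymising technologies and warn that pseudonymous data is still personal data when re-identification is easy. The following example, added here as an illustration and not taken from the article or from any specific product, makes that concrete: a plain hash of an email address can be reversed by anyone who guesses the address, whereas a keyed pseudonym (HMAC with a secret held separately by the controller) can only be reversed by the key holder. The records and the attacker’s word list are constructed for the demonstration, and all function names are the example’s own.

```python
"""Pseudonymisation of a direct identifier: plain hash versus keyed HMAC.

Added example. Shows why hashing alone is not pseudonymisation in the
GDPR sense (the pseudonym is reversible by dictionary attack) and how a
keyed pseudonym keeps the "additional information" needed for
re-identification under the controller's control.
"""
import hashlib
import hmac
import secrets

# Constructed sample records with fictitious data subjects.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "country": "DE", "orders": 3},
    {"email": "bob@example.net", "country": "FR", "orders": 1},
    {"email": "alice@example.org", "country": "DE", "orders": 2},
]

# Constructed attacker word list: plausible addresses an attacker would try.
ATTACKER_WORDLIST = ["alice@example.org", "carol@example.com", "bob@example.net"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic, but anyone who can
    guess the input can recompute it, so this is NOT pseudonymisation."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the pseudonym cannot
    be linked back to the identifier; with it, the controller can."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Replace the direct identifier with a keyed pseudonym. Records of the
    same person still share a subject_id, so analytics and joins keep working."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject_id"] = keyed_pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def reidentify_by_dictionary(pseudonyms: list, wordlist: list, pseudonym_fn) -> dict:
    """Attempt to reverse pseudonyms by recomputing them for every guess.
    Returns {pseudonym: guessed_identifier} for each hit."""
    table = {pseudonym_fn(guess): guess for guess in wordlist}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    """Run both schemes against the same attacker and return the results."""
    key = secrets.token_bytes(32)  # held by the controller, separately from the data

    naive_ids = [naive_pseudonym(r["email"]) for r in SAMPLE_RECORDS]
    keyed_records = pseudonymise(SAMPLE_RECORDS, key)
    keyed_ids = [r["subject_id"] for r in keyed_records]

    # Attacker has the data set and a word list, but not the key.
    hits_naive = reidentify_by_dictionary(naive_ids, ATTACKER_WORDLIST, naive_pseudonym)
    hits_keyed = reidentify_by_dictionary(keyed_ids, ATTACKER_WORDLIST, naive_pseudonym)

    # The key holder (the controller) can still re-identify when legitimately required.
    hits_keyholder = reidentify_by_dictionary(
        keyed_ids, ATTACKER_WORDLIST, lambda w: keyed_pseudonym(w, key)
    )
    return hits_naive, hits_keyed, hits_keyholder, keyed_records


if __name__ == "__main__":
    naive, keyed, keyholder, records = demo()
    print("attacker re-identified from plain hashes:", sorted(naive.values()))
    print("attacker re-identified from keyed pseudonyms:", sorted(keyed.values()))
    print("controller re-identified with key:", sorted(keyholder.values()))
    print("pseudonymised records:", records)
```

The design point is key separation: the HMAC key is the “additional information” that Article 4(5) requires to be kept separately and under technical and organisational controls. If the key is stored next to the data set, the data set is no better protected than the plain-hash version. Rotating the key also breaks linkability with older exports, which is desirable when a retention period expires.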
In the Indian context, the economic implications for Indian companies doing business with the EU, whether in goods or in services, will be significant. The outsourcing model of many Indian IT and ITES companies depends on an unrestricted flow of data between the EU and India and stands to be severely hampered. Exporters of goods to the EU likewise face a strict regime of compliance obligations and penalties. Unless Indian companies act quickly to become GDPR compliant, they risk losing their competitive advantage in the EU market. It is fair to say that, with the GDPR in place, almost every major corporation in the world needs a GDPR compliance strategy.
How Indian Laws are coping up with General Data Protection Regulations (GDPR)
Although the GDPR applies to those who offer products and services to individuals in the EU whether they operate from Europe or outside it, the idea has been gaining ground with authorities around the world. Three developments in India have happened almost concurrently. The first is the introduction by the Government of India of the Personal Data Protection Bill 2019 in the Lok Sabha. The Bill seeks to protect individuals’ data and establishes a Data Protection Authority for that purpose. The Bill covers the processing of personal data by the following entities:
- the government
- companies present in India, and
- foreign based companies dealing with the “personal data” of Indian citizens.
Personal data, as per the Bill, means information about an individual’s characteristics, traits or attributes that can be used to identify them. The Bill spells out the obligations of a data fiduciary, the rights of individuals, the grounds for processing personal data, the treatment of social media intermediaries, the Data Protection Authority, the transfer of data outside India, exemptions, offences and so on.
The second development is Justice K.S. Puttaswamy (Retd.) v. Union of India & Ors. (Writ Petition (Civil) No. 494 of 2012). A retired High Court judge, K.S. Puttaswamy, petitioned the Supreme Court in 2012 challenging the constitutionality of Aadhaar on the ground that it violated the right to privacy. Because earlier decisions had left it unsettled whether privacy was an independent fundamental right under the Indian Constitution, that question was referred to a nine-judge bench. In its landmark judgment of August 2017 the bench held unanimously that privacy is a fundamental, inalienable right inherent in human dignity and liberty under Article 21 of the Constitution, setting the tone for a legal framework of privacy protection in India.
Hence it is only a matter of time before the Personal Data Protection Bill 2019, or legislation on similar lines to the GDPR, receives presidential assent and requires Indian companies to comply.
In the third development, WhatsApp recently filed a petition in the Delhi High Court against the Union Government challenging the applicability of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, which require messaging platforms to identify the first originator of a message. The concern is that the right to privacy and free speech would be undermined.
It is against the backdrop of these contentious issues that Indian companies have to prepare for GDPR compliance.
Checklist & Legal Advice for Indian Companies with respect to General Data Protection Regulations (GDPR)
The GDPR’s entire purpose is to protect the personal data of individuals in the EU. As a result, the law applies to firms that handle such data regardless of whether they are based in the EU or not, a concept known as “extra-territorial effect”.
Under Article 3(1), the GDPR applies to controllers and processors established in the EU, even if the processing itself takes place outside the EU.
Article 3(2) goes further, extending the Regulation to organisations not established in the EU if either of two conditions is met: the organisation offers goods or services to individuals in the EU, or it monitors their behaviour within the EU.
Article 3(3) deals with more exceptional cases, such as controllers not established in the EU but in a place where Member State law applies by virtue of public international law, for example EU embassies.
Therefore, Indian companies dealing with the data of individuals in the EU ought to comply with the following checklist drawn from the Regulation:
- Records of processing activities: Article 30 of the Regulation sets out the details that must be recorded when processing personal data. Paragraphs 1 and 2 list the information to be recorded by the controller and the processor respectively. Both lists are extremely detailed and impose strict recording requirements on both parties. Under paragraph 3 these records must be in writing, including in electronic form, and must be made available to a supervisory authority on request. The information required under paragraphs 1 and 2 specifically covers transfers of personal data to third countries or international organisations, the identification of those countries and organisations, and the safeguards adopted to protect the personal data in such cases. Because “personal data” is defined broadly, a company must first establish which categories of personal data it collects so that it can inform data subjects accordingly. Personal data means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data or online identifier, or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
- Determining whether the company is a controller or a processor: It is crucial to determine whether a company acts as a controller or as a processor, both because this fixes the scope of its responsibility and because this is how it will be held to account. At its simplest, the distinction turns on who decides the purposes and means of processing (the controller) and who carries out processing on that party’s behalf (the processor). The Regulation, however, is highly comprehensive and assigns the controller and the processor specific and different responsibilities and duties. Whether a firm is a controller or a processor is therefore very important. More precisely, the controller decides:
a) which personal data should be collected, and from which data subjects;
b) how the data obtained will be stored;
c) what purpose the data will serve, and what portion of it will be used;
d) the instructions the processor must follow while processing the data.
The processor, by contrast, may process data only on the terms of the contract with the controller (Article 28). It has no authority to use the data for its own purposes, and everything it does must be compliant.
- Updating the privacy policy with privacy notices and consent: To be GDPR compliant, Indian businesses must change their internal procedures. One of the steps they must take is providing notices to, and obtaining consent from, data subjects where consent is the lawful basis relied on. Articles 12-14 and 19 contain the information and notification provisions, and Article 7 sets the conditions for valid consent.
- Updating security incident management processes: The GDPR places a premium on protecting the personal data of individuals in the EU. Article 33 states that in the event of a personal data breach the controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals. A processor must notify its controller without undue delay. The controller is required to document data breaches, their consequences and the corrective action taken. Where a breach is likely to result in a high risk to individuals, Article 34 requires the controller to communicate it to the affected data subjects without undue delay. Certain exceptions to that communication duty are set out in Article 34(3).
- Carrying out a Data Protection Impact Assessment (DPIA): The controller conducts a DPIA to assess the impact of a processing operation on the protection of personal data, particularly where a new processing technology is used or where the processing is likely to result in a high risk to the rights and freedoms of natural persons. Article 35 of the Regulation contains the procedure. Paragraph 3 lists the cases in which an assessment is mandatory, and paragraph 7 specifies what the assessment must contain. Article 36 requires the controller to consult the supervisory authority before processing if the DPIA indicates a high risk that cannot be mitigated.
- Appointment of a Data Protection Officer: The provisions on the Data Protection Officer (DPO) are found in Articles 37, 38 and 39. Article 37 requires controllers and processors to designate a DPO in the cases listed in Article 37(1): processing by a public authority, core activities involving regular and systematic monitoring of data subjects on a large scale, or core activities involving large-scale processing of special categories of data or data relating to criminal convictions. Under Article 38 the controller and processor must support the DPO in performing the tasks set out in Article 39. Accordingly, if an Indian company meets the criteria, whether as a controller or as a processor, it must appoint a DPO.
- Identifying the lawful basis for collecting personal data and how the company intends to use it: Processing is unlawful under the GDPR unless it can be justified under one of the six lawful bases listed in Article 6. Articles 7-11 contain additional provisions on consent, children and special categories of personal data. Examine these provisions, select a lawful basis for each processing activity, and document the reasoning. Under Articles 12-13 you must tell people that you are collecting their data and why, explain how the data is processed, who has access to it and how it is safeguarded. This information should be included in the privacy policy and made available to data subjects at the time their data is collected.
- Transferring personal data outside the European Economic Area (EEA): If personal data is transferred outside the EEA, the controller must inform individuals of this in the privacy policy and specify the transfer mechanism and safeguards relied on to protect it.
- Policy language: Privacy policies should be written clearly and simply, so that individuals with no knowledge of privacy law can understand them. If the website is intended for users from different countries, a translation of the policy into the relevant local languages should be made available.
Consequences for Non-Compliances with General Data Protection Regulations (GDPR)
There is a tendency for Indian businesses to believe that the GDPR is a European notion and hence does not apply to them. However, as soon as an Indian company handles or processes data about individuals in the EU, it is responsible and accountable for it. Although no Indian company has been penalised so far, non-compliance may also cause reputational harm. Some large corporations are ahead of the curve and working towards compliance, yet the prevailing belief is that Indian businesses can work around these obstacles. Since India does not yet have a dedicated privacy law, Indian businesses currently need to comply only with the Information Technology Act, but with the growing clamour for privacy legislation the Personal Data Protection Bill 2019 may soon become an Act they must comply with. For software development carried out under the outsourcing model, the impact of the GDPR will be highest on the IT/ITES industry. Before awarding outsourcing contracts to India, EU corporations will conduct due diligence on the vendor’s GDPR compliance and may decline to contract where it is lacking. It is therefore important that Indian businesses dealing with the EU develop a GDPR compliance strategy at the earliest.
Legal Challenges for the Indian Companies for becoming General Data Protection Regulations (GDPR) Compliant
There are certain challenges that Indian enterprises will face in complying with the GDPR:
- Weak data privacy laws: India’s data privacy laws are weak. India’s outsourcing business, valued at over 150 billion dollars, accounts for almost 9.3% of the country’s GDP. India’s relatively weak data privacy rules make it less competitive than other outsourcing economies in this respect, and the EU has been one of the main customers of the Indian outsourcing sector.
- Cross-border constraints: The GDPR is largely inflexible, limiting organisations’ ability to assess risks and make their own decisions when moving data out of the EU. To receive personal data from the EU, Indian enterprises have to put in place the appropriate safeguards the GDPR requires, raising compliance costs further.
- Risk of penalties and litigation: Article 3 of the GDPR (territorial scope) provides that the Regulation applies whether or not the processing takes place in the EU. Organisations that do not comply therefore risk losing EU business and facing severe penalties, while those that do comply bear significant compliance costs.
Apart from some challenges, there are also an ample amount of opportunities that the companies might have their hands on after complying with the GDPR Regulations:
- Business opportunity: GDPR compliance can be a business opportunity rather than a compliance burden for Indian IT companies serving the EU market, which is their second largest after the US. Instead of seeing it as an additional regulatory burden, Indian businesses should see it as a significant economic opportunity.
- Technology skills: Over the years India has evolved into a technology hub with deep expertise and a competent resource pool. The GDPR may give Indian businesses an opportunity to distinguish themselves as leaders in providing privacy-compliant services and solutions, and so stand out from the rest.
- Supporting regulatory ecosystem: The GDPR’s adequacy mechanism allows the European Commission to assess whether the legal framework of a country to which personal data is to be transferred provides adequate protection to data subjects in terms of privacy and data protection. The Srikrishna Committee’s recommendations for a data protection framework, made in light of current developments and the Supreme Court’s privacy judgment, point to a supporting regulatory ecosystem. It will be interesting to see how the upcoming law takes shape and whether it is in step with the GDPR.
Although there are challenges, as with any new development, in the long term the opportunities available far outweigh the costs.
Legal Advice for Indian Companies General Data Protection Regulations (GDPR)
Indian businesses operating in the EU or providing goods and services to individuals in the EU need to carry out the following tasks to achieve GDPR compliance:
- Carrying out a gap assessment: The organisation should review the data protection controls currently in place (AS-IS) against the GDPR requirements (TO-BE), and identify the resources (skills, funds, expert facilitation) required to bridge the gap. Based on these findings, a clear-cut action plan with milestones should be put in place. This is distinct from, and precedes, the Data Protection Impact Assessments required by Article 35 for specific high-risk processing.
- Ensuring data protection compliance: Internally, designate a person or group responsible for compliance with data protection regulations. Data collected on a documented lawful basis (demonstrable consent where consent is relied on), for a specified period and purpose, must be stored, and where necessary transmitted to third parties for processing, in accordance with all data security controls. The controller remains accountable for all such processing.
- Training of personnel: All staff should receive regular privacy and security training. Data privacy is more than just complying with legislation; building a security culture in the organisation also makes it easier to obtain buy-in for full-scale certification. Annual or semi-annual data privacy training for employees and contractors ensures that everyone is on the same page when it comes to securing the confidential information flowing through the organisation. In the event of a personal data breach, the supervisory authority must be notified within 72 hours of the company becoming aware of it, affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them, and corrective action must be taken.
- Making and following a document retention policy: Frame a document retention policy (DRP) that establishes a structure for handling sensitive material throughout its full life cycle, from creation through destruction. It ensures accountability and dependable record-keeping, and creates a record of the company’s compliance with various regulations. DRPs are common in law firms, but any business benefits from the order they provide. An incident response plan for data breaches is also required.
- Implementing a mobile device policy: Protect and limit the use of sensitive data on mobile devices. Smartphones and tablets, especially with the prevalence of remote work, carry real security risks. Create a policy for staff to follow so that personal data and client information is accessed only over trusted networks, via a VPN, and with the strongest available privacy protections in place.
- Independent verification of the compliance programme: Having an impartial third party assess the programme adds credibility with EU customers. Note that the EU-US Privacy Shield was a self-certification framework for transfers from the EU to organisations in the United States only; it was never available to Indian companies and was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), so a Privacy Shield listing cannot be used to demonstrate GDPR compliance. For transfers to India, the usual legal instrument is the Standard Contractual Clauses adopted under Article 46. Two elements of the Privacy Shield model nevertheless remain good practice: tasking the data-compliance team with a documented self-assessment against each GDPR obligation, and establishing an independent recourse mechanism through which EU data subjects can raise complaints or report breaches free of charge and have them resolved.
- Setting up a supplier security and privacy assurance programme: If the organisation exchanges personal data with a subcontractor or vendor, which is often the case, the third party’s data security, privacy policies and GDPR compliance procedures must be checked regularly. This can be done through a Supplier Security and Privacy Assurance programme that ensures suppliers adhere to established data protection criteria. Such programmes assess the risk of a data breach and set out remediation measures and tactics based on that assessment.
Landmark Cases under the General Data Protection Regulations (GDPR)
- Hamburg Commissioner for Data Protection and Freedom of Information v. Hennes & Mauritz Online Shop A.B. & Co. KG (H&M): On 5 October 2020 the Hamburg Data Protection Authority fined the apparel company H&M €35,258,707.95, at the time the second-largest GDPR fine ever. Among the breaches was the monitoring of several hundred employees, including the recording of details of their private lives and health. H&M was found to have breached the GDPR’s data minimisation principle, under which personal data, and in particular sensitive data such as health and beliefs, must not be processed unnecessarily.
- Google v. CNIL: In January 2019 the French supervisory authority CNIL fined Google LLC €50 million for insufficient transparency towards users and for relying on consent to personalised advertising that was neither sufficiently informed nor specific and unambiguous. Google appealed, and in June 2020 the Conseil d’État, France’s top administrative court, rejected the appeal and upheld the fine in full. (Case C-507/17, Google LLC v. CNIL, is a separate ruling of the Court of Justice of the EU from September 2019 on the territorial reach of the right to be forgotten, in which the Court held that a search engine is not obliged under EU law to de-reference results on all versions of its service worldwide.)
Legal Remedies under the General Data Protection Regulations (GDPR)
One must understand that the GDPR does not differentiate between companies, large or small, as far as compliance is concerned. However, Articles 85-91 allow Member States to adapt, or provide derogations from, parts of the GDPR for specific processing situations, including:
a) processing for journalistic purposes and freedom of expression and information (Article 85);
b) public access to official documents (Article 86);
c) processing of employees’ personal data in the employment context (Article 88);
d) processing for archiving in the public interest, scientific or historical research, or statistical purposes (Article 89).
Even where such a derogation applies, it should not be treated as a licence to exploit the data. The controller or processor should continue to keep the data safe and meet the remaining requirements of the GDPR.
Accordingly, a company, small or large, that believes it falls under one of these derogations should examine the relevant national provisions thoroughly before relying on them, in order to avoid heavy penalties.
Keeping in mind the Latin maxim “ubi jus ibi remedium”, where there is a right there is a remedy, the GDPR provides remedies to data subjects who consider that their privacy rights have been violated through non-compliance.
- Right to complain to a Data Protection Authority (DPA): Data subjects who think their rights have been violated may first ask the controller to rectify the situation. If they do not obtain a satisfactory response, they may lodge a complaint with the appropriate national DPA. Under Recital 141 and Article 77, data subjects have the right to lodge a complaint with a DPA in the Member State where they live or work, or where the alleged infringement occurred. The DPA must keep the data subject informed of the progress and outcome of the complaint.
- Right to a judicial remedy: If the data subject is dissatisfied with the DPA’s handling of the complaint, he or she may bring proceedings before a national court. Under Recital 143 and Articles 78-79, data subjects have the right to an effective judicial remedy against a legally binding decision of a DPA concerning them; where a DPA does not handle a complaint or does not inform them of its progress or outcome within three months; and against a controller or processor that processes their personal data unlawfully. The data subject may also claim compensation under Article 82, which is separate from any administrative fine imposed by the DPA.
- Compensation and liability: Under Recitals 146-147 and Article 82(1), (2) and (4), any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor. Both controllers and processors are liable under the GDPR, and where more than one is involved in the same processing each may be held liable for the entire damage.
- Penalties and criminal sanctions: EU Member States may also establish their own rules on criminal penalties for GDPR infringements. In practice, as under the former Directive, there are likely to be discrepancies in the implementation of sanctions because of differences in national legislation. Depending on how Member States interpret and exercise that power, criminal consequences for unlawful processing of personal data pose a considerable risk to organisations. Under Recitals 149 and 152 and Article 84, Member States may lay down additional penalties for infringements not already subject to administrative fines, and it is for the Member States to decide what those penalties are.
GDPR compliance has become especially crucial in light of the severe fines for non-compliance. Under Article 83, infringements can attract administrative fines of up to EUR 10 million or EUR 20 million, or, in the case of an undertaking, up to 2% or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, depending on which provisions are infringed. This is apart from compensation claims by data subjects. It is very likely that EU companies contracting with Indian companies will insist on GDPR compliance as part of their standard contractual clauses.
The Indian government is also working to establish a stronger regulatory framework for data protection and privacy. Perhaps the time has come for human life to be lived with data dignity; that moment may be closer than it appears.
Authored By: Adv. Anant Sharma & Swayamsiddha Das