We have many times through these columns urged the Justice Srikrishna Committee which is drafting the new Data Protection law for India to ensure that an “Umbrella Protection” is provided to Indian Companies from being unfairly targeted under EU GDPR by EU Companies and EU data protection regime.
As we approach the D-Day, 25th May 2018 when GDPR will become operational, many companies in India are getting into a panic mode on the impact of GDPR on their business. The indications are that the companies think GDPR applies to all their activities and this is leading them to believe that they need to take many actions which they are not bound to do. Partly this panic is being induced by US companies who engage Indian Data Processors for part of their processing activities. In the process many of the Indian companies are revising their business contracts to meet the GDPR requirements as they perceive endangering their own and the country’s business interests.
These contracts typically contain indemnity obligations which includes compensation payable for any loss caused to the vendor. Since this is likely to include the administrative fines under GDPR, Indian companies may be forced to underwrite the GDPR obligations of international companies though their revenue share is only a part of the entire industry revenues.
There is a national interest involved in ensuring that unfair and unconscionable liabilities are not introduced into the data processing contracts that Indian Companies are forced to enter into.
These contracts are “Dotted Line Contracts” and need to be fairly constructed. However, in practice, it is difficult to expect Indian companies to resist the signing of such contracts because of the business relationship considerations.
It is therefore necessary that Indian legislation provides a protection to such companies in the national interest.
One option available to us is that we are about to draft our own Data Protection laws and this will provide an opportunity to define a grievance redressal mechanism by which it should be made mandatory for international contracts for data protection to be pre-approved by the Indian Data Protection Authority without which no liability may be imposed on Indian entities.
GDPR itself recognizes that some of the member states may not permit imposition of administrative fines and has suggested that suitable alternate measures may be provided in the member state laws. [Refer Article 83(9)].
Indian Data Protection Act should also incorporate equivalent protection so that any payment of fines under GDPR data processing contracts shall be considered void unless it is approved by the Indian law.
Though the GDPR should be interpreted as a law applicable for “Activities in EU”, there is an attempt to interpret it as a “Global Law” and let EU determine the law for other sovereign countries. I am not sure if EU is really that arrogant to assume that in the 21st century, other countries will tolerate the EU legislate the activities that take place outside the EU even if the intention is laudable. But many in India are more loyal than the king and when required to bend are happy to crawl. This tendency should be resisted.
Though Article 2(2) clearly admits that
“this regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law”
many analysts are interpreting as if under Article 3(2), Controllers and Processors not established in EU are also subject to the regulations without any restrictions.
Some non EU companies are falling into the trap of Article 24(3) and thinking that they need to appoint representatives in the EU without recognizing that the act of appointing a representative itself brings them under the EU jurisdiction even if otherwise they are not.
Indian Companies need to avoid voluntarily jumping into the jurisdiction of EU and dragging liabilities which EU law making body has no authority to make.
(Refer article here where the GDPR scope is discussed in detail by one analyst…. very informative and indicative of the perceptions of the global community)
Welcoming the Vasco Da Gama
Unfortunately, it appears that there is no adequate attempt made by NASSCOM or DSCI in advising the Indian Companies properly to ensure that their interests are protected.
On 25th May 2018, there is a high profile event organized in New Delhi as if Indian wants to celebrate the GDPR. EU commission representatives are expected to participate in this along with DSCI, NASSCOM and Government officials.
Even Justice Srikrishna is likely to attend this event and speak.
As a result of the participation of NASSCOM, DSCI, and Justice Srikrishna, it would appear as if India is endorsing GDPR.
To me this appears to be similar to Indians who welcomed Vasco Da Gama to India without realizing that it was the beginning of the colonial rule which extended for centuries there after with all kinds of economic pirates entering India including the French and the British.
Now, a similar danger seems to be in front of us in the form of GDPR. Indian companies need to be protected against unfair incidence of GDPR and prevent this being used for building an economic colony in India by EU companies.
Even if at present GDPR appears to be only a Privacy protection legislation and a good “Standard” which can be adopted as an industry practice, we must realize that adoption of GDPR will be followed by GDPR Codes and Certifications approved by the Supervisory authorities of EU countries.
These GDPR Certification process will replace ISO standards and create a huge business potential for GDPR related security services and products.
I must disclose that I could be one of the beneficiaries of such a development since I may be providing consultancy and educational programs in the area and also is working on a patent pending software which should help Indian companies in compliance. However, in the interest of the community, it is necessary to raise a red flag against GDPR turning out to be an instrument of exploitation of Indian Business interests.
I request that EU should refrain from projecting itself as the Privacy saviour of the world community and avoid going overboard with the “Extra Territorial Jurisdiction” of its laws. If they desire to use GDPR for expanding their business network, then they need to enter into a Business treaty with Indian Government ensuring that there is a fair exchange of mutual benefits.
Since it appears that our IT Ministry might not have realized what Indian data processing industry is walking into in the guise of GDPR, I urge Justice Srikrishna to step in and introduce suitable provisions in the proposed Data Protection Act so that our national interests are not undermined with the application of GDPR directly or indirectly to the IT operations in India.