As the D-day for GDPR (25th May 2018) approaches, many Indian companies are busy preparing to implement GDPR in their processing activities. At the same time, most Indian companies are also asking how the GDPR provisions would be made applicable to them by the respective EU authorities, and whether the EU authorities are likely to pass orders against an Indian company at any time in the future and impose liabilities.
GDPR is essentially a Data Protection law with a penalty clause: non-compliance can attract a penalty which, as we all know, is huge. But being a law of the EU, it does not have direct enforcement jurisdiction over Indian companies.
Article 3 of GDPR has created extra-territorial jurisdiction as follows.
GDPR is applicable “regardless of whether the processing takes place in the Union or not”:
1. Provided the “processing activity” is related to the offering of goods or services to data subjects in the Union
2. Provided the “processing activity” is related to the monitoring of their behaviour as far as the behaviour takes place within the Union
This is similar to ITA 2000/8, which also has extra-territorial jurisdiction (Section 75 of ITA 2000/8), and to many other cyber crime laws across the world. The provision gives a legal long-arm jurisdiction, but it is not feasible for EU authorities to extend enforcement jurisdiction to, or conduct direct audits of, Indian companies unless the Indian entity is part of an EU company.
However, EU-based Data Controllers will, in their contracts with Indian Data Processors, have “implementation of Privacy and Security provisions as per GDPR” as a necessary condition, and also an “Indemnity Clause” to make the Indian company liable for “any loss that may arise due to any act attributable to the Indian company that may result in either a penalty imposed under GDPR or by any other judicial authority”.
Hence, more than the direct impact of GDPR on Indian processors, it is the contractual liabilities that the Data Controller imposes on the Data Processor that will determine the liability of the Indian processor.
If there is a possibility of any liability arising on the Indian Company, there is a need for the Board of Directors to make an assessment and disclose the risks that may arise in the next Financial year 2018-2019.
GDPR also mandates a Data Protection Impact Assessment (DPIA) which is an obligation of the Data Controller. If there has been a DPIA conducted by the Data Controller, the Data Processor will be presumed to be aware of the DPIA. Hence the management needs to take note of the DPIA results and admit knowledge of the risk associated with the processing.
From the point of view of an Indian Data Processing company, therefore, the moment it accepts a contract which has a GDPR stake, the liability risk attached to it needs to be assessed and a value assigned. The company also needs to undertake risk mitigation measures and determine how much of the risk has to be absorbed after mitigation, avoidance and insurance.
So far, Indian companies have never made an assessment of the financial risks that may arise on account of legal risks. Had they done so, companies would have estimated the risks even for non-compliance with ITA 2000/8 and made adequate disclosures and provisions. In the case of GDPR, however, the risks are high and are documented through the DPIA process. Hence the potential liability cannot be swept under the carpet.
Whether the absorbed risk is small or even zero, it would be obligatory from the point of view of Corporate Governance that Indian companies disclose their “GDPR Risk Liability” in their shareholder disclosures from the immediate next financial year.
We need to wait and see whether these companies will be compliant to this requirement or not.