Data Processor’s Association of India needed for Compliance without Destruction

The earlier article on GDPR entry into India being like a Vasco Da Gama discovery of India, has attracted some interesting reactions from some industry professionals.

While we may accept that the intention of GDPR is to protect the Privacy of natural persons and therefore there are “Data Subject’s Rights” including “Right to Erasure”, “Right to Access”, “Right to Data Portability”, “Right to Restrict processing”, “Right to Correct” etc., we must point out that any attempt to impose the regulation unilaterally on Indian Citizens is to be resisted because it is a question of the sovereignty of the Country.

I consider that GDPR has provisions which recognizes that other countries including the EU member countries may have over-riding provisions in their national interests, it is the intermediary analysts who are confused and spreading a message that GDPR is applicable to all companies and to citizens of all countries etc.

We need to therefore fight against the “Self Subjugation Mentality” of some consultants to give a larger than life importance to the EU legislation.

While laws can have extra territorial jurisdiction built into it as an “Enablement”, its implementation is subject to the acceptance of the other international Governments by way of a treaty.

Hence as long as there is no specific treaty between India and EU to implement GDPR, Indian Companies are not directly liable under GDPR.

However, ITA 2008 is a local law. DISHA 2018 would be another law of India and Data Protection Act of India when passed (Justice Srikrishna Law) would be a law of India which needs to be implemented in India.

At the present juncture, the GDPR provisions can be extended to Indian Data Processors only through the Data Processing Contracts that are signed between the Indian Data Processors and their international business partners. When Indian companies sign on blank indemnity provisions without  an upper limit to the liability, they would be confronted with contractual disputes in due course if there is any claim by the international partners. Additionally, under the provisions of GDPR, Data controllers are empowered to literally extract the trade secrets of the data processors and if the Data Processors donot realize and resist, they will be subject to business secret disclosures and searching technology audits by external agencies which will hurt the business interests in the long run.

Further many of the provisions of GDPR are simply un-implementable since they are not conceived correctly though some provisions to by-pass the un-implementatble provisions is built-in. However, when there is a conflict, EU Supervisors and Courts may take a partisan view against Non Resident Companies and disallow any attempt to use special provisions that may look like an attempt to bypass the popular perception of a privacy protection provision.

In such a situation, I would have expected industry bodies such as NASSCOM and DSCI to have come up with proper guidance to the Indian Companies particularly the SMEs in the Data Processing segment.

However, by organizing a “Welcome GDPR” event in Delhi on 25th May 2018, the Government of India has indicated that it may fail to show the required concern for the welfare of the Indian Data Processors particularly in the SME sector who donot have a voice in NASSCOM or DSCI.

There is a possibility however remote it is that GDPR will be used by EU based businesses to squeeze the sweat out of Indian processors without commensurate reward. One notice from the business partner to show cause why they should not invoke an indemnity provision in the contract would render an Indian processor succumb to any pressure to reduce the price to levels where data processing for EU data will no longer be sustainable.

Slowly, EU will impose its own Certification bodies and Approved Codes which Indian processors will be forced to buy and adopt and Indian Data Processing industry will be subjugated into a Data processing colony of EU.

US will be in a similar situation but will because of its economic muscle, wriggle out of the vice  grip of the EU GDPR through a new version of Safe harbor or Privacy Shield or Standard Contract clauses supported by the strong US Courts.

But in India we are unlikely to have similar support from the Government and the current industry associations. The only saviour I see is in Justice Srikrishna Law where some provisions can be incorporated which will not allow such international hagemony. Hence my earnest appeal to the Srikrishna Committee. I am aware that the committee is dependent again on DSCI and NASSCOM for advice but Mr Srikrishna should have an independent mind of his own and can see through any attempt to dilute the soverign rights of India in resisting the attempt of international regulations undermining the freedom of existence of Indian companies through unfair legislation and unfair implementation.

It is in this context that I urge the SMEs in the Data Processing Industry in India to secure their interests by forming their own association and develop a collective strength to be heard in India and abroad.

In case Justice Srikrishna Committee does not propose the necessary protective measures within the legislation, it would be necessary for the association to seek changes. Instead of waiting for the draft to be released before crying injustice, it is preferable that the industry moves now and before the imposition of GDPR on 25th May 2018, develop a collective strategy to ensure that the Indian Data Processing Industry is not unduly harassed. The Association should move towards developing its own “Privacy Protection Codes” for implementation in the Data processing environment for Indian Citizens and Non Indian Citizens and show to the world that India can respect Democratic norms without challenging the sovereignty of another country like what GDPR proposes to do.

If we donot act now, India will face self destruction of the Data Processing business segment in India and it will be happen with the help and assistance of many Indian industry establishments and associations who may think that they are globalizing the Indian data processing industry and cornering business opportunities.

I Request Justice Srikrishna as well as Mr Ravi Shankar Prasad to respond to the concerns expressed here and assure the citizens of India that their interests would not be undermined.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.