Thinking about the proposed amendments to ITA 2008, my attention was today drawn to the “General Data Protection Regulation (GDPR)” which is the new Data Protection Regime being promoted by the European Union. Europe is known to be in the forefront of protecting the “Privacy” of individuals and has often crossed swords with even US when it comes to enforcing its Data Protection Regime in the information world.
The GDPR which is replacing the EU Data Protection regulation of 1995 has already come into existence with its adoption in 27th April 2016 and application from 25th May 2018 after a two year transition period.
The GDPR attracts attention across the globe and particularly the Indian community in view of its unrealistic penalty regime and the arrogance with which it is sought to be enforced.
For example, it is proposed that “Non Compliance” could result in penalties of upto 4% of Global Turnover of a company or €20 million (approx Rs 146 crores) whichever is greater. The regulation applies if the data controller or processor or the data subject is based in EU. If the regulation had used the term “if the data controller, the processor and the data subject” are all based in EU, it would have been a reasonable regulation. But expecting the regulation to be applicable to companies outside EU is inviting international litigation that could cause extreme disruption in global business.
Indian IT Companies should be more worried about this than the changes in immigration laws that may be brought in by the new US President.
Even if there are any doubts about the jurisdiction of EU Courts on non EU country resident companies, it is evident that contractual obligations between EU Companies and the non EU entities will hoist liabilities and indemnities for non compliance and hence if any Indian Company wants to do business with EU countries involving processing or storing or transmission of personal data from the EU residents, GDPR would be considered applicable. Hence the 4% Global turnover penalty will loom large on such companies.
This tendency of one country trying to impose its law on another country is most relevant for the borderless Cyber Economy. We have seen how US has imposed its jurisdiction on Dmitry Sklyrov of ElcommSoft and innumerable litigations on cross border Cyber crimes. While the need for controlling Cyber Crimes and Cyber terrorism has established the need for cooperation between multiple countries with or without underlying treaties, there is a tendency in the IPR and Data Protection regulation to use the international jurisdiction to unreasonable levels.
GDPR is emerging as the next threat in this direction.
I therefore urge the ITA 2000 amendment committee to recognize that we cannot allow unrestricted international hegemony to play over the Indian regime and threaten the growth of E Business in India.
I therefore propose that in the new ITA 2000, a proposal is made to establish an ” International Cyber Law Regulator for India” who will be the sole authority to adjudicate if in any specific instance international jurisdiction should be allowed. This regulator need to work as a gateway to ensure that unreasonable international regulation does not hurt Indian interests while at the same time not preventing any reasonable compliance regulations promoted by international organizations to be complied with even in India.
The authority should register Indian players who would like to be protected under any international regime passing laws that may affect the Indian entities and manage the information flow in respect of all “Compliance related regulations”. At the same time, it should be mandated that any international organization that wants to take legal action against an Indian Citizen or Organization should have first registered their international legislation with the authority and obtained its consent to make it applicable to Indians and also route any complaints of non compliance entirely through this regulator.
This regulatory authority can be a multi member authority and not the CERT IN. It should have people who know Cyber law and International Law besides Technology and the compliance regime.
This authority would be a protective umbrella that provides some relief to the Indian entrepreneurs to focus on their business rather than watching over their shoulders for all the international laws many of whom are only meant to be self serving for the advanced countries to build their colonies of influence using information technology as an excuse.