Territorial Scope of GDPR and UK DPA 2018

Posted on May 29, 2018 by Vijayashankar Na

There is a mis-perception prevailing in some sections of IT industry in India that  “GDPR is applicable to India” without recognizing that its applicability is subject to certain conditions. This needs to be dispensed with at the earliest.

One of the frequent questions asked is

if we encounter an EU Citizen in India and its business, am I liable for GDPR?

If so should I appoint a representative in EU?

The answers to these questions are to be given only with reference to the context and not absolutely.

For example, GDPR is applicable to EU Citizens in the context of their activities in EU. In the case of EU Citizens in the context of their activities in India, GDPR is not applicable.

If a company in India is monitoring the behaviour of an EU Citizen in respect of his/her activity in EU, or offering any goods and services to the EU Citizens in EU, then GDPR may be applicable. But if the processing involves an “Occassional Interaction” with the EU Citizen, then  GDPR is not applicable.

Therefore, If an EU citizen walks into a mall in Bangalore and gives his credit card for buying a product, it is not a case that falls under GDPR. If an Indian maintains a website and a EU person visits it, then also it should not ordinarily fall under GDPR. Only when a service is specifically targeted to an EU person, GDPR may become relevant.

The above inference can be drawn from the following articles:

Article 2(2): This Regulation does not apply to the processing of personal data…  in the course of an activity which falls outside the scope of Union law;

Article 3(1) :  This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Article 3(2);

This Regulation applies to the processing of personal data of

data subjects who are in the Union

by a controller or processor not established in the Union,

where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

In the case of data processors in India who process data sent to them by another entity established in the EU, that entity would be the Data Controller and is liable for compliance of GDPR. The Indian entity is only liable to it’s contractual bindings with the data supplier.

GDPR is badly drafted in this respect as it uses the ambiguous words “Data Subjects in the Union” without specifying if it is restricted to EU Citizens or every body else who at the time of collection of data are within the boundaries of EU.

However, those who are not “Residents” of EU cannot be considered as coming under GDPR since their encounter with the data collector will be only “Occasional”. Since the power of EU and the mandate is to make laws for Eu Citizens, it is unclear how it can extend to other citizens. Similarly when a EU Citizen is travelling in another country under a VISA and is bound by the laws of that country, it is unclear how GDPR can extend to his activities outside the EU>

UK DPA 2018

UK DPA 2018 extends the GDPR blindly, and therefore also extends the unclear aspects of GDPR. But when defining the direct incidence of DPA 2018, UK DPA is a little bit more clear.

Article 207 of UK DPA 2018 states as follows:

207 Territorial application of this Act

(1) This Act applies only to processing of personal data described in subsections (2) and (3).

(2) It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or
not the processing takes place in the United Kingdom.

(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—

(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—

(i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects’ behaviour in the United Kingdom.

(4) Subsections (1) to (3) have effect subject to any provision in or made under section 120 providing for the Commissioner to carry out functions in relation to other processing of personal data.

(5) Section 3(14)(c) does not apply to the reference to the processing of personal data in subsection (2).

(6) The reference in subsection (3) to Chapter 2 of Part 2 (the GDPR) does not include that Chapter as applied by Chapter 3 of Part 2 (the applied GDPR).

(7) In this section, references to a person who has an establishment in the United Kingdom include the following—

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of the United Kingdom or a part of the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of the United Kingdom or a part of the United Kingdom, and

(d) a person not within paragraph (a), (b) or (c) who maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom, and references to a person who has an establishment in another country or territory have a corresponding meaning.

In the above article, para 3(a) states as follows:

(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,

This provision is ambiguous since it does not specify clearly that it refers to the Controller or Processor who is established in EU and gets his data processed elsewhere. DPA 2018 is not a law which is directly applicable to a company established in another country under a different law and this has to be recognized while reading this article.

Para (7) is however welcome as it explains which are the organizations which are considered as “Established in EU”.

Section 3(b) also clarifies that “In the UK” is to be interpreted as “At the time of processing”.

It is unfortunate that both GDPR and the UK DPA are drafted inadequately and puts needless doubts in the mind of technical persons not well versed in the legal aspects. It is not clear if this is deliberate.

I presume that Indian DPA will provide the necessary clarification when it is drafted and establish the sovereignty of the Indian Government to make laws for its companies and not allow EU and UK to think that India is still their colony.

Naavi

Posted in Cyber Law | Tagged , , | Leave a comment

Are Privacy Laws Getting bigger than Cyber Crime Laws?.. Is Profiteering replacing deterrence principle in law making?

Posted on May 27, 2018 by Vijayashankar Na

GDPR has changed the landscape of Cyber Laws by redefining the priorities of Cyber Laws. So far the concern of the society was mostly on “Preventing Damage to a Citizen” through Cyber Crime laws. This was achieved by defining certain actions as “Contraventions” and/or “Offences” and imposing a “Civil Liability to pay compensation” or treat it as a “Criminal Offence” in which the perpetrator of the crime will “Pay penalty to the Government and face imprisonment”.

“Unauthorized Access” to data was therefore considered as a Cyber Crime and if the person who caused a wrongful loss through an act which contravened the law was asked to pay compensation for which the victim had to prove the extent of damage suffered. If the unauthorized access was intentional and had a “Malicious intent”, it was considered as a “Crime punishable with imprisonment and fine”. Criminal action was a state action and intended to be a deterrent. Civil action was meant to recover the loss suffered by the victim.

When unauthorized access was accompanied by “Data Theft”, “Data Deletion”, “Data Modification”, “Impersonation”, “Cheating”, “Profit making” etc, the crime was considered a higher order crime and the punishment could be harsher. But the civil damages always were based on the actual loss suffered by the victim which he was supposed to prove during the trial.

The Cyber Crime laws focused on providing deterrent punishments that were commensurate with the gravity of the crime and easy grievance redressal procedures through fast court systems, simplified procedures etc.

India provided such measures through ITA 2000 in which “Adjudication” was provided as a fast Court system to compensate the victims of cyber crimes. ITA 2000 was a representative of the first generation of Cyber Crime laws where the target was to provide protection to a victim of Cyber Crime.

Out of necessity, the first generation Cyber Crime laws did address the responsibilities of an “Intermediary” and need for the intermediary to take suitable “Due Diligence” steps to make it harder for criminals to benefit and if they do, provide suitable evidence to the law enforcement to bring the culprits to book. Section 85 and Section 79 in ITA 2000 were meant for this purpose.

In the second generation of Cyber Crime laws represented by ITA 2008 (Amended version of ITA 2000) apart from defining more Cyber Crimes, were fundamentally different from ITA 2000 since there was a greater emphasis on the role of “Information/Cyber Security”. For example, ITA 2008 introduced data protection clauses such as Sections 43A and 72A providing civil and criminal penalties if “Personal/Sensitive personal data” is not protected adequately by a data processor, which term included the Data Controller or Data Consumer or a Data Collecting agent. There were also Data Retention provisions under Section 67C, Regulatory powers to different authorities under Sections 69, 69A ,69B and 70B which represented the requirements of national security and law enforcement requirements.

ITA 2008 was stringent enough in terms of “Non Compliance” but the penalties were not in the form of huge financial penalties that the regulator would collect but in the form of huge imprisonment terms that the act provided for.

GDPR and UK DPA 2018 represent the third generation of Cyber Laws where more than the crime itself, prevention is considered as a greater responsibility and intermediaries will be subject to penalties that could be crippling.

GDPR raises a concern about the power of a “Supervisory Authority” to pursue penalties arising out of non compliance to the extent of 4% of Global turnover of an undertaking which has no relation to the actual damage that the data subjects might have suffered due to the non compliance.

ITA 2008 on the other hand has upto 7 years punishments in the case of Sections 69 and 69A, 3 years under Section 69B and 1 year under 70B. The penalties were in the range of upto Rs 1 lakh or left unstated.

Though the criminal punishments under ITA 2008 are huge, the Courts would evaluate the crime and arrive at the actual punishments both in terms of the imprisonment and the fine. Indian Courts provide enough opportunity for the accused to seek justice based on the actual facts of a case.

However, GDPR has now placed a power to impose a billion dollar fine on an executive and even in cases in which the non compliance can be technical and may not result in significant damage to the citizens whose privacy right is what the act tries to protect.

It appears as if the “Non Compliance” of a regulatory provision is a greater offence than an actual Cyber Crime in which some body is cheated of a million dollar.

This is a wrong prioritization in the justice system where the “Failure to implement Crime prevention” is considered a bigger crime than what the “Criminal” has committed.

An example is to impose an imprisonment of life term to a Security guard who forgot to lock the gates of the godown from which the thief stole some valuables while the thief himself is punishable for an imprisonment of two or three years.

EU authorities may justify their action by stating that the penalty provision in EU is just an enabling provision and would not be imposed in a manner that is unfair.

But there was no need to place such a stringent provision without any checks and balance?. It would have been better to leave the larger amount of penalty to the Courts instead of the executive. GDPR has failed in this regard to have a fair legislation.

We may recall that ITA 2008 has placed a Rs 5 crore cap on the power of the Adjudicator and left the higher penalties to the discretion of the Courts. But EU did not provide for such checks and balances before indicating a threatening level of penalties.

It appears that the Regulators have started considering the penalty provisions as an opportunity for “Profiteering” rather than as a deterrent.

This could well be the tendency of the new generation of Privacy Protection Laws which are actually one part of Cyber Crime laws applicable only to the mis-use of one type of data called “Personal data”. Every data theft is also a cyber crime and there is already a legal penalty for the same. The administrative fines are just one of the penalties that may be imposed on an intermediary in respect of a Cyber Crime and should not ideally be more damaging than the punishments meant for the cyber crimes.

Let’s forget the European Laws since EU is unmindful of the damage they are doing to their own business fabric through such crazy penalties. India is now considering its own Data Protection Law which Justice Srikrishna is in charge of drafting.

We need to watch and see whether Justice Srikrishna Committee would be falling into the trap set by GDPR and the UK DPA 2018 and make data protection legislation over power the Cyber crime laws or keep it as a subordinate law to the Cyber Crime law as it should normally be.

Many suggestions have been made to the Committee in this regard and we need to watch the developments so that India can show to the world of how to frame data protection laws which are fair to all stake holders.

India should also remember that GDPR is a terrorist friendly and Criminal friendly regulation and India cannot afford to toe its line. Hence Right of Erasure must be avoided and Right to restriction and correction should be moderated with appropriate data retention protections. These are required in the interest of national security which GDPR has ignored but we cannot.

Naavi

 

Posted in Cyber Law | Tagged , , | Leave a comment

GDPR Exclusion

Posted on May 26, 2018 by Vijayashankar Na

GDPR Exclusion

It is declared that Naavi.org follows the principles of Privacy protection under Information Technology Act 2000 as amended from time to time and where there is a conflict with any other international law or guideline, the provisions of ITA 2000 shall prevail.

In particular, Naavi.org does not subject itself to the administrative jurisdiction of GDPR and any data subject who intends to be protected by GDPR and not ITA 2000 shall not use any of the services of this site or its networked sites.

Any claims made under non-ITA 2000 statutes or regulations regarding privacy protection or otherwise are unacceptable and may be deemed as maliciously intended.

Naavi

Posted in Cyber Law | Leave a comment

Tame the monster of GDPR

Posted on May 26, 2018 by Vijayashankar Na

GDPR has come into effect since yesterday along with the UK Data Protection Act 2018. Together these legislation are completely changing the IT business landscape in India.

Already an Austrian Data Privacy Activist Max Schrems has launched three complaints worth a total of Euro 3.9 billion against Facebook, WhatsApp and Instagram through regulators in Austria, Belgium and Germany.

More such insane legal action will follow.

These actions elsewhere in the globe will also have ripple effects in India which is the back end processing center for a large part of personal data processing. To a corporate entity, they can be devastating. Defending such cases particularly in foreign countries could be expensive and it would increase the cost of doing business.

Indian Companies need to be therefore extremely concerned with the damage that motivated activists can do to their business both to boost their ego as well as an instrument of blackmail.

While it is the legitimate right of any individual or an activist to seek legal recourse for any grievance real or imaginary, Courts and Regulatory authorities need to remember that law is there for the benefit of people in general and that “People” include “Legitimate Business”.

But we have to admit that when a primafacie case is made out, the Courts have no option to launch a trial and that itself is a burden on the business.

The first line of defense for Companies is to present it’s case properly to the regulatory authorities so that unfair litigation is killed in the bud.

Knowledge is the tool for such defence and every company and the CEOs and Directors should themselves be reasonably aware of the provisions of data protection laws so that they can ensure that their legal teams find out appropriate solutions to problems that may arise.

I therefore urge the top management team in business to go through an awareness program for themselves before taking action on the basis of recommendations from different consultants and being swayed by the media which will sensationalize most of the issues.

In this direction, Naavi has launched a new online training program on GDPR through Apnacourse.com. I hope it would be of use to companies in first acquiring some basic understanding of GDPR as a regulation and then take steps in compliance.

This online program may not be an end in itself but can be the beginning of a journey in understanding the intricacies of data protection laws essential to protect the existential interest of business.

Naavi

 

Posted in Cyber Law | Tagged , , | 1 Comment

Today is GDPR Day… Love it or hate it, you cannot ignore it

Posted on May 25, 2018 by Vijayashankar Na

Today is 25th May 2018. EU is still waking up to this D Day while India is already awake. There is no doubt that today will be considered a historic day in the Data Protection industry since EU GDPR is coming into effect from today.

Two years back the regulations were announced and the dead line was set. But mot companies continued to be complacent. Naavi started actively urging the Indian industry to respond by first opening the Privacy Knowledge Center in September 2016, and following it up with the GDPR Knowledge Center in February 2017.

Since then several articles have been published under www.privacy.ind.in as well as www.naavi.org highlighting the positive and negative features of GDPR.

However, the industry woke up only in the last six months when they saw the potential impact of a huge penalty for non compliance envisaged under the Act and the perception that it may become applicable even for entities outside EU.

During the past one year, since India is itself discussing its own Data Protection law under the Expert Committee Chaired by Justice Srikrishna, I have been urging the committee to ensure that Indian Data Processing industry is provided a protective umbrella in terms of the unreasonable penalties that may be imposed consequent to GDPR and the contractual commitments that Indian Companies may undertake in their anxiety to preserve their business. I have also raised the concern that Indian shareholders of such companies may be adversely impacted if they sign uncapped indemnity clauses that may provide for transfer of liability of their business partners.

I have also expressed my displeasure that EU has drafted the regulations in such a manner that it can be mis-understood as a global law and create a sense of fear amongst the data processors outside EU.

To some extent this sense of fear may not be warranted and I am sure that if challenged, EU will defend and say their law does not impose itself on other countries. But the fact is that perceptions some time cloud the reality and if we do a survey of Indian companies, we find that most IT professionals think that GDPR is mandatory for them.

In the meantime, UK has come up with its own DPA2018 which is perhaps of a greater concern to Indian companies since most Indian companies have established physical presence in UK even to take up business in EU and hence DPA 2018 is applicable to a much larger number of Indian companies. UK law by trying to extend GDPR as part of its own law, creates some additional burden that is beyond GDPR.

All this means that the cost of IT business in India is going up and Indian Companies need to ensure that they donot take up GDPR compliance entirely at their cost and try to load part of it on their international customers.

While I have indicated that in order to effectively defend against the impact of GDPR (and now add UK_DPA2018), industry needs to organize itself and SME data processors as well as Data Protection Professionals need to create some sort of collective bargaining power by creating self interest groups, I have also recognized that GDPR will be also creating business opportunities of different kinds for professionals.

In all such situations, the first industry which will benefit is the Education Industry. Infact, the career of the undersigned itself took off with Cyber Law College when ITA 2000 was enacted and later added consultancy. Similarly, GDPR will also create opportunities for the training industry. Already we have seen people from EU and some enterprising local professionals conducting training programs and charging a bomb. The GDPR itself may give further boost to some of them by creating a “Certification Mechanism” which will provide a false sense of privilege to some organizations established in EU which can claim “Accredited with the Supervisory Authority of …”.

Naavi believes that what is important is “Education” in which we become more knowledgeable. Certifications will follow. Certification without transfer of knowledge is not going to benefit professionals and could actually create traps where a professional may grow to his level of incompetence as Peter’s Principle suggests.

Naavi’s Cyber Law College in association with Apnacourse.com will be launching a training program on GDPR which will go online today to mark the formal coming into effect of GDPR.

(A Link to the course is available here)

The Course will contain about 7 hours of video lectures spread over around 18 modules. Probably this needs to be updated from time to time since this space is dynamic. Even the interpretations under GDPR itself will undergo some changes once the EU Data Protection Board becomes more active. Just as we have updated the Cyber Law Course on Apnacourse.com when some major changes occurred, this course will also undergo some updations from time to time. Presently the Course is being presented for knowledge enhancement. In due course Cyber Law College may introduce a certification of its own to provide recognition of “Course Completion” and recognition of passing a “Basic Awareness Test”.

Cyber Law College and Naavi in association with Apnacourse.com and otherwise would be conducting offline corporate training programs also so that awareness of GDPR would not be a matter of deficiency in the Indian industry.

Implementation is ofcourse a choice that the industry players may have to decide based on their own risk appetite. But I would like to caution the industry that they should not allow the international competitors to use lack of awareness or compliance of GDPR as an excuse to shift outsourcing business from India to elsewhere. For this purpose they need to incorporate a plan of action where by they can provide confidence to all their customers that they are aware of and are compliant with GDPR though we may  assert our “legitimate Interests” and “Application of Local Laws”.

So… interesting days are ahead of us. Whether we like it or dislike it, GDPR is here and we cannot ignore it.

…..So happy GDPR day to all…

Naavi

 

Posted in Cyber Law | Leave a comment

UK Data Protection Act 2018 comes into force…

Posted on May 24, 2018 by Vijayashankar Na

Racing against time with the implementation of GDPR, UK authorities have completed the formalities in introducing the new version of Data Protection legislation effective from 25th May 2018 co-terminus with the applicability of EU GDPR. This will continue even after BREXIT.

UK-DPA 2018 should be considered as an extension of GDPR and entities to whom UK DPA 2018 is applicable may have to read both the DPA 2018 and GDPR side by side.

The office of ICO provides further information about the Act.  (Refer here).

A copy of the Data Protection Act is available here.

The DPA 2018 copy as released on 23rd may 2018 contains 215 articles divided into 7 parts and 20 Schedules.

While Data Protection Legislation advise Companies to make their consents “Simple” and expressed in easily intelligible language, UK’s DPA is as complicated as any legislation can be and alien to the principle of simplicity. It will take some time for the industry to fully digest the provisions and be confident of compliance.

As we have often highlighted, laws that are simple are more likely to be complied with and a complex law will have a lower level of voluntary compliance requiring rigid penalties and enforcement.

India is in the process of completing its Data Protection Act and I wish that Indian legislators donot make the law as huge and as complicated as the UK DPA and opt for a more simpler legislation which can be equally effective.

Law makers need to remember that laws are made not to show how knowledgeable the law maker is, but to ensure that the citizen understands it for compliance.

However we shall continue to try demystifying the UK DPA 2018 over a time.

The PDF version of the Act as made available is a 353 page document that requires a detailed study.

Some of the salient features for immediate consumption is given below:

Applicability:

Under Article 207, this act is applicable to

a) processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom

b) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—

(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—

(i) the offering of goods or services to data subjects in the United
Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects’ behaviour in the United
Kingdom.

The Act is about “Processing of Personal Data” and Personal data is defined as ” any information relating to an identified or identifiable living individual”. The Act does not say whether it is the Personal data of a UK citizen or a citizen of other countries.

Jurisdiction of Courts

The Jurisdiction conferred on a Court under UK_DPA 2018 is excercisable in England and Wales, Northern Ireland and Scotland.

This effectively recognizes the limitations of the law making body which derives its powers from the sovereign Government that it represents. The EU GDPR ignored this limitation and arrogated itself the responsibility for protecting global citizens as if it is a global legislative body.

However as a humble servant of the EU which the majority of UK voters voted to exit, the legislators have vowed to legitimize GDPR within this legislation. Considering the details to which this legislation went, there was no need for making it a subordinate legislation to the GDPR but it appears that the UK legislators were under some thing like a “Stockholm Syndrome” and could not break themselves from expressing their past loyalties to EU by importing GDPR into its own legislation. UK seems to have lost its mental independence to stand up as an independent sovereign country and feels obliged to follow its EU masters.

Part 2 of the Act is devoted to supplement GDPR

Chapter 2 of this part applies to the types of processing of personal data to which GDPR applies by virtue of Article 2 of GDPR. Further the Act confirms that Chapter 2 has to be read with the GDPR.

Chapter 3 of Part 2 has some provisions which is defined as “Applied GDPR”.

Article 21 states

This Chapter applies to the automated or structured processing of personal
data in the course of—

(a) an activity which is outside the scope of European Union law, or
(b) an activity which falls within the scope of Article 2(2)(b) of the GDPR (Coming under Treaties of EU),

The term “Outside the scope of European law” is a loose statement that is amenable to mis interpretation.

The Applicability of UK DPA 2018 cannot extend beyond the jurisdiction of Courts as defined under Article 180 and all other narrations represent legislative imperfections.

Penalties:

Penalties as specified in EU GDPR Article 83 are applicable under UK DPA 2018 also.

More Codes to follow

The ICO has to develop certain code of practice such as data sharing code, Direct Marketing Code, age appropriate designing code, Data Protection and Journalism Code etc., These codes need to be approved by the British Parliament and hence the industry needs to await for the codes which will be important from compliance point of view.

DPO

UK DPA 2018 mandates the designation of a DPO by all organizations other than a Court or a Judicial authority. (Article 69)

Principles and Rights

UK DPA 2018 re-states the Principles of Privacy and Data Subject’s Rights as in GDPR.

Cross Border Transfer of Data

Cross border transfer of data is subject to requirements similar to EU which includes “Adequacy Decision” (Article 74) or Safeguards (article 75). Adequacy is as decided by the EU and Safeguard includes a legal instrument that binds the recipient of the data for protection of personal data. Additionally special circumstances such as where the vital interests of the data subject, legitimate interests of the data subject (not the data controller… Ed: Could be a drafting error), public security, law enforcement and legal requirements.

Responsibilities of Controller and Processor

The Act re-states the responsibilities of the Controller and Processor as in GDPR.

Offences

UK DPA 2018 defines the following offences related to personal data

a) Unlawful obtaining of  personal data, selling personal data

b) Re-identification or de-identified personal data

c) Alteration to prevent disclosure

The person who commits the offence is liable for summary conviction to a fine. Prosecution may be instituted only by the Commissioner or with the consent of the Director of Public prosecutions.

The directors of a company maybe liable for offences committed by a body corporate if there is negligence on their part.

These are some preliminary observations and more discussions may follow in due course.

Naavi

 

Posted in Cyber Law | Tagged , | Leave a comment