One of the first and foremost challenges in implementing Data Protection regulations in the Indian scenario is to recognize which law is applicable to a particular processing activity.
The “Personal Data Protection Standard of India” (PDPSI) is the standard framework which has recognized this challenge in the multiple stake personal data scenario and tried to address it.
Typically, a Company in India, say IN, receives a data processing assignment from Companies in different countries, say AT in Austria or US in USA. AT may have personal data of Austrian Citizens subject to GDPR. On the other hand, US may be a globally operating company and may have Data US-1 related to California, US-2 related to UK, US-3 related to France and maybe US-4 related to India itself.
Both AT and US would be entering into a Data processing agreement incorporating SCCs, obtaining an undertaking for compliance with GDPR and/or all applicable Privacy laws.
The term “All Applicable Privacy Laws” may include “applicable privacy, information security, data protection, and data breach notification laws and regulations”.
In such cases, we can recognize that being “GDPR Compliant” or following “ISO 27701 Certification” would not be sufficient to be in compliance.
PDPSI, which is developed as a “Techno legal compliance framework for multiple legal stakes”, therefore considers it extremely important to classify the subject personal data that we are trying to protect with a proper classification tag that identifies the applicable law.
For example in the above case, it is easy to tag all personal data received under the Contract with AT as “GDPR Stake”. But when we deal with US as a client, we cannot designate all personal data received under the contract as GDPR or CCPA or SHIELD or other laws. Without properly identifying the stake, there is no way we can evaluate the sufficiency of the Notice, Consent, Rights Management, Cross Border restrictions, DPO requirements etc.
At this point, it is also necessary to be clear about the “Role Definitions”: whether IN is a Data Processor alone, or is a Controller or Joint Controller. This will also be determined by the contract which is signed between IN and AT or US, and is part of the determination of the applicable law.
In case IN is a “Data Processor” alone, its liability under the contract is limited to the contractual agreement. Hence the jurisdiction mentioned in the contract will determine the applicable law. Irrespective of whether the US data consists of data from multiple jurisdictions, the contract will have one jurisdiction for law and for courts/arbitration as agreed to in the contract, which could be US or India. Similarly, the Austrian contract may be in accordance with the Austrian law or Indian law and subject to arbitration or Court jurisdiction in Austria or India etc.
If, however, IN is not a “Data Processor” but a “Joint Controller”, then it will be subject to the individual laws of each of the countries of origin of the personal data. In certain cases we may not be able to determine the country of origin purely by technical means such as IP address resolution, and we need to specifically ask the data subject providing the information, through a consent form, which privacy law regime he would subject himself to by choice. By default it could be the location of residence as declared in his residential address, if collected, or the location of the IP address from which he provides his information (though this is not always the correct identification of the place of residence of the data subject).
The EDPB guideline 3/2018 dated 12th November 2019 clarifies that the territorial scope of GDPR must be determined on the basis of whether the data controller has a direct relationship with the data subject or is working through another entity which is the data controller. If the processor does not interact directly with data subjects in the EU by directing its business to them, it is not a “Data Processor” coming under the definition of GDPR. It is only a sub contractor for processing and is bound by the contractual agreement with the data controller.
If, in the case above, IN wants to be a “Data Controller” and enters into such an agreement with US, then in most cases it will have to deal directly with multiple data protection authorities and may also have to have representative persons in many countries. It also has to implement its Privacy and Security Controls differently for different sets of data.
The proposed Indian PDPA has given an exemption for such processing from PDPA if the processing activity is properly notified, but other laws have not provided such exemptions. Each law, however, defines the material scope according to which it is applicable to the personal data of its citizens/consumers as defined in the said law.
One of the Standards in PDPSI is the “Law based scoping” that takes into account the identification of the role of the implementation organization as to whether it is a “Controller” or a “Processor” or a “Sub contractor-processor” with relevance to the personal data set that is the subject matter of protection. At the same time, it will also tag the applicable law as to whether GDPR is applicable or any other law is applicable to the identified and separated data set.
Different instances of PDPSI such as PDPSI-IN or PDPSI-GDPR or PDPSI-CCPA take care of secondary level differences in the required compliance by adopting different sets of implementation specifications.
By adopting this flexible approach, PDPSI has become a universal framework that can be applied to all data protection laws with appropriate changes in the Implementation specifications, which are recorded by the implementer through a “Standard Variance Document”.
Cyber Law College will shortly be conducting an exclusive training program for implementers who would like to explore PDPSI as an implementation framework in greater detail. As Naavi has explained earlier, this framework is part of the “Aatma Nirbhar or Self Reliance” program in Data Protection in India to reduce the dependence of MSME organizations on international frameworks.
Interested persons can contact Naavi through e-mail to help schedule the program.