Indian companies exposed to any form of data processing involving a member state of the European Union, including countries that have recently exited (like Britain) or may exit in due course (France, say?), are keenly watching the impact of the General Data Protection Regulation (GDPR), which has come into force as a replacement for the well-known “Data Protection Act” of these countries. GDPR has been enacted as a “Regulation” and will be applicable from 25th May 2018. We are therefore in the transition period in which companies in the EU, as well as those in India that process the personal data of EU citizens, either through direct interaction with EU-based companies or with US companies operating in the EU, are rewriting their data processing contracts to bring them in line with the GDPR.
25th May 2018 is not far off, considering the criticality of the task and the need to check and double-check whether companies are on the right track.
Indian companies are exposed to GDPR firstly through their data processing contracts and secondly through their own activities. The data processing contracts are expected to contain performance requirements meeting the standards of GDPR and also an indemnity to compensate the vendor company for losses arising out of non-compliance. If the Indian company operates directly in the EU, then it is directly exposed to the compliance requirements through its office in the EU.
Additionally, we expect that India will have its own Data Protection Act by 25th May 2018, which will impose responsibilities similar to GDPR and will also endorse the need to uphold contractual obligations as if they were legal obligations in India. This provision already exists in ITA 2000/8, and with or without a reiteration in the newly proposed Indian Data Protection Act, an agreement with an international vendor to comply with GDPR becomes a statutory obligation under ITA 2000/8 as well.
It is in this context that we need to take a serious look at two of the Articles of GDPR and understand how GDPR may apply to Indian Companies.
The first article that we need to observe closely is Article 3, which is on Territorial Scope of GDPR.
The Article states as follows.
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
The first clause of this article is relatively straightforward. It states that “in the context of the activities of an establishment” which involve the processing of personal data, the regulation applies whether the processing itself takes place in the EU or not. This means that even when the data is outsourced, or the establishment itself maintains a processing centre outside the EU, the processing is still within the scope of this regulation. Such an organization is therefore exposed to the possibility of the imposition of the penalties that the GDPR envisages, which, as we know, extend up to 4% of the global turnover of the company.
Such companies will therefore impose clauses in their outsourcing contracts requiring the sub-contractors to indemnify the company for any losses caused by them due to non-compliance with GDPR. The contracts will also be deemed to impose the responsibilities of a “Data Controller” as envisaged in the GDPR on the Indian sub-contractor, whether this is explicitly stated or implicitly meant.
Considering the huge liabilities envisaged in the GDPR, an open indemnity is a proposition that could drive any Indian company, including even the biggest of them, to insolvency if a major data breach occurs that results in the imposition of penalties under GDPR.
Indian companies therefore need to check what the compliance requirements are and how they should plan to implement them. They should also check whether there are any exemptions, and how they need to handle the conflicting aspects of the Indian law under which they operate, such as the existing ITA 2000/8 or the proposed Indian Data Protection Act. Additionally, they need to obtain appropriate Cyber Insurance, which will add to their costs by at least 1 to 1.5% of the potential liability. Since the potential liability is indifferent to the value of the contract, the cost of insurance measured against the revenue generated by the contract can be many times more than 1.5% of the contract benefits.
Hence Indian companies need to take the impact of GDPR seriously before taking up EU contracts. If the risk is not worth it, smaller companies need to withdraw from contracts that impose an indemnity against GDPR liabilities. Larger companies like Infosys, Wipro or TCS need to fight it out with the vendors to have at least the Cyber Insurance costs covered.
Additionally, according to Article 3(2), any Indian company which offers goods or services to a data subject in the EU, or monitors their behaviour, is directly liable under GDPR as a “Data Controller”.
“Offering” goods and services may occur if the company maintains a website through which online services are offered that can be availed of by EU citizens. “Monitoring” of behaviour may also occur in such cases, and also in the case of companies engaged in data mining on a global scale. If such companies have not taken the precaution of including the “GDPR Exclusion Clause” proposed by Naavi in their website policies and contracts, then they are open to being held accountable under GDPR.
Assuming that such companies have no office in the EU and no representative (required to be designated under Article 27), action can still be brought in India, either under the existing ITA 2000/8 or under the proposed Indian Data Protection Act, and hence the risk of GDPR penalties may have to be addressed even by them.
In case of non-compliance, an Indian company would be liable for the consequences and would also be answerable to its shareholders.
Such Indian companies may process the data within India or outside India. If they store the data within India, or even otherwise, they would be exposed to the possibility of an Indian law enforcement authority issuing or executing a search warrant for seizure of the data, which may amount to “Disclosure”. In certain cases, judicial authorities may order the disclosure of some data which, inter alia, involves the disclosure of personal data belonging to EU citizens.
In such cases, we need to also observe the impact of Article 48 which states as under.
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
What this Article implies is that a company subject to Indian law will be in conflict with the jurisdiction of the Indian courts because of a contract it might have signed with a business partner who is bound by the EU regulation.
It may be noted that this Article is not simply a choice of “jurisdiction” in a contractual agreement. On the other hand, it renders the Indian courts impotent.
This Article also introduces confusion, since the general principle of privacy does grant law enforcement agencies and the judiciary the right to intrude in certain circumstances.
GDPR does permit some exemptions to the “Rights of the Data Subject” for reasons such as national security, criminal investigation, etc. So it is difficult to comprehend that the judiciary would have no right even after a trial has been conducted and a judgement arrived at.
We therefore need to interpret this Article as applicable only where the data has to be released by an organization that is under the jurisdiction of the EU courts, and not to companies that are under the jurisdiction of the Indian judiciary, whether they process EU data or not.
Probably the confusion could have been avoided if the Article had specified that it is not applicable to data processors established outside the Union, or that it is not in derogation of the rights of the judiciary of the country in which the data controller operates.
The option now before the Indian authorities to reduce this confusion is to introduce an appropriate clause in the proposed Indian Data Protection Act along the lines of Article 23, under which member states are permitted to introduce laws imposing restrictions on the rights of data subjects in cases of national security, defence, public security, etc.
Naavi advocates that a provision be made in the Indian Data Protection Act that
“No international agency can launch any legal action against an Indian company except through the Indian Data Commissioner.”
This would be a protective umbrella shielding Indian companies from frivolous threats from outside India.
This is not to advocate that Indian companies need not follow privacy protection. In fact, GDPR does have good provisions for privacy protection which Indian companies would also do well to implement. However, it is desirable that the Indian Data Protection Commissioner takes responsibility for disciplining Indian companies rather than an EU Data Commissioner. Hence it is necessary to provide statutory protection so that penal action is restricted to being taken through the Indian Data Commissioner’s office only.
I request MeitY to take this into account while drafting the new law.