There is a mis-perception prevailing in some sections of IT industry in India that “GDPR is applicable to India” without recognizing that its applicability is subject to certain conditions. This needs to be dispensed with at the earliest.
One of the frequent questions asked is
if we encounter an EU Citizen in India and its business, am I liable for GDPR?
If so should I appoint a representative in EU?
The answers to these questions are to be given only with reference to the context and not absolutely.
For example, GDPR is applicable to EU Citizens in the context of their activities in EU. In the case of EU Citizens in the context of their activities in India, GDPR is not applicable.
If a company in India is monitoring the behaviour of an EU Citizen in respect of his/her activity in EU, or offering any goods and services to the EU Citizens in EU, then GDPR may be applicable. But if the processing involves an “Occassional Interaction” with the EU Citizen, then GDPR is not applicable.
Therefore, If an EU citizen walks into a mall in Bangalore and gives his credit card for buying a product, it is not a case that falls under GDPR. If an Indian maintains a website and a EU person visits it, then also it should not ordinarily fall under GDPR. Only when a service is specifically targeted to an EU person, GDPR may become relevant.
The above inference can be drawn from the following articles:
Article 2(2): This Regulation does not apply to the processing of personal data… in the course of an activity which falls outside the scope of Union law;
Article 3(1) : This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of
data subjects who are in the Union
by a controller or processor not established in the Union,
where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
In the case of data processors in India who process data sent to them by another entity established in the EU, that entity would be the Data Controller and is liable for compliance of GDPR. The Indian entity is only liable to it’s contractual bindings with the data supplier.
GDPR is badly drafted in this respect as it uses the ambiguous words “Data Subjects in the Union” without specifying if it is restricted to EU Citizens or every body else who at the time of collection of data are within the boundaries of EU.
However, those who are not “Residents” of EU cannot be considered as coming under GDPR since their encounter with the data collector will be only “Occasional”. Since the power of EU and the mandate is to make laws for Eu Citizens, it is unclear how it can extend to other citizens. Similarly when a EU Citizen is travelling in another country under a VISA and is bound by the laws of that country, it is unclear how GDPR can extend to his activities outside the EU>
UK DPA 2018
UK DPA 2018 extends the GDPR blindly, and therefore also extends the unclear aspects of GDPR. But when defining the direct incidence of DPA 2018, UK DPA is a little bit more clear.
Article 207 of UK DPA 2018 states as follows:
207 Territorial application of this Act
(1) This Act applies only to processing of personal data described in subsections (2) and (3).
(2) It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or
not the processing takes place in the United Kingdom.
(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—
(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—
(i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects’ behaviour in the United Kingdom.
(4) Subsections (1) to (3) have effect subject to any provision in or made under section 120 providing for the Commissioner to carry out functions in relation to other processing of personal data.
(5) Section 3(14)(c) does not apply to the reference to the processing of personal data in subsection (2).
(6) The reference in subsection (3) to Chapter 2 of Part 2 (the GDPR) does not include that Chapter as applied by Chapter 3 of Part 2 (the applied GDPR).
(7) In this section, references to a person who has an establishment in the United Kingdom include the following—
(a) an individual who is ordinarily resident in the United Kingdom,
(b) a body incorporated under the law of the United Kingdom or a part of the United Kingdom,
(c) a partnership or other unincorporated association formed under the law of the United Kingdom or a part of the United Kingdom, and
(d) a person not within paragraph (a), (b) or (c) who maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom, and references to a person who has an establishment in another country or territory have a corresponding meaning.
In the above article, para 3(a) states as follows:
(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
This provision is ambiguous since it does not specify clearly that it refers to the Controller or Processor who is established in EU and gets his data processed elsewhere. DPA 2018 is not a law which is directly applicable to a company established in another country under a different law and this has to be recognized while reading this article.
Para (7) is however welcome as it explains which are the organizations which are considered as “Established in EU”.
Section 3(b) also clarifies that “In the UK” is to be interpreted as “At the time of processing”.
It is unfortunate that both GDPR and the UK DPA are drafted inadequately and puts needless doubts in the mind of technical persons not well versed in the legal aspects. It is not clear if this is deliberate.
I presume that Indian DPA will provide the necessary clarification when it is drafted and establish the sovereignty of the Indian Government to make laws for its companies and not allow EU and UK to think that India is still their colony.