India

Screen Shot 2018-06-12 at 4.39.37 PMBy Priyanka Anand and Vasudha Luniya, Clasis Law

 

The new European Union General Data Protection Regulation (GDPR) was adopted on May 24, 2016 and will come into effect on May 25, 2018, after a two-year transition period. This regulation stipulates that any and all businesses within the EU, or dealing with the EU, will have to comply with GDPR. This will make all businesses liable to protect any data that is categorised as “personal”. Once it takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC).

Applicability of GDPR to Indian companies that process data
Extraterritorial applicability of GDPR — Article 3 (Territorial scope) of GDPR makes it clear that these regulations will be applicable regardless of whether the processing takes place in EU or not. Therefore, an Indian company processing personal data in context of activities of an establishment of a controller or processer in EU, will fall within the ambit of GDPR.

The challenges that GDPR poses for India
The GDPR is a legally binding regulation, not a directive that brings service providers directly under its purview. It affects Indian companies that have expanded or plan to expand globally. Certain challenges have been enlisted herein below:

  • The regulation will limit EU companies’ outsourcing options which will result in obvious opportunity losses for businesses in India;
  • India’s comparatively feeble data protection laws makes India less competitive as outsourcing markets in this space where other economies are updating their regulatory practices to ensure smooth inter-state operability;
  • Largely inflexible, GDPR reduces the extent to which businesses can assess risks and make decisions when it comes to transferring data outside the EU;
  • The regulations target service providers directly who will have to face high costs such as investment in “cyber insurance” whilst adopting new technology; and
  • Infringements of certain provisions of GDPR shall be subject to stringent penalties.

Obligations of Indian companies that process data
Prior to undertaking any processing activity, Indian companies will be required to enter into a Screen Shot 2018-06-12 at 4.53.14 PMcontract with their customer (generally, a data controller). Such contract will, inter alia, stipulate the subject-matter and duration of processing activity, its nature and purpose and the type of personal data and categories of data subjects.

By way of such contract, a customer (the data controller) will seek from an Indian company a flow down of the following obligations:

  • Implementation of appropriate organisational measures to ensure (i) pseudonymisation and encryption of personal data; (ii) confidentiality and integrity of processing systems; (iii) restoration of availability and access to personal data after a physical or technical incident; and (iv) regular testing and evaluation of such measures (Article 32);
  • In the event of a personal data breach, the same must be notified to the customer without undue delay (Article 34); and
  • Carry out a data protection impact assessment prior to commencement of the processing activity (Article 35).

Guarantee of an adequate level of protection of data
The bedrock of GDPR, in terms of Article 45, is the stipulation of ‘adequacy requirements’, which curbs the transfer of personal data to any third country or international organisation that does not “guarantee an adequate level of protection”. In doing so, the European Commission considers whether the legal framework prevalent in the country to which the personal data is sought to be transferred, affords adequate protection to data subjects in respect of privacy and protection of their data.

In India, the current legal framework pertaining to data privacy and protection is governed by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which is far from being adequate. The recent landmark judgment of the Hon’ble Supreme Court in the case of Justice KS Puttaswamy (Retd.) & Anr. Vs. Union of India & Ors, declaring the right to privacy as a fundamental right has provided the much-needed impetus to introducing a long-awaited, all-encompassing data protection legislation in India.

Conclusion
GDPR is an excellent opportunity for India to update its regulatory practices and effectively implement the fundamental right to privacy. Indian companies, should use this as a stepping stone to move up the value chain by strengthening its automation portfolio and make the industry more competitive in the global market.

 

Clasis Law Logo

 

 

W: www.clasislaw.com

E: priyanka.anand@clasislaw.com
E: vasudha.luniya@clasislaw.com

T: (91) 11 4213 0000
F: (91) 11 4213 0099

 

Related Articles by Firm
India going all out to woo foreign companies moving out of China
A silver lining of the Covid-19 crisis is the potential of becoming an attractive alternative to China.
Doing business and ease of doing business in India
VIDEO BRIEFING: The government has taken numerous steps to give an impetus to foreign investment, but a lot remains to be done.
MCA introduces e-form DIR-3-KYC for directors with approved DINS
This compliance exercise seems to be a checkpoint for only genuine individuals acting as directors in a legitimate capacity.
A wide net of ineligibilities for being a resolution applicant
Almost two years after the Bankruptcy Law Reforms Committee submitted its report, the Insolvency and Bankruptcy Code is still a work in progress.
Insolvency in India: Section 29A…
A wide net of ineligibities for being a Resolution Applicant ...
DISHA — India’s probable response to the law on protection of digital health data
Sensitisation and protection of people’s right to privacy and security of their data are the bedrock of DISHA.
The Admiralty (Jurisdiction and Settlement of Maritime Claims) Act, 2017
This much-awaited piece of legislation brings clarity to various deadlocks in Indian jurisprudence.
Metro projects likely to drive India's infrastructure sector
Metro Rail projects in India have picked up pace and are likely to catalyse substantial opportunities over the next few years.
Handling disciplinary proceedings by employers
Breach of an employment contract by an employee often results in disciplinary action leading up to termination in cases of serious misconduct.
Clasis Law Newsletter
The latest legal news from India, including recent court judgments, changes to corporate/commercial law and updates on projects and IP.
Initial Coin Offerings: Another brainteaser in the virtual currency bandwagon
The position of virtual currencies and ICOs in India remains murky.
ONGC vs Sime Darby consortium
An unsuccessful party cannot possibly apply for interim relief in aid of what it lost before the arbitral tribunal.
The Fugitive Economic Offenders Bill 2018
The bill aims to provide an effective, expeditious and constitutionally permissible deterrent to ensure that such actions are curbed.
Understanding The Maharashtra Shops And Establishments Rules 2018
The Act regulates the employer–employee relationship and service conditions such as hours of work, payment of wages, overtime, leave, holidays, etc.
Supreme Court gives clarity on Section 26 of the Arbitration and Conciliation (Amendment) Act, 2015
In Board of Control for Cricket in India vs Kochi Cricket, the Supreme Court has clarified some issues surrounding the Act.
Delhi High Court resolves uncertainty between two conflicting clauses in contracts
The settled principle of contra proferentem has been re-affirmed by the Court in a case involving Delhi Metro Rail and Voestalpine.
India: Supreme Court update
Supreme Court refers the question to determine the liability of the consignee or steamer agent in respect of ground rent charges to be paid to the port trust to a larger bench ...
Corporate Social Responsibility
There is a growing realization among the corporates that business growth along with positive community/social impact is now an expected goal ...
India: Execution Proceedings for Enforcement of Arbitral Award
Recent Supreme Court judgement resolves certain issues and requirements ...
India: Impact of the Companies (Amendment) Act, 2017
With the assent of the President on January 3, 2018, the much-awaited Companies (Amendment) Act, 2017 (Amendment Act), which provides for simpler provisions but stringent penalties, has finally seen the light of the day ...
Voluntary Liquidation in India
Winding up under Insolvency and Bankruptcy Code, 2016 ...
Strike Off of Companies in India
Over the years, many companies have been lagging behind in filing of annual documents such as annual returns, financial statements etc ...
India: Valuation by Registered Valuer
“Price is what you pay, Value is what you get” ...
India: Amendments Under Master Directions on Issuance and Operation of Prepaid Payment by RBI
Digital wallets such as PayTM, along with debit and credit cards, are expected to reduce (if not completely replace) the use of paper currency …
India: Institutional Arbitration – Need of the Hour
The need to promote and encourage institutional arbitration for commercial disputes in India ...
India: Supreme Court settles the law: Major relief for foreign operational creditors
Clasis Law recently represented Macquarie Bank in two civil appeals before the Supreme Court of India ...
India: Consumer Protection
NCDRC’s ruling on ‘Voluntary Consumer Association’ under the Consumer Protection Act, 1986 ...
India: Foreign Exchange Management Regulation
Significant changes for transfer or issue of security to a person resident outside India ...
India: Directors' duties and liabilities under the Companies Act, 2013
Directors must be aware of their role, responsibilities and duties towards the company and its shareholders ...
India Update for December 2017
This edition brings to our readers a featured article titled “The Tourism and Hospitality Sector 2017 — The Year Gone By!!”
India: RBI issues Directions on Peer to Peer Lending Platform
Online lending transactions are in their nascent stage in India and given the increase in peer-to-peer (P2P) lending through e-commerce marketplace it is of extreme importance to regulate such transactions ...
INDIA: Right to privacy and data protection in India
The concept of data protection and privacy has not been addressed in any exclusive comprehensive legislation in India ...
India: Protection against groundless threats under Indian IP laws
Rapidly growing awareness of intellectual property (IP) rights and a well-structured statutory regime protecting IP has allowed rights owners to assert and enjoy the limited monopolies conferred on them ...
Corporate compliance: Necessity and implication
The Companies Act of India is the primary legislation governing the functioning of companies established in India during their lifecycle....
India update from Clasis Law
Including briefings on the national food processing policy, projects and energy, and intellectual property.
RBI intervenes in patching up of Tata and DoCoMo’s joint venture
Background to the joint venture: Tata DoCoMo, an Indian mobile network operator, was set up as a joint venture between Tata Teleservices (TTSL) and NTT DoCoMo in November 2008...
Regulatory challenges for Vodafone Idea merger
Vodafone India is in discussions with Idea Cellular for an all-share merger. It appears that the intense competition the Indian telecom industry is facing due to freebies offered by the new entrant, Reliance Jio, has ...
India Update, inc: Regulatory challenges for Vodafone Idea merger
This months India newsletter from Clasis Law includes an article on the “Regulatory challenges for Vodafone Idea merger”, plus updates in Projects, Energy, IP and Banking & Finance ...
Investment conditions and restrictions for venture capital funds
Venture capital funds (VCFs) are contributing considerably to India’s economic growth. The amount of investment directed to venture capital has grown in recent years due to the pro-business environment and ...
India’s bid to become a hub for international commercial arbitration
As one of the world’s fastest-growing economies, India is a party to many international commercial arbitrations and the government is making efforts ...
Brands – Role and liability of celebrity endorsers
The marketing and advertising industry has grown as an organised industry using innovative ideas that are designed to ...
Related Articles
Related Articles by Jurisdiction
India: Union Budget 2015
A bullet-point overview of changes in Direct Tax, Indirect Tax and Goods and Service Tax in India in light of Finance Minister Arun Jaitley’s first full-year Budget…
The impact of General Data Protection Regulations on Indian companies
Extraterritorial applicability of GDPR makes it clear that these regulations will be applicable regardless of whether the processing takes place in EU or not.
Latest Articles