The General Data Protection Regulation (“GDPR”) is an EU wide Regulation implemented to ensure more stringent rules and stricter control over organizations processing personal data. This is a significant Regulation in data protection law and is expected to affect organizations not just within the EU but across the world.
In view of protecting fundamental human rights, especially the right to privacy, the GDPR sets out strict requirements and rules that organizations handling personal data must adhere to. Organizations must maintain a record of and monitor personal data processing activities and data may only be transferred to GDPR compliant organizations or to those within jurisdictions that are deemed “adequate”. The GDPR imposes a penalty of EUR 20 million or 4% of global turnover (whichever is higher) in cases of non-compliance. Further, the GDRP has provided more rights for data subjects, including the right to be forgotten, the right to data portability and the right to object to profiling. It has also been stipulated that consumer consent must be given freely. Thus, it can be understood that it is of utmost importance for organizations to be GDPR compliant and data protection has become a major concern while data processors become more conscious of their practices.
What does GDPR mean for companies in India?
Regardless of their location, organizations processing personal data of individuals from the EU or organizations having a presence in the EU must be GDPR compliant. Article 3(1) of the GDPR clearly states that:
“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Therefore organizations outside the EU, including in India will also need to upgrade their technology as well as practices and introduce data encryption modules. Most organizations will need to, if they haven’t already, update their privacy policies and implement sufficient safeguards, as required under the GDPR. They will also need to understand the rights of the data subject and adhere to practices keeping these rights in mind.
Need for reform?
The GDPR has ushered a new data protection and privacy regime and has set a model for jurisdictions across the globe to follow. There is a growing need to recognize the fundamental need to protection of privacy and data and with the changing times, all jurisdictions must reform their laws in this regard. The GDPR clearly had worldwide implications and jurisdictions across the world are likely to follow along similar lines, including India.
In India, there is a growing need to create more awareness amongst companies and organizations that may be processing personal data, especially sensitive personal data. Currently, the Indian privacy law is based upon Article 21 of the Constitution which confers the right to privacy and the Information Technology (Amendment) Act, 2008, which amended the Information Technology Act, 2000 (“the Act”). Section 43A of the Act deals with implementation of “reasonable security practices” for sending personal data or information and provides for the compensation to the person affected by wrongful loss or wrongful gain. However, considering technological advancement and in order to keep up with the times today, there is definitely need for reform in this area with clear and concise legislation setting out the laws on data protection, including the rights of a data subject and good data handling practices as well as penalties for any breaches.
It is worth pointing out that presently, Indian nationals have already indirectly benefitted from the GDPR because many Indian companies have adopted more stringent data protection and privacy policies in order to keep up to date and ensure GDPR compliance. They are implementing safeguards that are globally accepted and thus, as a result of their attempts to be pragmatic, Indian nationals are also benefitting from better policies. However, since there are no privacy laws as such in this regard, their protection will only be limited to contract law for now. Therefore, any protection available would be through claiming breach of contract and the currently available law on privacy in India, which is inadequate.
Following the Supreme Court’s verdict on the fundamental right to privacy, a data protection framework for the Data Protection Bill has been proposed by the Srikrishna Committee, however, it remains to be seen to what extent this framework will resemble and satisfy the GDPR criteria. It is worth noting that the Committee has identified seven principles of data protection law, including technology agnosticism, where it has been stated that data protection law must be flexible to include technological changes with the times. Thus, this seems to be a step in the right direction and we look forward to the Data Protection Bill being introduced in Parliament and further developments taking place in this regard.
The GDPR has revolutionised the law on data protection and has paved the way for jurisdictions across the globe not only to follow similar practices but to also ensure GDRP compliance if in case they are processing data of EU residents. While there is a need for Indian data protection law to resemble global standards, Indian businesses are already taking measures to comply with the same. A Data Protection Bill is underway and should form part of the law soon.