European Union: Privacy Laws Of Digital India: Need To Gear Up To EU's GDPR

Last Updated: 27 March 2018
Article by Mansi Airi Gambhir

1. Introduction

"Privacy" has become the buzzword these days. From the recent Cambridge Analytica scandal or Aadhaar linkage to third-party sharing of users' data by WhatsApp, every issue related to invasion of privacy is making news. Innumerable transactions require extensive personal information. Data banks are increasingly being created and used to understand the market in the most optimum way. In fact, the way the market is shaping up, a lot of personal information is available with various disconnected businesses. Globally too, economic and social integration of markets requires a substantial amount of cross-border flow of data. So, when data has become such an integral part of day-to-day dealings, there is a need for laws to protect privacy. The current law dealing with technology is the Information Technology Act, 2000 and the different rules framed thereunder. One such set of rules is contained in the stand-alone Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Regulations"), which have a very limited scope; they only protect an individual's "sensitive personal data." In the newsletter of February 2017,[1] this issue was discussed and it was highlighted that it is high time India took a cue from the EU's exhaustive General Data Protection Regulations ("GDP Regulations").

This newsletter gives a brief overview of the GDP Regulations and underscores how the legal framework of India is deficient as compared to these regulations.

2. Brief overview

The GDP Regulations harmonize various data privacy laws across Europe and reshape the way organizations, including those in India, will have to approach data related to people in the EU.[2] They were approved and adopted by the EU Parliament on April 27, 2016 and will come into effect after a two-year transition period, i.e., from May 25, 2018. Basically, the EU's current data protection regime is set out in directives, which are akin to guidelines and require member states to interpret and transpose them into their laws. Inevitably, multiple interpretations by different member states have created inconsistency with respect to data protection compliance across the continent, and organizations doing business in the EU find it difficult to deal with such complexities. The GDP Regulations address this issue by removing the need for national implementation and introduce an element of consistency into the EU's data protection regime.

Article 3(1) of the GDP Regulations limits their scope to processing personal data of people in the EU and in the context of any commercial activity in the continent. This means that the regulations protect personal data of people[3] in the EU and extend protection to data within the EU. So, for instance, if an EU citizen gives his credit card details for a transaction in the US, the GDP Regulations will not be triggered. However, if a U.S. citizen in the EU gives his credit card details for a transaction in the EU, then the company taking his information will have to ensure that the privacy of the details is maintained as per the GDP Regulations. In other words, in this instance the situs of the company assumes importance. The Regulations prescribe a heavy penalty of up to USD 2.4 million[4] or up to 4% of the total global annual turnover of the preceding financial year, whichever is higher, for any breach of data privacy of EU citizens.

3. GDP Regulations vs. IT Regulations

Both the GDP and IT Regulations are supposed to safeguard the data of people from misuse by the companies that collect or deal with such data. The former is a much better drafted piece of legislation. Some differences between the two regulations are discussed below.

3.1 Definition of personal data and its ambit

The Preamble to the GDP Regulations states that "...the principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data."

The GDP Regulations treat the right to protection of personal data as a fundamental right and, therefore, to safeguard this right in the most optimum manner, the definition of "personal data"[5] is kept quite vast. Almost every kind of information with which a person can be identified, viz. name, national identification number, location, online identifiers (such as IP address, cookies, radio frequency, information on social media), identification tags, etc., health records, sexual orientation, biometric[6] or genetic data,[7] bank details, etc., is covered. Basically, the GDP Regulations do not protect a person's data which has no connection with some professional or commercial activity. In fact, Article 18 specifically excludes data processed in the course of a personal or household activity. However, there is some data which, though not connected to professional or commercial activity, is still accorded protection under the GDP Regulations. Article 9 states that data relating to a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership information, and data concerning sex life shall be treated as sensitive data.

On the other hand, under the IT Regulations, the definition of protected data does not have as wide a scope as under the GDP Regulations, even though there are some similarities. The IT Regulations only protect "sensitive personal data" of a person in India. Section 7 defines sensitive personal data as information regarding passwords, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, biometric information or any other related information provided to a body corporate. This leaves Indians vulnerable, since there is no legal protection against leakage of their data that is outside the purview of sensitive personal data. The Supreme Court has time and again stressed the need for the state to protect the privacy rights of people, which must culminate in codified laws. Enactment of appropriate amendments to the law that cater to evolving business methods will not happen overnight, as the legislative process has to be followed. In short, the need for widening the scope of protected data cannot be ignored. In the context of e-transactions at least, consumers must be given an option to either allow the sellers to retain their information or direct them to erase it after every transaction.

3.2 Data subjects

Under Article 30(5) of the GDP Regulations, the mandate of protecting the privacy of personal data of EU citizens is on every organization in the EU which has 250 or more employees. These also apply to organizations with fewer than 250 employees provided (i) the data controlling or processing[8] by such companies is not occasional; or (ii) the processing may pose a risk to the rights and freedoms of data providers in the EU; or (iii) they process sensitive data or data relating to criminal convictions and offences. In India, there is no such employee headcount limit under the IT Regulations, which are binding on every company that deals in sensitive personal data. The GDP Regulations do not explain the ambit of anticipated risk to data privacy rights or what occasional processing would mean. Further, there seems to be no logic behind categorizing applicability based on employee headcount. Putting a blanket obligation on an organization with 250 employees, but limiting the obligations when employees are below that figure and the organization collects personal data occasionally, appears to be unreasonable. Loss of personal data puts a person in a vulnerable position, be it by a company with 250 or 100 employees.

3.3 Extra territorial scope

As per Article 3(1) of the GDP Regulations, organizations outside the EU too are obligated to protect personal data of people in the EU. So, organizations in India that either control or process personal data of people in the EU will have to adhere to them. The legislative intent of the GDP Regulations is to protect personal data of people in the EU irrespective of their nationality or residence; every person in the EU is protected. The IT Regulations do not have extra-territorial scope. They only regulate companies in India that collect and process sensitive personal information of Indian citizens. They exclude foreigners living in India, which seems rather strange. Given the impetus on promoting medical tourism, there is no reason why their medical records should not be protected. Similarly, an Indian e-wallet company could have data of Indian citizens as well as expats. Unless there is a legal mandate, companies will not come forward and execute contracts to impose obligations on themselves for protecting the data of foreigners living in India. It is, therefore, essential to extend the same protection to all persons in India, regardless of nationality.

3.4 Pre-conditions for data processing

Under rule 5, the IT Regulations mandate that the data subjects must know the reason and end purpose for such collection. However, once the data is collected, the information providers do not know whether the data can be used for any purpose other than the one informed to them. They also have no idea of the intended recipients of their data. The GDP Regulations treat "consent" in a more responsible manner and go a few steps beyond the IT Regulations. They set out principles for data collection under Article 5. These provide that, at the time of taking consent, the data controller must provide its identity and contact details along with the identity of the data recipients or categories of recipients, the period for which the personal data will be stored and the criteria for determining that period, and information on the right to lodge a complaint with a supervisory authority in case the information provider anticipates a breach of their data privacy rights. So, consent is sought at every stage, be it for collection, the recipient's identity, the purpose of collecting data, forwarding to other recipients, etc.

3.5 Child's consent

The IT Regulations have nothing specific with respect to seeking the consent of children before collecting their data. In contrast, Article 30 of the GDP Regulations mandates that consent from the holder of parental responsibility over the child is sought and that reasonable efforts are made to verify that such holder has tendered consent on the child's behalf. But the word "reasonable" is very subjective, and the regulations do not explain what "reasonable efforts" would mean. It is left to the interpretation of data collectors and processors. This is a very tender issue and both regulations need to address it in an effective manner.

3.6 Right to be forgotten

Rule 5 of the IT Regulations gives the information provider an option to withdraw consent for the use of his data. The company cannot, thereafter, use the information of such provider. So, the right to give consent for the use of certain information comes with the right to withdraw such consent too. The GDP Regulations also provide for this. Additionally, Article 17 grants the information provider a right to ask the controller to erase his data from the company's records without undue delay. This ensures that the controller cannot retain the data any longer and rules out access to it by any third party in the future. The information cannot even be used for any purpose, including studying the behavioral characteristics of a data subject.

4. Conclusion

The GDP Regulations are global in their scope and applicability. They have been drafted to ensure that people in the EU are able to exercise their right to protection of personal data in the best possible manner and without any fetters. However, it is yet to be seen whether it would be practical to really enforce them in letter and spirit. For instance, ensuring that every entity that does business in the EU shall, regardless of its location, be equipped to take well-informed consent in a uniform manner from EU subjects before seeking their personal data seems impractical. The regulations require that every entity must ensure that "appropriate technical and organizational measures" are implemented to secure personal data of "data subjects in the EU", but no parameters are prescribed with respect to these "measures." So, open issues remain. For instance: who will verify whether a company doing business in the EU has adequate tools to seek the consent of information providers; whether the data is really erased when consent is withdrawn; how the high quantum of penalty for a data breach will be imposed, especially on a small enterprise that does not have that kind of worth to bear it; how that penalty will be collected; and what the implications of non-payment of the penalty will be. So far, these questions have no answer, and the hope is that, in due course, adequate clarity will be provided.

Footnotes

[1] See http://psalegal.com/E%20Newsline%20February%202017.pdf

[2] On March 29, 2017, the UK notified the EU of its intention to withdraw from the Union. As per the European Commission's notification dated January 9, 2018, the GDP Regulations cease to apply to the United Kingdom from March 30, 2019.

[3] In this article, the word "people" refers to every data provider within the territory of the EU, irrespective of their nationality and citizenship.

[4] This is about INR 160 million, applying a rate of USD 1 = INR 66.

[5] Under Article 4 of the GDP Regulations.

[6] As per Article 9 of the GDP Regulations, biometric data relates to personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a person, which provide their unique identification, such as facial images, retina map, etc.

[7] Article 4 of the GDP Regulations defines this as data relating to the inherited or acquired genetic characteristics of a person.

[8] Basically, the regulations revolve around "controlling" and "processing" of personal data. As per Article 4(2), data controlling refers to determining the purpose of processing data, and data processing means any operation which is performed on personal data, whether via automated means or otherwise. Article 4(7) provides that activities like collection, recording, organizing, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction can be categorized as data processing.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.