With the advent of the internet, privacy has become a much sought-after yet elusive luxury. Personal data of individuals is freely stored and shared globally, making the world more transparent than ever. I recall a speaker at a TED Talk comparing individuals on the internet with people walking naked through Chhatrapati Shivaji Terminus (CST), Mumbai.
Needless to say, such a brazen onslaught on personal privacy has perturbed authorities the world over. In an attempt to unify the personal data laws of the entire European Union and to lay down strict rules against sharing and improperly using the personal data of individuals, the European Union (“EU”) formulated the General Data Protection Regulation (“GDPR”) in 2016.
A two-year transition period was given to organisations and governments to become GDPR compliant. The GDPR would come into force from 25th May, 2018. The GDPR imposes strict rules pertaining to data collection, transfer and utilisation when the personal data of an EU-based individual is transferred to a non-EU country. This has wide-reaching implications for global businesses, as they share data in a wide variety of situations.
Let us discuss some key implications the GDPR may have on Indian businesses.
Key Features of GDPR
a) Important Definitions
Data Controller: A data controller is the one which determines how the data is to be used. Typically, it is the party which shares the data. However, there could be a situation where both parties involved in a data sharing transaction are data controllers.
Data Processor: A data processor is the one which processes the data in accordance with the instructions given by the data controller.
Data Subject: A data subject is the one whose data is being collected.
Personal Data: Personal data is that information about an individual which helps to identify her/him. Hence, information such as name, contact details, address, identification number or any information which can be directly or indirectly linked to the identity of the individual is treated as personal data.
b) Requirement to show Accountability
The GDPR has adopted the ‘stick’ method in order to ensure that these regulations are properly implemented and are not reduced to formalities. It has imposed requirements upon both data controllers and data processors to show that they are complying with the data protection principles. They are required to create and maintain data processing registers and adopt comprehensive measures to prevent data breaches. Such comprehensive measures inter alia include privacy impact assessments, technical safeguards etc. Data controllers are also required to inform the authorities within a stipulated time in the event of any data breach.
c) Obligations on Data Processors
GDPR, in a first, imposes obligations on data processors. It requires data processors to implement sufficient security standards for data protection and promptly inform data controllers in the event of a breach. It also exposes them to punitive measures in the event of non-compliance.
d) Fines and Enforcement
GDPR has substantially increased the quantum of penalties. For breach of record-keeping, security, breach notification etc., a penalty equal to the greater of €10 million or 2% of the entity’s global gross revenue may be imposed, and for violation of obligations pertaining to data subject rights, cross-border transfers etc., a penalty equal to the greater of €20 million or 4% of the entity’s global gross revenue may be imposed.
e) Data Protection Officer
Data protection officers are required to be appointed where the controllers/processors deal with large scale data of data subjects or are public authorities. These data protection officers are required to have expert knowledge of data protection law.
f) Consent
GDPR mandates consent of the data subjects prior to the collection of personal data. It defines consent as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.” The process of obtaining free consent should be demonstrable by the organisations. There is no bar on withdrawing one’s consent.
g) Data Subject Access Requests
Data subjects are now entitled to a more transparent view of how their data is being processed. The timeline for providing such access is one month from the date of request.
Implications of GDPR on Indian Corporates
Most corporate houses today have a global reach and, invariably, during the course of transactions they obtain or share personal data of individuals. The simplest of actions, including obtaining the names of participants in a conference or sharing employees’ details with cab drivers, also count as collection and transfer of personal data. If such data belongs to an EU-based data subject and is shared or transferred to a non-EU country, the compliances required under GDPR would be triggered.
The enormity and severity of the penalties imposed under the GDPR would expose Indian conglomerates to a very high degree of risk if they are found non-compliant. Even violation of requirements such as maintenance of data processing registers entails a huge fine and hence, Indian companies need to tread cautiously insofar as GDPR is concerned. It is recommended that Indian companies, as a rule, have GDPR compliances built into their data protection policies. In order to safeguard against liability, a separate agreement mirroring all the requirements/compliances mandated under GDPR should be signed by the organisations every time there is a risk of EU-based data subjects’ personal data being transferred. A strong data protection framework would help in averting risks and would mitigate liability.
Bhumesh Verma is a Corporate Lawyer with over 2 decades of experience in advising domestic and international clients, with a place in “The A-List – India’s Top 100 Lawyers” by India Business Law Journal. He writes frequently on FDI, M&A and other corporate matters. With research inputs by Soumya Shekhar.