The first question that an Indian Company needs to settle for itself is whether it is at all exposed to the provisions of the dreaded GDPR and, if so, whether there is any need to respond.
It must be clarified that Indian Companies appreciate the principle of Privacy and the need to protect privacy in data form as part of the protection of the human rights of any global citizen. What is creating resentment, however, is the obnoxious level of penalties that GDPR is empowering itself to impose on companies which are not actually established in the EU. This is seen as an attempt to build a hegemony in the Data Processing market across the globe. It is also perceived that the GDPR is trying to re-write the jurisdictional principles as they are understood in the "Borderless Cyber Society".
There is a need for the authorities implementing GDPR to abrogate the "percentage of global turnover" clause in Article 83. The fixed financial limits of 10 or 20 million Euros are not the issue; an open-ended, turnover-based penalty is unreasonable and smacks of an arrogance that needs to be challenged. This should, however, be taken up by organizations such as NASSCOM, which should discuss it with countries such as the USA and Australia and form a global forum to protect the interests of the industry.
At present, it is not completely clear how the GDPR penalty clause will play out in the Indian market.
The GDPR recognizes two main roles for IT Companies namely
- Data Controller
- Data Processor
A "Data Controller" is the one who determines the purposes and the means of processing the "personal data". A "Data Processor" is the one who processes the data as determined by the Data Controller. The "Data Processor" is therefore a "Sub Contractor" to the "Data Controller" and does not have the contractual power to act independently.
A similar issue also exists under the HIPAA-HITECH Act, where Business Associates (BAs) are presently placed directly under the regulation of HHS in terms of audits and the imposition of penalties.
In the case of the HIPAA-HITECH Act, however, the jurisdictional boundaries are well defined. A company which has no legal establishment in the USA but works as a Business Associate is more appropriately recognized as a "Sub Contractor", bound only by the Business Associate Contract. That contract may carry an indemnity clause to cover liabilities arising on the Covered Entity, or on another BA in the USA, which has outsourced the business to the Indian Sub Contractor.
The GDPR, however, has tried to establish its control even over companies established outside the EU through some of its provisions, which need a close watch.
Under Article 3 (1),
“GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Under Article 3(2),
“GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Under Article 3(3)
“GDPR applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”
Article 3(3) applies where the law of a Member State reaches a place outside the Union by virtue of public international law; Recital 25 of the GDPR gives the example of a Member State's diplomatic mission or consular post. It is therefore of little relevance to an ordinary Indian Company.
Article 3(1) applies to Data Controllers or Processors who have an establishment in the EU, including those who outsource the data processing to another entity outside the EU or use the Cloud for some part of their services.
It is Article 3(2) which extends extra-territorial jurisdiction to the Regulation, and it contains two sub-clauses.
The first sub-clause is directed at Data Controllers or Processors which are not established in the Union but "offer goods or services" to data subjects in the Union.
The second sub-clause is directed at Data Controllers or Processors which are not established in the Union but "monitor the behaviour of data subjects in the Union, to the extent that the behaviour takes place within the EU". Note that both sub-clauses turn on the data subject being in the Union, not on EU citizenship.
It may be noted that the definition of a "Data Controller" is that he is one "who determines the purposes and means of the processing of personal data".
A person who merely collects the data on the instructions of another is not thereby a "Data Controller", though he may come under the category of a "Data Processor".
Indian Companies such as Infosys, TCS or Wipro, which have direct IT contracts with EU Companies, may be "Data Controllers", but most other companies will be "Data Processors" since they are only sub-contractors.
However, most Indian Companies may not be "offering services" to EU data subjects, though they may be offering services to "EU based companies". In such cases, it is possible to interpret Article 3(2) as not being applicable to such Indian Companies.
This interpretation also fits with ITA 2000/8 where, in defining due diligence under Section 79, the Government of India has clarified that the obligation of obtaining "Consent" from data subjects lies with the "person collecting the information from the data subject" and not with the company which receives the personal information of data subjects from another company which has collected it.
In other words, ITA 2008 recognizes the "Collector of Personal Information from the data subject" as the "Data Controller" (though this terminology is not used) and everybody else becomes a "Sub Contractor". GDPR, knowingly or unknowingly, has created a class of "Recipient of Data" who is the first party to interact with the Data Subject but may not be a "Data Controller". The "Recipient" could be a sub-contractor of a Data Controller and hence a "Data Processor". Subsequently, under the directions of the Data Controller, the Recipient may transfer the data to another "Data Processor" who has a contract with the Data Controller but no direct relationship with the "Recipient".
Indian Companies which do not receive personal data from the data subjects and have no establishment in the EU are purely "Data Processors who are not established in the EU and not offering services to EU data subjects". Their liability for GDPR implementation is therefore only through the contract with the Data Controller, who may be an establishment in the EU or one who has no establishment in the EU but determines how the data is to be processed.
The "Indian Sub Contractors" are therefore bound by ITA 2000/8 which, of course, defines "reasonable security practice" as what is contained in the contract with the data supplier. The Data Controller is therefore well within his rights to state in the contract that the Data Processor in India has to follow all the security measures indicated under GDPR. He can also impose an indemnity obligation that if any loss is caused by the processor's action or inaction, it should be reimbursed up to a stated limit.
An open-ended contract which makes an Indian Company liable to pay a foreign entity without limit may actually be a violation of FEMA and hence ultra vires Indian law. The "Turnover based penalty" can therefore neither be applied to Indian Companies nor accepted by them.
As regards websites of Indian Companies, or mobile Apps which may be used globally, it is essential for the companies to include a "GDPR Exclusion Clause" on the lines of what is proposed under the privacy policy of Naavi.org, which states as under.
QUOTE:
GDPR Exclusion
It is declared that Naavi.org follows the principles of Privacy protection under Information Technology Act 2000 as amended from time to time and where there is a conflict with any other international law or guideline, the provisions of ITA 2000 shall prevail. In particular, Naavi.org does not subject itself to the administrative jurisdiction of GDPR and any data subject who intends to be protected by GDPR and not ITA 2000 shall not use any of the services of this site or its networked sites. Any claims made under non-ITA 2000 statutes or regulations regarding privacy protection or otherwise are unacceptable and may be deemed as maliciously intended.
UNQUOTE
It is also possible to consider that the act of visiting a website established from the shores of India and availing of any of its services is like "virtually visiting Indian shores" and hence does not constitute an "activity of the Data Subject in the EU".
Hence I would like Indian Companies on the web, and App developers, to review their privacy policies and include a "GDPR Exclusion Clause" so that they do not unnecessarily become liable under GDPR because of a stray visitor who may come from the EU.
Naavi