In our previous article, we had discussed about the impact of General Data Protection Regulations (“GDPR”) on Indian businesses, which comes into effect this Friday, May 25, 2018. We had ended on a note that although GDPR might not be applicable to Indian businesses which do not meet the GDPR long-arm criteria, it would still be prudent for all Indian businesses to analyze and review their current IT policies and practices, in the light of the upcoming changes in the Indian regime as it’s best to err on the side of caution. As they say, “Do it today or regret it later“.
Before we dive deep into the discussion on GDPR and the current Indian Data Protection Regime, let’s take a quick glance at the highlights of GDPR:
- GDPR is replacing the earlier EU data protection directive from 1995 with the intention of giving more control to individuals over their personal data.
- GDPR applies to every entity to the extent that it processes or controls the processing of personal data relating to individuals residing in the EU. It does not matter if the processing is done from within the EU or outside.
- GDPR introduces stricter conditions for consent; a broader definition of sensitive data; new provisions for protecting children’s privacy; mandatory obligation to report a breach, and the inclusion of the “right to be forgotten”.
In this article, we attempt to compare the requirements under GDPR with the Indian data privacy regime as its exists under the current Information Technology Act, 2000 (“IT Act”) as well as where it is likely to go with and the proposed data privacy law, the shapes of which can be seen in the White Paper of the Committee of Experts on a Data Protection Framework for India (‘Upcoming Data Privacy Law”).
From the IT Act to the Upcoming Data Privacy Law
The IT Act, under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, imposes certain duties on businesses on handling sensitive personal data, such as passwords; bio-metrics; medical records; financial details and sexual orientation. Broadly, they cover:
- Obtaining written consent from persons providing information.
- Ensuring that the purpose, usage, intended recipients of information etc. are made known to persons providing such data.
- Ensuring that the information collected is used only for lawful purposes.
- Collecting and using information solely for the purpose for which it is collected.
- Obtaining fresh consent for processing information for any purpose apart from the original purpose for which it was collected.
- Retaining information only till the time it is required for fulfilling the purpose for which it was collected.
- Providing persons with an opportunity to review the information provided by them and to make necessary amendments if required.
The principles governing data privacy in India under the IT Act are going to become a lot more stringent once the Upcoming Data Privacy Law comes into effect, which is more comprehensive and in line with the principles covered under GDPR.
If we analyze the intricacies of the Upcoming Data Privacy Law, the number of commonalities with GDPR is quite evident. Concepts like Data Controller and Processor, Personal Data, Consent of Children, Right to restrict processing etc., which were unique to GDPR are also covered within the ambit of the Upcoming Data Privacy Law.
Principles laid down in the Upcoming Data Privacy Law
The Upcoming Data Privacy Law lays down the following key principles, which should form the basis of data protection framework in India –
- Need for informed consent: The law must ensure that the consent is ‘informed, genuine and meaningful’, leaving no room for vagueness or ambiguity. The reasons for data collection must be clearly stated and only the required information for processing should be sought.
- Minimal data processing: Data must be processed solely for the purpose for which consent is sought. For further processing of data, separate consent must be taken.
- Liability of the data controller: The data controller must define the means and purposes of processing data and will be answerable for any data breach, irrespective of the fact whether the processing was done by itself or by any third parties. The security levels and protocols of third parties must also be checked by the controller.
- Enhanced penalties: The law must introduce adequate and enhanced penalties to ensure deterrence for wrongful processing. For instance, quantum of civil penalties must be imposed if data controllers or processors violate their obligations under a data protection law.
A comparative look at the IT Act, GDPR, and the Upcoming Data Privacy Law
The following pictorial chart provides the key points of comparisons among the subjects covered under these legislation/s. It illustrates the scope of the following legislation/s and does not intend to imply that subjects covered under each of the legislation/s is exactly the same.
It has now become crucial for organizations to structure their business processes in compliance with the proposed regulations in the Upcoming Data Privacy Law, so that once enacted, it does not take a toll on their business. In the words of Charles Darwin, “It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change”.
The conclusion to be drawn from the above discussion is that the Upcoming Data Privacy Law seeks to remedy some of the present drawbacks in the IT Act by filling in the gaps through the introduction of newer concepts in relation to the collection, processing and handling of personal data. It also reinforces stricter standards and more stringent norms for data protection by revamping the existing regime to match global standards. It is, therefore, imperative for Indian businesses to set up tighter processes and internal controls to deal with personal data of individuals at the earliest. It does not really matter if GDPR applies to you today, for a regime quite similar to GDPR is likely to be a part of your life very soon.
For further queries or clarifications pertaining to compliance under the IT Act and GDPR, please feel free to contact us at email@example.com
- Himanshu Daga (Senior Associate-Legal Operations)
- Vivek Chattopadhyay (Associate, Legal Operations)
- Sharanya Mukherjee (Associate, Legal Operations)
All material included in this blog is for informational purposes only and does not purport to be or constitute legal or other advice. The Blog should not be used as a substitute for specific legal advice. Professional legal advice should be obtained before taking or refraining from an action as a result of the contents of this blog. We exclude any liability (including without limitation that for negligence or for any damages of any kind) for the content of this blog. The views and opinions expressed in this blog are those of the author/(s) alone and do not necessarily reflect the official position of Lexplosion. We make no representations, warranties or undertakings about any of the information, content or materials provided in this blog (including, without limitation, any as to quality, accuracy, completeness or reliability). All the contents of this blog, including the design, text, graphics, their selection and arrangement, are Copyright 2018, Lexplosion Solutions Private Limited or its licensors.
ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.