We’ve covered the European Union’s General Data Protection Regulation in a series of posts over the last couple of weeks. You can read our summary of the Regulation here, and our post on the important features of the Regulation here. In this post, we’ll be taking a look at the effect that the GDPR will have (and has already had) in the Indian context.

Data Transfer

As mentioned in our earlier article on the key features of the GDPR, one of the major changes is the set of restrictions placed on the export of personal data. Under the GDPR, personal data cannot be transferred outside the European Economic Area unless the European Commission has issued an adequacy decision finding that the destination country provides an adequate level of protection, or specific transfer mechanisms (such as standard contractual clauses or binding corporate rules) have been put in place.

As of today, only a handful of countries have been deemed adequate, and India is not one of them. While it is still too early to quantify the impact this has had on Indian businesses, it is almost certain to have had adverse effects. The EU is the world’s largest single market, and the second largest market for the Indian IT sector after the US. Restrictions on transfers of data to Indian companies would affect that industry’s performance, or at the very least make it less attractive to potential international customers.

Increased compliance obligations

As also mentioned in our previous article, in the absence of an adequacy decision, European companies have to ensure that any data transfer to Indian entities is accompanied by appropriate safeguards. The European Commission has approved standard contractual clauses for use in commercial contracts, and the GDPR also allows codes of conduct to be drawn up by bodies representing categories of controllers or processors.

European companies are likely to insist on stringent GDPR compliant standards from their Indian partners, due to the significant penalties attracted by non-compliance. For Indian companies, some of these would include:

  1. Obtaining valid consent – Consent under the GDPR must be freely given, specific, informed and unambiguous (and explicit for special categories of data). We’ve written about this requirement at length, but its importance cannot be overstated. Indian companies handling EU personal data would need to ensure that their consent flows and terms of use comply, bearing in mind that consent buried in general terms of use, or bundled with unrelated terms, is not valid consent under the GDPR, and that the heavy penalties for non-compliance apply.
  2. Increased safeguards – Indian organisations would also have to make the structural changes the GDPR implies, to ensure data minimisation, transparency, security of processing, and breach notification mechanisms (a processor must notify the controller without undue delay, and the controller must notify the supervisory authority within 72 hours of becoming aware of a breach).
  3. Pseudonymisation – The GDPR defines pseudonymisation as the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that the additional information is kept separately and is subject to technical and organisational measures. It is an explicitly recognised safeguard: it counts towards the appropriate security that controllers and processors must implement, and it is one of the factors weighed when assessing whether further processing for a new purpose is compatible with the purpose for which the data was originally collected. Note that pseudonymised data remains personal data under the GDPR (only truly anonymised data falls outside it), so pseudonymisation reduces risk and eases compliance rather than removing obligations. Indian organisations would do well to ensure that they have appropriate systems in place to pseudonymise user data, and in particular that the key or mapping table needed for re-identification is held separately with its own access controls, to remain competitive in the global ecosystem.
  4. Data Protection Officers – Many Indian entities have already moved to appoint DPOs. The GDPR makes the appointment mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; for others it remains good practice. The appointment adds legitimacy to organisations and shows a commitment to ensuring compliance with GDPR obligations.
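The pseudonymisation item above describes the mechanism only in the abstract. The following Python example is added here and is not code from the original post. It shows a keyed-token approach (HMAC-SHA256 under a secret key that is held separately from the data) and contrasts it with an unkeyed hash, which looks pseudonymous but can be reversed by guessing for low-entropy identifiers such as e-mail addresses. The records, the attacker’s guess list and the in-memory key handling are constructed for illustration; in production the key would live in a KMS or HSM with its own access controls.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Set

# Constructed sample records; the people and amounts are invented for this example.
RECORDS = [
    {"email": "alice@example.com", "city": "Pune", "amount": 1200},
    {"email": "bob@example.com", "city": "Delhi", "amount": 300},
    {"email": "Alice@Example.com", "city": "Pune", "amount": 450},
]

# Constructed attacker guess list: e-mail addresses are easy to enumerate.
GUESSES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def normalise(identifier: str) -> str:
    """Canonicalise before tokenising so one subject always gets one token."""
    return identifier.strip().lower()


def naive_token(identifier: str) -> str:
    """Unkeyed SHA-256: anyone who can guess the input can confirm it."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information' in the
    GDPR definition: without it, a token cannot be attributed to a data subject."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes, field: str = "email") -> List[dict]:
    """Return a copy of `records` with `field` replaced by a keyed token.
    Rows belonging to the same subject stay linkable for analytics."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k != field}
        pseudo[f"{field}_token"] = keyed_token(rec[field], key)
        out.append(pseudo)
    return out


def dictionary_attack(tokens: Set[str], guesses: List[str],
                      token_fn: Callable[[str], str]) -> Dict[str, str]:
    """Attacker model: knows the algorithm but not the key, and tries candidate
    identifiers. Returns token -> recovered identifier for every match."""
    lookup = {token_fn(g): g for g in guesses}
    return {t: lookup[t] for t in tokens if t in lookup}


def reidentify(token: str, key: bytes, known_subjects: List[str]) -> Optional[str]:
    """Only the key holder can re-identify a token, e.g. to answer a data subject
    access request. Constant-time comparison avoids leaking partial matches."""
    for subject in known_subjects:
        if hmac.compare_digest(keyed_token(subject, key), token):
            return normalise(subject)
    return None


def demo() -> dict:
    """Run the whole flow with a fresh random key and report what each party can do."""
    key = secrets.token_bytes(32)  # assumption: in production this comes from a KMS
    pseudo = pseudonymise(RECORDS, key)
    naive_tokens = {naive_token(r["email"]) for r in RECORDS}
    keyed_tokens = {r["email_token"] for r in pseudo}
    return {
        # records 0 and 2 are the same person and remain linkable
        "linkable": pseudo[0]["email_token"] == pseudo[2]["email_token"],
        # unkeyed hashing: the attacker recovers both real subjects from the guess list
        "naive_recovered": len(dictionary_attack(naive_tokens, GUESSES, naive_token)),
        # keyed tokens: the same attack recovers nothing without the key
        "keyed_recovered": len(dictionary_attack(keyed_tokens, GUESSES, naive_token)),
        # the key holder can still answer "which token is bob's?"
        "reidentified": reidentify(pseudo[1]["email_token"], key, GUESSES),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the separation: the analytics team receives only the tokenised records, while the key (and therefore the ability to re-identify) stays with a narrowly scoped service. Rotating the key produces a fresh set of tokens, which is also how you break linkability with older datasets when a retention period ends.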

From the above, it is evident that there are significantly increased compliance obligations under GDPR. Naturally, this would result in increased compliance costs, which could be substantial for smaller organizations (and startups in particular).

Impact on Indian businesses

In spite of the increased costs and compliance obligations, a 2019 report compiled by Cisco showed that India ranks 6th globally (admittedly, out of 18 countries surveyed) in terms of GDPR compliance. Perhaps this is not surprising, as the EU (and therefore EU citizens/residents) constitute a very important market to India’s key IT and manufacturing industries.

Another interesting takeaway from the above-mentioned report is the set of benefits that organizations (including Indian ones) reported alongside GDPR compliance. These included faster sales turnaround times, fewer data breaches, less system downtime, and significantly lower costs associated with data breaches. While more data is required to establish whether these benefits are caused by compliance rather than merely correlated with it, it appears that strong privacy protections are an important consideration for customers in 2019, and therefore that companies with strong privacy protections in place would have a clear advantage over competitors.

Further, while the costs associated with GDPR may certainly work to the detriment of Indian entities, it is worth noting that the Indian government may soon bring in its own data protection law, which by all accounts would impose similar compliance requirements. It may therefore only be a matter of time before the structural changes brought on by GDPR compliance are looked at simply as a natural cost of doing business.

Home-grown legislation

Perhaps the most significant impact of the GDPR on India is not in the corporate sphere, but its impact on the average citizen. After the GDPR’s adoption in 2016 and the Supreme Court’s 2017 decision (Justice K.S. Puttaswamy v. Union of India) holding privacy to be a fundamental right, a draft Personal Data Protection Bill was formulated in 2018. While the Bill has yet to be tabled in Parliament, its text is publicly available.

A perusal of the Bill shows strong GDPR influence: many of the rights of citizens and the obligations on companies overlap significantly. The Indian Bill also adds certain interesting provisions, such as criminal penalties for certain offences, and the recasting of the controller as a “data fiduciary” that owes duties to the “data principal” (the data subject).

While the mere fact that there is such a Bill is a welcome advancement, there are a number of questions around it as well. We will be taking a more in-depth look at the provisions of the Bill in a subsequent post.