Being GDPR compliant doesn't necessarily make companies ready for India's upcoming data protection laws

Advertisement
Being GDPR compliant doesn't necessarily make companies ready for India's upcoming data protection laws
India's upcoming data protection laws have more terms and conditions than Europe's General Data Protection Regulations (GDPR)BI India

  • Being compliant with the European Union’s General Data Protection Regulations (GDPR) won’t necessarily mean that companies are compliant with India’s upcoming Personal Data Protection Bill (PDP).
  • The scope of the PDP is broader and will require companies to make changes to their data management policies in order to operate in India.
  • Once PDP comes into effect, GDPR compliant companies may only have to make a few changes but new laws will be a sea-change for companies who were only compliant to the existing Indian data protection laws.
India is ready to take a stab at formulating its first laws to govern data and it is using the European Union’s General Data Protection Regulations (GDPR) as the template. And, for companies operating in India, this could end up being a stick in the mud.

While GDPR and India’s Personal Data Protection Bill (PDP) are similar in many ways, the differences between them mean that a company which is compliant in Europe may not necessarily be compliant under the PDP.

“The PDP scope of application is broader than that of the GDPR as an entity will fall within scope merely by processing personal data in India when compared to that of GDPR,” Neeraj Dubey, a partner of corporate law at Singh & Associates told Business Insider.
Advertisement


A broader definition of sensitive personal data
Unlike the GDPR, the PDP has divided data into three categories — personal data, sensitive personal data, and critical personal data.

The latter is particularly important since there is no parallel for it in Europe’s laws and it comes with its own unique set of terms and conditions, like being obligated to data localisation.

Advertisement

Moreover, India has thrown a wider net over what constitutes sensitive personal data as compared to the GDPR. A company may have to comply even if it merely processes personal data in India, and doesn’t collect the data locally, according to law firm Covington and Burling.

For instance, financial data has been categorised under sensitive personal data. “This is an area of concern as processing of sensitive personal data involves greater compliance requirements. Consequently, the large innovations in fintech space, which is currently being observed in India, may get affected,” points out Supratim Chakraborty, a partner specialising in data privacy and protection at Khaitan & Co.

This means even if companies are GDPR compliant, they will have more sorting and more rules to abide by.

Advertisement
Government stronghold on critical personal data
Not only is critical personal data a new category altogether, companies have to make sure that it is exclusively stored and processed in India. In order to transfer any data that falls into that category outside of India, firms will need additional approval from the Data Protection Authority (DPA) and the Supervisory Authority.

“Therefore, compliance with the GDPR may not result in compliance with the PDP, since transfer outside India will depend on approvals and permissions, either by the DPA or the central government,” noted Ikigai Law.

Government intervention doesn’t stop there. The GDPR doesn’t lay out any terms and conditions to monitor anonymised data. The PDP, however, allows the central government to access non-personal data as long as it’s to frame policies in the interest of the ‘digital economy’.

Advertisement
For users, this a bigger question of privacy. Meanwhile, for companies, it implies that anonymisation standards may differ between the two frameworks.

“Given the current ambiguity in several key provisions of the PDP, the overreaching powers given to the executive, and the exemptions granted to it under the PDP, adequate safeguards and checks and balance are required to be built into the legislation to prevent any misuse of its provisions” said Namita Viswanath, a partner at IndusLaw.

The question of consent
While one can understand the requirement of having terms and conditions available to users in multiple languages, especially in a country as diverse as India — it means a lot more work for companies collecting data.

Advertisement
While firms only need to cough up consent in English under the GDPR, they will have to arrange for multiple languages under the PDP.

India’s data protection framework also proposes setting up ‘consent managers’ — a new type of entity of channelling consent. “Data principal [user] may give or withdraw consent through a “consent manager” whereas no such provision exists under GDPR,” explained Dubey.

Penalties under the Data Protection Bill, 2019:
OffencePenalty
Processing or transferring personal data in violation of the BillFine of ₹15 crore of 4% of annual turnover, whichever is higher
Failure to conduct a data auditFine of ₹5 crore or 2% of annual turnover, whichever is higher
Re-identification and processing of de-identified data without consentImprisonment of up to three years, or fine, or both

Advertisement
‘Legitimate interests’ versus ‘reasonable purposes’
The GDPR states that data can be retained for a longer time in cases of archiving, research and statistical analysis. The PDP, on the other hand, proposes that data can be retained for longer stretches of time if the user consents or if required in compliance with any obligation under the law.

India’s bill also allows companies to process data for ‘reasonable purposes’. However, unlike the GDPR’s ‘legitimate interests’ — which are clearly outlayed — a purpose will be deemed ‘reasonable’ only by the overarching authority, the DPA. This leaves companies with a lot of grey area, in which to operate.

“The term ‘reasonable purpose’ is extremely broad and has been left to the subsequent prescription by the DPA, while under the GDPR, the scope of ‘legitimate interest’ can be determined by data controllers on a case-to-case basis,” said Viswanath.

Advertisement
To tell or not to tell — who has the power?
Under the GDPR, all breaches are to be reported to supervisory authority and to the users as well.

India, however, won’t require users to be informed by law. In the case of a data breach, a data company will only have to inform the end users if the DPA deems it so.

“Many provisions under the PDP have been left open-ended and for the Central Government or the Data Protection Authority to notify subsequently, leaving a huge scope for potential misuse and room for ongoing regulatory uncertainty,” said Viswanath.

Advertisement
SEE ALSO:
Datacracy: Indian Prime Minister's 'data democracy' must avoid the flaws of the country’s political system

India’s new data protection bill makes a good show of user rights — but can it deliver on its promises?

Whatsapp, Signal and Telegram face a catch-22 situation as India’s new social media rules threaten encryption