By Devanshi Kothari
GDPR and India’s Right to Privacy: Implications for
The new EU General Data Protection
Regulation (EU GDPR) will come into effect on 25 May 2018. This regulation
stipulates that all businesses within the European Union, or dealing
with the EU, will have to comply with GDPR. This will make all such businesses
liable to protect any data that is categorised as “personal”. For Indian
businesses, this can be a serious setback as the EU is India’s largest trading
Simply put, data privacy means obtaining the
consent of the individual to collect personal data, being transparent as to why
it is being collected, and deleting it when consent is withdrawn. A fine line
separates implicit consent (withdrawing) from explicit consent (allowing).
Protecting data involves active steps to prevent breaches and leaks.
does the EUGDPR pose for India?
The EUGDPR is a legally binding regulation,
not a directive, that brings service providers directly under its purview. It
also affects Indian companies that have expanded or plan to expand
internationally, such as SBI and Flipkart. Since the EU has been one of the biggest
markets for the Indian IT/BPO sector, the Indian government has been concerned
about the potential implications this will have for its national security
policies, business opportunities and trade. Due to the differences in
regulatory practices, the legal parameters have been ambiguous, which makes
compliance more complex and difficult to achieve. The Indian government has
concerns with regard to the following issues:
- The Indian IT/BPO industry requires an increased free flow of data to be
transferred from the EU
- The regulation will limit EU companies’ outsourcing options which will
result in obvious opportunity losses for businesses in India
- India’s relatively weak data
protection laws make India less competitive as an outsourcing market in this
space when other economies are updating their regulatory practices to ensure
seamless inter-state operability
- Largely inflexible, GDPR reduces the extent to which businesses can
assess risks and make decisions when it comes to transferring data outside the
- The regulations directly target service providers, who will have to face
high costs such as investing in “cyber insurance” whilst adopting new technology. Non-compliance will result in severe penalties.
India’s Right to
In a landmark
judgement announced on 24th August, 2017, the Supreme Court of India
declared that the ‘Right to Privacy’ is a fundamental right applicable to
all 134 crore citizens of India. This decision encompasses all aspects of
civilian life under its purview, from sexual autonomy to data proliferation.
government, having recently undertaken a gargantuan digital transformation
journey of going cashless and paperless, is collating citizen biometric data through
‘DigiLocker’ for the ‘Aadhaar’ scheme. It is also developing an e-governance
platform called ‘Digital India’ and a cashless delivery service under
‘IndiaStack’. The consecutive implementation of demonetisation and the Goods
and Services Tax will require all businesses to maintain electronic invoices
online. The government will have to tighten its security practices and enforce
greater compliance by all web applications that offer digital transaction
services. By drawing upon the regulatory practices of GDPR, India could develop
an over-arching data protection regime that would extend to all government and
business practices, as this will only boost growth in the long run.
What is the way
When it comes to designing data protection
for businesses in India, the stakes are high, emphasizing the need for businesses,
organizations and governments to adopt comprehensive data protection practices
at all levels. This can be ensured in the following ways:
- A risk-based approach to data privacy can significantly reduce the
potential of non-compliance violations or a breach.
- Adoption of smart cost-efficient ways to address cyber security.
- End-to-end encryption to ensure compliance
- A provision for Indian citizens to claim penalties if businesses fail to
obtain clear consent
- Distinguishing between personal and sensitive data. Individual names and
email IDs are personal but freely available. However, a person’s sexuality,
race, net worth or investment decisions are sensitive data which require
- Clear rules regarding portability of customer data: what can or cannot
be shared with or without consent.
- Professional training for employees to acquire specific skill sets to
develop a stronger data protection regime
GDPR is an
excellent opportunity for India to update its regulatory practices and
effectively implement the fundamental right to privacy. The IT/BPO sector should use this as a
stepping stone to move up the value chain by strengthening its automation
portfolio and making the industry more competitive in the global market.
About the author
Devanshi Kothari is a member of the Information Services team at MitKat and is studying Global Affairs at Jindal Global University.
Disclaimer: Any views or opinions represented in this blog are of the author and do not represent those of MitKat. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.