OP. ED.

In the modern digital era, privacy has attracted the attention of many policymakers, Judges, and scholars. The digital environment has placed the entire world within reach of a click, but has also exposed us to the snooping eyes of governments and private individuals. It is in this context that the right to privacy plays a crucial role. With the aim of having a regulatory policy in place to protect individuals in the European Union (EU) from violations of their personal data and privacy, the EU Parliament adopted the General Data Protection Regulation[1] (GDPR) on 14-4-2016[2], repealing the previous Directive 95/46/EC (old Directive).

This article aims to discuss the provisions of the GDPR and explore their impact on Indian businesses. The GDPR merits careful study in the Indian context for two reasons. Firstly, it has extraterritorial application (discussed below), thereby affecting the interests of several Indian businesses operating within the EU. Secondly, the GDPR has set international standards for data protection regimes in the global digital era. The principles embodied in the GDPR were referred to extensively in the judgment in K.S. Puttaswamy v. Union of India (Privacy judgment).[3] Even the Data (Privacy and Protection) Bill, 2017[4] introduced in the Lok Sabha follows the same framework as the GDPR and can be seen as a “summary” of the GDPR.

Justice Chandrachud, in his judgment, acknowledged that internet usage has increased exponentially and that individuals leave “electronic tracks”.[5] These tracks (including food habits and preferences), even though individually “inconsequential”, he notes, disclose who the user is and what his/her interests are. The age of information and its concomitants, such as cookies, big data and data mining, has given birth to complex issues for privacy. He focused on the centrality of the individual’s autonomy, consent, and transparency. Similarly, Justice Kaul stressed the increasing invasion of privacy due to new technology, and endorsed the GDPR’s principles with respect to restrictions on “profiling” and the “right to be forgotten”.[6]

This article is divided into four parts. In Part I, we discuss the categories of information covered under the phrase “personal data” and protected under the GDPR. In Part II, we discuss the scope of the GDPR and how Indian businesses would be covered due to the extraterritorial application of GDPR. In Part III, we talk about the extensive number of obligations imposed on the covered entities. Finally, in Part IV, we analyse the other impacts of the GDPR on the non-EU businesses.

I. Information covered under “personal data”

GDPR affords protection to information that falls within the ambit of “personal data”. “Personal data” was given a very broad definition in the old Directive and the same has been carried forward in the GDPR. It is defined as “any information relating to an identified or identifiable natural person”[7]. A person can be identified by way of “a name, an identification number, location data, an online identifier or … factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”[8]. The definition covers both “objective” data (e.g., biometric data, presence of a substance in a patient’s blood) and “subjective” data (e.g., an individual’s opinion, the assessment of an employee, the assessment of the reliability of borrowers). The data can be either true or false. It can be in any format (e.g. alphabetical, numerical, graphical, photographic or acoustic). For example, customer preferences, a customer’s recorded voice in telephone banking and images taken by video surveillance all constitute “personal data”. The only qualifier is that the data (or a combination of data) in the possession of the entity must be comprehensive enough to “identify” an individual. For instance, a very common family name might ordinarily not be sufficient to identify anyone, but the same family name used within a specific organisation (for example, a school) might be sufficient to identify the individual.[9] It is worth noting, however, that anonymous or anonymised data is not “personal data” and hence is not covered by the data protection regime, thereby allowing the free exchange of data where identification of an individual is not possible. The test is whether identification is possible by anyone with the data, not merely by the entity holding it: data from which identifiers have been stripped but which can still be linked back to a person (for instance, with a separately held key) is pseudonymised, not anonymised, and remains personal data.

II. Scope of GDPR

GDPR covers all entities “established” in the EU and certain entities not established in the EU. Under the former, an entity operating in the EU through one of its “establishment[s]” (e.g. a sales office or representative) and processing personal data in the context of the activities of that establishment is covered by the GDPR, irrespective of whether the processing itself takes place in the EU or not.[10] Under the extraterritorial application, an entity not established in the EU is covered only if it is performing either of the following—

1. Offering goods or services to EU data subjects

If a non-EU entity is directing its business activities towards EU residents, and, in the process of doing so, is collecting personal data of those data subjects, then the entity is covered by the GDPR. The test is whether the entity envisages offering goods or services to an EU resident. In deciding whether the activities are “directed” at EU residents, various factors have to be considered, such as the intention of the non-EU entity, the currency of the trade and the language used (including the possibility of placing an order in the local language of the targeted EU resident). Merely setting up a website that is accessible to EU residents is not enough.[11] This approach reflects the decision of the European Court of Justice in Weltimmo s.r.o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság, where the Court factored in the use of the Hungarian language on the website.[12]

2. Monitoring behaviour of EU data subjects

This condition is designed especially to cover those entities that collect personal data on the internet for the purposes of profiling individuals, taking decisions regarding them, or analysing or predicting their personal preferences, attitudes and usage behaviour. As per the recitals of the GDPR, under certain circumstances, personal data would also cover “cookie”[13] identifiers and IP addresses[14]. This can have widespread ramifications for the numerous entities that use cookies on their websites to gauge customer preferences and usage patterns. A decision of the Court of Appeal of England and Wales in Vidal-Hall v. Google Inc. exemplifies a similar understanding.[15] The Court in that case held that browser-generated information (BGI), which included IP addresses, websites visited and advertisements opened, among other things collected by Google through cookies, constituted “personal data”.[16] This has a huge impact on “how [businesses] collect, use and store private information, and what risk management controls are in place to protect them against potentially costly litigation”.[17]

III. Obligations on controller and/or processors under GDPR

GDPR classifies the entities into two categories — controller and processor. A controller is an entity that “determines the purposes and means of the processing of personal data”.[18] An entity processing the personal data on behalf of a controller is a processor.[19]

The majority of the obligations are imposed on the controller; however, the controller may have to discharge these obligations through the processor. For instance, suppose a controller employs another entity (the processor) to process the consumer data collected by it. If a data subject requests the controller for access to the information relating to him, the controller would direct the processor to retrieve the data and send it to the controller. The processor is obliged to adhere to the controller’s directions.

Some of the important obligations imposed on controllers/processors to protect privacy are mentioned below—

1. Strengthened consent requirements

GDPR has strengthened the requirements of consent, giving data subjects control over whether or not their personal data will be processed. Consent from a data subject must be freely given, specific, informed, and an unambiguous indication of their wishes (either by a statement or by a clear affirmative action).[20] Pre-ticked boxes and silence or inactivity therefore do not amount to consent. The data subject has the right to withdraw consent at any time,[21] and hence retains a high degree of control. One of the major changes introduced is that the burden of proof is placed on the controller to demonstrate that the data subject consented to data processing for a specified purpose.[22] Further, if consent is obtained through a contractual agreement, then the request for consent to data processing must be clearly distinguishable from the other parts of the agreement.[23]

2. Requirement of providing information to data subjects

If a controller is collecting information of a data subject, then an information notice must be provided to the latter. This notice must specify the identity and contact details of the controller, the purpose of the data processing, the period for which the data will be stored, the existence of the various rights of the data subject, the recipients of the personal data, any other information necessary to guarantee fair processing of personal data, etc.[24] These conditions do not differ substantially from the old Directive.

3. Breach and notification

In case of a personal data breach, the controller is responsible for reporting the matter to the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.[25] This obligation does not apply if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the controller has the additional obligation to communicate the breach to the affected data subjects “without undue delay”.[26]

However, the obligation to inform the data subjects does not arise in three cases.[27] First, where the controller had applied technological protection measures to the affected data, rendering it unintelligible to the unauthorised person (encryption is the usual example, provided the key itself was not compromised). Second, where the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise; for instance, the controller immediately identifies and takes action against the person concerned.[28] Third, where informing each data subject individually would involve a “disproportionate effort” (indicative factors being the number of subjects and the age of the data), in which case a public communication or similar measure must be issued to inform the data subjects of the breach.[29] Note that these exemptions relate only to communication to data subjects; the notification to the supervisory authority is still required unless the breach is unlikely to result in any risk.

4. Stronger rights given to data subjects

GDPR has strengthened the existing rights of data subjects and introduced new rights as well. Data subjects have a right to access the data held by the controller. Controllers must, upon request, confirm whether they are processing an individual’s personal data, provide a copy of the data, and provide supporting explanatory material. In certain circumstances, data subjects have the right to object to specific types of processing, such as processing for research/statistical purposes or for direct marketing, among others. Data subjects have a new right of data portability, making it easier to transmit personal data between service providers.[30] GDPR not only fortifies the right to be forgotten, as recognised in the Google Spain case,[31] but also expressly acknowledges the counterbalancing factors, such as freedom of expression.[32]

5. Duty to undertake data protection measures

The controller/processor is required to implement appropriate technical and organisational measures, such as pseudonymisation[33] and encryption[34], in an effective manner and to integrate the necessary safeguards into the processing, so as to comply with the GDPR obligations and protect the rights of data subjects.[35] The same provision also expects the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability of the data after an incident, and regular testing of the effectiveness of the measures, with the level of security matched to the risk of the processing.
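As an added worked example (not from the article, and not the code of any authority or project it cites), the following Python shows what the pseudonymisation referred to above looks like in practice, using constructed HR records and a hypothetical key. It also shows why an unkeyed hash of a low-entropy identifier is not pseudonymisation in any useful sense: it can be reversed by enumeration. Because the key holder can re-identify subjects, pseudonymised data remains “personal data” (contrast the anonymised data discussed in Part I); conversely, a pseudonymised dataset that leaks without its key is the kind of “unintelligible” data that the breach-communication exemption under Art. 34(3) contemplates. The record fields, key and function names are all assumptions made for the illustration.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample HR records (fictional people and IDs, not data from the article).
# "employee_id" is a 4-digit number: a small identifier space, which matters below.
RECORDS = [
    {"name": "Asha Rao", "email": "asha@example.com", "employee_id": "0427",
     "dept": "sales", "salary_band": "B2"},
    {"name": "Ben Okafor", "email": "ben@example.com", "employee_id": "1190",
     "dept": "sales", "salary_band": "B1"},
    {"name": "Asha Rao", "email": "asha@example.com", "employee_id": "0427",
     "dept": "sales", "salary_band": "B2"},
]

# Fields that directly identify a person; they must stay with the key holder.
DIRECT_IDENTIFIERS = ("name", "email", "employee_id")


def naive_token(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic, but anyone can recompute it,
    so for a small identifier space it is reversible by enumeration (see below)."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held separately from the data (the 'additional
    information' that Art. 4(5) GDPR requires to be kept apart). Same identifier and
    key give the same token, so records can still be linked per subject for analytics."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Strip the direct identifiers and replace them with one keyed token."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = keyed_token(record["employee_id"], key)
    return out


def reverse_naive_token(token: str) -> Optional[str]:
    """What an attacker does with an unkeyed hash of a 4-digit ID: try all 10,000 values."""
    for n in range(10_000):
        candidate = f"{n:04d}"
        if naive_token(candidate) == token:
            return candidate
    return None


def reidentify(token: str, key: bytes, known_ids: Iterable[str]) -> Optional[str]:
    """The key holder re-identifies a token by recomputing it over the identifiers it
    holds. With the wrong key every recomputation fails, so the same loop yields nothing."""
    for emp_id in known_ids:
        if hmac.compare_digest(keyed_token(emp_id, key), token):
            return emp_id
    return None


if __name__ == "__main__":
    # Hypothetical key for the demo; in practice generate it with secrets.token_bytes(32)
    # and store it in a system (KMS/HSM) separate from the pseudonymised dataset.
    key = b"example-key-do-not-use-in-prod"
    dataset = [pseudonymise(r, key) for r in RECORDS]
    print(dataset)  # no names or emails, but records 0 and 2 share a token
    print("unkeyed hash reversed to:", reverse_naive_token(naive_token("0427")))
    print("key holder:", reidentify(dataset[0]["subject_token"], key, ["0427", "1190"]))
    print("wrong key :", reidentify(dataset[0]["subject_token"], b"wrong", ["0427", "1190"]))
```

The design point is key separation: the analytics team receives only `dataset`, the key lives elsewhere, and destroying the key (and the original records) is what would turn the tokens into anonymous data. Truncating the token to 16 hex characters keeps it short while leaving enumeration of the key space infeasible; rotating the key breaks linkage across rotation periods, which may or may not be what the processing purpose needs.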

6. Data protection impact assessment

Similar to the prior-checking requirement of the old Directive, GDPR mandates the controller to conduct an impact assessment where processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of data subjects. This obligation is triggered in particular where there is systematic and extensive evaluation of individuals based on automated processing, large-scale processing of sensitive data or data relating to criminal convictions, or systematic large-scale monitoring of publicly accessible areas. The controller is obliged to assess the impact of the envisaged processing on the protection of personal data before the processing begins.[36]

7. Appointment of Data Protection Officer

Business entities (controllers and processors) covered by the GDPR are required to appoint a Data Protection Officer (DPO) in certain cases. This obligation is triggered if (i) the core activities of the entity (as explained below) consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or (ii) the core activities consist of large-scale processing of special categories of data or data relating to criminal convictions. The Article 29 Working Party Guidelines[37] indicate that core activities also include processing that is “inextricable” from the entity’s core activities (e.g. the processing of patients’ information by a hospital). However, if the processing is merely ancillary, though “necessary” or “essential” to running the organisation, then there is no obligation to appoint a DPO (e.g. storing the salary information of an organisation’s employees). The DPO is the point of contact for the supervisory authority and for data subjects; separately, a non-EU entity caught by the extraterritorial provisions must designate a representative in the EU, who can be addressed in enforcement proceedings in the event of non-compliance by the controller or processor. Neither role makes the DPO personally liable for non-compliance with the duties of the controller/processor.

8. Obligations specific to the processor

Processors have to abide by their contract with the controller and comply with any other applicable EU or member State law. The contract between the two must provide that the processor carries out processing activities only on the documented instructions of the controller. The processor is responsible for ensuring that the personnel authorised to process the data are bound by confidentiality obligations. The contract must oblige the processor to delete or return the data to the controller on expiry of the contract, and to engage sub-processors only with the controller’s authorisation. The processor must also make available to the controller all information necessary to demonstrate compliance with its obligations, and must notify the controller without undue delay after becoming aware of a personal data breach.

IV. Other impacts on non-EU (including Indian) businesses

1. Allowing businesses to expand across borders

GDPR will help Indian businesses to expand their operations from one or a few EU countries to other member States. Under the old Directive, if an Indian company having operations in Germany wanted to expand to another member State such as France, the proprietor would have to deal with a different regulator, under different local (French) laws, for its various data processing activities. This added the cost of obtaining legal advice and possibly of changing business models in order to enter the new market. It had a prohibitive effect, especially where some member States required businesses to pay notification fees for processing data.

To ease business operations, GDPR has implemented a “one-stop-shop” mechanism. If an entity is engaged in cross-border processing of personal data (i.e. the processing, or its effect on data subjects, takes place in more than one member State), it deals with one “lead” supervisory authority for the purposes of compliance. Which authority leads depends on the location of the entity’s “main establishment”, that is, the place where the main decisions regarding the purposes and means of processing are taken, ordinarily its central administration in the EU; the supervisory authority of that member State acts as the lead supervisory authority.[38]

2. GDPR will help in the growth of new and small entrants in the market

As per GDPR, data subjects have a right to data portability.[39] It allows them to receive the personal data they have provided in a structured, commonly used and machine-readable format and to move it from one service provider to another. For instance, earlier, if a new business wanted to enter a market in which big corporations were already in place, consumers might not have wanted to shift to the new service provider, as their entire data was held on the existing service provider’s systems. With the right to data portability now available, consumers will be able to shift to new service providers more easily.

3. GDPR will help in improvement of international cooperation

GDPR has streamlined the process of data transfer to other countries. It provides for an “adequacy decision” — an acknowledgement given at EU level that a non-EU country affords adequate protection to data subjects through its domestic law or international commitments.[40] If no adequacy decision has been passed in favour of a country, data transfer can take place on the basis of “appropriate safeguards”, chiefly binding corporate rules (for transfers within a corporate group) or standard contractual clauses adopted by the Commission. These instruments incorporate provisions requiring the data recipient to adhere to EU standards of data protection. If there is neither an adequacy decision nor any appropriate safeguard, data transfer can take place only under very narrow derogations. These derogations cannot be invoked on a regular basis; the derogation for the controller’s compelling legitimate interests, in particular, is available only for non-repetitive transfers concerning a limited number of data subjects.[41]

4. Enhanced responsibility on knowledge process outsourcings

Under the GDPR, certain differentiated responsibilities have been imposed on both controllers and processors. Under the old Directive, data subjects had no direct remedy against processors. GDPR, however, makes processors directly subject to obligations and liability, and further provides that if a processor infringes the Regulation by itself determining the purposes and means of processing, it is treated as a controller in respect of that processing.[42] These provisions put numerous Indian businesses engaged in knowledge process outsourcing (KPO) at risk of liability.

GDPR is bound to give jitters to Indian businesses looking to expand their operations to the EU. In the long term, one can expect these norms to be imported into India, as the GDPR has taken the lead by setting high industry standards. The Privacy judgment[43] is just a start towards a safer tomorrow for data subjects and a tougher one for businesses.

——————————-

* 5th year students, BBA LLB, O.P. Jindal Global University, Sonipat.

[1]  Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Regulation (EU) 2016/679.

[2]  The GDPR will come into force on 25-5-2018.

[3]  (2017) 10 SCC 1, p. 252 of Justice Chandrachud’s judgment. The Report of group of experts referred to by Justice Chandrachud heavily relies on the EU Data Protection Regimes.

[4]  The Data (Privacy and Protection) Bill, 2017, Bill No. 100 of 2017, available at <http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/889LS%20AS.pdf>.

[5]  Justice Chandrachud, (2017) 10 SCC 1, 196, 197.

[6]  Justice Kaul, (2017) 10 SCC 1, p. 7, 8, 35, 36.

[7]  Art. 4 of the GDPR.

[8]  Art. 4 of the GDPR.

[9]  Art. 29, Data Protection Working Party, Opinion 4/2007 on the concept of Personal Data, 01248/07/EN.

[10]  Google Spain SL v. Agencia Española de Protección de Datos, 2014 QB 1022 : (2014) 3 WLR 659, also available at <http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0131&from=EN>.

[11]  Recital 23 of the GDPR.

[12]  (2016) 1 WLR 863, also available at <http://curia.europa.eu/juris/document/document.jsf?docid=168944&doclang=EN>.

[13]  A cookie is a small piece of data that a website instructs the browser of a visitor to store. The browser sends it back to the server of the same website on every subsequent request, which lets the site recognise the returning visitor and tailor content to his/her previous behaviour.

[14]  Recital 30 of the GDPR.

[15]  (2015) 1 WLR 4934 : 2015 EWCA Civ 311, available at <https://www.judiciary.gov.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf>.

[16]  Para 115 of the judgment.

[17]  Aon Risk Solutions, Data privacy: New ruling may change the game for companies’ cyber exposures, available at <http://www.aon.com/attachments/risk-services/Google-vs-Vidal-Hall-Cyber-News-Alerts-Final.pdf>.

[18]  Art. 4(7) of the GDPR.

[19]  Art. 4(8) of the GDPR.

[20]  Art. 4(11) of the GDPR.

[21]  Art. 7(3) of the GDPR.

[22]  Art. 7(1) of the GDPR.

[23]  Art. 7(2) of the GDPR.

[24]  Art. 13(1) of the GDPR.

[25]  Art. 33(1) of the GDPR.

[26]  Art. 34(1) of the GDPR.

[27]  Art. 34(3) of the GDPR.

[28]  Guidelines on personal data breach notification under Regulation 2016/679.

[29]  Art. 34(3) of the GDPR.

[30]  Art. 20 of the GDPR.

[31]  2014 QB 1022 : (2014) 3 WLR 659, also available at: <http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0131&from=EN>.

[32]  Art. 17(3)(a) of the GDPR.

[33]  “Pseudonymisation” of data means substituting the identifying characteristics of data with a pseudonym, so that the data can no longer be attributed to a specific data subject without the use of additional information (e.g. a key or lookup table) that is kept separately and under technical and organisational safeguards.

[34]  Encryption transforms data into a form that is unintelligible without the corresponding cryptographic key. The protection therefore depends on the key being kept secret and separate from the encrypted data.

[35]  Art. 32(1) of the GDPR.

[36]  Art. 35 of the GDPR.

[37]  The Article 29 Working Party was constituted under Art. 29 of the old Directive 95/46/EC. Under the GDPR it is replaced by the European Data Protection Board (Art. 68), which carries its guidance forward.

[38]  Arts. 4(16) and 56(1) of the GDPR.

[39]  Art. 20 of the GDPR.

[40]  Art. 45 of the GDPR.

[41]  Recital 113 of the GDPR.

[42]  Art. 28(10) of the GDPR.

[43]  (2017) 10 SCC 1.