{"id":198913,"date":"2018-07-25T10:41:54","date_gmt":"2018-07-25T05:11:54","guid":{"rendered":"https:\/\/www.scconline.com\/blog\/?p=198913"},"modified":"2020-07-20T16:54:35","modified_gmt":"2020-07-20T11:24:35","slug":"eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence","status":"publish","type":"post","link":"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/","title":{"rendered":"EU data protection regulation \u2014 Impact on Indian businesses and jurisprudence"},"content":{"rendered":"

In the present day modern digital era, privacy has attracted the attention of many policymakers, Judges, and scholars. The digital \"\"environment has granted access to the entire world on a click, but has also exposed us to snooping eyes of the government and private individuals. It is in this context that the right to privacy plays a crucial role. With the aim of having a regulatory policy in place to protect all European Union (EU) citizens from any violation of personal data and privacy, the EU Parliament enacted the General Data Protection Regulation[1]<\/a> (GDPR) on 14-4-2016[2]<\/a>, repealing the previous Directive 95\/46\/EC (old Directive).<\/p>\n

This article aims to discuss the provisions of the GDPR and explore the impact on the Indian businesses. GDPR is important to be studied in the Indian context carefully for two reasons. Firstly, it has extraterritorial application (discussed below), thereby, affecting the interests of several Indian businesses operating within the EU. Secondly, GDPR has set international standards with respect to data protection regime in the global digital era. The principles embodied in the GDPR have been referred extensively in the judgment of K.S. Puttaswamy<\/em> v. Union of India<\/em> (Privacy judgment).[3]<\/a> Even the Data (Privacy and Protection) Bill, 2017[4]<\/a> introduced in the Lok Sabha follows the same framework as the GDPR and can be seen as the \u201csummary\u201d of GDPR.<\/p>\n

Justice Chandrachud, in his judgment, acknowledged the internet usage to have increased exponentially and the individuals leave \u201celectronic tracks\u201d.[5]<\/a> The tracks (including food habits, preferences), even though \u201cinconsequential\u201d, he notes that disclose who the user is and his\/her interests. The age of information and its concomitants such as cookies, big data, data mining, and has given birth to complex issues for privacy. He focused on the centrality of individual\u2019s autonomy, consent, and transparency. Similarly, Justice Kaul stressed on increasing invasion of privacy due to new technology, and gave support to principle in GDPR with respect to restrictions on \u201cprofiling\u201d and \u201cright to be forgotten\u201d.[6]\"\"<\/a><\/p>\n

This article is divided into four parts. In Part I, we discuss the categories of information covered under the phrase \u201cpersonal data\u201d and protected under the GDPR. In Part II, we discuss the scope of the GDPR and how Indian businesses would be covered due to the extraterritorial application of GDPR. In Part III, we talk about the extensive number of obligations imposed on the covered entities. Finally, in Part IV, we analyse the other impacts of the GDPR on the non-EU businesses.<\/p>\n

I. Information covered under \u201cpersonal data\u201d<\/strong><\/p>\n

GDPR affords protection to information that falls within the ambit of \u201cpersonal data\u201d. \u201cPersonal data\u201d was given a very broad definition in the old direction and the same has been carried forward in the GDPR. It is defined as \u201cany information relating to an identified or identifiable natural person\u201d[7]<\/a>. A person can be identified by way of \u201ca name, an identification number, location data, an online identifier or \u2026 factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person\u201d[8]<\/a>. The definition covers both \u201cobjective\u201d (e.g., biometric data, presence of a substance in a patient\u2019s blood) and \u201csubjective\u201d data (e.g., individual\u2019s opinion, assessment of an employee, assessment of the reliability of borrowers). The data can be either false or true. It can be in any format (e.g. alphabetical, numerical, graphical, photographical or acoustic). For example, customer preferences, customer\u2019s recorded voice in telephone banking, images taken by video surveillance, etc., they all constitute \u201cpersonal data\u201d. The only qualifier is that the data (or its combination) in the possession of the entity must be comprehensive enough to \u201cidentify\u201d an individual. For instance, ordinarily, a very common family name might not to be sufficient to identify anyone, but the same family name used within a specific organisation (for example, a school) might be sufficient to identify the individual.[9]<\/a> However, it is worth noting that anonymous or anonymised data is not \u201cpersonal data\u201d and hence is not covered by data protection regime, therefore, allowing free exchange of data where identification of individual is not possible.<\/p>\n

II. Scope of GDPR<\/strong><\/p>\n

GDPR covers all EU \u201cestablished\u201d entities and certain non-EU \u201cestablished\u201d entities. Under the former, if an entity is operating in the EU through one of its \u201cestablishment[s]\u201d (e.g. sales office or representative), and is processing the data of EU data subjects, irrespective of whether the processing is occurring in the EU or not, is covered under the ambit of the GDPR.[10]<\/a> Under the extraterritorial application, a non-EU \u201cestablished\u201d entities, would be covered only if it is performing either of the following\u2014<\/p>\n

1.Offering goods and services to EU subjects<\/em><\/p>\n

If a non-EU entity is directing its business activities towards the EU residents, and, in the process of doing so, is collecting personal data of the data subjects, then the entity would be covered under GDPR. The test is whether the entity envisages to offer goods and services to an EU resident. In deciding whether the activities are \u201cdirected\u201d at EU residents or not, various factors would have to be considered, such as the intention of the non-EU entity, currency of the trade and the language used (with the possibility of placing the order in the local language of the target EU resident). Setting up a website merely accessible to EU residents is not covered.[11]<\/a> This approach reflects the decision taken by the European Court of Justice in Weltimmo Sro<\/em> v. Nemzeti Adatv\u00e9delmi \u00e9s Inform\u00e1cioszabadsag Hatos\u00e1g<\/em>, where the Court factored in the use of the Hungarian language on the website.[12]<\/a><\/p>\n

2. Monitoring behaviour of EU data subjects<\/em><\/p>\n

This condition is, especially, designed to cover those entities that collect personal data on the internet for the purposes of profiling individuals, taking decisions regarding him\/her, or for analysis or prediction of their personal preferences, attitudes and usage behaviours. As per the recitals of GDPR, under certain circumstances, personal data would also cover \u201ccookie\u201d[13]<\/a> identifiers and IP addresses[14]<\/a>. This can have widespread ramification for numerous entities that use cookies on their websites to gauge customer preference and usage pattern. A decision from the UK High Court in Vidal-Hall<\/em> v. Google Inc.<\/em> exemplifies similar understanding.[15]<\/a> The Court in this case had held that browser-generated information (BGI) included IP addresses, websites visited, advertisements opened, among other things collected by Google through cookies constituted \u201cpersonal data\u201d.[16]<\/a> This would have a huge impact on \u201chow [businesses] collect, use and store private information, and what risk management controls are in place to protect them against potentially costly litigation<\/em>\u201d.[17]<\/a><\/p>\n

III. Obligations on controller and\/or processors under GDPR<\/strong><\/p>\n

GDPR classifies the entities into two categories \u2014 controller and processor. A controller is an entity that \u201cdetermines the purposes and means of the processing of personal data\u201d.[18]<\/a> An entity processing the personal data on behalf of a controller is a processor.[19]<\/a><\/p>\n

The majority of the obligations are imposed on the controller, however, it might be required to discharge these obligations through the processor. For instance, a controller employs another entity (processor) to process the consumer data collected by it. Now, if a data subject requests the controller to have access to the information relating to him, then the controller would direct the processor retrieve the data and send the same to the controller. The processor would be obliged to adhere to the controller\u2019s directions.<\/p>\n

Few of the important obligations that have been imposed on controller\/processor to regulate privacy are mentioned below\u2014<\/p>\n

1. Strengthened consent requirements<\/em><\/p>\n

GDPR has strengthened the requirements of consent, giving the data subjects control over whether or not their personal data will be processed. Consent from a data subject must be free, specific, informed, and with an explicit indication of their wishes (either by a statement or clear affirmative action).[20]<\/a> The data subject has the right to withdraw their consent at any time,[21]<\/a> and hence command a high degree of control. One of the major changes introduced is that it puts the burden of proof on the controller to prove that the data subject had given consent of data processing for a specified purpose.[22]<\/a> Further, if the consent is obtained through a contractual agreement, then the consent for data processing must be distinguishable in appearance with the other parts of the agreement.[23]<\/a><\/p>\n

2. Requirement of providing information to data subjects<\/em><\/p>\n

If a controller is collecting information of a data subject, then an information notice must be provided to the latter. This notice must specify identity and contact details of the controller, purpose of data processing, period for which the data will be sorted, existence of various rights, recipients of the personal data, any other information necessary to guarantee fair processing of personal data, etc.[24]<\/a> These conditions do not differ substantially from the old Directive.<\/p>\n

3. Breach and notification<\/em><\/p>\n

In case of personal data breach, the controller is responsible to report the matter to the appropriate supervisory authority without any delay and where feasible within 72 hours from the time of being aware of the same.[25]<\/a> This obligation is not applicable if it is unlikely to result in a risk to the rights and freedoms of natural persons. If the breach poses high risk to the rights and freedoms of the individuals, then the controller has the obligation to inform the data subjects regarding the same \u201cwithout any undue delay\u201d after first becoming aware of the data breach.[26]<\/a><\/p>\n

However, an obligation to inform the data subjects does not arise in three cases.[27]<\/a> First, where the controller adopts technological protection measures, rendering the information breached as incomprehensible to the unauthorised person. Second, when the controller has undertaken certain measures to eliminate the risk; for instance, the controller immediately identifies and takes an action against the person concerned.[28]<\/a> Third, in case the controller is required to be involved in a \u201cdisproportionate effort\u201d (indicative factors such as number of subjects and age of the data), then a public notice or similar measures must be issued to inform the data subjects of the breach.[29]<\/a><\/p>\n

4. Stronger rights given to data subjects<\/em><\/p>\n

GDPR has strengthened the existing rights of the data subjects and introduced new rights as well. The subjects have a right to access the data possessed by the controller. The controllers must, upon request, confirm if they are processing an individual\u2019s personal data, provide a copy of the data, and provide supporting explanatory materials. In certain circumstances, the subjects have the right to object to specific types of processing such as for research\/statistical purposes, and for direct marketing, among others. The subjects have a new right of data portability, making it easier to transmit personal data between service providers.[30]<\/a> GDPR not only fortifies the right to be forgotten, as recognised in Google Spain case<\/em>[31]<\/a> but also expressly acknowledges the counterbalance aspects and factors such as freedom of expression.[32]<\/a><\/p>\n

5. Duty to undertake data protection measures<\/em><\/p>\n

The controller\/processor is required to implement appropriate technical and organisational measures, such as pseudonymisation[33]<\/a> and encryption[34]<\/a>, in an effective manner and to integrate necessary safeguards in the processing to comply with the GDPR obligations and protect the rights of data subjects.[35]<\/a><\/p>\n

6. Data protection impact assessment<\/em><\/p>\n

Similar to the old Directive, GDPR mandates the controller to conduct an impact assessment for new technologies that pose high risk to the rights and freedoms of data subjects. This obligation is triggered only in cases where there is a systematic and extensive processing activities based on automated processing, large scale processing of sensitive data or criminal convictions, and monitoring of public areas. The controller is obliged to conduct an impact assessment of the envisaged processing on the protection of personal data.[36]<\/a><\/p>\n

7. Appointment of Data Protection Officer<\/em><\/p>\n

The business entities (controllers and processors) covered under GDPR are required to appoint a Data Protection Officer (DPO). This obligation is triggered if, (i<\/em>) the core activities of the entity (as defined below) involves processing operations engaged in regular and systematic monitoring of data subjects; or (ii<\/em>) there is large scale processing of special categories of data or data regarding criminal conviction. The Working Party 29 Guidelines[37]<\/a> indicate that the core activities also include businesses whose data processing operations are \u201cinextricable\u201d to its core activities (e.g. processing of patients\u2019 information by a hospital). However, if the processing is merely \u201cnecessary\u201d or \u201cessential\u201d to the organisation, then it does not have the obligation to appoint DPO (e.g. storing information of salaries of an organisation\u2019s employees). The designated representative will be the point of contact for the organisation including being subject to enforcement proceedings in the event of non-compliance by the controller or processor. However, this does not mean that the DPO will be personally liable for non-compliance of the duties of controller\/processor.<\/p>\n

8. Obligations specific to the processor<\/em><\/p>\n

The processors will have to abide by the contract with the controller and comply with any other EU or member State\u2019s law. The contract between the two must state that the processor can only carry out processing activities on the basis of written instructions from the controller. Processor has the responsibility to see that the personnel authorised to process the data has signed confidentiality agreements. The contract obliges the processor to delete\/return the data to the controller after expiry of the contract. The processor must also provide all requisite information to the controller for demonstrating compliance with all its obligations.<\/p>\n

IV. Other impacts on non-EU (including Indian) businesses<\/strong><\/p>\n

1. Allowing businesses to expand across borders<\/em><\/p>\n

GDPR will help Indian businesses to expand their business operations from one or few EU countries to other member States. Under the old Directive, if an Indian company having its operations in Germany wanted to expand to another member State such as France, then the proprietor would have to deal with different regulators, within the local laws (French), for various data processing activities. This would add costs of obtaining legal advice and possibly make changes to business models in order to enter the new market. This had a prohibitive effect, especially in cases where few member States required the businesses to pay notification fees for processing data.<\/p>\n

To ease business operations, GDPR has implemented a \u201cone-stop-shop\u201d mechanism. If an entity is engaging in cross-border processing of personal data (i.e. processing or its effect on data subjects takes place in more than one member State), it would have to identify one \u201clead\u201d supervisory authority for the purposes of compliance. This selection would depend on the place where the main decisions regarding purpose and means of processing is taken, constituting its central administration, that will act as the lead supervisory authority.[38]<\/a><\/p>\n

2. GDPR will help in the growth of new and small entrants in the market<\/em><\/p>\n

As per GDPR, the citizens have a right to data portability.[39]<\/a> It will allow them to move their personal data from one service provider to another. For instance, earlier if a new business wanted to enter in a specific market where there were big corporations already in place, the consumers might not want to shift to the new service provider, as their entire data is registered on the previous existing service providers\u2019 database. Due to the data portability right now being available, the consumers would be able to easily shift to new service providers.<\/p>\n

3. GDPR will help in improvement of international cooperation<\/em><\/p>\n

GDPR has streamlined the process of data transfer to other countries. It provides for an \u201cadequacy decision\u201d \u2014 an acknowledgement given at EU level to a non-EU country that adequate protection is afforded to data subjects in its domestic law or international commitments.[40]<\/a> If an adequacy decision has not been passed in favour of a country, then data transfer can take place on the basis of binding corporate rules. The standard corporate rules incorporate provisions requiring the data recipient to adhere to the EU standards of data protection. If there is neither an adequacy decision nor any binding corporate rules, data transfer can take place on the basis of very narrow exceptions. These exceptions cannot be invoked on a regular basis. They can only be used for a limited amount of data and number of subjects, and for compelling legitimate interests of the controller.[41]<\/a><\/p>\n

4. Enhanced responsibility on knowledge process outsourcings<\/em><\/p>\n

Under the GDPR, certain differentiated responsibilities have been imposed on both, controllers and processors. Under the old Directive, the data subjects had no right of remedy against the processors. However, GDPR provides that if the processor violates any of the provisions, then it will be deemed to be a controller in respect of the liability provisions.[42]<\/a> These provisions puts numerous Indian businesses engaging in knowledge process outsourcing (KPO) at risk for liability.<\/p>\n

GDPR is bound to give jitters to Indian businesses looking to expand their operations to the EU. In the long term, one can expect these norms to be imported to India as GDPR has taken the lead by setting high industry standards. The Privacy<\/em> judgment<\/em>[43]<\/a> is just a start towards a safer tomorrow for the data subjects and a tougher one for the businesses.<\/p>\n

——————————-<\/p>\n

*<\/strong> 5th year students, BBA LLB, O.P. Jindal Global University, Sonipat.<\/p>\n

[1]<\/a>\u00a0 Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation), Regulation (EU) 2016\/679.<\/p>\n

[2]<\/a>\u00a0 The GDPR will come into force on 25-5-2018.<\/p>\n

[3]<\/a>\u00a0 (2017) 10 SCC 1<\/a>, p. 252 of Justice Chandrachud\u2019s judgment. The Report of group of experts referred to by Justice Chandrachud heavily relies on the EU Data Protection Regimes.<\/p>\n

[4]<\/a>\u00a0 The Data (Privacy and Protection) Bill, 2017, Bill No. 100 of 2017, available at <http:\/\/164.100.47.4\/BillsTexts\/LSBillTexts\/Asintroduced\/889LS%20AS.pdf<\/a>>.<\/p>\n

[5]<\/a>\u00a0 Justice Chandrachud, (2017) 10 SCC 1, 196, 197<\/a>.<\/p>\n

[6]<\/a>\u00a0 Justice Kaul, (2017) 10 SCC 1, p. 7, 8, 35, 36<\/a>.<\/p>\n

[7]<\/a>\u00a0 Art. 4 of the GDPR.<\/p>\n

[8]<\/a>\u00a0 Art. 4 of the GDPR.<\/p>\n

[9]<\/a>\u00a0 Art. 29, Data Protection Working Party, Opinion 4\/2007 on the concept of Personal Data, 01248\/07\/EN.<\/p>\n

[10]<\/a>\u00a0 Google Spain SL<\/em> v. Agencia Espa<\/em>\u00f1<\/em>ola de Protecci<\/em>?<\/em>n de Datos<\/em>, 2014 QB 1022 : (2014) 3 WLR 659<\/a>, also available at <http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX: 62012CJ0131&from=EN<\/a>>.<\/p>\n

[11]<\/a>\u00a0 Recital 23 of the GDPR.<\/p>\n

[12]<\/a>\u00a0 (2016) 1 WLR 863<\/a>, also available at <http:\/\/curia.europa.eu\/juris\/document\/document.jsf?docid =168944&doclang=EN<\/a>>.<\/p>\n

[13]<\/a>\u00a0 Cookie is a message that is stored in the browser of the person who is storing a particular website. This message is sent to the server of the same website every time the person visits it again. Cookies are used to modify the content of the website in accordance with the previous behaviour of the person.<\/p>\n

[14]<\/a>\u00a0 Recital 30 of the GDPR.<\/p>\n

[15]<\/a>\u00a0 (2015) 1 WLR 4934 : 2015 EWCA Civ 311, available at <https:\/\/www.judiciary.gov.uk\/wp-content\/uploads\/2015\/03\/google-v-vidal-hall-judgment.pdf<\/a>>.<\/p>\n

[16]<\/a>\u00a0 Para 115 of the judgment.<\/p>\n

[17]<\/a>\u00a0 Aon Risk Solutions, Data privacy: New ruling may change the game for companies\u2019 cyber exposures, available at <http:\/\/www.aon.com\/attachments\/risk-services\/Google-vs-Vidal-Hall-Cyber-News-Alerts-Final.pdf<\/a>>.<\/p>\n

[18]<\/a>\u00a0 Art. 4(7) of the GDPR.<\/p>\n

[19]<\/a>\u00a0 Art. 4(8) of the GDPR.<\/p>\n

[20]<\/a>\u00a0 Art. 4(11) of the GDPR.<\/p>\n

[21]<\/a>\u00a0 Art. 7(3) of the GDPR.<\/p>\n

[22]<\/a>\u00a0 Art. 7(1) of the GDPR.<\/p>\n

[23]<\/a>\u00a0 Art. 7(2) of the GDPR.<\/p>\n

[24]<\/a>\u00a0 Art. 13(1) of the GDPR.<\/p>\n

[25]<\/a>\u00a0 Art. 33(1) of the GDPR.<\/p>\n

[26]<\/a>\u00a0 Art. 34(1) of the GDPR.<\/p>\n

[27]<\/a>\u00a0 Art. 34(3) of the GDPR.<\/p>\n

<\/a>[28]<\/a>\u00a0 Guidelines on personal data breach notification under Regulation 2016\/679.<\/p>\n

[29]<\/a>\u00a0 Art. 34(3) of the GDPR.<\/p>\n

[30]<\/a>\u00a0 Art. 17 of the GDPR.<\/p>\n

[31]<\/a>\u00a0 2014 QB 1022 : (2014) 3 WLR 659<\/a>, also available at: <http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:62012CJ0131&from=EN<\/a>>.<\/p>\n

[32]<\/a>\u00a0 Art. 17(3)(a<\/em>) of the GDPR.<\/p>\n

[33]<\/a>\u00a0 \u201cPseudonymisation\u201d of data means substituting any of the identifying characteristics of data with a pseudonym, which prevents the data subject to be directly identified.<\/p>\n

[34]<\/a>\u00a0 Encryption converts the data into a secret code. To access the data, a password is required.<\/p>\n

[35]<\/a>\u00a0 Art. 32(1) of the GDPR.<\/p>\n

[36]<\/a>\u00a0 Art. 35 of the GDPR.<\/p>\n

[37]<\/a>\u00a0 The guidelines were formed under the previous EU data Regulation of 1995. It has continued to exist under GDPR as well.<\/p>\n

[38]<\/a>\u00a0 Art. 51(3) of the GDPR.<\/p>\n

[39]<\/a>\u00a0 Art. 20 of the GDPR.<\/p>\n

[40]<\/a>\u00a0 Art. 45 of the GDPR.<\/p>\n

[41]<\/a>\u00a0 Recital 113 of the GDPR.<\/p>\n

[42]<\/a>\u00a0 Art. 28(10) of the GDPR.<\/p>\n

[43]<\/a>\u00a0 (2017) 10 SCC 1<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

by Shubham Janghu* and Kashish Jain*<\/p>\n","protected":false},"author":91,"featured_media":198988,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[42503,1191],"tags":[31142,31140,31141,6571],"class_list":["post-198913","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-legal-analysis","category-op-ed","tag-business","tag-general-data-protection-regulation","tag-impact","tag-india"],"yoast_head":"\nEU data protection regulation \u2014 Impact on Indian businesses and jurisprudence | SCC Times<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"EU data protection regulation \u2014 Impact on Indian businesses and jurisprudence\" \/>\n<meta property=\"og:description\" content=\"by Shubham Janghu* and Kashish Jain*\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/\" \/>\n<meta property=\"og:site_name\" content=\"SCC Times\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/scc.online\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-07-25T05:11:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-07-20T11:24:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/07\/GDPR.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1330\" \/>\n\t<meta property=\"og:image:height\" content=\"887\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Saba\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Saba\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/\",\"url\":\"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/\",\"name\":\"EU data protection regulation \u2014 Impact on Indian businesses and jurisprudence | SCC Times\",\"isPartOf\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/07\/GDPR.jpg\",\"datePublished\":\"2018-07-25T05:11:54+00:00\",\"dateModified\":\"2020-07-20T11:24:35+00:00\",\"author\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/e8e76b10dfc9c0d576324bfdbb2c2785\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/#primaryimage\",\"url\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/07\/GDPR.jpg\",\"contentUrl\":\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/07\/GDPR.jpg\",\"width\":1330,\"height\":887},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.scconline.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"EU data protection regulation \u2014 Impact on Indian businesses and jurisprudence\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.scconline.com\/blog\/#website\",\"url\":\"https:\/\/www.scconline.com\/blog\/\",\"name\":\"SCC Times\",\"description\":\"Bringing you the Best Analytical Legal News\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.scconline.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/e8e76b10dfc9c0d576324bfdbb2c2785\",\"name\":\"Saba\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/a815285315cd85d8b3246c60ed8ed99825949c1b85b370c49212daa54ededa98?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/a815285315cd85d8b3246c60ed8ed99825949c1b85b370c49212daa54ededa98?s=96&d=mm&r=g\",\"caption\":\"Saba\"},\"url\":\"https:\/\/www.scconline.com\/blog\/post\/author\/editor_2\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"EU data protection regulation \u2014 Impact on Indian businesses and jurisprudence | SCC Times","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/","og_locale":"en_US","og_type":"article","og_title":"EU data protection regulation \u2014 Impact on Indian businesses and jurisprudence","og_description":"by Shubham Janghu* and Kashish Jain*","og_url":"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/","og_site_name":"SCC Times","article_publisher":"https:\/\/www.facebook.com\/scc.online\/","article_published_time":"2018-07-25T05:11:54+00:00","article_modified_time":"2020-07-20T11:24:35+00:00","og_image":[{"width":1330,"height":887,"url":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/07\/GDPR.jpg","type":"image\/jpeg"}],"author":"Saba","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Saba","Est. reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/","url":"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/","name":"EU data protection regulation \u2014 Impact on Indian businesses and jurisprudence | SCC Times","isPartOf":{"@id":"https:\/\/www.scconline.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/#primaryimage"},"image":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/#primaryimage"},"thumbnailUrl":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/07\/GDPR.jpg","datePublished":"2018-07-25T05:11:54+00:00","dateModified":"2020-07-20T11:24:35+00:00","author":{"@id":"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/e8e76b10dfc9c0d576324bfdbb2c2785"},"breadcrumb":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/#primaryimage","url":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/07\/GDPR.jpg","contentUrl":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/07\/GDPR.jpg","width":1330,"height":887},{"@type":"BreadcrumbList","@id":"https:\/\/www.scconline.com\/blog\/post\/2018\/07\/25\/eu-data-protection-regulation-impact-on-indian-businesses-and-jurisprudence\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.scconline.com\/blog\/"},{"@type":"ListItem","position":2,"name":"EU data protection regulation \u2014 Impact on Indian businesses and jurisprudence"}]},{"@type":"WebSite","@id":"https:\/\/www.scconline.com\/blog\/#website","url":"https:\/\/www.scconline.com\/blog\/","name":"SCC Times","description":"Bringing you the Best Analytical Legal News","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.scconline.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/e8e76b10dfc9c0d576324bfdbb2c2785","name":"Saba","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/a815285315cd85d8b3246c60ed8ed99825949c1b85b370c49212daa54ededa98?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a815285315cd85d8b3246c60ed8ed99825949c1b85b370c49212daa54ededa98?s=96&d=mm&r=g","caption":"Saba"},"url":"https:\/\/www.scconline.com\/blog\/post\/author\/editor_2\/"}]}},"jetpack_featured_media_url":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/07\/GDPR.jpg","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":229367,"url":"https:\/\/www.scconline.com\/blog\/post\/2020\/05\/12\/application-of-general-data-protection-regulation-on-indian-processor\/","url_meta":{"origin":198913,"position":0},"title":"Application of General Data Protection Regulation on Indian Processor\u00a0","author":"Bhumika Indulia","date":"May 12, 2020","format":false,"excerpt":"by Sharmin Godrej Irani*","rel":"","context":"In "Op Eds"","block_context":{"text":"Op Eds","link":"https:\/\/www.scconline.com\/blog\/post\/category\/op-ed\/legal-analysis\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2020\/05\/GDPR.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2020\/05\/GDPR.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2020\/05\/GDPR.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2020\/05\/GDPR.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2020\/05\/GDPR.jpg?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":232502,"url":"https:\/\/www.scconline.com\/blog\/post\/2020\/07\/20\/eu-us-privacy-shield-declared-invalid-for-not-providing-adequate-data-protection-of-european-citizens-from-us-surveillance-activities\/","url_meta":{"origin":198913,"position":1},"title":"EU-US Privacy Shield declared invalid for not providing adequate data protection of European citizens from US surveillance activities","author":"Editor","date":"July 20, 2020","format":false,"excerpt":"Sucheta Sarkar, Editorial Assistant has put this story together","rel":"","context":"In "Case Briefs"","block_context":{"text":"Case Briefs","link":"https:\/\/www.scconline.com\/blog\/post\/category\/casebriefs\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2016\/09\/ECJ.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2016\/09\/ECJ.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2016\/09\/ECJ.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2016\/09\/ECJ.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2016\/09\/ECJ.jpg?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":225268,"url":"https:\/\/www.scconline.com\/blog\/post\/2020\/02\/06\/evolution-of-data-privacy\/","url_meta":{"origin":198913,"position":2},"title":"Evolution of Data Privacy","author":"Bhumika Indulia","date":"February 6, 2020","format":false,"excerpt":"Bhumesh Verma, Managing Partner, Sayantan Dey, Legal and Compliance Professional and Ujjwal Agrawal, Student Researcher Corp Comm Legal Cite as: (2020) PL (CL) February 74","rel":"","context":"In "OP. ED."","block_context":{"text":"OP. ED.","link":"https:\/\/www.scconline.com\/blog\/post\/category\/op-ed\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/03\/Corp-Comm-Legal-1.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/03\/Corp-Comm-Legal-1.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/03\/Corp-Comm-Legal-1.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/03\/Corp-Comm-Legal-1.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2018\/03\/Corp-Comm-Legal-1.jpg?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":225091,"url":"https:\/\/www.scconline.com\/blog\/post\/2020\/02\/07\/indian-data-protection-regime-the-future-of-fintechs-in-india\/","url_meta":{"origin":198913,"position":3},"title":"Indian Data Protection Regime & the Future of Fintechs in India","author":"Bhumika Indulia","date":"February 7, 2020","format":false,"excerpt":"(Kritika Krishnamurthy, Director, Bridge Policy Think Tank and Aashrit Verma, Consultant, Bridge Policy Think Tank) The FinTech industry has grown out of strengthening of linkages between the financial services sector and the technology sector. With a surge of accessibility due to technological support, there is a considerable leap in progress\u2026","rel":"","context":"In "Op Eds"","block_context":{"text":"Op Eds","link":"https:\/\/www.scconline.com\/blog\/post\/category\/op-ed\/legal-analysis\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2019\/12\/BANNER-3.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2019\/12\/BANNER-3.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2019\/12\/BANNER-3.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2019\/12\/BANNER-3.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2019\/12\/BANNER-3.jpg?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":282772,"url":"https:\/\/www.scconline.com\/blog\/post\/2023\/01\/31\/can-india-take-a-page-out-of-the-eu-law-on-online-content\/","url_meta":{"origin":198913,"position":4},"title":"Can India Take a Page Out of the EU Law on Online Content","author":"Bhumika Indulia","date":"January 31, 2023","format":false,"excerpt":"by Dr Srikant Parthasarathy\u2020 and Dr Amirthalakshmi R\u2020\u2020 Cite as: 2023 SCC OnLine Blog Exp 13","rel":"","context":"In "Op Eds"","block_context":{"text":"Op Eds","link":"https:\/\/www.scconline.com\/blog\/post\/category\/op-ed\/legal-analysis\/"},"img":{"alt_text":"EU Law on Online Content","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/01\/MicrosoftTeams-image-231.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":241472,"url":"https:\/\/www.scconline.com\/blog\/post\/2021\/01\/04\/data-protection-all-you-need-to-know-about-gdpr-implementation-in-eu-countries\/","url_meta":{"origin":198913,"position":5},"title":"Data Protection: All you need to know about GDPR implementation in EU countries","author":"Editor","date":"January 4, 2021","format":false,"excerpt":"by Bhumika Indulia\u2020","rel":"","context":"In "Law made Easy"","block_context":{"text":"Law made Easy","link":"https:\/\/www.scconline.com\/blog\/post\/category\/law-made-easy\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2020\/12\/Austria.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]}],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts\/198913","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/users\/91"}],"replies":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/comments?post=198913"}],"version-history":[{"count":0,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts\/198913\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/media\/198988"}],"wp:attachment":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/media?parent=198913"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/categories?post=198913"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/tags?post=198913"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}