GDPR and its Impact on India

The implementation of the European Union’s General Data Protection Regime (“GDPR”) is touted to bring sweeping changes in the data protection regime across the world. This post discusses how the GDPR impacts Indian businesses.

The GDPR is not only applicable to EU members, but also governs entities in foreign countries that deal with data of EU citizens. Indian businesses that collect data from EU citizens are now required by the GDPR to (a) obtain user consent before collecting data, (b) clearly mention the purpose of using the collected data, and (c) provide users free access to their data. Further, in cases of cross-border transfer of an EU citizen’s data, the transferee country must have adequate levels of data protection. The new law also requires accountability and transparency at each level, which makes it different from, and more stringent than, the previous law. Non-compliance could even invite fines of up to 4% of the annual global revenue.

Indian entities dealing with an EU citizen’s data, such as government agencies, banks, hospitals, etc., will now have to put in more resources to comply with the stringent requirements under the GDPR. Such Indian entities should expect costs and expenses to increase.

Indian businesses can achieve the desired results if they adhere to the strict guidelines so as to prevent being penalised. They can certainly make changes to their approach to avoid any violation. They can provide training to their employees about the functioning of the new regulations. There should be periodic review of the data, and users must be given information about any application of their data.

While the legislature is yet to introduce GDPR-like provisions in India, an ongoing case in the Supreme Court, Karmanya Singh Sareen and Anr. v. UOI and Ors. (the WhatsApp case), challenges the Indian government’s privacy rules and attempts to prohibit cross-border sharing of data without users’ consent. The petition claims that WhatsApp altered its privacy laws upon being acquired by Facebook, and divulged users’ data to Facebook, a company that is headquartered outside India. The privacy policies of such websites/applications are drafted on a ‘take it or leave it’ basis, making it confusing for users to either accept the terms or not use the website/application at all.

Right now, although the GDPR is only applicable to EU countries, its impact on Indian companies collecting EU citizens’ data is immediate. Small companies are expected to struggle to assemble resources and put in place a mechanism to ensure GDPR compliance.