The European Union (EU) continues to be a significant market for the IT/BPO industry in India[1]. As India’s Data Protection Bill, 2019[2] (“the Bill”) has still not been enacted into law, India faces many challenges when entering into data processing agreements with EU entities. The EU has been one of the biggest markets for the Indian outsourcing sector, and India’s relatively weak data protection laws make it less competitive than other outsourcing markets in this space. Further, Article 3 (Territorial scope) of the General Data Protection Regulation (GDPR) makes it clear that the Regulation applies regardless of whether or not the processing takes place in the EU. This means no business for Indian companies that do not comply with the GDPR, and, for those that do, increased compliance costs together with the risk of heavy penalties on failing to comply[3]. The focus of this article is on the transfer of data from the EU to India and India’s approach to such transfers, with respect to the processor’s obligations and the extent of its liability.
Data transfer and GDPR
The legitimacy of a transfer of personal data of data subjects under GDPR involves two stages[4]:
- The data transfer itself must be legal.
- The transfer to the third country must be permitted.
1. Data transfer itself must be legal
Where a processor is situated in a third country, every data processing agreement must contain a separate provision that allocates the obligations of the controller and the processor. The reason is that Article 82 of GDPR clearly states that a person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor for the damage suffered. A controller involved in processing is liable for the damage caused by processing which infringes the Regulation. A processor is liable for the damage caused by processing only where it has not complied with the obligations of the Regulation specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller.
The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller[5].
Obligations of the Controller
Consent
Processing personal data is generally prohibited unless it is expressly allowed by law or the data subject has consented to the processing[6]. The obligation is on the controller to demonstrate that the consent of the data subject has been obtained as required under Article 7 of GDPR. Article 82, read with Article 7, makes the controller liable for damages to the data subject where Article 7 is infringed.
Lawfulness and means of processing
Article 4(7) of GDPR defines a controller as one who determines the purposes and means of the processing of personal data. The obligations of the controller stated under Article 24 of GDPR are to be read with Article 5 of GDPR. Thus, apart from the lawfulness of processing and obtaining the consent of data subjects, the controller bears further responsibilities for which it is accountable[7]:
- processing must be fair and transparent;
- data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- personal data must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; and
- personal data must be processed in a manner that ensures their appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The controller must also ensure, in selecting a processor, that the processor has implemented sufficient technical and organisational measures to ensure that processing meets the requirements of the Regulation[8].
Obligations of the Processor
The next question is what the obligations and liability of the processor are.
It is the responsibility of both the controller and processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk[9]. Further, the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law[10]. If a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing[11].
In a controller-processor relationship, the latter is only allowed to process personal data based on the documented instructions from the controller. The processor cannot engage another processor to help fulfil a specific contract, without the prior specific or general written authorisation of the respective controller[12]. Thus the carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject[13].
Further, it is the responsibility of both the controller and the processor to maintain records of processing activities under their responsibility[14].
2. Whether transfer to a third country is permitted
If the intended data transfer meets the general requirements, one must check in a second step whether the transfer to the third country is permitted. GDPR differentiates between secure and insecure third countries[15].
GDPR allows the transfer of personal data of data subjects situated in the EU to countries outside the EU for the purpose of processing and does not prohibit such transfers per se, whether the recipient is a secure third country that has attained ‘adequacy’ status or an insecure third country with no data protection law at all, as in the case of India. The principles embodied in the GDPR recognise the importance of international trade and cooperation in achieving economic growth. The Regulation tries to balance economic growth with individual privacy and national security.
Transfers to secure third countries do not require any specific authorisation[16]. As India (a third country) does not yet have a separate law dealing with data protection and is regarded by the EU as an insecure third country, agreements with EU entities incorporate the standard contractual clauses adopted by the European Commission, by which Indian entities abide when processing personal data. These standard contractual clauses cannot be amended so as to contradict the Commission’s decision. The parties are free to add clauses so long as they are consistent with the standard contractual clauses given in the decision.
The European Commission’s decision dated 5 February 2010 sets out standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, and continues to be followed under the GDPR. This decision, Notification C(2010) 593, states in Recital 2:
Member States may authorise, subject to certain safeguards, a transfer or a set of transfers of personal data to third countries which do not ensure an adequate level of protection. Such safeguards may in particular result from appropriate contractual clauses.
Thus, along with the other terms agreed between a controller situated in the EU and a processor processing data in India, the standard contractual clauses stated in Notification C(2010) 593 must be followed by the Indian processor. Indian companies take on these additional obligations because India does not have a Data Protection Act in place.
What’s next for India?
Is India Chapter V of GDPR compliant?
For data to be transferred from a controller situated in the EU to a processor in India without additional safeguard provisions, the Indian Data Protection Bill, 2019 must comply with Chapter V of GDPR so that India is regarded as a country providing adequate protection. India is gearing up to seek ‘adequacy’ status under the European Union’s General Data Protection Regulation[17].
In conclusion, the purpose of this article is to create awareness among processors regarding their obligations and their consequent liability. A processor cannot be held liable for all data privacy breaches. Thus it is necessary to understand the obligations of the controller and the processor and to allocate each entity its responsibility separately in the agreement entered into between them. This article will also assist data subjects aggrieved by a data privacy breach in approaching the right entity and claiming relief.
* Advocate
[1] India gets ready for EU’s new data regime, Rahul Kumar, 25 April 2017, https://www.cioandleader.com/article/2017/05/02/india-gets-ready-eu%e2%80%99s-new-data-regime
[2] Personal Data Protection Bill, 2019
[3] How can Indian organisations prepare for the GDPR regime?, Sivarama Krishnan
[4] General Data Protection Regulation, Key Issue, Third Country
[5] General Data Protection Regulation, Recital 79, Allocation of Responsibilities, https://gdpr-info.eu/recitals/no-79/
[6] General Data Protection Regulation, Key Issue, Consent
[7] Article 5 of General Data Protection Regulation, 2018
[8] General Data Protection Regulation, Key Issue, Processing, https://gdpr-info.eu/issues/processing/
[9] Article 32 of General Data Protection Regulation, 2018
[10] Article 29 of General Data Protection Regulation, 2018
[11] Article 28(10) of General Data Protection Regulation, 2018
[12] General Data Protection Regulation, Key Issue, Processing, https://gdpr-info.eu/issues/processing/
[13] General Data Protection Regulation, Recital 81, The Use of Processors, https://gdpr-info.eu/recitals/no-81/
[14] Article 30 of General Data Protection Regulation, 2018
[15] General Data Protection Regulation, Key Issue, Third Country, https://gdpr-info.eu/issues/third-countries/
[16] Article 45 of General Data Protection Regulation, 2018
[17] India to seek EU’s approval on GDPR compliance for ‘adequacy’ status, Abhimanyu Ghoshal, https://thenextweb.com/asia/2019/07/30/india-to-seek-eus-approval-on-gdpr-compliance-for-adequacy-status/