With pathbreaking developments in telecommunications over the past few decades, national boundaries have in many ways lost their relevance. Using the internet, an artisan sitting in Shahpur Jat in Delhi can provide handicrafts to a customer in Germany, or a hotel in Mahipalpur can receive bookings from a traveller from Hungary. As such, cross-border transfer of information (particularly personal information) has become ubiquitous.
According to a report published by IBM last year, every person generated 1.7 megabytes of data per second in 2020. In view of the exponential surge in the handling of data in the last decade, several countries have revamped their data protection regimes and enacted laws that prescribe a robust set of do’s and don’ts when it comes to the processing of data. With many such laws having extra-territorial applicability, it becomes increasingly imperative for entities in India to assess the impact of such laws on their operations and compliance.
Impact of foreign laws on Indian entities
Laws like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) also apply to entities located beyond their borders that process the data of their data subjects. The threshold for applicability (e.g. revenue, user base, etc.) may vary from country to country, but the bottom line is that Indian entities are not immune to these foreign privacy laws solely by virtue of being in India. There are many factors to bear in mind (e.g., whether data of any foreign users or foreign citizens residing in India is being processed, whether directly or on behalf of a third party) to maintain compliance and avoid the potentially hefty penalties and fines under these foreign laws.
To exacerbate the situation, Indian companies are not fully versed in the concept of data protection compliance. This is mainly because the current landscape only requires entities to comply with conditions relating to collection, storage, disclosure, transfer and security practices in respect of ‘sensitive personal data and information’ (like passwords, financial information, medical information, etc.) and not all types of personal information. Further, while the new data protection law in India has remained in the pipeline for over 3 (three) years, it is yet to see the light of day.
Key lookout areas for businesses in India with multi-jurisdictional presence
Many foreign laws impose certain restrictions on businesses regarding transfer and disclosure of data.
An apt example of this is the landmark Schrems-II judgement passed by the Court of Justice of the European Union (EU) that, in a way, placed a roadblock on the transfer of GDPR-protected data to non-EU countries. Now, in order to transfer GDPR-protected data, it is important to evaluate the extent of government access and surveillance in India. Entities that handle large amounts of data relating to foreign data subjects (like outsourcing companies) are particularly impacted by this ruling, as cross-border transfer of information is not as seamless as it used to be.
A significant ruling of the High Court of England and Wales in the Soriano and Forensic News case from March 2021 is also relevant to note. The court made some notable findings on the extra-territorial applicability of GDPR as well. GDPR is applicable to entities outside the EU in cases where they offer goods or services to EU residents or monitor the behaviour of EU residents. The court held that Forensic News had neither specifically targeted individuals in the EU nor deployed cookies with the intent of monitoring the behaviour of users. Hence, it appears that, going forward, the factual circumstances surrounding the processing of data will play a major role.
Having said that, it is important for entities to consider whether their actions (like providing an option to place orders from overseas or contact numbers with international prefixes) can be said to target or monitor the behaviour of foreign individuals. To avoid penalties and heavy litigation costs on foreign soil, entities must introspect and evaluate their mode of operations.
Know-how of global privacy regulations is also critical for Indian entities (like Oyo, Ola, etc.) and tech unicorns (India is currently third on the global list of countries with the most tech unicorns) that are looking to expand operations overseas, for which investment of funds is essential. Such funds require compliance with higher standards of privacy, and that is another reason why India-based companies need to step up and take notice of cross-border data protection laws.