Insights

Data Privacy

Data Protection | Aug 10 2018

Data surrounds us and is generated in virtually everything we do. Data is generated during our everyday activities- whether it be travel, order a meal or use transportation. There is no doubt that this data is immensely valuable, and several companies are willing to pay for access to this data. Indeed, in this age of universal and virtually free access of internet, data is the new currency. The recent controversy surrounding data harvesting to provide personalised news to influence individual voters highlights the extent to which personal data can be used.

Global Data Privacy Initiatives:

With increase in data breaches and complexity of data usage, the need for robust data protection laws has become even more relevant. In today’s globalised environment, cross-border data movement is the norm. Businesses need to keep a 360° view of the global legislations to be universally compliant. Many countries have adopted regional data protection norms, however, as of now, there is no global data protection initiative in place.

GDPR: General Data Protection Regulation (“GDPR”) is a robust pan- European legislation which was approved and adopted by European Parliament in April 2016 has come into force on May 25, 2018. The purpose of GDPR is to enable to free movement of personal data within the European Union (“EU”) while protecting the right of natural persons to their personal data. GDPR is not only applicable to businesses operating in EU, but also extends its territorial reach to businesses operating outside the EU if they ‘process’ personal data of EU subjects and where the processing activity relates to (a) offering of goods or services (including for free) to data subjects in EU; or (b) monitoring their behaviour if the behaviour takes place within the EU.

Asia Pacific Economic Cooperation (APEC): APEC is composed of twenty-on member economies including United States of America, Canada, China, Japan, South Korea and Australia that together represent approximately 55 percent of the world’s GDP. APEC has developed a number of initiatives to protect personal data. One of the key initiatives implemented by APEC is APEC Cross-Border Privacy Rules System (“CBPR”). The APEC CBPR system provides standard data privacy policies that businesses can use in order to comply with the APEC privacy framework. The system is meant to facilitate cross-border data flows by providing a voluntary framework to ensure certainty and minimum privacy protections.

Indian regulations: Presently India does not have a comprehensive data protection mechanism, the main enactment that deals with protection of data is the Information Technology Act, 2000 and the rules framed thereunder. Other than the above, the respective sectoral regulators prescribe the data privacy measures required to be undertaken by the relevant sectors.

For a long time, there was no clarity as to whether the right to privacy is a fundamental right protected under the Constitution of India. However, this debate has now been put to rest by the Supreme Court of India by its landmark judgment of last year in case of K. S. Puttaswamy (Retd.) v Union of India.

As a next steps and with a view to introduce a comprehensive data protection mechanism, the expert committee formed under chairmanship of Justice Srikrishna, a former Judge of the Supreme Court of India has also released a white paper outlining the issues which require incorporation under law. The first draft of the comprehensive data protection law is expected to be released in the month of July.

The two cases pending before the Supreme Court of India which are likely to have an impact on the way the data protection legislature takes shape are (a) the challenge to the Adhaar Act, and (b) the case filed by Karmanya Singh Sareen challenging the change in privacy policy of WhatsApp Inc.

Impact of global norms on Indian businesses:

Affected business sectors: With extra-territorial applicability of GDPR and regular flow of data across borders, Indian businesses need to be more cognizant of global data privacy laws applicable to their businesses. This is not only applicable for the sectors which actively deal with data, like e-commerce companies, social networks, IT outsourcing units but could impact other businesses in sectors like hotels and hospitality, insurance, B2C sales etc.

Private equity industry: The private equity players raising funds from individual investors across the globe also come into possession of large quantities of personal data (including financial data). The collection, storage, transmission and processing of such data needs to comply with relevant data privacy norms.

Listed securities: Indian companies proposing to list their securities on the recognised stock exchanges in India or outside India may approach individual investors from offshore jurisdictions, all personal data including financial information collected form such individuals needs to comply with the applicable data protection regulations in the relevant jurisdictions.

Offshore subsidiaries: Many Indian businesses have subsidiaries in offshore jurisdictions. The Indian parent has access to the employee, customer, vendor data of such offshore subsidiaries. Sometimes such information is also stored on servers in India. It is imperative that these Indian businesses analyse the applicability of data protection regulations to their business operations including employee and customer data collected and stored in India.

The impact of new technologies

Data protection norms need to keep pace with the advent of new technologies and innovative business practices. In recent times, the three new technologies that have had an impact on data privacy are (a) cloud computing, (b) The Internet of Things, and (c) Big data analytics. A number of private equity investors are also looking to invest in entities engaged in these sectors.

Cloud computing: cloud computing adds to the complexity of issues pertaining to cross border transfer of data. Data localisation requirements adopted in various countries is one of the ways in which the countries have tried to address this issue. These laws require that some or all categories of personal data be stored on servers located in host country. In India, Reserve Bank of India pursuant its directive dated April 6, 2018 has directed all payment system providers to ensure that the entire data relating to payment systems operated by them is stored in a system only in India. China is another country which requires critical information infrastructure operators to store data they gather or produce, within China’s borders.

The Internet of Things:

Internet of Things means a number of devices connected to the internet which transmit data. With increased usage of fitness and health monitors, connected security devices, household appliances, Internet of Things is affecting our lives in more ways than we acknowledge. Amazon Echo and Google Home are some of the examples of the Internet of Things. Internet of Things leads to increased transmission of data and consequently increased concerns surrounding data privacy and protection. Businesses engaged in Internet of Things need to ensure that the data transmitted in order to allow connectivity of devices is compliant with applicable data privacy norms.

Big data analytics:

Big data analytics refers to the strategy of analyzing large volumes of data, or big data. The aim is to uncover patterns and connections that might otherwise be invisible, and that might provide valuable insights about the users who created such data. The ‘big data analytics’ involves large volumes of data sets which makes it susceptible to data breaches. GDPR has tried to address the concern to some degree by requiring organisations which process, on large scale, special categories of personal data such as data revealing ethnic origins, criminal offenses, genetic data, to appoint a data protection officers and conduct security audits.

However, the global laws surrounding data privacy and protection are still at a nascent stage. Jurisprudence surrounding the data privacy laws is still in the process of getting evolved. It will be interesting to see how the laws surrounding data privacy and protection develop in view of the everchanging technology and growing globalisation of trade.