Countries around the world are enacting laws to protect personal data. Statistics from UNCTAD show that 66% of countries worldwide have data protection legislation in place. The General Data Protection Regulation (GDPR) is one law enacted in 2018 to protect the personal data of all European Union member states. India is yet to enact the data protection bill known as the Personal Data Protection (PDP) Bill, 2018. Personal data is protected by the Sensitive Personal Data or Information Rules (SPDI) 2011 under the Information Technology Act, 2000.
The GDPR is comprehensive legislation that aims to protect the processing and movement of individuals’ data within and outside the EU. Although it was enacted to protect the personal data of all European Union member states, the impact of the GDPR is worldwide. Many countries are taking privacy and data protection more seriously after the entry into force of the GDPR. Companies are trying to ensure compliance with the GDPR and drafting regional legislation in line with it. In order to understand this regulation and its applicability, it is important to know who is the data processor, the data subject, and the data controller.
Article 4(7) defines “controller” as a legal person, public authority, agency or other body determining the purpose of personal processing data. “Processor” means a public authority, legal person, or agency that processes personal data on behalf of the controller according to Article 4(8). Data subject refers to an identified natural person or identifiable, according to the GDPR.
The applicability of the GDPR is discussed in Article 3 of the GDPR. It is applicable on:
- All data controllers and data processors within the territory of the EU
- All data controllers and data processors outside the EU offering goods or services in the EU are profiling people in the EU
- Processing personal data in the outline of the activities from one of its branches established in the EU.
To protect the personal data of residents of EU Member States, the GDPR also has extraterritorial applicability, which means that the scope of the GDPR extends to countries outside the jurisdiction of the EU. However, not all Indian companies need to comply with the GDPR. Indian companies offering goods or services in the EU, personal processing data transferred from the EU or profiling the personal data of EU residents must comply with the GDPR.
Companies worldwide are assessing the impact to EU General Data Protection Regulations (“GDPR”) will have on their activities. High administrative fines for non-compliance with the provisions of the GDPR are a driving force behind such concerns as they can lead to loss of business for various countries like India.
India has had a peculiar economic structural transition. Economic Survey reveals a top-down economic structure with 66.1% of the contribution of the services sector to the GDP. According to NASSCOM, the information technology sector – business process management (IT-BPM) “should touch an estimated share of 9.5% of GDP and more than 45% of total services exports in 2015-2016.
The contribution to revenues from IT-BPM exports is expected to hit US$108 billion, with a relatively smaller domestic contribution of US$22 billion. “The main markets for IT software and services exports are the United States, the United Kingdom and Europe, representing around 90% of Total IT/ITeS exports.” According to NASSCOM estimates for 2014, the UK and mainland Europe accounted for 17.4% and 11.6% of the IT/ITES services exports to India.