The landmark judgment in Justice K S Puttaswamy vs Union of India highlighted the need for legislation on data privacy and protection, as the right to privacy was recognized as a fundamental right under Article 21 of the Indian Constitution. As India moves towards the era of “Digital India” and internet usage surges, legislation on data privacy and protection has become essential.
So, in November, the Ministry of Electronics and Information Technology published the draft Digital Personal Data Protection Bill (DPDPB) 2022, governing the privacy and protection of digitalized data, after the draft Personal Data Protection Bill, 2019 was withdrawn for lack of a comprehensive framework.
The Digital Personal Data Protection Bill draws its inspiration from the European Union’s General Data Protection Regulation (GDPR). The DPDPB aims to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their data and the need to process personal data for lawful purposes. The GDPR, by contrast, aims to lay down rules for the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
The DPDPB applies to personal data, but it has no classification for sensitive data, so all digitalized personal data is treated alike. The GDPR, in comparison, classifies not only personal data but also special categories of data, also referred to as sensitive data, which include data relating to racial or ethnic origin, genetic data, biometric data, etc. Even though the DPDPB is inspired by the GDPR, there are some differences between the two.
One such difference is that the DPDPB applies only to data in digitalized form and not to offline data, whereas the GDPR applies to all forms of records, whether digital or paper.
As per the draft DPDPB, its provisions apply to the processing of digital personal data of individuals within the territory of India, both where such personal data is collected from the data principals online and where it is collected offline and subsequently digitized; the DPDPB applies only to the digitalized version of data and not to manually processed structured files.
It should be noted that it does not apply to the processing of the data of foreign nationals who are outside India. It is also not applicable to personal data about an individual that is contained in a record which has been in existence for at least 100 years.
The GDPR, on the other hand, applies to the data of individuals who are residents of the European Union and to organizations that are based in the EU, whether established in the EU or using equipment in the EU to process data. The regulation also applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Extraterritorial applicability extends the scope of a law beyond the territory of the state that enacts it. Extraterritorial applicability is found in both the GDPR and the DPDPB.
The draft DPDPB provides for extraterritorial application: its provisions apply to the processing of digital personal data outside the territory of India when such processing relates to profiling of, or the offering of goods or services to, data principals located within the territory of India. When this condition is satisfied, the DPDPB applies to foreign entities.
The draft DPDPB defines “profiling” as any form of processing of personal data that analyses or predicts aspects concerning the behavior, attributes, or interests of the data principal.
As stated above, the extraterritorial effect is also found in the GDPR. As per Article 3, the regulation applies to businesses based outside the EU as well: even when businesses are established in non-EU countries, they are subject to the GDPR when they process the data of data subjects in the EU in connection with the offering of goods or services to, or the monitoring of the behavior of, individuals in the EU.
The regulation also applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
The GDPR also requires the appointment of a representative in the EU when a company located in a non-EU country processes the data of EU citizens. The representative acts as a point of contact for EU-based individuals and authorities who want to raise questions about the non-EU organization’s data processing activities or exercise their rights.
Representatives also assist with GDPR enforcement, for example by making and keeping the Record of Processing Activities (RoPA) and liaising with the regulators.
Organizations are exempted from appointing an EU representative under either of the following conditions: where the processing is only occasional and is unlikely to result in a risk to the rights and freedoms of individuals, or where the organization is an overseas public authority or public body.
WHY SHOULD AN ORGANISATION BE AWARE OF EXTRATERRITORIAL SCOPE?
Data privacy and protection law is wholly based on the welfare of the data subjects: they are given rights, and the organization that collects their data is obliged to inform them of the purpose for which the data is used. Transparency and lawfulness in collecting data and freely obtained consent are some of the significant ingredients. So, an organization that collects the data of data subjects must be aware of the existing data protection laws and of their territorial, and particularly extraterritorial, applicability, in order to comply with those laws and reduce the risk of non-compliance, breach, and penalty.
Companies that collect the data of EU citizens must therefore comply with the GDPR even if they are located outside the EU. The same applies to the DPDPB, whose extraterritorial applicability requires such companies to comply with its provisions.
As an organization, it is an obligation to comply with these laws, both to protect the data of data subjects and to avoid heavy penalties.
It is a great step for India to have dedicated legislation on data protection and privacy after a series of corrections and recommendations from various authorities as well as the public.
If you are an organization looking to comply with data protection laws worldwide, Tsaaro might be a great option: they work on the compliance of various companies so that they can function effectively and prevent the risks associated with confidential data.
With a well-equipped team of privacy and cybersecurity professionals, who identify, analyze, and assess the risks associated with data by conducting assessments, Tsaaro helps with privacy and compliance issues.
So, it is high time to consider Tsaaro before the DPDPB becomes effective; if you are an organization looking for privacy and compliance work, Tsaaro might be a good choice. Get in touch with us at firstname.lastname@example.org.