The Impact of Data Privacy Laws in India on Multinationals
#India
India has been a following a very fragmented approach towards data protection laws, with protection spread over a mixture of statutes, the most prominent of which being the Information Technology Amendment Act, 2008 which mainly deals with” sensitive personal information”.
In May 2018, we saw the implementation of the European Union’s General Data Protection Regulation (GDPR) in full force. To keep in line with the GDPR regulations, the Indian Government in December 2019 introduced the Data Protection Bill, 2019 (Bill) with the intention of creating the first comprehensive data protection legal framework in India.
This Bill gives more clout to protecting the personal data of citizens, prevents private players from misuse and puts restrictions on both Indian and foreign entities that process the personal data of Indian nationals. Prime examples of the companies that process personal data and information of a sensitive nature include social media entities like Facebook, Twitter, WhatsApp etc. With the introduction of the new Bill, multinationals in India are set to face the heat by the unique compliance challenges imposed viz. data privacy and security.
Key Features of the Bill
Up until now, multinational companies had free reign in using and manipulating the personal data of the Indian citizens who regularly availed their services. In many cases these companies transmitted data to other countries thus jeopardizing the privacy and security of both citizens and the country. Some of the key features of the Bill are modelled on the E.U.’s GDPR and provides more teeth to the protection of citizen’s rights, most notably:
Notice and consent requirements for the processing of personal data;
Limitations on the processing of personal data, only to be processed for the services as agreed by user;
Data localization—critical personal data is to be stored on servers within India, and restrictions on the transfer of other personal data outside India; and
Financial consequences for noncompliance in the form of penalties for instance, Sections 33 and 34 under the Bill can levy a penalty on the violators to the tune of 1.73 million Euros or 4% of the offender’s yearly worldwide turnover of the previous financial year.
What multinationals stand to lose in India if this GDPR like legislation is implemented?
In India, implementation of the new Bill could lead to increased compliance costs for multinationals and small-time businesses. Further, data localization requests of storing critical data on servers within India and the restriction on its transfer outside of India, may severely impact the global operations of these companies, as will prevent the multinationals from using the data for business purposes outside, thereby curtailing innovation and cross border transfers. As per the report by Carnegie Mellon, dated May 2019, in India, a loss of up to 0.8 percent of GDP is estimated should the country adopt a localization requirement. The study also estimates a reduction of up to 1.4 percent of domestic investments in India due to localization requirements.
Conclusion
The implementation of the Data Protection Bill into law in India will come with its own set of problems for multinationals viz. increased compliance cost, restrictions and administrative burdens and a negative impact on investments. However, this Bill is an important step towards the protection of citizen rights and their privacy which is a key principle enshrined in Article 21 of the Indian Constitution. The impact of this Bill on citizens and multinationals can only be finally determined once the Bill becomes law.
We at D’Andrea and Partners have a team of experts who are continually monitoring the changes in the Indian laws and regulations. Reach out to us on info@dandreapartners.com if you have any questions.
Introduction The Ministry of Corporate Affairs (hereinafter referred to as “MCA”) has recently circulated a draft policy called as “Draft Policy for Pre-Legislative consultation and comprehensive review of existing Rules and Regulations” (hereinafter referred to as “the Draft Policy”) which has come into effect from 1st January, 2024. The draft policy aims to conduct public
Introduction In order to conduct any business activities in India by a foreign investor, it is imperative to register an entity either by way of Private Company or a Limited Liability Partnership (“LLP”) so as to create a separate legal entity with perpetual existence with the advantage of minimal personal liability to promoter and initial
In today’s globalized business landscape, companies come to manage labor disputes. The intricate interplay of local laws, cultural nuances, and procedural requirements significantly shapes the resolution process. This article embarks on a comparative journey through four distinct jurisdictions—China, India, Italy, and Vietnam—to illuminate the strategies and challenges involved in addressing labor disputes. Central to this
#China
#Italy
#India
#Vietnam
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.