BW Businessworld

GDPR : EU's New Data Protection Law Will Affect Indian Software Companies Too

The article looks at how the GDPR will shape the fortunes of the Indian software sector, and asks whether it comes as a challenge or as a blessing in disguise that separates the wheat from the chaff.


In the aftermath of the Cambridge Analytica-Facebook fiasco, the question is how companies in the Indian software sector will decipher and prepare for the stringent privacy standards of the EU's General Data Protection Regulation (GDPR). Given the lack of any government initiative, it is feared that the complex GDPR regime, which in effect builds a 'walled garden' around the personal data of people in the EU, will leave many unprepared and will be extremely difficult to comply with.

When Mark Zuckerberg was asked by Senator Chuck Grassley during his Capitol Hill testimony on April 10 on the Cambridge Analytica controversy whether Facebook prised open individual messages, Zuckerberg fumbled and sipped water. Grassley repeated the question, and finally Zuckerberg admitted: "Yes... we tap audio of the video uploaded! So that the data can be sent to advertisers. We sell data and that's our business model ...."

But on May 25, the EU's General Data Protection Regulation, Regulation (EU) 2016/679, begins to apply, and it is bound to knock the wind out of many cyber operators (read: data miners) around the world.

Under the GDPR, people in the EU gain enforceable rights over their personal data, and the organisations that hold it take on the corresponding obligations. Alongside it, stricter rules for international business are on the anvil through the proposed ePrivacy Regulation and the NIS Directive on cybersecurity. A data breach or other violation of the regulation can attract a fine of up to 4 per cent of a company's worldwide annual turnover or EUR 20 million, whichever is higher, for the most serious infringements (such as breaching the basic principles of processing, the conditions for consent or data subjects' rights), and up to 2 per cent or EUR 10 million for other infringements (such as failing to notify a breach or to keep records of processing).

The GDPR was adopted by the European Parliament and the Council in April 2016, replacing the 1995 Data Protection Directive, and as an EU regulation it applies directly in every member state from May 25, 2018, with no national legislation needed. Consent under the GDPR must be freely given, specific, informed and unambiguous, and must be expressed by a clear affirmative action for each purpose of processing; organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data must also appoint a data protection officer to oversee compliance. The passive agreement that data miners cash in on when a user downloads a fancy app, visits a website or even a mirrored clone of a popular site (pre-ticked boxes, silence or mere inactivity) no longer counts as valid consent.

For India, the GDPR comes as a major challenge. Indian software companies are still preparing to meet these stringent guidelines. "Overall, Indian companies' preparedness level could have been far better... but given the historical nature of Indian society, people invariably tend to do things at the last minute," Pavan Duggal, India's leading cyber law expert and Supreme Court advocate, told BW Businessworld.

The challenge is sharpened by the fact that India has no legal framework on a par with the GDPR, and there have been no government-to-government talks on the issue, which is being seen as a potential hazard in the coming days.

As much as 90 per cent of India's software exports, in IT and ITES services, go to the US, the UK and the EU. According to NASSCOM, continental Europe accounts for almost 12 per cent of India's IT and ITES services exports. IT services make up as much as 45 per cent of India's total services exports, at over USD 100 billion. For the financial year 2018-19, total IT exports are pegged at USD 137 billion, with a CAGR of 7 to 9 per cent.

However, barring compliance related to their own employee data, many companies in India will be data processors rather than data controllers, and their compliance requirements will be decided not only by the GDPR and its security-specific clauses but also by the contractual clauses that processors must accept to help data controllers comply, says NASSCOM. Gagan Sabharwal, Senior Director, Global Trade Development, NASSCOM, told BW: "In the run-up to GDPR implementation we have been constantly engaged with the European Union to cushion the impact on Indian data processors and ... are raising awareness levels due to very stringent penalties on non-compliance. The European Union acceded to our stance to take an accommodative view during the initial phase of the GDPR implementation. Companies genuinely trying to cope with the new regime will benefit from this accommodative stance of the EU."

But even though NASSCOM claims to have nudged the Indian sector towards the GDPR's prerequisites, sceptics hold that several chinks remain in the armour that are bound to make life tougher.

"Given the sensitivity around many issues, a company would need to carefully assess its ability to comply and it might be wiser to temporarily suspend their EU operations until they are in compliance if they haven't done so in the last two years," says Santanu Mukherjee, senior legal advocate on intellectual property rights.

The GDPR is a comprehensive body of law that tightly limits the seepage of private data. Issues such as the right to erasure (the 'right to be forgotten') and the anonymisation or pseudonymisation of data, so that a stored record no longer points back to the original subject, are among the intricacies that make data privacy a watertight compartment under the GDPR. The distinction between the two matters: truly anonymised data falls outside the regulation altogether, whereas pseudonymised data, which can still be linked back to a person using additional information held separately, remains personal data and stays in scope.
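To make the pseudonymisation point above concrete, here is an added example (written for this edit, not code from the article or from any company it quotes). It contrasts a naive unkeyed hash of an e-mail address, which an attacker with a list of candidate addresses can reverse by recomputation, with keyed pseudonymisation using one random HMAC key per data subject, where the key table is the separately held "additional information" and destroying a subject's key (crypto-shredding) is one practical way to honour an erasure request. The record layout, the `email` field and the in-memory key table are assumptions for the demonstration; the sample records are constructed and not real data.

```python
"""Naive hashing vs keyed pseudonymisation, with erasure by key destruction.

Added example; assumptions: records are dicts with an 'email' field, and the
per-subject key table is kept in a separate, access-controlled store in a
real deployment (here it is an in-memory dict for illustration).
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records (not real data), keyed by a direct identifier.
RECORDS: List[Dict] = [
    {"email": "Alice@example.com", "country": "DE", "orders": 3},
    {"email": "bob@example.com", "country": "FR", "orders": 1},
    {"email": "alice@example.com", "country": "DE", "orders": 2},
]


def naive_token(email: str) -> str:
    """Unkeyed SHA-256 of the e-mail. This is NOT anonymisation: anyone who
    holds a list of candidate addresses can recompute the hash and match it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Re-identify a naive token by hashing each candidate address."""
    for cand in candidates:
        if naive_token(cand) == token:
            return cand.strip().lower()
    return None


class Pseudonymiser:
    """Keyed pseudonymisation with one random 256-bit HMAC key per subject.

    Without the key table the tokens cannot be linked back to a person, and
    tokens for different subjects cannot be correlated across key deletion.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}  # identifier -> secret key (kept apart)

    def token(self, email: str) -> str:
        ident = email.strip().lower()
        key = self._keys.setdefault(ident, secrets.token_bytes(32))
        return hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()

    def erase(self, email: str) -> None:
        """Honour an erasure request by destroying the subject's key."""
        self._keys.pop(email.strip().lower(), None)

    def is_linkable(self, email: str) -> bool:
        return email.strip().lower() in self._keys

    def pseudonymise(self, records: Iterable[Dict]) -> List[Dict]:
        """Replace the direct identifier with a keyed token; keep other fields."""
        out = []
        for rec in records:
            rec = dict(rec)
            rec["subject"] = self.token(rec.pop("email"))
            out.append(rec)
        return out


def demo() -> dict:
    """Run both approaches over RECORDS and report what each one exposes."""
    candidates = ["alice@example.com", "carol@example.com", "bob@example.com"]
    naive = [naive_token(r["email"]) for r in RECORDS]
    recovered = [dictionary_attack(t, candidates) for t in naive]

    ps = Pseudonymiser()
    table = ps.pseudonymise(RECORDS)
    alice_before = ps.token("alice@example.com")
    ps.erase("alice@example.com")
    alice_after = ps.token("alice@example.com")  # fresh key, unrelated token
    return {
        "naive_recovered": recovered,
        "keyed_rows_linked_to_alice": sum(r["subject"] == alice_before for r in table),
        "unlinkable_after_erase": alice_after != alice_before,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script to see that every naive token in the sample is recovered from a three-address candidate list, while the keyed tokens link Alice's two rows only for as long as her key exists. Note that after `erase()` the stored rows themselves are untouched; what is destroyed is the ability to tie them to the person, which is why the key table must be held separately from the pseudonymised data and be the only place the mapping exists.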

Sounding optimistic, Arvind Mehrotra, President and Global Head, Infrastructure and Technology Services, NIIT Technologies, says: "... they should see it as a massive business opportunity knocking at their doors as a GDPR compliant organization will be given greater business preference at a global level." In a way, the move would weed out the non-competitive players and help compliant ones garner a larger share of legitimate data work.

Data is the new gold, and legitimate data brokering is the gold rush. According to Gartner, the US-based advisory firm, data miners operating under the garb of service providers, application enablers and even government agencies and NGOs siphon off data from gullible users. Many, styling themselves as customer engagement companies, research and data collection companies, consumer risk management companies and the like, thrive under such pseudonyms while covertly siphoning off the personal data of vulnerable customers.

"This is indeed a good opportunity to close all ongoing efforts in establishing a dedicated privacy statute in India and if our SW industry considers the EU market as important then it would be worth modeling the law on GDPR," says Mukherjee. Meanwhile, online data protection in India is governed by the Information Technology Act, 2000, whose Sections 43A and 72A (inserted by the 2008 amendment) make a company liable to compensate for negligent handling of sensitive personal data and punish disclosure of personal information in breach of a lawful contract. But given the many surreptitious ways in which user privacy is misused and tapped, ensuring data privacy in India remains a Herculean task.

Social media is often misused to collate personal and private data for political campaigning or product promotion, flooding the user with an advertising blitzkrieg, normally without the user's consent. In fact, bludgeoning the user with ads targeted on his or her private profile is a major revenue strategy for social sites.

In fact, at one point in the Capitol Hill testimony, Zuckerberg admitted that ".. the user might have to pay us to stop being flooded by these ads ....that's our business model". That is a new business model in which the user is flooded with ads and then pays a sum not to be flooded. So the company makes money both ways: it charges companies for the ads, and it extracts money from users for not being shown them.

Seen in the wake of the Cambridge Analytica controversy, with the firm having procured data since 2014, the issue of data privacy assumes greater importance. Facebook reportedly had 2.2 billion users by the end of 2017. What will happen to the personal data already acquired by Cambridge Analytica and stored on its servers? How can anyone be assured that it has deleted all the acquired data, particularly when it is unclear what 'privacy' comprises? Even as Zuckerberg assured that his company had severed relations with Cambridge Analytica, he subsequently admitted that CA could have accessed users' private data thereafter. In fact, he admits there is still no guarantee that CA has erased the captured data from its servers.

Back home, there has been a rising debate over violation of the privacy of personal data under the Modi government's much-touted national identity number, Aadhaar. Even as Aadhaar promises to give citizens a much-needed identity tag, there are several loopholes. For one, there is huge potential for misuse of Aadhaar data by the private third-party collators who collect it from users. Despite repeated assurances from MeitY and UIDAI CEO A.B. Pandey, in recent months a plethora of episodes have surfaced in which Aadhaar data has been misused to siphon off funds from bank accounts or to collect subsidies under the direct benefit transfer scheme. The matter is still hanging fire: the Supreme Court has deferred mandatory Aadhaar linking while it hears a public interest litigation challenging the scheme.

At the global level, there have as yet been no official bilateral talks between the EU and the Indian government on the GDPR. Even if there were, their implementation would carry a big question mark. Mukherjee holds: ".. even if there were govt talks in line with the EU-US Privacy Agreement... On a hypothetical note, given that the previous 'Safe harbor' did not stand the test of law before the European Court of Justice (ECJ), there is no complete assurance as to how such complicated arrangements even if executed by governments would be interpreted by the ECJ."

But this is just the tip of the iceberg. Apart from the EU, the UK, Japan and the US are well on their way to erecting 'walled gardens' around personal data. The US has state-level data breach notification laws that oblige companies to disclose unauthorised access to personal data, while Japan has its Act on the Protection of Personal Information, a central law that prohibits the use of an individual's data beyond the stated purpose without prior consent.

Disclaimer: The views expressed in the article above are those of the author and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.


Sanjay Thapa Jeet

The author is an independent journalist
