Data is widely hailed as the new fuel. The electronic processing of data has made data very valuable. However, the computerized processing of data has also led to increasing privacy concerns. In response to these concerns, the European Union had adopted the General Data Protection Regulation (“GDPR”) in May, 2018. The Indian government had also released draft Personal Data Protection Bill, 2018 (“Bill”) in August, 2018. The Bill is one of the most crucial bills that is supposed to be considered in the winter session of the Parliament.
Territorial Jurisdiction under the Bill
Territorial jurisdiction refers to application of legislation on a geographical basis. However, data of Indian citizens is being collected by companies based in various jurisdictions, not just India. Accordingly, considering the transnational nature of data, the Bill also envisages applicability to any activity that has data protection consequences for individuals located in India, even if the person collecting the data (i.e. the data processor or data fiduciary) is not present in India, but the data has been collected or processed in India. This is similar to the approach taken by GDPR.
Clause 2 of the Bill envisages two bases for exercising territorial jurisdiction:
- Processing of personal data if such data has been collected, disclosed, shared or otherwise processed in India; and
- Processing the data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law.
However, in case the data processor or data fiduciary is not located in India, the Bill envisages jurisdiction only if the processing is in connection with:
- any business carried on in India, or any systematic activity of offering goods or services to data principals within India; or
- any activity which involves profiling of data principals within India
It is clear that the intent of the Bill is not to extend jurisdiction to all websites that Indians are accessing. Rather, the Bill intends to cover only those that have a significant economic or digital presence in India.
Territorial Jurisdiction under GDPR
On the other hand, GDPR applies to processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the Union or not. This correlates to the second basis for jurisdiction envisaged in the Bill. The recitals of GDPR make it clear that “establishment” implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
The second basis for jurisdiction has also been mirrored in the Bill to some extent.
Bill v. GDPR
Physical Presence of Entities: Both the Bill and GDPR envisage jurisdiction on data processors or data fiduciaries based on physical presence of an organization within their territory. While GDPR makes it clear that it applies to European establishments even if the processing doesn’t take place in the Union, the Bill does not. However, this can be read into the provision by implication.
Physical Presence of Data Principals: The attempt by the Bill and GDPR to protect the rights of their citizens even in cases where the processing is done by a foreign entity are praiseworthy. The exercise of jurisdiction on the second basis has been limited to the following two scenarios under the Bill:
1. Offer of Goods or Services to Indian Citizens: The Bill envisages exercise of jurisdiction in cases where the foreign entity is offering goods and services to Indian citizens. However, the mere fact of an Indian accessing a foreign website may not lead to application of the Bill. GDPR makes a crucial clarification that the jurisdiction does not depend on whether payment on the European citizen is required, while the Bill does not. The guiding factor for determining whether a website is covered under Indian jurisdiction is likely to be whether it is made available in any Indian language, whether it ships goods to India, targeted advertising to Indians, etc.
2. Profiling of India Citizens: The Bill also envisages jurisdiction when Indian citizens are being profiled by a foreign company. The GDPR has a similar basis of jurisdiction based on monitoring of European citizens’ behaviour. To determine whether Indian data principals are being profiled, it could be ascertained whether Indians are being tracked in order to predict their personal behavior and preferences. Behavioral advertising can therefore be covered within this description.
The extra-territorial jurisdiction envisaged under the Bill and GDPR is likely to evolve in response to change in technology. It will be interesting to watch how the proposed Data Protection Authority in India enforces the extra-territorial jurisdiction envisaged under the Bill.
This post has been contributed by Ms. Vaneesa Agrawal.
[DISCLAIMER: This article is for academic purpose and is solely to provide readers with general information regarding developments in Indian law. The information contained herein does not constitute legal or a professional advice.]