Dealing with the EU?

PCQ Bureau

Rodney D Ryder

India has no data-protection or privacy laws. For Indian companies dealing with the European Union, the absence of such laws poses a serious problem, as Europe has a strict Data Protection Directive. So much so that if a country wants to join the EU, it must comply with the EU’s privacy laws. This is critical in India’s context, as data transfers from Europe account for about 20% of the total data received. Data-protection legislation can take this percentage up substantially.

But India is not the only country without such laws. The US, too, does not have any specific data-protection legislation. For data transfers, however, there is a ‘safe harbor’ arrangement that involves ‘self-certification’ by the US Federal Trade Commissioner’s Office.

Both individuals and companies need to be concerned about how legal rules regarding the holding of information might apply to them. The issue can be seen from three angles: an individual about whom data is held; a commercial organization holding the data; and the impact of the first two on widespread computer and Internet usage.

So, what is the current modus operandi for Indian companies dealing with the EU? Currently, data-protection provisions are written into the service contracts. These service contracts are governed by EU laws, with the seat of arbitration in case of infringement of the law being an EU country. However, the use of contractual safeguards has not been completely satisfactory. It is for this reason that there is increasing pressure to create binding rules on data transfer.

In a workplace, companies and institutions store data about their employees, existing clients and customers, potential targets or third parties. ‘Personal data’ under the present European data-protection legislation is broadly defined and can cover practically any information held about an individual. Even the simplest information, such as a name associated with a terrestrial address, constitutes personal data for the purposes of the legislation.

According to EU laws, all personal data held must comply with the following eight principles.

  • Personal data shall be processed fairly and lawfully

  • It must be obtained only for one or more specific and lawful purposes, and shall not be further processed in any manner incompatible with that purpose

  • The data held must be adequate, relevant and not excessive in relation to the purpose for which it is processed

  • It must be accurate and, where necessary, kept up to date

  • It must not be kept for longer than is necessary for the purposes for which it was obtained

  • It must be processed in accordance with the rights of data subjects under the relevant country specific legislation (formulated at the EU level on the basis of the Data Protection Directive, 1995)

  • Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

  • Personal data shall not be transferred outside the European Economic Area unless the recipient provides an adequate level of protection (equivalent to the data-protection principles in the EU)

You’ll see that there is considerable overlap between the above principles, as well as a fair degree of room for individual interpretation of the terms.

Rodney D Ryder is a legal consultant on trade and technology laws
