Under GDPR, Indian Data Processors Should not Agree to Standard Contractual Clauses which are ultra vires the FEMA

The globalization of Indian IT business has created many challenges for the Indian economy as a whole and in particular for certain domain-specific regulators. One such regulator who frequently finds himself in a bind is RBI, while regulating Foreign Exchange transactions. Over the years the strict regulations under FEMA have been diluted and great freedom has been given to the Indian public to purchase foreign exchange and also retain it abroad and use it for specified purposes.

In the Free Trade environment, there are many instances where an Indian company enters into a business contract in which it commits itself to certain obligations which directly or indirectly are convertible to payment of compensation to a foreign company in foreign exchange. In the process the regulatory functions of RBI get disturbed.

As long as the compensation is reasonable and is directly related to and is a part of the revenue proposed to be earned through the contract, it is a fair proposition.

However, in recent days, we know that “Indemnity” obligations under certain contracts far exceed in value the actual revenue gained in the contract. One example of this was the claim made on SIFY (before its merger with TechM) of US$ 1 billion for violations in its software development contract and failure to provide appropriate documentation for the beneficiary (UPAID) to obtain a valid Patent in USA. This is reported to have been finally settled for US$ 70 million in the dispute resolution process.

TCS also faced a situation where a claim of US$ 940 million was made on it by a US company, Epic, for a data breach incident, which again must have been reduced to around $200 million in subsequent discussions.

Recently, Tata Group had to face litigation to meet its obligations under a contract with DOCOMO which involved payment of compensation in foreign exchange.

These are instances which indicate that Companies land up confronting RBI in seeking foreign exchange remittance arising as a contractual obligation about which RBI had no inkling until the liability has matured. Given the comfortable FE reserves at present, RBI may be able to meet the requirements without fuss but it is bad in principle that RBI should be unaware of such liabilities until they fructify.

With the onset of GDPR, which speaks about a penalty level up to 4% of global turnover of a data controller/data processor coming directly under the jurisdiction of EU, the rules of the game have changed. The EU companies will without doubt incorporate compliance obligations along with indemnity clauses in their contracts with Indian subcontractors who are “Non EU Data Processors”.

Some Indian companies may come directly under the regulation if they are providing any services to EU citizens including “Monitoring” the activities of EU data subjects. All other data processors in India who enter into a contract with any international data controller are also exposed to the indemnity liability by virtue of the contracts signed.

Some of these contracts may appear to emanate from say US but the US client himself may have a back to back processing contract with the EU countries and hence the Indian Companies have to cover themselves for the GDPR risk even in these contracts.

Hence the “Liability Risk arising out of data breaches, for Indian companies acting as Data Processors” is a universal risk that cumulatively adds up to several billion US dollars. It cannot be ignored.

Remember that the indemnity clause may simply say “..shall indemnify any loss caused to Party A by Party B not complying with the provisions of this contract..” (or equivalent) and not specify any limits.

We are therefore exposing ourselves to a risk of 4% of global turnover of the international vendor and not limited to 4% turnover of the Indian company.

GDPR also provides for the EU data subjects themselves claiming compensation from the subcontractors of a data controller also and hence some maverick may file a class suit on an Indian Company for a mass data breach running to a claim of compensation of billions of dollars.

In this context, we need to take a look at some of the clauses in the Model Standard Contract Clauses issued earlier by the EU, which were already part of some Business Process Contracts or may be incorporated in contracts now renewed under GDPR under article 46(2)(a).

Some of these clauses are as follows:

“…The data subject can enforce against the data importer this Clause, ….(Ed: when a remedy may not be easily available against the data controller)”

“…The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law”

“.. The data importer agrees and warrants:….that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract…” etc

Without going into further details, we can very well see that these contractual terms try to override the Indian laws.

We should not consider that these are normal clauses under a contract where the jurisdiction for dispute resolution is normally switched from Courts to Arbitration or from one country to another country. These clauses determine the liability which is “Indeterminable” at the time of signing of a contract and on which the contracting parties may not have a “meeting of mind”.

Secondly, India has a financial regulation under which RBI is regulating the flow of foreign exchange. While in pursuance of the overall economic objectives of the country, RBI has provided for many free remittance options, some with a mere reporting to or approval from an Authorized Dealer, remittances that may run to millions of dollars cannot be delegated to Authorized Dealers or brought under free contractual remittances.

Hence when a data processor company in India receives a notice from an EU regulator or a Data Controller to pay a few million US dollars as compensation or attend an arbitration which eventually may lead to a similar decision, even if the company has foreign exchange balances earned through its exports and held in approved Foreign Currency accounts (Exchange Earner’s Foreign Currency Account or EEFC), it cannot take a decision to make the payment without referring the matter to RBI.

The permissible debits to an EEFC account are as follows. (Refer here)

i) Payment outside India towards a permissible current account transaction [in accordance with the provisions of the Foreign Exchange Management (Current Account Transactions) Rules, 2000] and permissible capital account transaction [in accordance with the Foreign Exchange Management (Permissible Capital Account Transactions) Regulations, 2000].

ii) Payment in foreign exchange towards cost of goods purchased from a 100 percent Export Oriented Unit or a Unit in (a) Export Processing Zone or (b) Software Technology Park or (c) Electronic Hardware Technology Park

iii) Payment of customs duty in accordance with the provisions of the Foreign Trade Policy of the Central Government for the time being in force.

iv) Trade related loans/advances, extended by an exporter holding such account to his importer customer outside India, subject to compliance with the Foreign Exchange Management (Borrowing and Lending in Foreign Exchange) Regulations, 2000.

v) Payment in foreign exchange to a person resident in India for supply of goods/services including payments for airfare and hotel expenditure.

Permitted current and capital account transactions under FEMA are described below.

A Current Account Transaction has been defined as a transaction other than a Capital Account Transaction, meaning all transactions which do not alter the assets or liabilities outside India of a resident or the assets or liabilities in India of a non-resident.

Such transactions include:

-Payments due in connection with foreign trade, other current business, services, and short term banking and credit facilities in the ordinary course of business.

-Payments due as interest on loans and as net income from investments,

-Remittances for living expenses of parents, children, and spouse residing abroad,

-Expenses in connection with foreign travel, education and medical care of parents, spouse and children.

Capital Account Transactions are classified into two classes:

(i). Capital Account Transactions of person resident in India.

-Investment in foreign securities
-Foreign Currency loans raised in India and abroad
-Transfer of Immovable properties outside India
-Guarantees issued by a person resident in India in favour of a person resident outside India.
-Export, Import and holding of currency/currency notes.
-Loans and overdrafts (borrowings) by a person resident in India from a person resident outside India
-Maintenance of foreign currency account in India and outside India by a person Resident in India.
-Taking out an insurance policy from an insurance company outside India.
-Loan and overdraft to a person resident outside India
-Remittance outside India of capital assets of a person resident in India.
-Sale and purchase of foreign exchange derivatives in India and abroad and commodity derivatives abroad

(ii). Capital Account Transactions of person resident outside India.

(a) Investment in India by way of Issue of securities by a body corporate or an entity in India and investment therein by a person resident outside India; and
Investment by way of contributions by a person resident outside India to the capital of a firm or proprietorship concern or an association of person in India.

(b) acquisition and transfer of immovable property in India in favour of, on behalf of a person resident in India.

(c) Guarantee by a person resident outside India in favour of, or on behalf of a person resident in India,

(d) Import/Export of Currency/Currency Notes into/from India by a person resident outside India

(e) Deposit between a person resident in India and person resident outside India.

(f) Foreign Currency Accounts in India of a person resident outside India

(g) Remittance outside India of capital assets in India of a person resident outside India.

All payments in foreign exchange other than what is mentioned above require “Prior Approval” of Government of India.

However, in the case of liabilities arising out of the Standard Contractual Clauses in a data processing contract, a Company approaches the Government or RBI with a post-facto request that it has to remit foreign exchange, and RBI or the Government will be in a dilemma over how to deal with this fait accompli.

In my opinion, a Company entering into a contract knowing full well that it does not have prior approval of the Government for the contingent event of performance of one of the contractual clauses amounts to entering into a “Fraudulent Contract”.

It is neither enforceable by the Data Controller nor is it executable by the Indian data processor.

Should we place our Indian companies in such a situation? There is a need for NASSCOM and the Government to ponder over the issue.

On my part, I suggest that companies ensure that the contracts are all made “Subject to laws prevailing in India”. In other words, contracts should include a “GDPR Exclusion Clause” where

a) the liabilities are limited to a particular amount for which the Company should have a prior permission from the Government or

b) Liabilities are subject to the laws in India including FEMA.

I am sure that the business managers will raise a hue and cry on rejecting the standard contractual clauses suggested by the clients and the corporate legal advisors may be brushed aside.

However, from the compliance angle, I would advise the legal advisors and compliance managers to raise an alert so that the top management takes a decision based on its risk appetite. The CFOs and the Financial Auditors should qualify the accounts for both balance sheet purpose and SEBI purposes that “Certain liabilities committed by the Company are not quantified and not provided for”.

Alternatively, NASSCOM, RBI and the Finance Ministry need to sit together and find out a solution. Presently, it is a good time to find a solution through the proposed Indian Data Protection Act which is under drafting by the Ministry of IT in consultation with NASSCOM. This law will introduce a super regulator for data protection who may be called the “Data Commissioner of India” who will be responsible for all “Data” processed in India.

ITA 2000/8 tries to provide protection for data from the perspective of an Indian data subject whose personal and sensitive personal information is processed by an Indian company. It indirectly addresses the rights of international bodies by suggesting that “Reasonable Security Practice” under Section 43A is as defined in a contract between the data subject/data controller and the data processor. This will enable an international data controller to seek remedy for his losses under ITA 2000/8 when there is a breach of contractual terms of security. This opens up a door for the indemnity clause to be enforced with the support of the Indian judiciary (Adjudicator).

The proposed Data Protection Act of India may go a step further and make all data processors in India subject to a registration/licensing process with the data commissioner. This office can if necessary also be made responsible to vet the data processing contracts and ensure that there are no inherent conflicts.

Alternatively, the Data Commissioner of India should be given a mandatory power by which no legal action can be initiated against a registered data processor in India without the permission of/intervention of the Data Commissioner. In such a case this office will act as a filter between the Indian data processors and the foreign Data controllers/Data subjects and ensure that no unreasonable liability suit is hoisted on Indian companies.

I request the MeITy, NASSCOM and RBI/Finance Ministry to quickly start negotiating on this matter before the law is frozen (before October as the Government has indicated).

An opportunity missed now will be an opportunity lost for ever.

Naavi