Privacy protection regime has been aggressively pursued by EU for a long time. GDPR is an extension of this aggression where the penalties proposed are threatening. Hence though the principles of privacy protection envisaged under GDPR is commendable, there is discomfort on the attempt to impose extraordinary penalties.
The global community is worried that the penalties may impinge on international companies also and lead to many international conflicts in the coming days. The same concern also applies to Indian data processors who do have a stake in the outsourced data processing business coming out of EU either directly or through the American Companies who outsource the work to Indian companies.
One article which needs some thinking is article 48 which reads as follows:
Article 48: Transfers or disclosures not authorised by Union law
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
What this Article implies is that a company subject to Indian law will be challenging the jurisdiction of the Indian Courts by virtue of say a contract it may sign with its business partner who is bound by the EU regulation.
It may be noted that this Article is not simply a choice of “Jurisdiction” in a contractual agreement. It tries to render the Indian Courts impotent. For example if Company A in India has processed some data under a GDPR bound agreement and a Court issues a judgement that a certain personal data need to be disclosed, the Company A may be under a dilemma on whether it can disclose the data or not, whether it needs to obey the Indian Judiciary or not.
This Article also introduces a confusion since the general principle of Privacy does provide right to the law enforcement agency to intrude on certain circumstances. If the law enforcement can claim exemption from the restrictions under GDPR for reasons such as national security, criminal investigation etc. it is strange that the Judiciary has no right even after a trial having been conducted and arriving at a judgement.
Hopefully this Article should be interpreted as applicable only if the data has to be released by an organization which is not under the jurisdiction of the Indian Judiciary and not to companies who operate in India whether they are incorporated in India or not.
Probably the confusion could have been avoided if the Article had specified that it is not applicable to data processors who are established outside the Union or that it was not in derogation of the rights of the Judiciary of the country in which the data controller operates.
Naavi