Loopholes in the General Data Protection Regulation
The introduction of GDPR in EU is envisaged to raise standards of data privacy and security in EU for protection of personal data of EU residents. However, certain loopholes have been identified with respect to high costs involved, ambiguity in legislative interests and territorial scope.
India: Provisions of Companies Amendment Act now effective
The Companies Act, 2013 (hereinafter referred to as “Companies Act”) enforced with the objective of regulating the affairs of companies incorporated in India was amended vide the Companies (Amendment) Act, 2017 (hereinafter referred to as “Amendment Act”) after receiving the assent of the President on January 3, 2018. By a recent notification dated May 7, 2018, Ministry of Corporate Affairs has made effective certain provisions of the said Amendment Act. Some of the said provisions have brought about the following changes in the Companies Act as below:
- Section 2(6): A company shall be recognized as an associate company with respect to another company which has at least 20% voting power or control or participation in business decisions and also includes joint control arrangement between the parties with respect to rights and assets of the associate company.
- Section 26: Prospectus of the company must state information and set out financial reports as specified by Securities Exchange Board of India.
- Section 54: Issue of sweat equity shares is no longer limited to the elapse of 1 year from the date of commencement of the business of the company.
- Section 77: Duty to register charges shall not apply with respect of the charges, prescribed in consultation with the Reserve Bank of India.
- Section 89: The declaration in respect of beneficial interest in any share can be filed even after the lapse of the time period indicated (30 days) with the payment of additional fees without being barred by the final limitation of 270 days.
- Section 92: The Annual return can be filed even after the lapse of the time period indicated (60 days) with the payment of additional fees without being barred by the final limitation of 270 days.
Section 117: The resolution and agreements can be filed even after the lapse of the time period indicated (30 days) with the payment of additional fees without being barred by the final limitation of 270 days. Non- filing of the same will entail minimum penalty of INR 100,000 (USD 1472 approx.) and any company official including liquidator shall be subject to a minimum fine of INR 50,000 (USD 736 approx.)
Resolutions passed by a company according consent to the exercise by its Board of Directors are exempted from filing.
Banking Companies are not required to file resolution with respect to grant of loans, giving of guarantees or providing of security with respect of loans.
- Section 121: The report of the annual general meeting can be filed even after the lapse of the time period indicated (30 days) with the payment of additional fees without being barred by the final limitation of 270 days.
- Section 129: The Companies having one or more subsidiary or associate companies shall prepare a consolidated financial statement of the company and of all the subsidiaries and associate companies in the same form and manner as that of its own and in accordance with applicable accounting standards to be laid before the annual general meeting of the company. Additionally, a separate statement containing the salient features of the financial statement of subsidiary or subsidiaries and associate company or companies in such form as may be prescribed is to be provided by the Company.
- Section 137: The copy of the financial statements, including consolidated financial statement can be filed even after the lapse of the time period indicated (30 days) with the payment of additional fees without being barred by the final limitation of 270 days.
- Section 139: The appointment of auditors shall not be subject to ratification by members at every annual general meeting anymore.
- Section 157: The details of the Director Identification Number of all its directors can be filed even after the lapse of the time period indicated (15 days) with the payment of additional fees without being barred by the final limitation of 270 days.
Section 164: The Director appointed in defaulting Company shall not be disqualified for 6 months from such appointment.p>
Disqualification to be appointed as Director shall continue to apply even if the appeal or petition has been filed against the order of conviction or disqualification
- Section 167: The Director of the defaulting company in terms of non-filing of financial statement or failure to pay debts shall cease to be the Director of all other companies except such defaulting Company.
- Section 168: Now it is optional for the Directors to submit a copy of their resignation to the Registrar within thirty days of the said resignation.
- Section 173: Any Director can participate through video conferencing or other audio visual means in any meeting on any matter.
Section 177: Recommendations regarding unapproved transactions by the Audit Committee except those covered under related party transactions (Section 188).
The transaction between related parties being more than INR 100,000,000 (USD 1472000 approx.) shall be voidable at the option of the Audit Committee if the same has been done without its approval or has not been ratified by it within 3 months.
Section 178: The Nomination & Remuneration Committee shall specify the manner for effective evaluation of performance of Board, committees and individual directors.
The Board report shall comprise of the salient features of the policy and the changes therein.
Section 185: Loan or guarantee in respect of the same shall not be permissible to a Director of the company or holding company.
Loans may be permissible only when a special resolution is passed in the said regard along with an explanatory statement disclosing full particulars of the said loan which are to be utilized for principal business activities.
The revised section procedure for issuance of such loans and penalties in contravention of the provisions so laid down which extends to imprisonment for upto 6 months or fine upto INR 250,000 (USD 3680 approx.)
- Section 186: Provisions of this section shall not be applicable where the loan/ security is provided by a company to its wholly owned subsidiary or joint venture or acquisition is made by the holding company. This Section shall not be applicable with respect to any loan made, any guarantee given or any security provided or any investment made by a banking company, or an insurance company, or a housing finance company in the ordinary course of its business, or a company established with the object of and engaged in the business of financing industrial enterprises, or of providing infrastructural facilities.
- Section 403: The time period required for the submission of the documents under the Companies Act along with additional fees has been done away with.
India: Changing face of serving Summons: From Post to What’s App
Several Courts around the country are experimenting the usage of technology and in judicial proceedings especially while serving of official documents. Recently, the Delhi High Court gave an order setting a milestone, “Double tick on WhatsApp is a prima facie proof of delivery of summons.
The primary method of serving summons is by personal service, which means that someone must physically deliver the summons document to the other person. There may be certain restrictions depending upon the jurisdictions and whether the case is civil or criminal. The alternative method is to affix a copy of the summons on the outer door or some other conspicuous part of the house in which the defendant ordinarily resides or carries on business or personally works for gain if the serving officer after due diligence is not able to trace the person. The Court shall also in addition to personal service, may direct the summons to be served by registered post at the place where the defendant, or his agent, actually and voluntarily resides or carries on business or personally works for gain.
The summons in most cases are not served timely due to reasons like shortage in the manpower or lack of training and more often due to the challenging task of dealing with people who avoid service of process. To address the existing bottlenecks and introduce reforms in the rules and procedures relating to process service, important legislative changes have been introduced in the procedural laws. Further, High Courts have also adopted practical steps to address the problems of delay caused due to process service by introducing changes in rules and policies. The Code of Civil Procedure, 1908 was amended in 2002 which included electronic means of serving summons in Rule 9 and 9A.
The Hon’ble Supreme Court of India in the case of Central Electricity Regulatory Commission Vs National Hydroelectric Power Corpn. Ltd. & Ors., directed that in commercial litigation and in those cases where the Advocates seek urgent interim reliefs, service of notices may be effected by E-mail, in addition to normal mode of service. The Courts have inducted the “electronic means” in their respective rules in order to speed up the summons process. The Delhi High Court notified on February 9, 2011, “Delhi Courts Service of Processes by Courier, Fax and Electronic Mail Service (Civil Proceedings) Rules, 2010” wherein service by fax and electronic mail was provided for. Similarly, Bombay and Andhra Pradesh High Court have amended their rules for the same. This helps cut down the cost & effort that goes into serving notices to defendants, especially those who do not want to be found.
However, recently the Courts have taken landmark judgements and added WhatsApp to the list of electronic means trying to tackle the problem. The first one to send summons by WhatsApp is Financial Commissioner (FC) Court in Haryana, a quasi-judicial body. In April 2017, Senior IAS officer Ashok Khema ordered that summons in a partition suit be served via WhatsApp.
In the same month, Justice Gautam Patel, of the Bombay High Court set a precedent allowing serving of summons through WhatsApp in a copyright infringement case. The case concerned allegations of copyright infringement against Producers of the Kannada movie ‘Pushpaka Vimana’ that was released in the beginning of 2017. Justice Patel said “It cannot be that our rules and procedure are either so ancient or so rigid (or both) that without some antiquated formal service mode through a bailiff or even by beat of drum or pattaki, a party cannot be said to have been ‘properly’ served. The purpose of service is put the other party to notice and to give him a copy of the papers. The mode is surely irrelevant. We have not formally approved of email and other modes as acceptable simply because there are inherent limitation to proving service. Where an alternative mode is used, however, and service is shown to be effected, and is acknowledged, then surely it cannot be suggested that the Defendants had ‘no notice’…
…Defendants who avoid and evade service by regular modes cannot be permitted to take advantage of that evasion.”
Soon after on May 4, 2017, the Delhi High Court in Tata Sons Ltd & Ors. Vs. John Doe(s) & Ors., allowed the Plaintiff to serve the summons on one of the Defendant through WhatsApp, text message & email, and to file affidavit of service.
Around the same time, Rohini Civil Court in Delhi, accepted the blue double-tick sign in a WhatsApp message as valid proof that a case related notice had been seen by the message’s recipients. A man served the notice to five people including his son, daughter-in-law, her parents and her friends through WhatsApp in connection with a family dispute (trespass to property). He then took the color printout of the sent message with the blue double tick, which indicates that the message has been read – visible in it. Senior Civil Judge cum Rent Controller (North) Sidharth Mathur concluded based on the proof that the Defendants had acquired the knowledge of the scheduled hearing.
The Delhi Metropolitan Court, earlier in March this year allowed a woman to serve summons to his husband in Australia through WhatsApp. In this case, the man had left for Australia in the year 2015 for pursuing further studies leaving behind the complainant, a homemaker, and their minor daughter, who was two years old then. The complainant continued to stay in their rented accommodation in Noida but soon joined her parents in Delhi after the husband stopped paying rent for the house. After a few months, he severed all contacts with the complainant and never reciprocated to her attempts to contact him. The complainant also learnt through sources that he had visited India last year but did not make any efforts to meet her or their daughter. Therefore, the woman filed a case of domestic violence and also sought maintenance for their daughter and herself.
In March, Pal and Kumar had suggested to the magistrate that the summons can be served via WhatsApp etc since summons sent from past eight months being returned, as the man is not staying at the last known address in Delhi. Advocate Kumar also remarked that it takes over two weeks for summons to be served to anyone outside India and the Ministry had raised objections, as the summons sent to the man in Australia has changed his address, and therefore they are left with no other option but to request the Court to allow him to summon through WhatsApp, SMS and e-mail. Following the earlier order of the Court, the wife served the summons to her husband via email and mobile. However, the husband failed to respond. The husband had earlier appeared before the court in some other matter and knew well that his summoning was urgent in this matter as well. The documents submitted before the Court reveal that there is “Double Tick” on the WhatsApp messages sent. The Court observed that this implies that the copy of the summons has been delivered on the mobile number of the estranged husband. The case will now be heard in May.
The procedural laws and the Courts in their rules and policies have laid down a proper procedure and method for serving summons. In addition to the traditional methods the Courts have now recognized WhatsApp as one. The Courts have found a completely new purpose of WhatsApp. However, it is essentially important to understand that the electronic means, least of all WhatsApp, are not going to replace the “regular models”. They are meant for those exceptional cases where the Defendants are hiding and evading their appearance in Courts.
Loopholes in the General Data Protection Regulation
The European Union (hereinafter referred to as “EU”) will be implementing the General Data Protection Regulation (hereinafter referred to as “GDPR”) with effect from May 25, 2018. GDPR seeks to protect personal data of EU residents and is applicable on companies collecting, storing and processing the personal data of EU residents. A brief understanding of GDPR can be found on our website over
The present article talks about some loopholes that these new privacy regulations may have.
One of the most important provisions of the GDPR is that processing of data shall be lawful only if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.  However, the same provision contains another condition that processing of data shall be lawful processing if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. It is not clear whether consent is to be taken in case of legitimate interest or whether data subjects are to be informed about processing of information. Also, the term “legitimate interest” is a broad and flexible term and could apply to any type of processing for any reasonable purpose. Moreover, GDPR does not define if any factors are to be considered for deciding “legitimate interest”.
Offering goods and services
The territorial scope of GDPR states that GDPR applies to processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, and where such processing should be related to offering of goods or services or the monitoring of their behavior as far as their behavior takes place within EU.  Hence, a controller who is not in EU is subject to GDPR if the processing is relating to offering goods and services to individuals in EU. However, the same personal data, once obtained by an entity after duly following GDPR norms, may be used for another purpose other than for offering goods or services.
For example, Company “A” which is a company outside EU obtains personal data of a EU data subject after obtaining consent and the data is duly processed. Thereafter, the Company “A” sells the personal data to Company “B” in the same country for a purpose not related to offering goods and services and therefore, such activity would be outside the scope of GDPR.
Compliances under GDPR will be costly depending upon the amount of EU citizens’ data that are to be processed by an entity. Companies will also require changing their internal policies and appoint a Data Protection Officer. Companies may also have to invest in softwares to ensure safe protection of data and prevent unauthorized use or misuse as penalties for non-compliances under GDPR is quite high. Companies may be fined upto EUR 2,00,00,000 or 4% of global annual turnover for the preceding financial year, whichever is higher, in case of non-compliance. 
Obtaining information by data subjects
The GDPR puts an obligation on the controller that at the time of obtaining personal data, the data subject shall be provided various information like contact details of data protection officer, identity and contact details of controller, purpose of processing data, etc. However, when such data is shared with third party, only the recipients or categories of recipients of the personal data are to be provided to the data subject. It is peculiar that the controller has to reveal its own name and details but not the name and details of the third-party recipients of personal data.
All legislations are bound to have some loopholes, and so does GDPR. Nonetheless, GDPR is envisaged to provide more protection to people in terms of their personal data. GDPR has indeed raised the bar on data privacy and security. Also, it has made way for a single legal framework applicable across EU member states, and therefore, businesses will be subject to a consistent set of norms.