India's Personal Data Protection Bill 2019 And EU's General Data Protection Regulation – A Comparison
In 2017, the Apex Court of India, in the matter of Justice K.S. Puttaswamy (Retd.) v. Union of India, 2017 (10) SCALE 1, recognized the right to privacy as a fundamental right emerging from Article 21 of the Constitution of India. In light of this, the Justice B.N. Srikrishna Committee Report on 'A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians' stated that the state had a duty to put in place a data protection framework which, "while protecting citizens from dangers to informational privacy originating from state and non-state actors, serves the common good."
India has not signed or become a party to any treaty or convention on the protection of personal data. There is also no specific legislation on data privacy or protection. Currently, the Information Technology Act 2000 ("IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPD Rules") govern the data protection landscape in the country.
IT Act was amended via the Information Technology (Amendment) Act, 2008 to include section 43 A and section 72A. Section 43A provides for compensation for failure to protect data in cases where a body corporate possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person. Section 72A provides for punishment for disclosure of information in breach of lawful contract.
The SPD Rules protect and regulate both personal data or information and sensitive personal data or information. However, the SPD Rules apply only to body corporates and persons located in India.
On the other hand, Regulation (EU) 2016/679 was passed by the European Parliament on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC. This General Data Protection Regulation ("GDPR") governs the processing of personal data relating to individuals in the European Union by individuals, companies or organisations. GDPR entered into force on 24th May 2016 and has applied since 25th May 2018.
The Personal Data Protection Bill, 2019 ("PDPB") was introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, on December 11, 2019. GDPR requirements such as consent to process data and the establishment of a data protection authority have found their way into the PDPB; however, the two legislations also differ in several respects.
This report aims to bring out these differences.
Overview of the Personal Data Protection Bill, 2019
PDPB provides for the protection of the privacy of individuals in relation to their personal data, and for the establishment of a Data Protection Authority of India for that purpose.
The motivation behind the law
The preamble of PDPB states the following:
- The right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy;
- The growth of the digital economy has expanded the use of data as a critical means of communication between persons;
- It is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto.
Roles provided under PDPB
Data Fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of the processing of personal data.
Data Principal means the natural person to whom the personal data relates.
Data Processor means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary.
Construct of the Bill
14 Chapters | 98 Clauses | 4 Rights of Data Principal
Applicability
Government | Indian companies | Foreign companies processing data of individuals in India
Overview of the EU's General Data Protection Regulation
Article 8(1) of the Charter of Fundamental Rights of the European Union ("Charter") and Article 16(1) of the Treaty on the Functioning of the European Union ("TFEU") provide that everyone has the right to the protection of personal data concerning him or her.
GDPR lays down the rules concerning the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. It protects the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
Roles provided under GDPR
Data subject is an individual who is the subject of personal data.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Construct of the GDPR
11 Chapters | 99 Articles | 7 Principles
TERRITORIAL SCOPE
GDPR applies to:
PDPB applies to:
It is clear that PDPB and GDPR both provide for extraterritorial application, under Clause 2 and Article 3 respectively. However, the territorial scope of PDPB is much broader than that of GDPR. It should also be kept in mind that such a broad scope can be narrowed down if the government imposes either restrictions on processing activities or exemptions.
MATERIAL SCOPE
GDPR: Applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data that forms or is intended to form part of a filing system. [Art. 2(1)]
Does not apply to:
PDPB: Does not apply to the processing of anonymised data. However, the Central Government may direct any organisation to provide any personal data anonymised or other non-personal data. [Clause 2(B) and Clause 91(2)]
Does not apply to:
[Clause 36]
Under PDPB, the Government has the authority to direct disclosure of information that does not qualify as personal data. This broad authority is not provided under GDPR.
DEFINITION OF PERSONAL DATA
GDPR: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [Art. 4(1)]
PDPB: Data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for profiling. [Clause 3(28)]
The definition of personal data is broader under GDPR, as it takes into account that identifiers such as location data or an online identifier can independently be used to identify a natural person. This shows that GDPR takes into account whether there is a reasonable likelihood that a natural person will be identifiable, whereas PDPB contains no such likelihood test.
DEFINITION OF SENSITIVE PERSONAL DATA
GDPR: Not specifically defined. However, Article 9 provides that the processing of special categories of personal data shall be prohibited. These are data relating to (a) racial or ethnic origin, (b) political opinions, (c) religious or philosophical beliefs, (d) trade union membership, (e) genetic data, (f) biometric data processed to uniquely identify a natural person, (g) data concerning health or data concerning a natural person's sex life or sexual orientation.
Processing of personal data relating to criminal convictions and offences, though not among the special categories in Article 9, has its own specific set of rules laid down by Union or Member State law. [Art. 10]
PDPB: Personal data which may reveal, be related to, or constitute: (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data.
The Central Government, under the PDPB, can notify additional categories of sensitive personal data, having regard to:
[Clause 15]
On comparing the definitions of 'sensitive personal data', there is an overlap. However, the definition under India's PDPB is broader than that in GDPR. PDPB includes financial data as a category of sensitive personal data, which is missing from GDPR. Further, PDPB gives the Central Government the power to notify additional categories of sensitive personal data; GDPR provides no such power to any authority.
On the other hand, GDPR does provide for the processing of personal data concerning criminal convictions and offences, a category absent from the PDPB.
OBLIGATIONS OF DATA FIDUCIARY
a. Processing Personal Data
GDPR: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. [Art. 5(1)(a)]
PDPB: Processing of personal data shall be in a fair and reasonable manner and shall ensure the privacy of the data principal. [Clause 5(a)]
GDPR focuses on the aspect of "transparency" while processing personal data, which is missing from PDPB.
b. Limitation of purpose
GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. [Art. 5(1)(b)]
PDPB: Personal data shall be processed only for the purpose consented to by the data principal, or for a purpose which is incidental to or connected with such purpose and which the data principal would reasonably expect the personal data to be used for, having regard to the purpose, and the context and circumstances in which the personal data was collected. [Clause 5(b)]
Further, personal data shall not be processed by any person except for a specific, clear and lawful purpose. [Clause 4]
There is a difference in the language of the article/clause. GDPR speaks of the collection of personal data, whereas PDPB speaks of the processing of personal data. Processing, as per Clause 3(31) of PDPB, includes operations such as collection, recording, origination, structuring, storage and indexing.
Moreover, under GDPR, if further processing is incompatible with the purposes for which the data was collected, such processing may not take place. The approach under PDPB is different and wider: PDPB permits further processing of the data if it is incidental to the original purposes.
c. Limitation on the collection of personal data
GDPR: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. [Art. 5(1)(c)]
PDPB: Personal data shall be collected only to the extent that is necessary for the purpose of processing the data. [Clause 6]
The scope of collection of personal data is wider under GDPR. PDPB limits such collection on the basis of the necessity of the purpose of processing the data.
Quality of personal data processed
GDPR: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. [Art. 5(1)(d)]
PDPB: Necessary steps shall be taken to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed. [Clause 8(1)]
Both GDPR and PDPB emphasise the importance of the data processed being accurate. However, PDPB goes a step further and specifies that such data should not be misleading.
Restriction on retention of personal data
GDPR: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
It may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
[Art. 5(1)(e)]
PDPB: The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed, and shall delete the personal data at the end of the processing. [Clause 9(1)]
However, the personal data may be retained for a longer period if explicitly consented to by the data principal, or if necessary to comply with any obligation under any law for the time being in force. [Clause 9(2)]
There is a difference in the grounds on which personal data may be stored for longer periods. PDPB focuses on consent but fails to mention any specific grounds such as those in GDPR.
CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA
GDPR: Article 9(2) lists certain conditions for the processing of special categories of personal data or sensitive personal data. They are:
PDPB: Under PDPB, there are certain additional grounds for the processing of sensitive personal data; where consent is required, it must be explicitly obtained:
[Clause 11(3)]
The standards are similar in both privacy laws with respect to explicit consent. Since the definition of 'sensitive personal data' is wider under PDPB, the conditions laid down are expected to affect more activities than under GDPR.
CONDITIONS FOR CONSENT
GDPR: [Art. 7 and Recital 32]
PDPB: Consent must be:
[Clause 11(2)]
Under PDPB, there is no requirement to ask for consent separately for separate purposes, as there is in GDPR.
Under Clause 11(6), if the data principal withdraws his consent from the processing of any personal data without any valid reason, all legal consequences of such withdrawal shall be borne by the data principal.
As per Clause 11(5), the provision of any goods or services or the quality thereof, or the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on consent to the processing of any personal data not necessary for that purpose.
The burden of proof that consent has been given by the data principal for the processing of personal data under this section lies on the data fiduciary. [Clause 11(5)]
PERSONAL DATA AND SENSITIVE PERSONAL DATA OF CHILDREN
GDPR: Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years.
[Art. 8]
PDPB: The guardian data fiduciary shall be barred from profiling, tracking or behaviourally monitoring children, from directing targeted advertising at them, and from undertaking any other processing of personal data that can cause significant harm to the child.
A guardian data fiduciary providing exclusive counselling or child protection services to a child shall not be required to obtain the consent of the parent or guardian of the child.
[Clause 16]
The age at which an individual is considered a child is higher under PDPB. Under GDPR, the controller is not required to verify the child's age before processing any personal data of the child. The concept of a guardian data fiduciary is not found in GDPR.
LAWFUL BASIS FOR PROCESSING
GDPR: There are six legal bases for processing personal data:
[Art. 6]
PDPB: There are seven legal bases for processing personal data:
Reasonable purposes may include: (a) prevention and detection of any unlawful activity including fraud; (b) whistleblowing; (c) mergers and acquisitions; (d) network and information security; (e) credit scoring; (f) recovery of debt; (g) processing of publicly available personal data; and (h) the operation of search engines.
[Clauses 12, 13 and 14]
The legal basis of processing necessary for the performance of a contract is missing from the PDPB. Moreover, the ground of "reasonable purposes" is narrower than "legitimate interest" under GDPR, in the sense that reasonable purposes are limited to those mentioned in the PDPB.
INDIVIDUAL RIGHTS
Right to be Informed
GDPR: Individuals have the right to be informed about the collection and use of their personal data. Such information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. [Art. 12(1)]
Where data is collected directly, the data subject should be informed when the personal data are obtained.
Where data is not collected directly, the data subject should be informed within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed.
[Art. 13 and Art. 14]
PDPB: Every data fiduciary is required to give notice to the data principal at the time of collection of personal data or, if the data is not collected from the data principal, as soon as reasonably practicable.
Notice shall be clear, concise and easily comprehensible to a reasonable person, and in multiple languages where necessary and practicable.
The notice should contain the following information: (a) the purposes for which the personal data is to be processed; (b) the nature and categories of personal data being collected; (c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable; (d) the right of the data principal to withdraw his consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent; (e) the basis for such processing, and the consequences of the failure to provide such personal data; (f) the source of such collection, if the personal data is not collected from the data principal; (g) the individuals or entities, including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable; (h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable; (i) the period for which the personal data shall be retained or, where such period is not known, the criteria for determining such period; (j) the existence of and procedure for the exercise of rights; (k) the procedure for grievance redressal; (l) the existence of a right to file complaints to the Authority; (m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary; and (n) any other information as may be specified by the regulations.
[Clause 7]
The right to be informed forms an essential part of the transparency requirements, and the two frameworks overlap here.
The content of the notice under GDPR does not include disclosure of the procedure for grievance redressal. Also, there is no mention of a data trust score in GDPR.
Right of Access
GDPR: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data.
The controller shall provide a copy of the personal data undergoing processing.
The controller shall provide information on action taken on a request under Article 15 to the data subject without undue delay and in any event within one month of receipt of the request.
Any action taken under Art. 15 shall be provided free of charge.
[Art. 15]
PDPB: The data principal shall have the right to obtain from the data fiduciary: (a) confirmation whether the data fiduciary is processing or has processed personal data of the data principal; (b) the personal data of the data principal being processed or that has been processed by the data fiduciary, or any summary thereof; (c) a summary of processing activities undertaken by the data fiduciary with respect to the personal data of the data principal.
The data fiduciary shall provide the information in a clear and concise form that is easily comprehensible to a reasonable person.
The data principal shall have the right to access in one place the identities of the data fiduciaries with whom his personal data has been shared by any data fiduciary, together with the categories of personal data shared with them, in such manner as may be specified by regulations.
[Clause 17]
Under PDPB, the data principal has the right to know whether the data fiduciary is processing or has processed personal data. Under GDPR, the right is limited to whether the data is being processed. Hence, it can be said that the right of access is broader under PDPB.
Further, under PDPB, the data principal has the right to access in one place the identities of the data fiduciaries with whom his personal data has been shared. This right is missing under GDPR.
Right to Rectification
GDPR: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
[Art. 16]
PDPB: The data principal shall, where necessary, having regard to the purposes for which personal data is being processed, have the right to: (a) the correction of inaccurate or misleading personal data; (b) the completion of incomplete personal data; (c) the updating of personal data that is out-of-date; and (d) the erasure of personal data which is no longer necessary for the purpose for which it was processed.
Where the data fiduciary corrects, completes, updates or erases any personal data, it shall also take necessary steps to notify all relevant entities or individuals to whom such personal data may have been disclosed of the relevant correction, completion, updating or erasure.
[Clause 18]
The right to rectification is similar under both frameworks. However, PDPB does not mention the time within which the rectification should take place.
Right to Erasure ('right to be forgotten')
GDPR: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where the data is no longer needed for the purpose for which it was collected, where the data subject withdraws the consent on which processing is based, where the data subject objects to the processing, or where the personal data have been unlawfully processed.
If the controller has made the personal data public and is obliged to erase such data, it shall take reasonable steps to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
[Art. 17]
PDPB: The data principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary where such disclosure: (a) has served the purpose for which it was collected or is no longer necessary for the purpose; (b) was made with the consent of the data principal and such consent has since been withdrawn; or (c) was made contrary to the provisions of this Act or any other law for the time being in force.
Such right may be enforced only on an order of the Adjudicating Officer ("AO") made on an application filed by the data principal.
The AO shall take into consideration certain factors, such as the sensitivity of the personal data and the relevance of the personal data to the public.
[Clause 20]
Under GDPR, the right to be forgotten is encompassed within the right to erasure. In PDPB, however, the two rights are distinguished.
The right to erasure has been inserted in the PDPB 2019 version. This right did not exist in the Draft Bill of 2018.
Right to Restrict Processing
GDPR: Certain grounds are specified under which the data subject has the right to obtain from the controller restriction of processing. These grounds are: where the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; where the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; where the controller no longer needs the personal data for the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; and where the data subject has objected to processing, pending verification whether the legitimate grounds of the controller override those of the data subject.
[Art. 18]
PDPB: No such right is provided in PDPB. However, the right to be forgotten provides three grounds on which to restrict the disclosure of personal data by a data fiduciary.
Right to Data Portability
GDPR: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or a contract and where the processing is carried out by automated means.
The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
[Art. 20]
PDPB: This right applies to data which has been processed through automated means, where (i) the personal data was provided to the data fiduciary; (ii) the data has been generated in the course of the provision of services or use of goods by the data fiduciary; or (iii) the data forms part of any profile on the data principal, or has otherwise been obtained by the data fiduciary.
Such data should be provided in a structured, commonly used and machine-readable format. The data principal has the right to have the personal data transferred to any other data fiduciary.
Where the processing is necessary for functions of the State or in compliance with law or an order of a court, or where compliance would reveal a trade secret of any data fiduciary or would not be technically feasible, this right will not be applicable.
[Clause 19]
Under GDPR, the right to data portability can be exercised by the data subject only with respect to data processed under certain legal bases, which limits the scope of the right. This is not the case under PDPB.
Right to Object
GDPR: The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on processing necessary for the performance of a task carried out in the public interest or on processing for the purposes of legitimate interests, including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Where the processing of data is done for direct marketing purposes, the data subject can object at any time.
Where the data is processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, has the right to object to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
[Art. 21]
PDPB: No such right is envisaged in PDPB 2019.
Rights in Relation to Automated Decision Making and Profiling
GDPR: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Where such decisions are permitted, the data subject has the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
[Art. 22]
PDPB: No such right is envisaged in PDPB.
TRANSPARENCY AND ACCOUNTABILITY MEASURES
Privacy by Design
GDPR: The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR.
[Art. 25(1)]
PDPB: Every data fiduciary shall prepare a privacy by design policy containing certain elements. [Clause 22(1)] The data fiduciary also has the option to submit its privacy by design policy to the Data Protection Authority ("DPA") for certification. Once certified, the privacy by design policy shall be published on the websites of the data fiduciary and of the DPA. [Clause 22]
The scope of the 'privacy by design' measure appears broader under the PDPB than under the GDPR. Under PDPB, the data fiduciary has to ensure the maintenance of privacy at all levels, whereas under the GDPR the controller has to implement appropriate technical and organisational measures both at the time of determining the means of processing and at the time of the processing itself.
Privacy by Default
GDPR: The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
[Art. 25(2)]
PDPB: No such provision is provided in PDPB.
Transparency
GDPR: The controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. [Art. 12(1)]
PDPB: Every data fiduciary shall take necessary steps to maintain transparency in processing personal data and make the information available in the manner specified. The information to be made available covers the categories of personal data collected, the purpose for which the personal data is processed, and the right of the data principal to file a complaint against the data fiduciary with the Authority.
The data principal may give or withdraw consent through a consent manager. [Clause 23]
PDPB defines a consent manager as "a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform." There is no concept of a consent manager under GDPR.
Security Safeguards | ||
GDPR | PDPB | |
To be implemented by – controller and processor
Conditions to be considered –
Safeguard Measures –
[Art. 32] | To be implemented by – data fiduciary and data processor.
Conditions to consider –
Safeguard Measures –
[Clause 24] | |
Under the GDPR, the measures are calibrated to the risk of varying likelihood and severity for the rights and freedoms of natural persons; under the PDPB, the reference point is the likelihood and severity of harm that may result from the processing. The PDPB defines 'harm' by an inclusive list of examples, such as bodily or mental injury, loss, distortion or theft of identity, loss of reputation, and subjection to blackmail or extortion, but offers no further guidance on how harm is to be assessed. The factors are therefore highly subjective and will be interpreted differently by different fiduciaries, which is likely to cause inconsistency in practice. | ||
Personal Data Breach | ||
GDPR | PDPB | |
Who should be informed? – Supervisory Authority.
Content of the notice – The notice shall at least (a) describe the nature of the personal data breach, including where possible the categories and approximate number of data subjects and records concerned; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the personal data breach; and (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach.
When should notice be made? - In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If not made within 72 hours, it shall be accompanied by reasons for the delay. If it is not possible to provide the information at the same time, the information may be provided in phases. Processors must notify a controller of a breach without undue delay.
What happens after supervisory authority is informed? When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. Such communication shall describe in clear language the nature of the personal data breach. There are conditions which, if met, then communication to the data subject is not required.
[Art. 33 and 34] | Who should be informed/notified? – Data Protection Authority
Content of the notice – Notice shall include particulars such as nature of personal data which is the subject matter of the breach, number of data principals affected by the breach, possible consequences of the breach and action being taken by the data fiduciary to remedy the breach.
When should notice be made? – It should be done as soon as possible if it is likely to cause harm to any data principal. Where it is not possible to provide all the information at the same time, it shall be provided to the DPA in phases without undue delay.
What happens after DPA is notified? Upon receipt of a notice, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm.
[Clause 25] | |
Firstly, the PDPB itself fixes no deadline for notification: Clause 25 requires notice 'as soon as possible' and within such period as may be specified by regulations, so the actual time limit will only be known once the DPA issues regulations. Moreover, the duty to notify arises only where the breach is likely to cause harm, a threshold that is highly subjective given the open-ended definition of 'harm'.
Neither regime demands immediate notification of the authority: the GDPR allows up to 72 hours (where feasible) after the controller becomes aware of the breach, and the PDPB requires notice 'as soon as possible'. A further difference is who decides whether affected individuals are told: under the GDPR the controller itself must inform data subjects where the breach is likely to result in a high risk, whereas under the PDPB that decision rests with the DPA.
DPA Registration of Significant Data Fiduciaries | ||
GDPR | PDPB | |
No such requirement under GDPR. | Factors the DPA must have regard to in notifying a data fiduciary or class of data fiduciaries as a significant data fiduciary – the volume and sensitivity of personal data processed, the turnover of the data fiduciary, the risk of harm from its processing, its use of new technologies, and any other factor relevant to the harm that may result from such processing.
Registration – A data fiduciary or class of data fiduciaries so notified shall register itself with the DPA.
Social media intermediary as significant data fiduciary – Any social media intermediary (i) with users above such threshold as may be notified by the Central Government, in consultation with the DPA, and (ii) whose actions have, or are likely to have, a significant impact on electoral democracy, the security of the State, public order or the sovereignty and integrity of India, shall be notified by the Central Government, in consultation with the DPA, as a significant data fiduciary.
[Clause 26] | |
The concept of a significant data fiduciary, and the requirement that such fiduciaries register with the authority, has no counterpart in the GDPR. The closest GDPR analogues are the risk-based triggers for appointing a DPO (Art. 37) and for carrying out a DPIA (Art. 35), but those attach to particular processing operations rather than to the entity as a whole.
PDPB also introduces the concept of a social media intermediary, which it defines as follows: a "social media intermediary" is an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services, but shall not include intermediaries which primarily,— (a) enable commercial or business oriented transactions; (b) provide access to the Internet; (c) in the nature of search-engines, on-line encyclopedias, e-mail services or online storage services. | ||
Data Protection Officer [DPO] | ||
GDPR | PDPB | |
Who should appoint DPO? Controller and the Processor
When should DPO be appointed –
Functions to be carried out by the DPO –
Qualifications - The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks.
[Art. 37, 38 and 39] | Who should appoint DPO? Significant data fiduciary.
Functions to be carried out by the DPO –
Qualifications – To be specified.
The data protection officer appointed shall be based in India and shall represent the data fiduciary under this Act.
[Clause 30] | |
The GDPR does not say where the DPO must be based, whereas the PDPB requires the DPO to be based in India. The triggers are broadly comparable: the GDPR ties the obligation to the nature of the processing (public authorities, large-scale regular and systematic monitoring, or large-scale processing of special categories of data), while the PDPB ties it to the entity's classification as a significant data fiduciary, which itself turns on volume, sensitivity and risk. The functions of the DPO are largely the same under both. | ||
Record of Processing Activities | ||
GDPR | PDPB | |
Who shall maintain records – Controller and processor, and where applicable, their representative.
The records shall be in writing, including in electronic form.
[Art. 30] | Who shall maintain the record – Significant data fiduciary.
What activities should be recorded –
This also applies to the State.
[Clause 28] | |
The GDPR does prescribe the contents of the record: Art. 30(1) and (2) require, among other things, the purposes of processing, the categories of data subjects and personal data, the recipients, any transfers to third countries, the envisaged erasure periods and a general description of the security measures. The more significant difference is scope: Art. 30 applies to every controller and processor (subject to the limited exemption in Art. 30(5) for organisations with fewer than 250 employees), whereas the PDPB imposes the record-keeping duty only on significant data fiduciaries and on the State. | ||
Data Protection Impact Assessment [DPIA] | ||
GDPR | PDPB | |
Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Controller to seek the advice of DPO when carrying out DPIA.
A data protection impact assessment referred shall, in particular, be required in the case of –
Supervisory Authority to publicly publish a list of processing operations which will be subject to DPIA and which will not be subject to such assessment.
The assessment shall contain at least:
[Art. 35] | Where the significant data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment.
DPA shall specify where such DPIA shall be mandatory.
A data protection impact assessment shall, inter alia, contain—
Upon completion, DPO shall review the assessment and submit to the DPA.
If DPA has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as it may deem fit.
[Clause 27] | |
The GDPR's DPIA provisions are more detailed and specific, with the triggers and minimum contents set out in Art. 35 itself, whereas the PDPB leaves much of the detail to the DPA, which gives the PDPB assessment a broader ambit. A further difference is in supervision: under the PDPB every DPIA is reviewed by the DPO and submitted to the DPA, which may stop or condition the processing, whereas under the GDPR the controller must consult the supervisory authority only where the assessment indicates a high residual risk that it cannot mitigate (Art. 36). | ||
Representative of controllers/processors not established in Union | ||
GDPR | PDPB | |
A controller or processor not established in the Union must designate in writing a representative in the Union.
This obligation does not apply where the processing is occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons. Nor does it apply to a public authority or body.
[Art.27] | There is no such requirement mention in PDPB. | |
Audit of Policies | ||
GDPR | PDPB | |
The processor shall make available to the controller all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
[Art. 28(3)(h)] | The significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.
The data auditor shall evaluate the compliance of the data fiduciary with the provisions of this Act, including—
A data auditor may assign a rating in the form of a data trust score to the data fiduciary pursuant to a data audit conducted.
In case the DPA is of the view that the data fiduciary is processing personal data in such manner that is likely to cause harm to a data principal, the DPA may direct the data fiduciary to conduct an audit and shall appoint a data auditor for that purpose.
[Clause 29] | |
The GDPR contains no general requirement for periodic independent audit of a controller's policies; the audit right in Art. 28(3)(h) is a contractual one between controller and processor. The PDPB's annual independent audit of significant data fiduciaries, and the data trust score, have no GDPR equivalent. | ||
Appointment of Processors | ||
GDPR | PDPB | |
Processing by processors shall be governed by a contract, the requirements of which are laid down in Art. 28. | The data fiduciary shall not engage, appoint, use or involve a data processor to process personal data on its behalf without a contract entered into by the data fiduciary and such data processor.
The data processor shall not engage, appoint, use or involve another data processor in the processing on its behalf, except with the authorisation of the data fiduciary and unless permitted in the contract.
[Clause 31] | |
The GDPR regulates processing by processors in far more detail: Art. 28(3) prescribes the mandatory terms of the processing contract (processing only on documented instructions, confidentiality, security measures, conditions on sub-processors, assistance with data subject rights and with security and breach obligations, deletion or return of data at the end of the engagement, and audit rights), whereas the PDPB simply requires that a contract exist. Under both regimes processing by a processor must be governed by a contract, and both restrict a processor's use of a further processor. | ||
Grievance Redressal | ||
GDPR | PDPB | |
Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.
[Art. 77] | Every data fiduciary shall have in place the procedure and effective mechanisms to redress the grievances of data principals efficiently and in a speedy manner.
A complaint shall be resolved by the data fiduciary in an expeditious manner and not later than thirty days from the date of receipt of the complaint by such data fiduciary.
Where a complaint is not resolved within the period specified or where the data principal is not satisfied with the manner in which the complaint is resolved, or the data fiduciary has rejected the complaint, the data principal may file a complaint to the Authority in such manner as may be prescribed.
[Clause 32]
| |
Under the PDPB there is a two-tier system for complaints: the data principal must first approach the data fiduciary, which has thirty days to resolve the complaint, and may approach the DPA only if the complaint is not resolved in time, is rejected, or is resolved unsatisfactorily. Under the GDPR the data subject may lodge a complaint directly with a supervisory authority. | ||
RESTRICTION ON TRANSFER OF PERSONAL DATA OUTSIDE INDIA | |
GDPR | PDPB |
A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. | The sensitive personal data may be transferred outside India, but such sensitive personal data shall continue to be stored in India.
The critical personal data shall only be processed in India.
"Critical Personal Data" shall be notified by the Central Government.
The sensitive personal data may only be transferred outside India for the purpose of processing when explicit consent is given by the data principal for such transfer, and where:
[Clause 34] |
The two regimes treat cross-border data differently. The GDPR contains no data localisation requirement at all: personal data may leave the EU provided the transfer rests on an adequacy decision or on appropriate safeguards with enforceable rights and remedies, and these transfer rules apply to every category of personal data.
The PDPB, by contrast, restricts transfers by category: sensitive personal data may be transferred outside India for processing (with the data principal's explicit consent and subject to the conditions in the Clause) but must continue to be stored in India, critical personal data may be processed only in India, and ordinary personal data is not subject to these restrictions.
EXEMPTIONS | |
Power of the State to exempt | |
GDPR | PDPB |
Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
[Art. 23]
| Where the Central Government is satisfied that it is necessary or expedient, —
it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government. [Clause 35]
In cases where personal data is processed in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law, then certain provisions of the PDPB won't be applicable. [Clause 36]
The GDPR lists the specific grounds on which a Member State may restrict data subject rights, requires the restriction to be made by legislative measure, and requires it to respect the essence of the fundamental rights and to be necessary and proportionate in a democratic society. The PDPB lacks these safeguards: the exemption is granted by executive order of the Central Government on a standard of 'necessary or expedient', and it may disapply all or any provisions of the Act for a government agency as a whole, rather than restricting specific rights for specific functions.
Another difference concerns the exemption for processing for the prevention, detection, investigation and prosecution of offences. Art. 23(1)(d) GDPR is confined to criminal offences, whereas the PDPB uses the bare term 'offences' (and extends to any other contravention of any law), which offers no such clarity: 'offence' can mean a variety of things under different Indian laws, including contraventions that are not criminal in nature.
Exemption for research | |
GDPR | PDPB |
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with GDPR, for the rights and freedoms of the data subject.
Those safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization.
Those measures may include pseudonymization provided that those purposes can be fulfilled in that manner.
[Art. 89(1)] | DPA may exempt processing of personal data for research, archiving, or statistical purposes, if—
[Clause 38] |
Sandbox for encouraging innovation | |
GDPR | PDPB |
No such provision under GDPR | The Authority shall, for the purposes of encouraging innovation in artificial intelligence, machine learning or any other emerging technology in the public interest, create a Sandbox.
[Clause 40] |
DATA PROTECTION AUTHORITY/SUPERVISORY AUTHORITY | |
Establishment | |
GDPR | PDPB |
Each Member State shall provide for one or more independent public authorities ('supervisory authority') to be responsible for monitoring the application of GDPR. | Central Government to establish Data Protection Authority of India.
The DPA shall have perpetual succession and a common seal.
DPA shall have the power to acquire, hold and dispose of property, both movable and immovable, and to contract and shall, by the said name, sue or be sued.
[Clause 41(1) and Clause 41(2)] |
GDPR allows the Member States to establish more than one supervisory authority, whereas, under PDPB, there will be one central authority.
Members Appointment | |
GDPR | PDPB |
Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by (a) their parliament (b) their government (c) their head of State or (d) an independent body entrusted with the appointment under Member State law.
Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.
[Art.53(1) and Art.53(2)] | DPA shall consist of a Chairperson and not more than six whole-time Members, of which one shall be a person having qualification and experience in law.
The Chairperson and the Members of the Authority shall be appointed by the Central Government on the recommendation made by a selection committee.
The Selection Committee shall consist of (a) the Cabinet Secretary (b) the Secretary to the Government of India in the Ministry or Department dealing with the Legal Affairs, and (c) the Secretary to the Government of India in the Ministry or Department dealing with the Electronics and Information Technology.
The Chairperson and the Members of the Authority shall be persons of ability, integrity and standing, and shall have the qualification and specialized knowledge and experience of, and not less than ten years in the field of data protection, information technology, data management, data science, data security, cyber and internet laws, public administration, national security or related subjects. |
Appointment of members, under PDPB, can only be done by the Central Government. However, under GDPR, the appointment can be done by parliament, government, head of state or even an independent body entrusted with the appointment. | |
Term of the Appointment | |
GDPR | PDPB |
Minimum Period of 4 years.
Eligibility for reappointment shall be provided by law by each member state.
[Art. 54] | The Chairperson and the Members of the Authority shall be appointed for a term of five years or till they attain the age of sixty-five years, whichever is earlier, and they shall not be eligible for re-appointment.
[Clause 43] |
The GDPR sets no age cap for members and leaves the question of reappointment to each Member State, whereas the PDPB fixes a five-year term, an upper age limit of sixty-five, and a bar on re-appointment. | |
Code of Practice | |
GDPR | PDPB |
The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation. [Art. 40(1)]
Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of GDPR. [Art. 40(2)] | DPA shall, by regulations, specify codes of practice to promote good practices of data protection and facilitate compliance with the obligations under PDPB. [Clause 50(1)]
DPA may approve any code of practice submitted by an industry or trade association, an association representing the interest of data principals, any sectoral regulator or statutory Authority, or any departments or ministries of the Central or State Government. [Clause 50(2)] |
Complaint Mechanism | |
GDPR | PDPB |
Every data subject shall have the right to lodge a complaint with a supervisory authority.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy.
[Art. 77] | Data Principal has the right to file a complaint before the DPA. [Clause 7(1)] |
Under the PDPB, the DPA is under no express duty to keep the data principal informed of the status of the complaint, whereas Art. 77(2) GDPR requires the supervisory authority to inform the complainant of the progress and outcome, and Art. 78(2) gives the data subject a judicial remedy if it fails to do so within three months. | |
Powers to investigate | |
GDPR | PDPB |
Each supervisory authority shall have all of the following investigative powers:
[Art. 58(1)] | The Authority may, on its own or on a complaint received by it, inquire or cause to be inquired, if it has reasonable grounds to believe that—
[Clause 53] |
Powers of the Authority | |
GDPR | PDPB |
The supervisory authority has the following powers:
[Art. 58(2)] | DPA can take the following steps –
[Clause 54] |
The powers of the supervisory authority and of the DPA are largely similar, the main exception being the power to order the rectification or erasure of personal data, which the supervisory authority has under Art. 58(2)(g) GDPR and which the DPA lacks under the PDPB. | |
Right to Approach courts | |
GDPR | PDPB |
Each natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
Each data subject has the right to an effective judicial remedy where the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
[Art.78]
| Any person aggrieved by the decision of the DPA may prefer an appeal to the Appellate Tribunal within thirty days from the receipt of the order appealed against.
[Clause 72] |
PENALTIES AND COMPENSATION | |
Amount of Penalty Imposed | |
GDPR | PDPB |
Penalties under the GDPR range from EUR 10 000 000, or in the case of an undertaking up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher [Art. 83(4)], to EUR 20 000 000, or in the case of an undertaking up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher [Art. 83(5)]. | The penalties under the Bill vary depending on the provision contravened.
They range from five crore rupees or two per cent of the fiduciary's total worldwide turnover of the preceding financial year, whichever is higher [Clause 57(1)], to fifteen crore rupees or four per cent of its total worldwide turnover of the preceding financial year, whichever is higher [Clause 57(2)]. |
The turnover-based caps are identical (2% and 4%); the fixed monetary caps are far higher under the GDPR (EUR 10 million and EUR 20 million against INR 5 crore and INR 15 crore), so for organisations whose turnover is small enough for the fixed cap to govern, the GDPR exposure is considerably greater.
Failure to comply with the decision of the Authority | |
GDPR | PDPB |
Non-compliance with an order by the supervisory authority is subject to administrative fines of up to EUR 20 000 000, or in the case of an undertaking up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
[Art. 83(6)] | If any data fiduciary or data processor fails to comply with any direction or order issued by the DPA, a data fiduciary shall be liable to a penalty which may extend to twenty thousand rupees for each day during which the default continues, subject to a maximum of two crore rupees; a data processor shall be liable to a penalty which may extend to five thousand rupees for each day during which the default continues, subject to a maximum of fifty lakh rupees.
[Clause 60] |
The GDPR fine is much higher and is expressed as a single cap, whereas the PDPB penalty accrues per day of continuing default up to a fixed maximum. |
OFFENCES | |
Re-identification and processing of personal data | |
GDPR | PDPB |
The Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines. Such penalties shall be effective, proportionate and dissuasive.
[Art. 84(1)] | Any person who, knowingly or intentionally—
without the consent of such data fiduciary or data processor, then, such person shall be punishable with imprisonment for a term not exceeding three years or with a fine which may extend to two lakh rupees or both.
[Clause 82(1)] |
Under the GDPR, the nature of the penalties for infringements not covered by administrative fines, including whether to criminalise them, is left to be determined by the individual Member States. The PDPB, by contrast, itself creates a criminal offence of re-identification, punishable with imprisonment of up to three years, a fine of up to two lakh rupees, or both. |
Siddharth Batra is a Partner and Archna Yadav is an Associate at Satram Dass B & Co. Feel free to contact them at contact.del@satramdass.com for more details