India's Personal Data Protection Bill 2019 And EU's General Data Protection Regulation – A Comparison

Siddharth Batra & Archna Yadav

20 Nov 2020 11:33 AM GMT


    In 2017, the Apex Court of India, in the matter of Justice K.S. Puttaswamy (Retd.) v. Union of India, 2017 (10) SCALE 1 recognized the right to privacy as a fundamental right emerging from Article 21 of the Constitution of India. In light of this, Justice B.N. Srikrishna Committee Report on 'A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians' stated that the state had a duty to put in place a data protection framework which, "while protecting citizens from dangers to informational privacy originating from state and non-state actors, serves the common good."

    India has not signed or become a party to any treaty or convention on the protection of personal data, and there is no specific legislation on data privacy or protection. Currently, the Information Technology Act, 2000 ("IT Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPD Rules") govern the data protection landscape in the country.

    The IT Act was amended by the Information Technology (Amendment) Act, 2008 to insert sections 43A and 72A. Section 43A provides for compensation for failure to protect data where a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person. Section 72A provides for punishment for disclosure of information in breach of a lawful contract.

    The SPD Rules protect and regulate both personal data or information and sensitive personal data or information. However, they apply only to body corporates and persons located in India.

    On the other hand, Regulation (EU) 2016/679 was passed by the European Parliament on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC. This General Data Protection Regulation ("GDPR") governs the processing, by individuals, companies or organizations, of personal data relating to individuals in the European Union. GDPR entered into force on 24th May 2016 and has applied since 25th May 2018.

    The Personal Data Protection Bill, 2019 ("PDPB") was introduced in the Lok Sabha by the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, on December 11, 2019. GDPR requirements such as consent to process data and the establishment of a data protection authority have found their way into the PDPB; however, the two legislations also differ.

    This report aims to bring out these differences.

    Overview of the Personal Data Protection Bill, 2019

    PDPB provides for the protection of the privacy of individuals in relation to their personal data, and for the establishment of a Data Protection Authority of India for that purpose.

    The motivation behind the law

    The preamble of PDPB states the following:

    • The right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy;
    • The growth of the digital economy has expanded the use of data as a critical means of communication between persons;
    • It is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion and for matters connected therewith or incidental thereto.

    Roles provided under PDPB

    Data Fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of the processing of personal data.

    Data Principal means the natural person to whom the personal data relates.

    Data Processor means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary.

    Construct of the Bill

    • 14 Chapters
    • 98 Clauses
    • 4 Rights of Data Principal

    Applicability

    • Government
    • Indian Company
    • Foreign companies processing data of individuals in India

    Overview of the EU's General Data Protection Regulation

    Article 8(1) of the Charter of Fundamental Rights of the European Union ("Charter") and Article 16(1) of the Treaty on the Functioning of the European Union ("TFEU") provide that everyone has the right to the protection of personal data concerning him or her.

    GDPR lays down the rules concerning the protection of natural persons about the processing of personal data and rules relating to the free movement of personal data. It protects the fundamental rights and freedoms of natural persons and their right to protection of personal data.

    Roles provided under GDPR

    Data subject is an individual who is the subject of personal data.

    Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

    Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

    Construct of the GDPR

    • 11 Chapters
    • 99 Articles
    • 7 Principles

    PDPB 2019 v. GDPR

    TERRITORIAL SCOPE

    GDPR applies to:

    • Organizations having an establishment in the EU, which process personal data in "context of the activities" of such establishment. [Art. 3(1)]
    • Organizations not established in the EU, but which process personal data related to (a) offering of goods and services in the EU or (b) monitoring behaviour as far as such behaviour takes place within the EU. [Art. 3(2)]

    PDPB applies to:

    • Processing personal data which has been collected, disclosed, shared or otherwise processed within the territory of India. [Clause 2(A)(a)]
    • Processing personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law. [Clause 2(A)(b)]
    • Processing personal data by an organization not present in India where such processing is in connection with (a) business carried on in India, or any systematic activity of offering goods or services to individuals within the territory of India; or (b) any activity which involves profiling of data principals within the territory of India. [Clause 2(A)(c)]

    It is clear that PDPB and GDPR both provide for extraterritorial application under Clause 2 and Article 3, respectively. However, the territorial scope of PDPB is much broader than GDPR. It should also be kept in mind that such a broad scope can be narrowed down if the government imposes either restriction of the processing of activities or exemptions.

    MATERIAL SCOPE

    GDPR

    Applies to processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data that forms or is intended to form part of a filing system. [Art. 2(1)]

    Does not apply to:

    • Processing of personal data by natural persons in the course of a purely personal or household activity. [Art. 2(2)(c)]
    • Processing of personal data by competent authorities for purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

    PDPB

    Does not apply to the processing of anonymised data. However, the Central Government may direct any organization to provide any anonymised personal data or other non-personal data. [Clause 2(B) and Clause 91(2)]

    Does not apply to:

    • Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law for the time being in force;
    • Where the processing of personal data by any court or tribunal in India is necessary for the exercise of any judicial function;
    • Processing of personal data by a natural person for any personal or domestic purpose, except where such processing involves disclosure to the public or is undertaken in connection with any professional or commercial activity; or for a journalistic purpose.

    [Clause 36]

    Under PDPB, the Government has the authority to direct organizations to disclose information that doesn't qualify as personal data. This broad authority is not provided under GDPR.

    DEFINITION OF PERSONAL DATA

    GDPR

    It means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. [Art. 4(1)]

    PDPB

    It means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for profiling. [Clause 3(28)]

    The definition of personal data is broader under GDPR, as it takes into account that identifiers such as location data or an online identifier can independently be used to identify a natural person. This shows that GDPR takes into account the reasonable likelihood that a natural person will be identifiable, whereas PDPB contains no such likelihood test.

    DEFINITION OF SENSITIVE PERSONAL DATA

    GDPR

    Not specifically defined. However, Article 9 provides that processing of special categories of personal data shall be prohibited. These are data relating to (a) racial or ethnic origin, (b) political opinions, (c) religious or philosophical beliefs, (d) trade union membership, (e) genetic data, (f) biometric data processed to uniquely identify a natural person, (g) data concerning health or data concerning a natural person's sex life or sexual orientation.

    Processing of personal data relating to criminal convictions and offences, though it does not fall within the special categories in Article 9, has its own specific set of rules laid down by Union or Member State law. [Art. 10]

    PDPB

    It means personal data which may reveal, be related to, or constitute –

    (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorized as sensitive personal data.

    The Central Government, under the PDPB, can notify additional categories of sensitive personal data, having regard to:

    • Risk of significant harm that could be caused due to the processing of such a category of personal data.
    • The expectation of confidentiality attached to such data.
    • Significant harm may be caused to a significantly discernible class of data principals.
    • Adequacy of protection afforded by ordinary provisions applicable to personal data.

    [Clause 15]

    On comparing the definitions of 'sensitive personal data', there is some overlap. However, the definition under India's PDPB is broader than that of GDPR. PDPB includes financial data as a category of sensitive personal data, which is missing from GDPR. Further, PDPB empowers the Central Government to notify additional categories of sensitive personal data; GDPR confers no such power on any authority.

    On the other hand, GDPR does provide for the processing of personal data concerning criminal convictions and offences, a category absent in the PDPB.

    OBLIGATIONS OF DATA FIDUCIARY

    a. Processing Personal Data

    GDPR

    Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. [Art. 5(1)(a)]

    PDPB

    Processing of personal data shall be in a fair and reasonable manner and shall also ensure the privacy of the data principal. [Clause 5(a)]

    GDPR focuses on the aspect of "transparency" while processing personal data, which is missing from PDPB.

    b. Limitation of purpose

    GDPR

    Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. [Art. 5(1)(b)]

    PDPB

    Personal data shall be processed only for the purpose consented to by the data principal or which is incidental to or connected with such purpose, and which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected. [Clause 5(b)]

    Further, personal data shall not be processed by any person, except for any specific, clear and lawful purpose. [Clause 4]

    There is a difference in the language of the article/clause. GDPR talks about the collection of personal data, whereas, PDPB talks about the processing of personal data. Processing, as per Clause 3(31) of PDPB includes operations such as collection, recording, origination, structuring, storage, indexing etc.

    Moreover, under GDPR, if further processing of the data is incompatible with the purposes for which the data was collected, such processing may not take place. The approach under PDPB is different and wider: PDPB permits further processing of the data if it is incidental to the original purpose.

    c. Limitation on the collection of personal data

    GDPR

    Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. [Art. 5(1)(c)]

    PDPB

    The personal data shall be collected only to the extent that is necessary for the purpose of processing the data. [Clause 6]

    The scope of collection of personal data is wider under GDPR; PDPB limits such collection to what is necessary for the purpose of processing the data.

    Quality of personal data processed

    GDPR

    Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. [Art. 5(1)(d)]

    PDPB

    Necessary steps should be taken to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed. [Clause 8(1)]

    Both GDPR and PDPB emphasize the importance of the processed data being accurate. However, PDPB goes a step further and specifies that such data should not be misleading.

    Restriction on retention of personal data

    GDPR

    Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

    It may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

    [Art. 5(1)(e)]

    PDPB

    The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing. [Clause 9(1)]

    However, the personal data may be retained for a longer period if explicitly consented to by the data principal, or necessary to comply with any obligation under any law for the time being in force. [Clause 9(2)]

    The two laws differ on when personal data may be stored for longer periods. PDPB focuses on consent but fails to mention any specific grounds like those in GDPR.

    CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA

    GDPR

    Article 9(2) lists certain conditions for the processing of special categories of personal data or sensitive personal data. They are:

    • Explicit consent is given by the data subject.
    • Processing is necessary for purposes of carrying out obligations in the field of employment and social security.
    • Processing is necessary to protect the vital interests of the data subject.
    • Processing is carried out in the course of its legitimate activities by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members.
    • The processing relates to data manifestly made public by the data subject.
    • Processing is necessary for reasons of substantial public interest.
    • Processing is necessary for the establishment, exercise or defence of legal claims.
    • Processing is necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
    • Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices.
    • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

    PDPB

    Under PDPB, certain additional conditions apply to the processing of sensitive personal data: where consent is required, it must be explicitly obtained, that is:

    • in clear terms without recourse to inference from conduct in context;
    • after informing the data principal of the purpose of, or operation in, processing which is likely to cause significant harm to the data principal; and
    • after giving him the choice of separately consenting to the purposes of, operations in, and the use of different categories of, sensitive personal data relevant to the processing.

    [Clause 11(3)]

    The standards are similar in both the privacy laws with respect to explicit consent. Since the definition of 'sensitive personal data' is wider under PDPB, it is expected that the conditions laid down will affect more activities as compared to GDPR.

    CONDITIONS FOR CONSENT

    GDPR

    • Consent must be freely given, specific, informed and unambiguous.
    • If consent is given as a written declaration, the request for consent shall be presented in a manner which is distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
    • The data subject shall have the right to withdraw his or her consent at any time. It shall be as easy to withdraw as to give consent.

    [Art. 7 and Recital 32]

    PDPB

    Consent must be:

    • Free and in compliance with the Indian Contract Act, 1872.
    • Informed, having regard to the provision of transparency.
    • Specific.
    • Clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context.
    • Capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

    [Clause 11(2)]

    Under PDPB, there is no requirement to ask for consent separately for separate purposes, as there is in GDPR.

    Under Clause 11(6), if the data principal withdraws his consent from the processing of any personal data without any valid reason, all legal consequences for the effects of such withdrawal shall be borne by such data principal.

    As per Clause 11(5), the provision of any goods or services or the quality thereof, or the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose.

    And the burden of proof that the consent has been given by the data principal for processing of the personal data under this section shall be on the data fiduciary. [Clause 11(5)]

    PERSONAL DATA AND SENSITIVE PERSONAL DATA OF CHILDREN

    GDPR

    • Age: Processing is lawful where the child is at least 16 years old. Otherwise, additional obligations are imposed where the child is below the age of 16 years.

    Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

    • Parental Consent – It is required where the child is below 16 years of age.
    • Process of Verification – The controller shall make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility for the child, taking into consideration available technology.

    [Art. 8]

    PDPB

    • Age: Child means a person who has not completed 18 years of age.
    • Every data fiduciary shall process personal data of a child in such a manner that protects the rights of and is in the best interests of, the child.
    • Parental Consent – Duty of data fiduciary to obtain the consent of the child's parent or guardian.
    • The data fiduciary shall, before processing any personal data of a child, verify his age.
    • Process of verification - The manner for verification of the age of a child shall be specified by regulations, taking into consideration— (a) the volume of personal data processed; (b) the proportion of such personal data likely to be that of a child; (c) possibility of harm to the child arising out of the processing of personal data; and (d) such other factors as may be prescribed.
    • Guardian data fiduciary - A guardian data fiduciary is one who (a) operates commercial websites or online services directed at children, or (b) processes large volumes of personal data of children.

    The guardian data fiduciary shall be barred from profiling, tracking or behaviorally monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child.

    A guardian data fiduciary providing exclusive counselling or child protection services to a child shall not be required to obtain the consent of the parent or guardian of the child.

    [Clause 16]

    The age up to which an individual is considered a child is higher under PDPB.

    Under GDPR, the controller is not required to verify the child's age before processing any personal data of the child.

    The concept of a guardian data fiduciary is not found in GDPR.

    LAWFUL BASIS FOR PROCESSING

    GDPR

    There are six legal bases for processing personal data:

    • Consent - the data subject has given consent to the processing of his or her personal data.
    • Contract - processing is necessary for the performance of a contract to which the data subject is a party.
    • Legal obligation - processing is necessary for compliance with a legal obligation to which the controller is subject.
    • Vital interests - processing is necessary to protect the vital interests of the data subject or another natural person.
    • Public task - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
    • Legitimate interests - processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

    [Art. 6]

    PDPB

    There are seven legal bases for processing personal data:

    • Performance of any function of the State.
    • Compliance with any order of any court or tribunal.
    • Responding to any medical emergency involving a threat to the life or health of the data principal.
    • Providing medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health.
    • Undertaking measures to ensure the safety of, or provide assistance or services to, any individual during any disaster or breakdown of public order.
    • Purposes related to employment.
    • Reasonable purposes.

    Reasonable purposes may include: (a) prevention and detection of any unlawful activity including fraud; (b) whistleblowing; (c) mergers and acquisitions; (d) network and information security; (e) credit scoring; (f) recovery of debt; (g) processing of publicly available personal data; and (h) the operation of search engines.

    [Clauses 12, 13 and 14]

    The legal basis for processing necessary for the performance of the contract is missing in the PDPB. Moreover, the requirement of "reasonable purposes" is narrower than the "legitimate interest" under GDPR, in the sense that the reasonable purposes are limited to what is mentioned in the PDPB.

    INDIVIDUAL RIGHTS

    Right to be Informed

    GDPR

    Individuals have the right to be informed about the collection and use of their personal data.

    Such information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. [Art. 12(1)]

    Where data is collected directly, the data subject should be informed when the personal data are obtained.

    Where data is not collected directly, the data subject should be informed within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed.

    [Art. 13 and Art. 14]

    PDPB

    Every data fiduciary is required to give notice to the data principal at the time of collection of personal data, or if the data is not collected from the data principal, as soon as reasonably practicable.

    Notice shall be clear, concise and easily comprehensible to a reasonable person and in multiple languages where necessary and practicable.

    The notice should contain the following information:

    (a) the purposes for which the personal data is to be processed; (b) the nature and categories of personal data being collected; (c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable; (d) the right of the data principal to withdraw his consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent; (e) the basis for such processing, and the consequences of the failure to provide such personal data; (f) the source of such collection, if the personal data is not collected from the data principal; (g) the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable; (h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable; (i) the period for which the personal data shall be retained or where such period is not known, the criteria for determining such period; (j) the existence of and procedure for the exercise of rights; (k) the procedure for grievance redressal; (l) the existence of a right to file complaints to the Authority; (m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary; and (n) any other information as may be specified by the regulations.

    [Clause 7]

    The right to be informed forms an essential part of the transparency requirements, and there is considerable overlap between the two frameworks here.

    The content of notice under GDPR does not include disclosure of the procedure for grievance redressal. Also, there is no mention of data trust score in GDPR.

    Right of Access

    GDPR

    The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.

    The controller shall provide a copy of the personal data undergoing processing.

    The controller shall provide information on action taken on a request under Article 15 to the data subject without undue delay and in any event within one month of receipt of the request.

    Information provided under Art. 15 shall be provided free of charge.

    [Art. 15]

    PDPB

    The data principal shall have the right to obtain from the data fiduciary— (a) confirmation whether the data fiduciary is processing or has processed personal data of the data principal; (b) the personal data of the data principal being processed or that has been processed by the data fiduciary, or any summary thereof; (c) a summary of processing activities undertaken by the data fiduciary with respect to the personal data of the data principal.

    The data fiduciary shall provide the information clearly and concisely that is easily comprehensible to a reasonable person.

    The data principal shall have the right to access in one place the identities of the data fiduciaries with whom his personal data has been shared by any data fiduciary together with the categories of personal data shared with them, in such manner as may be specified by regulations.

    [Clause 17]

    The data principal, under PDPB, has the right to know whether the data fiduciary is processing or has processed personal data. But, under GDPR, the right is limited to whether the data is being processed. Hence, it can be said the right of access is broader under PDPB.

    Further, under PDPB the data principal has the right to access in one place the identities of the data fiduciaries with whom his personal data has been shared. This right is missing under GDPR.

    Right to Rectification

    GDPR

    The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

    The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

    [Art. 16]

    PDPB

    The data principal shall, where necessary, having regard to the purposes for which personal data is being processed, have the right to— (a) the correction of inaccurate or misleading personal data; (b) the completion of incomplete personal data; (c) the updating of personal data that is out-of-date; and (d) the erasure of personal data which is no longer necessary for the purpose for which it was processed.

    Where the data fiduciary corrects, completes, updates or erases any personal data, such data fiduciary shall also take necessary steps to notify all relevant entities or individuals to whom such personal data may have been disclosed regarding the relevant correction, completion, updation or erasure.

    [Clause 18]

    The right to rectification is similar under both frameworks. However, PDPB does not specify the time within which the rectification should take place.

    Right to Erasure ('right to be forgotten')

    GDPR

    PDPB

    The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where the data is no longer needed for the purpose for which it was collected, where the data subject withdraws consent on which processing is based, where the data subject objects to the processing or where the personal data have been unlawfully processed.

    If the controller has made personal data public and is obliged to erase such data, then it shall take reasonable steps to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

    [Art. 17]

    The data principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary where such disclosure— (a) has served the purpose for which it was collected or is no longer necessary for the purpose; (b) was made with the consent of the data principal and such consent has since been withdrawn; or (c) was made contrary to the provisions of this Act or any other law for the time being in force.

    Such right may be enforced only on an order of the Adjudicating Officer ("AO") made on an application filed by the data principal.

    AO shall take into consideration certain factors such as the sensitivity of the personal data, the relevance of personal data to the public etc.

    [Clause 20]

    Under GDPR, the right to be forgotten is encompassed within the right to erasure. PDPB, by contrast, treats them as two distinct rights.

    Right to erasure has been inserted in the PDPB 2019 version. This right did not exist in the Draft Bill of 2018.

    Right to Restrict Processing

    GDPR

    PDPB

    The data subject has the right to obtain from the controller restriction of processing on certain specified grounds:

    • where the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    • where the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • where the controller no longer needs the personal data for the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; and
    • where the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.

    [Art. 18]

    No such right is provided in PDPB. However, the right to be forgotten provides three grounds on which the data principal can restrict the disclosure of personal data by a data fiduciary.

    Right to Data Portability

    GDPR

    PDPB

    The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or a contract and where the processing is carried out by automated means.

    The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

    That right shall not apply to processing necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller.

    [Art. 20]

    This right applies to data which has been processed through automated means, where (i) the personal data was provided to the data fiduciary; (ii) the data has been generated in the course of the provision of services or use of goods by the data fiduciary; or (iii) the data forms part of any profile on the data principal, or has otherwise been obtained by the data fiduciary.

    Such data should be provided in a structured, commonly used and machine-readable format.

    The data principal has the right to have the personal data transferred to any other data fiduciary.

    Where the processing is necessary for functions of the State or in compliance with law or an order of a court, or where compliance would reveal a trade secret of any data fiduciary or would not be technically feasible, this right does not apply.

    [Clause 19]

    Under GDPR, the right to data portability can be exercised by the data subject only with respect to data processed on certain legal bases (consent or a contract), which limits the scope of the right. This is not the case under PDPB.

    Right to Object

    GDPR

    PDPB

    The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on processing necessary for the performance of a task carried out in the public interest or on processing for the purposes of legitimate interests, including profiling based on those provisions.

    The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

    In case the processing of data is done for direct marketing purposes, then the data subject can object at any time.

    In case the data is processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, has the right to object to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

    [Art. 21]

    No such right is envisaged in PDPB 2019.

    Rights in Relation to Automated Decision Making and Profiling

    GDPR

    PDPB

    The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

    Where such decisions are permitted, the data subject has the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

    [Art. 22]

    No such right is envisaged in PDPB.

    TRANSPARENCY AND ACCOUNTABILITY MEASURES

    Privacy by Design

    GDPR

    PDPB

    The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, effectively and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR.

    [Art. 25(1)]

    Every data fiduciary shall prepare a privacy by design policy containing certain elements. [Clause 22(1)]

    The data fiduciary also has the option to submit its privacy by design policy to the Data Protection Authority ("DPA") for certification.

    Once certified, the privacy by design policy shall be published on the website of the data fiduciary and the DPA.

    [Clause 22]

    The scope of the measure 'privacy by design' seems to be broader under PDPB than under GDPR. Under PDPB, the data fiduciary has to ensure the maintenance of privacy at all levels, whereas under GDPR the controller has to implement appropriate technical and organizational measures both at the time of determination of the means of processing and at the time of processing.

    Privacy by Default

    GDPR

    PDPB

    The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

    [Art.25(2)]

    No such provision is provided in PDPB.

    Transparency

    GDPR

    PDPB

    The controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.

    [Art. 12(1)]

    Every data fiduciary shall take necessary steps to maintain transparency in processing personal data and make the information available in the manner specified. The information to be made available pertains to the categories of personal data collected, the purpose for which the personal data is processed, and the right of the data principal to file a complaint against the data fiduciary with the Authority.

    The data principal may give or withdraw consent through a consent manager.

    [Clause 23]

    PDPB defines consent manager as: "Consent manager is a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform."

    There is no concept of consent manager under GDPR.

    Security Safeguards

    GDPR

    PDPB

    To be implemented by – controller and processor

    Conditions to be considered –

    • Costs of implementation
    • Nature, scope, context and purposes of processing
    • Risks of varying likelihood and severity for the rights and freedoms of natural persons

    Safeguard Measures –

    • Pseudonymisation and encryption of personal data
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

    [Art. 32]

    To be implemented by – data fiduciary and data processor.

    Conditions to consider –

    • Nature, scope and purpose of processing personal data
    • Risks associated with such processing
    • Likelihood and severity of the harm that may result from such processing.

    Safeguard Measures –

    • Use of methods such as de-identification and encryption
    • Steps necessary to protect the integrity of personal data
    • Steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data.

    [Clause 24]

    The condition to be considered under GDPR relates to the severity for the rights and freedoms of natural persons, whereas, under PDPB, it is the likelihood and severity of harm that may result from the processing.

    The definition of 'harm' under PDPB is an inclusive list of what constitutes harm, such as bodily or mental injury; loss, distortion or theft of identity; loss of reputation; subjection to blackmail or extortion, etc. But there are no other guidelines, beyond these factors, that might help to interpret the word. The factors provided are highly subjective and will end up being interpreted differently by different persons, which will cause several issues.

    Personal Data Breach

    GDPR

    PDPB

    Who should be informed? – Supervisory Authority.

    Content of the notice – The notice shall at least (a) describe the nature of the personal data breach; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the personal data breach; and (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach.

    When should notice be made? - In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

    If not made within 72 hours, it shall be accompanied by reasons for the delay.

    If it is not possible to provide the information at the same time, the information may be provided in phases.

    Processors must notify a controller of a breach without undue delay.

    What happens after the supervisory authority is informed? When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. Such communication shall describe in clear and plain language the nature of the personal data breach. If certain conditions are met, communication to the data subject is not required.

    [Art. 33 and 34]

    Who should be informed/notified? – Data Protection Authority

    Content of the notice – Notice shall include particulars such as nature of personal data which is the subject matter of the breach, number of data principals affected by the breach, possible consequences of the breach and action being taken by the data fiduciary to remedy the breach.

    When should notice be made? – It should be done as soon as possible if it is likely to cause harm to any data principal. Where it is not possible to provide all the information at the same time, it shall be provided to the DPA in phases without undue delay.

    What happens after DPA is notified? Upon receipt of a notice, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm.

    [Clause 25]

    Firstly, PDPB establishes no deadline for notification of breaches. Moreover, such notification is to be made based on the likelihood of harm, which is highly subjective.

    Under neither regulation are the authorities to be notified immediately: GDPR allows 72 hours, and PDPB requires notification 'as soon as possible'.

    DPA Registration of Significant Data Fiduciaries

    GDPR

    PDPB

    No such requirement under GDPR.

    Factors to be considered to notify data fiduciary as significant data fiduciary – Volume and sensitivity of data processed, turnover of the data fiduciary, risk of harm by processing by data fiduciary, use of new technology and any other factor causing harm from such processing.

    Registration - The data fiduciary or class of data fiduciary shall register itself with the Authority.

    Social media intermediary as significant data fiduciary – Any social media intermediary (i) with users above such threshold as may be notified by the Central Government, in consultation with the DPA; and (ii) whose actions have, or are likely to have, a significant impact on electoral democracy, the security of the State, public order or the sovereignty and integrity of India, shall be notified by the Central Government, in consultation with the Authority, as a significant data fiduciary.

    [Clause 26]

    The concept of a significant data fiduciary, and the requirement to classify a data fiduciary or class of data fiduciaries as such, is not found in GDPR.

    PDPB also introduces the concept of a social media intermediary, which it defines as follows:

    a "social media intermediary" is an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services, but shall not include intermediaries which primarily,— (a) enable commercial or business oriented transactions; (b) provide access to the Internet; (c) in the nature of search-engines, on-line encyclopedias, e-mail services or online storage services.

    Data Protection Officer [DPO]

    GDPR

    PDPB

    Who should appoint DPO? Controller and the Processor

    When should DPO be appointed –

    • processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
    • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
    • the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

    Functions to be carried out by the DPO –

    • inform and advise the controller or the processor and the employees who carry out the processing of their obligations under GDPR
    • monitor compliance with the GDPR and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
    • provide advice where requested as regards the data protection impact assessment and monitor its performance;
    • cooperate with the supervisory authority;
    • act as the contact point for the supervisory authority on issues relating to processing.

    Qualifications - The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks.

    [Art. 37, 38 and 39]

    Who should appoint DPO? Significant data fiduciary.

    Functions to be carried out by the DPO –

    • Provide information and advice to the data fiduciary on matters relating to fulfilling its obligations under PDPB
    • monitor personal data processing activities of the data fiduciary to ensure that such processing does not violate the provisions of PDPB
    • provide advice to the data fiduciary on carrying out the data protection impact assessments, and carry out its review
    • provide assistance to and co-operate with the Authority on matters of compliance of the data fiduciary with the provisions of PDPB
    • act as the point of contact for the data principal for the purpose of grievances redressal
    • maintain an inventory of records to be maintained by the data fiduciary.

    Qualifications – To be specified.

    The data protection officer appointed shall be based in India and shall represent the data fiduciary under this Act.

    [Clause 30]

    GDPR is silent about where the Data Protection Officer should be based. However, the thresholds under both regulations seem similar. The responsibilities of the DPO are more or less the same as well.

    Record of Processing Activities

    GDPR

    PDPB

    Who shall maintain records – Controller and processor, and where applicable, their representative.

    The records shall be in writing, including in electronic form.

    [Art. 30]

    Who shall maintain the record – Significant data fiduciary.

    What activities should be recorded –

    • important operations in the data life-cycle including collection, transfers, and erasure of personal data to demonstrate compliance
    • periodic review of security safeguards
    • data protection impact assessments and
    • any other aspect of processing as may be specified by regulations

    This also applies to the State.

    [Clause 28]

    GDPR doesn't mention what activities have to be recorded.

    Data Protection Impact Assessment [DPIA]

    GDPR

    PDPB

    Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

    Controller to seek the advice of DPO when carrying out DPIA.

    A data protection impact assessment shall, in particular, be required in the case of –

    • a systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
    • processing on a large scale of special categories of data or personal data relating to criminal convictions and offences; or
    • systematic monitoring of a publicly accessible area on a large scale.

    The Supervisory Authority shall publish a list of the processing operations which will be subject to DPIA and of those which will not be subject to such assessment.

    The assessment shall contain at least:

    • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
    • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
    • an assessment of the risks to the rights and freedoms of data subjects; and
    • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

    [Art. 35]

    Where the significant data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data principals, such processing shall not be commenced unless the data fiduciary has undertaken a data protection impact assessment.

    DPA shall specify where such DPIA shall be mandatory.

    A data protection impact assessment shall, inter alia, contain—

    • a detailed description of the proposed processing operation, the purpose of processing and the nature of personal data being processed;
    • assessment of the potential harm that may be caused to the data principals whose personal data is proposed to be processed; and
    • measures for managing, minimizing, mitigating or removing such risk of harm.

    Upon completion, DPO shall review the assessment and submit to the DPA.

    If DPA has reason to believe that the processing is likely to cause harm to the data principals, the Authority may direct the data fiduciary to cease such processing or direct that such processing shall be subject to such conditions as it may deem fit.

    [Clause 27]

    The Data Protection Impact Assessment is very detailed and highly specific under GDPR; by comparison, the assessment provided under PDPB is broader in ambit.

    Representative of controllers/processors not established in Union

    GDPR

    PDPB

    A controller or processor not established in the Union must designate in writing a representative in the Union.

    This obligation will not apply if the processing is occasional and does not include large scale processing of sensitive data and data relating to criminal convictions and offences. It will also not apply to public authority or body.

    [Art.27]

    There is no such requirement mentioned in PDPB.

    Audit of Policies

    GDPR

    PDPB

    The processor shall make available to the controller all information necessary to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

    [Art. 28(3)(h)]

    The significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor under this Act.

    The data auditor shall evaluate the compliance of the data fiduciary with the provisions of this Act, including—

    • clarity and effectiveness of notices
    • effectiveness of measures pertaining to the privacy by design policy
    • transparency in relation to processing activities
    • security safeguards adopted
    • instances of personal data breach and the response of the data fiduciary
    • timely implementation of processes and effective adherence to obligations
    • any other matter as may be specified by regulations.

    A data auditor may assign a rating in the form of a data trust score to the data fiduciary pursuant to a data audit conducted.

    In case the DPA is of the view that the data fiduciary is processing personal data in such manner that is likely to cause harm to a data principal, the DPA may direct the data fiduciary to conduct an audit and shall appoint a data auditor for that purpose.

    [Clause 29]

    No such requirement of an audit of policies is specifically mentioned in GDPR.

    Appointment of Processors

    GDPR

    PDPB

    Processing by processors shall be governed by a contract, the requirements of which are laid down in Art. 28.

    The data fiduciary shall not engage, appoint, use or involve a data processor to process personal data on its behalf without a contract entered into by the data fiduciary and such data processor.

    The data processor shall not engage, appoint, use, or involve another data processor in the processing on its behalf.

    [Clause 31]

    Processing by processors is regulated in considerable detail under GDPR, which is not the case under PDPB. Under both regulations, processing by processors is governed by a contract.

    Grievance Redressal

    GDPR

    PDPB

    Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes GDPR.

    The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy.

    [Art. 77]

    Every data fiduciary shall have in place the procedure and effective mechanisms to redress the grievances of data principals efficiently and in a speedy manner.

    A complaint shall be resolved by the data fiduciary in an expeditious manner and not later than thirty days from the date of receipt of the complaint by such data fiduciary.

    Where a complaint is not resolved within the period specified or where the data principal is not satisfied with the manner in which the complaint is resolved, or the data fiduciary has rejected the complaint, the data principal may file a complaint to the Authority in such manner as may be prescribed.

    [Clause 32]

    Under PDPB, there is a two-tier system for lodging a complaint: the data principal has to first approach the data fiduciary and, if that is not satisfactory, then approach the DPA.

    RESTRICTION ON TRANSFER OF PERSONAL DATA OUTSIDE INDIA

    GDPR

    PDPB

    A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.

    In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

    The sensitive personal data may be transferred outside India, but such sensitive personal data shall continue to be stored in India.

    The critical personal data shall only be processed in India.

    "Critical Personal Data" shall be notified by the Central Government.

    The sensitive personal data may only be transferred outside India for the purpose of processing when explicit consent is given by the data principal for such transfer, and where:

    • The transfer is made pursuant to a contract or intra-group scheme approved by DPA.
    • The Central Government, after consultation with the Authority, has allowed the transfer to a country or, such an entity or class of entity in a country or, an international organization.
    • the Authority has allowed the transfer of any sensitive personal data or class of sensitive personal data necessary for any specific purpose

    [Clause 34]

    Localization requirements are different under both the regulations. Localization under GDPR is subject to international data transfer requirements.

    Moreover, GDPR doesn't have restrictions as to what kind of data may be transferred. On the other hand, PDPB deals with only sensitive personal data.

    EXEMPTIONS

    Power of the State to exempt

    GDPR

    PDPB

    Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

    (a) national security;
    (b) defence;
    (c) public security;
    (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
    (e) other important objectives of general public interest of the Union or of a Member State, in particular, an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
    (f) the protection of judicial independence and judicial proceedings;
    (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
    (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
    (i) the protection of the data subject or the rights and freedoms of others;
    (j) the enforcement of civil law claims.

    [Art. 23]

    Where the Central Government is satisfied that it is necessary or expedient, —

    • in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or
    • for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order,

    it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government. [Clause 35]

    Where personal data is processed in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law, certain provisions of the PDPB will not apply. [Clause 36]

    Both instruments list grounds, but they differ in what may be restricted and under what test. Article 23 only permits a restriction of the specific rights and obligations in Articles 12 to 22, and only where the restriction respects the essence of the fundamental rights and is necessary and proportionate in a democratic society. Clause 35, by contrast, allows the Central Government to direct that all or any of the provisions of the Bill shall not apply to a government agency, i.e. a blanket exemption from the statute rather than a restriction of particular rights, and carries no comparable necessity or proportionality requirement on the face of the clause.

    Another difference concerns the exemption for processing in the nature of prevention, detection and investigation of offences. GDPR confines that ground to criminal offences. PDPB uses the bare term "offences", which is not defined in the Bill and can cover a wide range of contraventions under various Indian laws, including minor regulatory ones, so the scope of the Clause 36 exemption is correspondingly uncertain.

    Exemption for research

    GDPR

    PDPB

    Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with GDPR, for the rights and freedoms of the data subject.

    Those safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization.

    Those measures may include pseudonymization provided that those purposes can be fulfilled in that manner.

    [Art. 89(1)]

    DPA may exempt processing of personal data for research, archiving, or statistical purposes, if—

    • the compliance with the provisions shall disproportionately divert resources from such purpose;
    • the purposes of processing cannot be achieved if the personal data is anonymised;
    • the data fiduciary has carried out de-identification in accordance with the code of practice and the purpose of processing can be achieved if the personal data is in a de-identified form;
    • the personal data shall not be used to take any decision specific to or action directed to the data principal; and
    • the personal data shall not be processed in a manner that gives rise to a risk of significant harm to the data principal.

    [Clause 38]

    Sandbox for encouraging innovation

    GDPR

    PDPB

    No such provision under GDPR

    The Authority shall, for the purposes of encouraging innovation in artificial intelligence, machine learning or any other emerging technology in the public interest, create a Sandbox.

    [Clause 40]

    DATA PROTECTION AUTHORITY/SUPERVISORY AUTHORITY

    Establishment

    GDPR

    PDPB

    Each Member State shall provide for one or more independent public authorities ('supervisory authority') to be responsible for monitoring the application of GDPR.

    Central Government to establish Data Protection Authority of India.

    The DPA shall have perpetual succession and a common seal.

    DPA shall have the power to acquire, hold and dispose of property, both movable and immovable, and to contract and shall, by the said name, sue or be sued.

    [Clause 41(1) and Clause 41(2)]

    GDPR allows the Member States to establish more than one supervisory authority, whereas, under PDPB, there will be one central authority.

    Members Appointment

    GDPR

    PDPB

    Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by (a) their parliament (b) their government (c) their head of State or (d) an independent body entrusted with the appointment under Member State law.

    Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.

    [Art.53(1) and Art.53(2)]

    DPA shall consist of a Chairperson and not more than six whole-time Members, of which one shall be a person having qualification and experience in law.

    The Chairperson and the Members of the Authority shall be appointed by the Central Government on the recommendation made by a selection committee.

    The Selection Committee shall consist of (a) the Cabinet Secretary (b) the Secretary to the Government of India in the Ministry or Department dealing with the Legal Affairs, and (c) the Secretary to the Government of India in the Ministry or Department dealing with the Electronics and Information Technology.

    The Chairperson and the Members of the Authority shall be persons of ability, integrity and standing, and shall have qualification and specialised knowledge and experience of not less than ten years in the field of data protection, information technology, data management, data science, data security, cyber and internet laws, public administration, national security or related subjects.

    Appointment of members, under PDPB, can only be done by the Central Government. However, under GDPR, the appointment can be done by parliament, government, head of state or even an independent body entrusted with the appointment.

    Term of the Appointment

    GDPR

    PDPB

    Minimum Period of 4 years.

    Eligibility for reappointment shall be provided by law by each member state.

    [Art. 54]

    The Chairperson and the Members of the Authority shall be appointed for a term of five years or till they attain the age of sixty-five years, whichever is earlier, and they shall not be eligible for re-appointment.

    [Clause 43]

    GDPR sets no age cap for members, and leaves the question of re-appointment to each Member State's law; PDPB fixes an upper age of sixty-five and rules out re-appointment altogether.

    Code of Practice

    GDPR

    PDPB

    The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation. [Art. 40(1)]

    Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of GDPR. [Art. 40(2)]

    DPA shall, by regulations, specify codes of practice to promote good practices of data protection and facilitate compliance with the obligations under PDPB. [Clause 50(1)]

    DPA may approve any code of practice submitted by an industry or trade association, an association representing the interest of data principals, any sectoral regulator or statutory Authority, or any departments or ministries of the Central or State Government. [Clause 50(2)]

    Complaint Mechanism

    GDPR

    PDPB

    Every data subject shall have the right to lodge a complaint with a supervisory authority.

    The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy.

    [Art. 77]

    Data Principal has the right to file a complaint before the DPA. [Clause 7(1)]

    Under PDPB, the DPA doesn't have to keep the Data Principal informed about the status of the complaint.

    Powers to investigate

    GDPR

    PDPB

    Each supervisory authority shall have all of the following investigative powers:

    1. to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
    2. to carry out investigations in the form of data protection audits;
    3. to carry out a review on certifications issued pursuant to Article 42(7);
    4. to notify the controller or the processor of an alleged infringement of this Regulation;
    5. to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
    6. to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

    [Art. 58(1)]

    The Authority may, on its own or on a complaint received by it, inquire or cause to be inquired, if it has reasonable grounds to believe that—

    • the activities of the data fiduciary or data processor are being conducted in a manner which is detrimental to the interest of data principals; or
    • any data fiduciary or data processor has contravened any of the provisions of PDPB.

    [Clause 53]

    Powers of the Authority

    GDPR

    PDPB

    The supervisory authority has the following powers:

    • issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
    • issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
    • order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
    • to order the controller to communicate a personal data breach to the data subject;
    • impose a temporary or definitive limitation including a ban on processing;
    • order the rectification or erasure of personal data or restriction of processing
    • impose an administrative fine;
    • order the suspension of data flows to a recipient in a third country or to an international organization.

    [Art. 58(2)]

    DPA can take the following steps –

    • issue a warning to the data fiduciary or data processor where the business or activity is likely to violate the provisions of the PDPB;
    • issue a reprimand to the data fiduciary or data processor where the business or activity has violated the provisions of the PDPB;
    • require the data fiduciary or data processor to cease and desist from committing or causing any violation of the provisions of the PDPB;
    • require the data fiduciary or data processor to modify its business or activity to bring it in compliance with the provisions of the PDPB;
    • temporarily suspend or discontinue business or activity of the data fiduciary or data processor which is in contravention of the provisions of the PDPB;
    • vary, suspend or cancel any registration granted by the Authority in case of a significant data fiduciary;
    • suspend or discontinue any cross-border flow of personal data.

    [Clause 54]

    The powers of the supervisory authority and of the DPA largely overlap. The notable gap is that the supervisory authority under GDPR may itself order the rectification or erasure of personal data or the restriction of processing, whereas Clause 54 gives the DPA no equivalent power to order a remedy for the data principal's data directly; it acts on the fiduciary's business or activity instead.

    Right to Approach courts

    GDPR

    PDPB

    Each natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

    Each data subject has the right to an effective judicial remedy where the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

    [Art.78]

    Any person aggrieved by the decision of the DPA may prefer an appeal to the Appellate Tribunal within thirty days from the receipt of the order appealed against.

    [Clause 72]

    PENALTIES AND COMPENSATION

    Amount of Penalty Imposed

    GDPR

    PDPB

    Administrative fines under GDPR fall into two tiers: up to 10 000 000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher [Art. 83(4)]; and up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher [Art. 83(5)].

    The penalties under the Bill likewise vary by the provision contravened.

    They range from five crore rupees or two per cent. of total worldwide turnover of the preceding financial year, whichever is higher [Clause 57(1)], to fifteen crore rupees or four per cent. of total worldwide turnover of the preceding financial year, whichever is higher [Clause 57(2)].

    The turnover-based caps are the same in both regimes (2 % and 4 %); the difference lies in the fixed amounts, where GDPR's 10 000 000 EUR and 20 000 000 EUR floors are far higher than the Bill's five crore and fifteen crore rupees.

    Failure to comply with the decision of the Authority

    GDPR

    PDPB

    Non-compliance with an order by the supervisory authority shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

    [Art. 83]

    If any data fiduciary fails to comply with any direction or order issued by the DPA, it shall be liable to a penalty which may extend to twenty thousand rupees for each day during which such default continues, subject to a maximum of two crore rupees. In the case of a data processor, the penalty may extend to five thousand rupees for each day during which such default continues, subject to a maximum of fifty lakh rupees.

    [Clause 60]

    The fine under GDPR is much higher, and it is a single cap rather than a daily rate with an upper limit.

    OFFENCES

    Re-identification and processing of personal data

    GDPR

    PDPB

    The Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines.

    Such penalties shall be effective, proportionate and dissuasive.

    [Art. 84(1)]

    Any person who, knowingly or intentionally—

    (a) re-identifies personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or
    (b) re-identifies and processes such personal data as mentioned in clause (a),

    without the consent of such data fiduciary or data processor, shall be punishable with imprisonment for a term not exceeding three years or with a fine which may extend to two lakh rupees or both.

    [Clause 82(1)]

    GDPR creates no offence of re-identification itself; the nature of any criminal penalties is left to be determined by the individual Member States under Article 84. PDPB, on the other hand, makes unauthorised re-identification a standalone offence, which gives the de-identification standard in the DPA's code of practice (see Clause 38) practical weight: whether a dataset was "de-identified" in the first place determines whether a later re-identification is criminal.
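    The pseudonymisation that Art. 89(1) names as a safeguard, the de-identification that Clause 38 conditions the research exemption on, and the re-identification that Clause 82 criminalises all turn on one practical question: can the original identifier be recovered from the token? The following Python is an added illustration of that point, not code from the article or from either statute. It contrasts an unkeyed hash of a mobile number, which an outsider can reverse by guessing, with a keyed HMAC token that only the key holder (the data fiduciary) can recompute. The records, mobile numbers, the 8-digit prefix and all function names are constructed for the example.

```python
"""Keyed vs unkeyed pseudonymisation of a direct identifier (added example)."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Iterator, List, Dict, Optional

# Constructed sample records; the mobile numbers are fictional.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"mobile": "9876543210", "diagnosis": "flu"},
    {"mobile": "9876543277", "diagnosis": "asthma"},
]


def naive_pseudonymise(identifier: str) -> str:
    """Unkeyed SHA-256. The output looks opaque, but anyone who can guess
    the input can recompute it, so this is not effective de-identification
    for a low-entropy identifier such as a phone number."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the data fiduciary.
    Still deterministic, so one person's records link up for statistics,
    but without the key a guessed identifier cannot be mapped to a token."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def de_identify(records: Iterable[Dict[str, str]], key: bytes,
                field: str = "mobile") -> List[Dict[str, str]]:
    """Replace the direct identifier in each record with its keyed token."""
    out = []
    for rec in records:
        rec = dict(rec)  # do not mutate the caller's record
        rec[field + "_token"] = keyed_pseudonymise(rec.pop(field), key)
        out.append(rec)
    return out


def guessable_candidates(prefix: str = "98765432") -> Iterator[str]:
    """Attacker's candidate list: every 10-digit number sharing a known
    8-digit prefix, i.e. only 100 guesses. Real attackers use leaked
    customer or voter lists; the prefix here is an assumption for the demo."""
    return (f"{prefix}{i:02d}" for i in range(100))


def reidentify_by_dictionary(token: str, candidates: Iterable[str],
                             fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute fn over each guess and compare with the
    token. Returns the matching identifier, or None if no guess matches."""
    for guess in candidates:
        if hmac.compare_digest(fn(guess), token):
            return guess
    return None


def demo() -> tuple:
    """Runs both attacks against tokens for the same number.
    Returns (hit against unkeyed hash, hit against keyed token)."""
    key = secrets.token_bytes(32)  # fiduciary's secret, never shipped with data
    naive_token = naive_pseudonymise("9876543210")
    keyed_token = keyed_pseudonymise("9876543210", key)
    hit_naive = reidentify_by_dictionary(naive_token, guessable_candidates(),
                                         naive_pseudonymise)
    hit_keyed = reidentify_by_dictionary(keyed_token, guessable_candidates(),
                                         naive_pseudonymise)
    return hit_naive, hit_keyed


if __name__ == "__main__":
    print(demo())  # ('9876543210', None)
```

    The same dictionary that recovers the number from the unkeyed hash finds nothing against the keyed token, while the fiduciary holding the key can still re-identify deliberately (for example to honour an erasure request), which is the "with the consent of such data fiduciary" distinction Clause 82 draws. A keyed token is pseudonymous rather than anonymous data: the key must be protected and kept apart from the de-identified dataset, and re-identification remains possible through the other attributes if the records are rich enough.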

    Siddharth Batra is a Partner and Archna Yadav is an Associate at Satram Dass B & Co. Feel free to contact them at contact.del@satramdass.com for more details
