Technology is now a part of us. Neither in professional nor in personal life we
can function without technology. Even you are reading this paper through
technology. Technology is the advent mainly of the 21st century. With new
development comes new problems and crimes. We may very rarely realize but every
day with our interaction with technology our personal information which in
market terms is data is being collected. The data collected can be as personal
as even your location, your entire travel history, etc. These collected data are
used by companies for various purposes. Many times the data is even misused.
To prevent misuse and to regulate the data used by anyone, be it domestic or
foreign companies or the government, rules have to be laid down. In Europe, the
regulation for data protection is the General Data Protection Regulation. It has
already come into effect. On the other hand, the Personal Data Protection Bill
is proposed for the regulation of the data collected in India or of Indian
citizens. In this paper, we will see the areas in which both the regulations are
covered and their key feature. Further, we will analyze the difference or
similarities between the two.
General Data Protection Regulation or GDPR is the legal framework that sets
guidelines for the collection and processing of personal information from
individuals who live in the European Union (EU). It came into effect in May
2018. While Personal Data Protection Bill,2019 (PDPB) was introduced in India's Lok Sabha by the Minister of Electronics and Information Technology, on December
11, 2019. The Bill provides for the protection of personal data of individuals
and established a Data Protection Authority for the same. First, let us see
what are the key features of both the regulation.
Key Features Of GDPR
The General Data Protection Regulation is applicable to all the 28 member states
of the European Union. It has replaced the Directive of the European Parliament
and of the council of 1995. The directive was enacted for the purpose of
protection of individuals with regard to the processing of personal data and on
the free movement of such data. The GDPR have the same objective have the
directives, however, the new regulation rectified the faults in the directive.
The directive was unable to prevent legal uncertainty and remove sufficient
risks with respect to the protection of the personal data of
individuals. Further, the discrepancies in levels of personal data protection
and processing in the member states caused difficulty in the function of the
economic activities in the EU. To resolve all these issues the new regulation
was proposed and brought into effect.
The regulation is applicable to all the entities which were established within
the EU and process the personal data of the citizens of the EU. Further, online
shops and services which perform delivery of services and goods to the territory
of the EU and other entities which monitor the conduct of EU citizens are also
under the ambit of the regulation. According to GDPR “personal data” means any
information relating to an identified or identifiable individual person (“data
subject”); an identifiable individual person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that individual person.
The GDPR works on six core principles according to which the personal data must
be processed. It includes:
- Legitimacy, fairness and transparency- The entity who is processing the
data must mention the information regarding the purpose, means and scope of
processing in a simple and clear way.
- Limitation of purpose- The data must be only used by the company for the
purposes which the individual whose data it is being informed about.
- Minimization of personal data- Personal data should not be collected in
a scope greater than what is required.
- Incorrect personal data should be erased or corrected.
- Limitation of storage period- the personal data should not be stored for
a duration longer than it is needed.
- Entirety and confidentiality- The companies who have collected the
personal data must ensure that the data is being protected from any
unauthorised or unlawful processing, storage or usage.
The processing of personal data will only be lawful if the data subject has
consented for it, data is required for the performance of a contract to which
the subject is a party, the data is required for compliance with the legal
obligation of the controller, data is required for completion of particular
tasks and will be carried out for the benefit of the public interest or for
exercising the controller's functions or the data processing is required for
other lawful purposes.
There is a provision for strict implementation of the rules in the GDPR. The
penalties for breaking the rules may vary from case to case based on its
effectiveness, proportion, and dissuasiveness. However, the already prescribed
fine is for the first level of administrative the fine is an amount of up to
10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total
worldwide annual turnover of the preceding financial year whichever is higher,
and will be applied in case of breach of obligations of the controller and the
processor. The second level of administrative fines in an amount of up to
20,000,000 EUR, or in the case of an undertaking, up to 4% of the total turnover
whichever is higher, will be applied in case of breach of basic GDPR principles
for processing, including conditions for consent.
Along with all these, some other features of the GDPR include the data subject
having the right to ask for any data the company has about the subject in a
readable format so they can reuse it. Further, the new rules promote techniques
such as anonymization, pseudonymization, and encryption to protect personal
Therefore, the regulation has helped in overcoming the faults of the past and
have added new provisions for the protection of data according to the developed
needs. In the next section, we would discuss what provisions does the bill
proposed in the Indian parliament offers for data protection and processing.
Key Features Of PDPB
The bill proposes to supersede Section 43-A of the Information Technology Act,
2000, deleting the provisions related to compensation payable by companies for
failure to protect personal data. The bill also prescribes the manner in which
personal data is to be collected, processed, used, disclosed, sorted and
transferred. It proposes to protect personal data as well as sensitive
personal data. The PDPB applies to the process of personal data that has been
collected, disclosed, shared or processed within the territory of India.
Further, it applies to Indian companies, citizens, and any other person or body
created or incorporated under Indian law and organizations that are not present
in India, but process personal data in connection with organizations or
individuals in India. It also governs foreign companies, if they deal with the
personal data of individuals in India. However, the bill will not apply to
the processing of anonymized data for better delivery of services or formulation
of evidence-based policies by the Central government.
The regulation lays down the rules related to the purpose, collection and
storage limitation of personal data. According to PDPB, 'Personal Data
to data about or relating to a natural person who is directly or indirectly
identifiable, having regard to any characteristic, or any such features with any
other information, and shall include any inference drawn from such data for the
purpose of profiling. Further, it states that the data fiduciaries must
undertake certain transparency and accountability measures such as preparing
personal data, implementing security safeguards, etc.
The bill mentions that no data fiduciaries can be processed without the consent
of the individual. However, there are exceptions to this rule including if the
data is required by the state for providing benefits to the individual, legal
proceedings, to respond to a medical emergency, employment-related, etc.
Further, the data fiduciaries must undertake additional accountability measures
such as conducting a data protection impact assessment before conducting any
processing of large scale sensitive personal data.
The grievance redressal mechanism if the restrictions mentioned in the bill is
not followed, for that the bill has the provision for the set up of a Data
Protection Authority. The Authority will be comprised of members with expertise
in fields such as data protection and information technology. Any individual,
who is not satisfied with the grievance redressal by the data fiduciary can file
a complaint to the Authority. Orders of the Authority can be appealed to an
Appellate Tribunal Appeals from the tribunal will go to the Supreme Court.
The PDPB covers a lot of the areas of data protection and processing. It even
lays down the formation of an authority that will ensure the applicability of
the legislation and also works as an enforcement agency.
From the above two, we have seen in-depth the objective of the respective
regulations. There are certain similarities and differences between the two
regulations. They both focus on personal data; however, the scope and area are
different for both.
Firstly, with respect to the territorial scope, the PDPB's scope of application
is potentially broader than that of GDPR, as an entity may fall within scope
merely by processing personal data in India. However, the government has the
authority to exempt any of such processing activities when required.
Secondly, the subject matter of PDPB grants the government broad authority to
compel the disclosure of information that does not constitute personal data. In
the case of GDPR, the exception from the rule is for natural persons for purely
personal or household reasons and for law enforcement and national security
agency. However, PDPB exempts the regulation for the prevention/detection of
criminal activity are not limited to law enforcement agencies and could apply to
any organization engaged in such processing.
Thirdly, the definition of personal data under PDPB is broader than GDPR.
However, the GDPR with regard to personal data takes into account the reasonable
likelihood that an individual will be identifiable, this flexibility does not
appear in the PDPB. Under PDPB, inferences are expressly within the scope of the
definition of personal data, where they are derived from personal data for
profiling purposes. While in the GDPR, inferences may be personal data to the
extent that they relate to an identifiable individual.
Fourthly, even though the scope for sensitive personal data overlaps in the two,
nonetheless the scope of PDPB is wider. It can be seen in the two points. First
being, PDPB includes 'financial data' within the scope of sensitive data.
Second, being it allows the government to define additional categories of
sensitive data, whereas the list of categories under the GDPR is finite.
However, the GDPR provides additional rules for processing criminal convictions
and offences data, while the PDPB does not have any such provision.
In conclusion, we have seen the territorial applicability, subject-matter
applicability, definitions and their scope and the redressal mechanism for both
the rules. It is seen that the scope of every definition related to data is
wider in PDPB than GDPR. However, the open-ended exception given to the
government is of concern which was even raised during the time when the
government launched the Arogya setu app for the tracking of covid positive
people and preventing further spread.
Further, in many places, the government
has been given the discretion to change the scope of definitions or of
applicability. This also creates concern as the privacy of the citizens is at
stake, especially wherewith Aadhar card details even biometrics and other
sensitive personal data is being under the control of the government.
Talking about the GDPR, in many cases, the scope is very rigid. Nonetheless, it
is functioning well, even though the companies have definitely felt its impact
where they had to revise their privacy policies and take consent of the data
subject. With the recent news, where the EU denied former Facebook, presently
meta, to process the data of the EU citizens after it was found that they were
grossly misusing the data.
Overall, both the regulations are essential to regulate the processing and
protection of data in these times where data collected are being misused and
used for manipulation of various forms. In India, this bill should come into
effect as soon as possible because the personal information of the citizens is
at stake here.
- General Data Protection Regulation (GDPR) Definition (investopedia.com)
- The Personal Data Protection Bill, 2019 (prsindia.org)
- GDPR: What Do You Need To Know - AGP & Co, A.G. Paphitis & Co: Cyprus
Lawyers, Cyprus Law Firm. (agplaw.com)
- Art.4 (1), General Data Protection Regulation, 2018.
- Check out 10 key features of GDPR – Geospatial World
- Key Features Of The Personal Data Protection Bill, 2019 - Privacy -
- The Personal Data Protection Bill, 2019: All you need to know (prsindia.org)
- Section 3(36), Protection of Personal Data Bill, 2019.
- Supra note 6.
- Supra note 7.