The General Data Protection Regulation (GDPR) has become the benchmark for personal data protection law. It addresses a comprehensive list of existing and potential issues regarding personal data and is widely regarded as the working standard for data regulation; it has also served as a template for other countries drafting their own data protection laws.
India is the world's largest democracy and currently its fifth-largest economy, and it has been one of the largest generators of data over the last few years. Calls for a national data protection law led to the Personal Data Protection Bill (PDP), introduced in Parliament in 2019. Note that the PDP is a bill rather than an enacted statute, so its provisions may still change before (and if) it becomes law.
While the PDP clearly borrows from the GDPR in many major ways, there are also several important differences that reflect different local realities and India's specific requirements.
Let us look at some of the PDP’s salient features and compare them with GDPR’s to explore differences.
The PDP names three categories of data: personal data, sensitive personal data, and critical personal data. The scope of sensitive personal data is much broader in the PDP than the GDPR's "special categories" of data (it includes, for example, financial data and official identifiers, which the GDPR does not single out), and the PDP's critical personal data category has no parallel in the GDPR at all. The PDP authorises the central government to define what counts as critical personal data and to notify new categories of sensitive personal data. There are also provisions to exempt certain government agencies from the bill.
Unlike the GDPR, the PDP lets the central government direct any data fiduciary or data processor to hand over anonymised personal data or other non-personal data for purposes relating to better delivery of government services and more effective policy-making.
Residency and Cross-Border Data Flow
The GDPR imposes no hard data residency requirement. It does restrict transfers of personal data outside the EU/EEA: a transfer must rely on an adequacy decision, on appropriate safeguards such as standard contractual clauses or binding corporate rules, or on a specific derogation, and some of these mechanisms (binding corporate rules, ad hoc contractual clauses) require approval by the relevant Supervisory Authority (SA).
Under the PDP, sensitive personal data must be stored in India. It may be transferred abroad for processing only with the data principal's explicit consent and under an approved contract or intra-group scheme, a central government adequacy finding, or a specific DPA approval, and a copy must continue to be stored in India. Critical personal data is stricter still: it may be processed only in India, with narrow exceptions such as transfers to health or emergency services or to entities the central government has specifically permitted. Non-sensitive personal data can be sent and processed outside India without restriction.
Broadly speaking, data residency standards are much stricter under the PDP than under the GDPR. Transferring sensitive or critical personal data outside India would in many cases require sign-off from either the central government or the Data Protection Authority (DPA).
Consent and Notice
The GDPR requires clear notice at the point of data collection, written in plain and easily understandable language. The notice must include, among other things, the identity and contact details of the data controller and the contact details of the Data Protection Officer (DPO) where one has been appointed.
The GDPR also requires valid consent where consent is the legal basis for processing. Valid consent is freely given, specific, informed and unambiguous, and it must be as easy to withdraw at any time as it was to give.
The PDP replicates the GDPR's notice requirements and adds to them. The additions include making the notice available in multiple languages where necessary and practicable, and including any other information the DPA requires, such as the fiduciary's data trust score or similar reliability ratings.
The consent requirements are also similar to the GDPR's, with the addition that sensitive personal data may be processed only with explicit consent. To help data principals manage their consents, the PDP also introduces a new entity called a "consent manager."
Because of its different classification of personal data and the separate rules governing each category, the PDP varies in many ways from the GDPR. Unlike the GDPR, the PDP spells out the legal consequences of withdrawing consent: where consent is withdrawn for processing that was necessary to perform a contract, the legal consequences of the withdrawal fall on the data principal. And with the new "consent manager" entity, the process of channelling and handling consent would also differ fundamentally from the GDPR's approach.
The GDPR attaches certain principles to all processing of personal data. These are:
Lawfulness, fairness and transparency
Purpose limitation and data minimisation
Accuracy and storage limitation
Integrity and confidentiality, and accountability
The GDPR also spells out an exhaustive list of lawful grounds for processing personal data. These are:
Consent of the data subject
Performance of a contract with the data subject
Compliance with a legal obligation
Protection of vital interests
Performance of a task in the public interest or exercise of official authority
Legitimate interests of the controller or a third party
(Data that the data subject has manifestly made public is not a general ground for processing under the GDPR; it is only one of the exceptions that permit processing of special-category data.)
Here there are some interesting differences. While the principles of data processing under the PDP are similar, the bill's grounds for processing are consent, functions of the State, compliance with law or court orders, medical emergencies and disasters, purposes related to employment, and other "reasonable purposes" as specified by the DPA.
Contract performance, a ground for processing under the GDPR, is not a valid ground under the PDP. Also, all grounds for processing under the GDPR carry equal weight, whereas under the PDP consent is the primary basis and all other grounds are treated as exceptions to it.
The GDPR permits retaining data for longer periods for archiving in the public interest, scientific or historical research, or statistical purposes. Under the PDP, data may be retained beyond its original purpose only with explicit consent or to meet a legal obligation. Also, "legitimate interests" is not a ground for processing under the PDP; its nearest equivalent is processing for "reasonable purposes" specified by the DPA, for which the bill lists candidates such as fraud prevention, whistleblowing, mergers and acquisitions, network and information security, credit scoring, debt recovery, and processing of publicly available personal data.
Compliance and Security
The GDPR mandates data protection by design and by default. Controllers and processors must implement appropriate technical and organisational security measures for all personal data. Controllers must also carry out a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals. Data protection audits can be used to investigate controllers and processors.
In these measures, the PDP remains very similar to the GDPR. Audits, privacy by design, and DPIAs are all included in the PDP. However, there are some differences in approach.
The GDPR requires a DPIA of any controller whose processing is high-risk, and requires most controllers and processors to keep records of their processing activities, with only a narrow exemption for small organisations. In the PDP, DPIAs, record-keeping, independent audits and appointing a DPO are mandatory only for "significant" data fiduciaries, a class the DPA designates based on factors such as the volume and sensitivity of the data processed, turnover, and the risk of harm. The DPA may also issue regulations specifying exactly how data auditors conduct audits.
Furthermore, the PDP proposes a regulatory sandbox in which data fiduciaries whose privacy-by-design policy has been certified by the DPA can participate. The GDPR has no such sandbox. So a compliance programme built for the GDPR would need additional PDP-specific processes rather than being reusable as-is.
In the event of a personal data breach, the GDPR requires controllers to notify the relevant Supervisory Authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to data subjects, they must also be notified without undue delay. Under the PDP, data fiduciaries must notify the DPA of any breach likely to cause harm to a data principal, but they notify the affected data principals only if the DPA directs them to.
In such cases, the DPA decides whether principals must be told, based on the severity of the potential harm. This is the main point of difference from the GDPR, where the controller itself must assess the risk, report to the Supervisory Authority unless the risk is negligible, and inform data subjects when the risk is high (the SA can also order it to do so).
Both the GDPR and the PDP regulate the use of data processors. Under the GDPR, controllers may use only processors that provide sufficient guarantees of GDPR-compliant processing; adherence to an approved code of conduct or an approved certification scheme can be used as evidence of such guarantees.
A processor must obtain the controller's prior written authorisation before engaging a sub-processor.
Under the PDP, a data fiduciary may engage a data processor only under a valid contract, and the processor may not sub-contract further without authorisation in that contract. This contractual requirement is more relaxed than the GDPR's, which makes controllers responsible for vetting a processor's guarantees before contracting it.
Nor does the PDP task the DPA with prescribing standard contractual clauses between fiduciaries and processors, whereas the GDPR authorises the European Commission (and supervisory authorities) to adopt such clauses.
The GDPR requires that personal data be kept in identifiable form for no longer than necessary for the purpose of processing. Longer storage is permitted only under specific exceptions, namely archiving in the public interest and scientific, historical or statistical purposes, and only with appropriate safeguards. Under the PDP, data may be kept only as long as needed for its purpose and must be deleted once that purpose is served; retaining it longer requires either the data principal's explicit consent or a legal requirement.
This means that meeting the GDPR's storage-limitation requirements is not by itself sufficient to remain compliant with the PDP: a retention policy that relies on the GDPR's research or archiving exceptions needs explicit consent or a legal basis under the PDP.
Penalties and Grievance Redressal
Under the GDPR, controllers and processors are required to support the DPO, and data subjects can contact the DPO directly about the exercise of their rights. Data subjects also have the right to lodge a complaint with a Supervisory Authority and to seek judicial remedies against controllers, processors and the SA itself. For failures to meet these obligations, the GDPR sets administrative fines of up to 10 million euros or 2% of worldwide annual turnover, whichever is higher, applicable to controllers, processors, monitoring bodies and certification bodies, with a higher tier of up to 20 million euros or 4% for breaches of the core principles, data subject rights and transfer rules.
Under the PDP, data fiduciaries must maintain an appropriate grievance redressal mechanism. A data principal can raise a grievance with the designated officer, who must resolve it within 30 days. Orders of the DPA's adjudicating officers can be appealed to an Appellate Tribunal. The PDP sets financial penalties of up to Rs. 15 crore or 4% of worldwide turnover for the most serious violations and up to Rs. 5 crore or 2% for others; where no specific penalty is prescribed, a significant data fiduciary is liable for up to Rs. 1 crore and any other entity for up to Rs. 25 lakh.
The 30-day time limit for grievance redressal is a major point of difference from the GDPR, which sets no fixed deadline for resolving a complaint (though requests to exercise data subject rights must be answered within one month). The financial penalties also differ significantly. And while both regimes allow any aggrieved person, not just the data principal, to challenge a regulator's decision, the PDP routes such appeals to a dedicated Appellate Tribunal rather than to the ordinary courts.
Where an automated decision can cause personal harm, the GDPR has clear and stringent provisions: a right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, and a right to object at any time to profiling for direct marketing, which must be brought explicitly and separately to the data subject's attention. Under the PDP, large-scale profiling is one of the factors that can make a fiduciary "significant" and trigger a DPIA, but the bill gives individuals no right to object to automated profiling; the only direct restriction is a ban on profiling, tracking and behavioural monitoring of children.
While the GDPR does serve as a template for the PDP, the differences above make the Indian PDP a distinct regime in its own right. Some of the existing issues with the PDP are likely to be corrected as the bill evolves, and it will be interesting to see how the PDP is implemented and how organisations that already comply with the GDPR adapt their programmes to it.