
Comparative Analysis of the European Union General Data Protection Regulation and India’s Personal Data Protection Bill

I. Introduction

The EU’s General Data Protection Regulation (“GDPR”) came into force in May 2018. It
purported to be the master regulation governing all data and data-processing activities in
the European Union (“EU”). Its counterpart in India is the Personal Data Protection Bill, 2018
(“PDP”), which seeks to provide a streamlined regulation to govern all data-processing
activities in India. It was born out of the seminal judgment of the Supreme Court of India in
the case of Justice K. S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (“Privacy
Judgement”). The PDP was the result of the Justice B. N. Srikrishna Committee, constituted
by the Ministry of Electronics and Information Technology after the Privacy Judgement.

The GDPR was one of the forerunners in the race to regulate cyberspace, and it has since
served as a benchmark for the privacy laws of other nations. The basis of the PDP is
similar to that of the GDPR. As a result, the PDP solidifies the same underlying principles
as the GDPR, modifying them only slightly in procedural terms to fit better into the Indian
legal scenario.

This piece is aimed at initiating a discussion on the differences between the two headlining
legislations to facilitate an understanding of the privacy legal landscape in India.

II. Overview of GDPR

The GDPR provides strict protections for data subjects, including certain rights, security
safeguards and other compliance measures that must be adhered to by the organizations it
covers. It came into effect on 25 May 2018 and changed the manner in which data is
collected, stored and processed.

While the prospect of the GDPR was much needed and welcomed, many companies at the
beginning did not grasp the magnitude of the Regulation’s applicability. In fact, in a
survey conducted by Veritas, while about 31 per cent of respondents said that they were GDPR
compliant, it turned out that about 98 per cent were mistaken about their position vis-à-vis
the GDPR.

The GDPR covers every organization conducting its business in the territory of the EU. It
also covers organizations outside the EU that fall under the EU’s extra-territorial
jurisdiction or that collect, process or store the data of EU citizens, and it extends to
non-EU citizens living within the territory of the EU.

What the GDPR brought forth, apart from a well-defined scope and applicability, were more
stringent penalties for data breaches. For example, an organization that falls short of its
compliance obligations under the GDPR may be subjected to a penalty of up to 4 per cent of
its annual sales globally, or USD 24 million, whichever is greater. The reason companies were
struggling with compliance was the GDPR’s strong push for obtaining the explicit consent of
data subjects.

These compliance obligations are taken care of by Data Protection Officers (“DPO”) appointed
by all such organizations. DPOs are granted special protection and standing under company
regulations and the GDPR.

III. Overview of PDP

The PDP Bill is India’s answer to regulation of personal data of individuals collected by
organizations in terms of storage, processing, sharing and usage. The PDP provides for well-
set mechanisms for obtaining the consent for data collection, the steps to be followed for its
processing, the accountability measures, and a machinery for grievance redressal.

The PDP provides for the concepts of Data Fiduciaries and Data Processors. A Data Fiduciary
means “any person, including the State, a company, any juristic entity or any individual who
alone or in conjunction with others determines the purpose and means of processing of
personal data”; while a Data Processor means “any person, including the State, a company,
any juristic entity or any individual who processes personal data on behalf of a data
fiduciary, but does not include an employee of the data fiduciary”.

The Bill’s applicability extends to organizations which deal with data collected, processed
and shared within the territory of India; which process data connected to any business
carried on in the territory of India; or which operate in a territory outside India but deal
with data that is connected directly to India. The Bill also applies to data that is
processed by the government. At the same time, the Bill does not make a distinction between
the sectors or fields an organization may be involved in. All organizations are uniformly
subject to the provisions of the Bill.

IV. GDPR vis-à-vis PDP

The foremost difference between the two is seen in the scope of their application. Since
there is a difference between the encryption standards the GDPR demands and those the PDP
provides for, an organization’s compliance with the GDPR does not necessarily mean that it
is also in accordance with Indian law. While India provides for a category of data called
sensitive personal data, which is entitled to a higher standard of protection than personal
data, the GDPR does not make such a broad distinction. As a result, Indian organizations need
to provide a higher degree of protection. Furthermore, the PDP also provides for a category
of data called critical personal data, which includes data that is “critical” for the
security and finances of the nation. Such a category is not provided for anywhere in the
GDPR. The GDPR’s definition of personal data takes into account the likelihood of the person
being identified, while in the PDP certain types of data, like financial statements and
health records, are explicitly termed sensitive personal data. The GDPR, for its part,
provides a separate set of rules to be followed for processing records of criminal offences
and for record-keeping. The PDP does not provide for such distinctions.

The PDP has provisions for data localization in the form of a “local storage requirement”,
which mandates that a “serving copy” of any data sent outside India be stored within India.
Critical personal data may be processed exclusively in India. The GDPR, on the other hand,
does not provide for any such exclusive and stringent data localization requirements.
Transfers under the GDPR are still subject to certain restrictions, although these are not
as stringent as those provided for in the PDP. Cross-border transfer of data is permitted
under the GDPR with the proper permissions from the relevant authorities.

A significant portion of both regulations deals with the idea of consent. The PDP provides a
wider definition of how consent is to be obtained from users than the GDPR does. Consent
under the PDP must be free, and harmonious with other existing Indian laws such as the
Indian Contract Law; informed and transparent; specific, clear, and backed by a meaningful
and expressive affirmative action; and capable of being withdrawn by individuals. On the
other hand, the GDPR’s requirements, while somewhat similar, cover more bases in terms of
specificity. For example, even where the same platform provides for different types of
collection and processing of data, consent must be taken for each such service. The GDPR
also provides for a “contractual necessity” basis for processing.

Both regulations give organizations some leeway to process certain data without the consent
of the data subjects. Under the GDPR, processing is permitted without consent where it
serves the legitimate interests of the data controller, provided it is ensured that the
interests of the data controller do not undermine the rights and interests of the subject.
The PDP also permits the collection of subjects’ data for “reasonable purposes”. The
difference here is that such non-consensual collection of data has to be permitted by the
data protection authority first. These reasonable purposes may include activities like
prevention of fraud, money laundering, debt recovery, etc., as provided for in the Bill and
adjudged by the authority. Thus, it is more restrictive in the Indian context.

The other important aspect in which the two regulations differ is how the right to be
forgotten works under each of them. While the GDPR leaves it to the option of the data
subjects to determine to what extent they want their data to be erased, under the PDP the
scope of this right is determined by the data protection authority. As a result, a number of
factors play a role when it comes to exercising the right to be forgotten under the PDP,
making it narrower.

V. Conclusion

On the face of it, the PDP Bill seems to be on par with the considerably well-drafted and
effective GDPR. It can even be said that in some aspects the provisions of the PDP seem
better than those of the GDPR, at least on paper. However, until the Indian government
enacts the Bill, which has been in discussion since before the landmark Privacy Judgement,
no concrete argument can be made about the effectiveness of the PDP Bill. The GDPR, on the
other hand, has proven largely successful in what it set out to achieve, and has since
become a benchmark for other privacy laws.

In today’s India, cyberspace is expanding every day, and the law is unable to keep up,
almost running out of breath behind it. The formal enactment of the PDP into an Act would be
the much-needed push in the right direction to bring to fruition the fundamental right to
privacy envisaged in the Constitution of India by the Hon’ble Supreme Court.
