
COMPARISON BETWEEN THE GDPR AND THE PDP BILL

Abbreviations

Data controller ("DC") [EU context]
Data fiduciary ("DF") [Indian context]
Sensitive personal data ("SPD")
Personal Data Protection ("PDP")
Data processor ("DP")
Data Protection Authority ("DPA") [Indian context]
Data protection officer ("DPO") [EU context]

Comparison table (columns: S. No., Theme, GDPR, PDP Bill, Observation(s)), reproduced row by row:

1. Territorial and material scope

GDPR: Has extraterritorial applicability in some cases. Applies to data that relates to an identified/identifiable natural person (also called personal data) as well as 'special categories of personal data'. Relaxes certain requirements for data controllers ("DC") who pseudonymize personal data. Excludes anonymized data from its application.

PDP Bill: Has extraterritorial applicability in limited cases. Empowers the central government to exempt certain agencies of the government of India from the application of the bill. Further, allows the government to exempt DPs processing the data of foreign nationals from the application of the bill, subject to certain conditions. Covers personal data, sensitive personal data ("SPD") and critical personal data. There is no parallel to critical personal data under the GDPR. Further, the scope of SPD under the PDP Bill is wider than that of special categories of data in the GDPR. Additionally, the central government is authorised to prescribe new categories of SPD. The central government determines what 'critical personal data' is. Unlike the GDPR, the PDP Bill governs anonymised data and non-personal data to a certain extent, i.e. the central government can ask DFs and DPs to provide such data for better policy-making and targeted delivery of services.

Observation(s): The GDPR does not govern anonymised data at all, while the PDP Bill allows the government to access non-personal data held by any DP or DF for specific purposes under clause 91. Anonymization standards may differ between the PDP Bill and the GDPR. Therefore, being GDPR compliant does not necessarily make an entity compliant with the PDP Bill. The broader definition of SPD means that entities in India will have to apply higher standards of data protection to more categories of personal data in India, as compared to the GDPR. Entities will have to be especially careful with their processing of 'critical personal data', which has no parallel in the GDPR.

2. Data localisation and cross border data flows

GDPR: No hard data localisation. Cross border data transfers allowed subject to certain conditions. Special categories of personal data may be prohibited from being transferred outside the country. Cross border data transfer permitted with and without the authorization of the relevant Supervisory Authority (depending on the nature of the data), subject to certain restrictions.

PDP Bill: Places no restriction on the processing and transfer of personal data outside India. SPD to be stored only in India, but may be transferred outside India for processing with explicit consent in limited conditions. Critical personal data to be stored and processed only in India, but may be transferred outside India in limited conditions.

Observation(s): Entities will have to comply with stricter standards of data localization under the PDP Bill, as compared to the GDPR. The conditions for cross border data transfer may differ between the Data Protection Authority ("DPA") and the Supervisory Authority. Therefore, compliance with the GDPR may not result in compliance with the PDP Bill, since transfers outside India will depend on approvals/permissions either by the DPA or the central government. However, there are some overlaps between the GDPR and the PDP Bill (for instance, intra-group schemes or the broad idea of adequacy).

3. Notice and consent

GDPR: Notices need to be clear, simple and easy to understand and must contain all relevant details, including the identity of the DC and the contact details of the data protection officer ("DPO"), among other things. Valid consent (consent which is freely given, specific, informed, unambiguously indicated through a statement/clear affirmative action and capable of being withdrawn) of the data subject should be procured before processing.

PDP Bill: Notice requirements include the GDPR requirements plus notices in multiple languages and data trust scores/other information as asked for by the DPA. Consent requirements are similar to those in the GDPR. SPD to be processed only on the basis of explicit consent. A new class of entities called 'consent managers' has been introduced in the PDP Bill to help manage the consent of data principals.

Observation(s): Compliance with the GDPR is not equivalent to compliance with the PDP Bill's notice requirements. The PDP Bill offers relatively more clarity on the legal consequences of consent withdrawal than what is provided by the GDPR. Unlike the GDPR, the PDP Bill proposes a new type of entity for channelling consent, i.e. 'consent managers'.

4. Data processing principles and grounds for processing personal data

GDPR: Data processing principles are lawfulness, fairness and transparency; collection limitation; purpose limitation; accuracy; storage limitation; integrity and confidentiality; and accountability. Grounds for processing personal data are consent, compliance with the law, public interest, vital interest, performance of a contract, legitimate interests, and when data is manifestly made public by the data principal.

PDP Bill: Data processing principles under the PDP Bill are similar to those in the GDPR. In addition to the grounds listed in the GDPR, the grounds for processing personal data are 'purposes relating to employment' and 'reasonable purposes as specified by the DPA'. Furthermore, all the grounds under the GDPR are placed on an equal footing, unlike the PDP Bill, which considers consent as the primary basis and treats all other grounds as exceptions. Performance of a contract is still not a ground for processing data without consent under the PDP Bill, while it is under the GDPR.

Observation(s): Under the GDPR, data can be retained for a longer time for archiving/research/statistical purposes, whereas under the PDP Bill, data can be retained for a longer time if explicitly consented to by the data principal or to comply with any obligation under a law. The performance of a contract is not a ground under the PDP Bill, while it is a ground under the GDPR. The PDP Bill does not recognise 'legitimate interests' (as provided in the GDPR), but allows DFs to process data for 'reasonable purposes'. However, unlike legitimate interests, which are determined by the DCs themselves, reasonable purposes will be specified by the DPA. Thus, being compliant with the GDPR does not mean automatic compliance with the PDP Bill.

5. Security and compliance

GDPR: DCs are required to incorporate data protection by design. DPs and DCs are obligated to enforce security safeguards for personal data. DCs are obligated to perform Data Protection Impact Assessments ("DPIA") prior to processing some kinds of personal data, subject to limited prescribed exemptions. Each DC is required to maintain a record of the processing activities it is responsible for, with certain exceptions. Each Supervisory Authority is empowered to investigate DPs and DCs through data protection audits.

PDP Bill: The PDP Bill requires DFs to prepare privacy by design policies. DFs may subsequently have these policies certified. They are required to publish this policy on their own and the DPA's websites. DFs and DPs need to implement security safeguards. Significant DFs are required to: (i) undertake DPIAs; (ii) maintain up-to-date records of certain information in the form prescribed by the DPA; and (iii) have their conduct and policies audited by an independent auditor. The DPA will register experts in information technology, data science and computer systems as data auditors. The 2019 PDP Bill requires data protection officers to 'review' the DPIA prepared by DFs and give their opinion on it.

Observation(s): In terms of privacy/data protection by design, the PDP Bill and the GDPR are broadly aligned, and both refer to similar concepts such as DPIAs, privacy by design and audits. There are, however, differences in approach. In the GDPR, all DCs have to undertake DPIAs and maintain records, whereas under the PDP Bill only 'significant DFs' are required to do so. Further, the PDP Bill allows the DPA to notify regulations specifying the manner in which data auditors should conduct their data audits, whereas the GDPR does not. Further, DFs getting their policies certified under the PDP Bill will be eligible to participate in the data sandbox. The GDPR does not propose a sandbox. The grounds for determining if a DPIA is necessary are wider under the GDPR. Further, the information to be provided in the DPIA is narrower under the PDP Bill as compared to the GDPR. Thus, complying with the GDPR may not be enough to ensure compliance with the PDP Bill.

6. Breach notification

GDPR: Under the GDPR, DCs are required to notify the Supervisory Authority of a breach of personal data within 72 hours, with limited exceptions. The data subject is required to be notified of the breach without undue delay if there is a probability of significant harm to the rights of the data principals, subject to the prescribed exemptions.

PDP Bill: The PDP Bill requires every DF to inform the DPA of any breach which is likely to cause harm to data principals, within the timeline stipulated by the DPA. DFs have to notify data principals only when required to do so by the DPA. The DPA determines whether an individual should be notified, taking into account the severity of the harm that may be caused to the data principal or whether any action is required on the part of the data principal to mitigate such harm.

Observation(s): The thresholds for notification of a breach are different in the GDPR and the PDP Bill. In the GDPR, all breaches are to be reported to the supervisory authority, unless the breach is unlikely to result in a risk to individuals. Under the PDP Bill, breaches are to be notified to the DPA if they are likely to cause harm to data principals. Unlike the GDPR, under the PDP Bill DFs have to notify data principals only when required to do so by the DPA.

7. Data processors

GDPR: DCs can only employ DPs who comply with the GDPR. For this, DPs have to provide sufficient guarantees that they implement appropriate measures to comply with the GDPR. This may be measured by a DP's adherence to an approved code of conduct or an approved certification. A DP needs prior authorisation from the DC before engaging another DP. If the DP determines the purpose and means of processing, such DP shall be considered a DC for the purposes of the GDPR. The European Commission may lay down standard contractual clauses for the contracts between DPs and DCs.

PDP Bill: DFs can employ a DP through a valid contract to process data on their behalf. A DP may engage another DP for processing data with the authorisation of the DF, or if permitted under its contract with the DF.

Observation(s): The PDP Bill appears to be slightly more relaxed in the requirements for contracts with DPs, unlike the GDPR, where DPs have to give the DCs sufficient guarantees that they will adhere to the GDPR. In practice, however, pursuant to the PDP Bill, DPs may have to provide similar guarantees to DFs. The GDPR empowers the European Commission to prescribe standard contractual clauses for the agreement between DCs and DPs. The PDP Bill does not expressly provide for a similar measure with respect to the DPA.

8. Storage limitation

GDPR: Under the GDPR, the data is required to be kept in an identifiable form, and exceptions have been clearly laid down for increasing the storage period. Exceptions such as public interest and scientific, historical and statistical purposes have been provided for.

PDP Bill: The PDP Bill requires that data shall not be retained beyond the period necessary to satisfy the purpose for which it is collected, and has to be deleted once the purpose is fulfilled. The PDP Bill requires the 'explicit consent' of the data principal to retain data for a longer period of time.

Observation(s): Unlike the GDPR, the PDP Bill requires the explicit consent of the data principal in order to store data for a longer period of time than is necessary to satisfy the purpose for which it is collected. Therefore, compliance with the GDPR may not be enough to ensure compliance with the PDP Bill.

THE CONCEPT OF IMPLIED CONSENT IN THE GDPR

Without raising many eyebrows at the time of obtaining consent for our products, we can resort
to implied consent. Below is the GDPR recital recognising implied consent as valid consent.

“Consent should be given by a clear affirmative act… such as by a written statement,
including by electronic means, or an oral statement. This could include ticking a box when
visiting an internet website, choosing technical settings for information society services or
another statement or conduct which clearly indicates in this context the data subject’s
acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes
or inactivity should not therefore constitute consent” [1].

For example, other affirmative opt-in methods might include signing a consent statement,
oral confirmation, a binary choice presented with equal prominence, or switching technical
settings away from the default.

The key point is that all consent must be opt-in consent, i.e. a positive action or indication –
there is no such thing as ‘opt-out consent’. Failure to opt out is not consent, as it does not
involve a clear affirmative act. You may not rely on silence, inactivity, default settings, pre-
ticked boxes or your general terms and conditions, or seek to take advantage of inertia,
inattention or default bias in any other way. All of these methods also involve ambiguity –
and for consent to be valid it must be both unambiguous and affirmative. It must be clear that
the individual deliberately and actively chose to consent.

The idea of an affirmative act does still leave room for implied methods of consent in some
circumstances, particularly in more informal offline situations. The key issue is that there
must still be a positive action that makes it clear someone is agreeing to the use of their
information for a specific and obvious purpose. However, this type of implied method of
indicating consent would not extend beyond what was obvious and necessary.

GETTING CONSENT FOR OUR PRODUCT

For our application a simple pop-up will work, whereby the user is shown the company's
privacy policy and has to tick an (initially unticked) box to express consent to it. This will be
express consent to our privacy policy.

The following notice is attached to the Amazon Echo speakers sold online.

[1] Recital 32 GDPR.

Since our offline product will, at first, be distributed freely, we can have similar notices
printed and packed along with the product. This will fulfil our duty of giving the user a
reasonable chance to know our privacy policy. Continued use of the product from then on
will constitute implied consent to the privacy policy.

We may add certain features to our product to show our strong commitment towards the
privacy of users. It may include a simple light to indicate recording of voice by the device.
Other user-friendly features serving the same purpose may be used.

We also need to ensure that users can freely withdraw their consent. The PDP Bill has
introduced the concept of a “consent manager”, a data fiduciary tasked with enabling data
principals to manage their consent through an interoperable platform. Thus, a customer can
write to the data fiduciary, either directly or through the consent manager, to exercise her
rights of confirmation, access, correction, erasure and data portability. Withdrawal of consent
can also take place through the consent manager. How this will work in practice will become
clear only when further regulations are issued in this regard.
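The consent rules this page draws together (Recital 32's affirmative-act test, explicit consent for SPD and for longer retention under the PDP Bill, and withdrawal via a consent manager) can be encoded as a small consent record check. This is an added example written for this page, not code from the original document or from any product it describes; the field names, the Signal categories and the sample timestamp are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

# Constructed sample timestamp for the checks below (not real data).
SAMPLE_TIME = datetime(2020, 1, 1, tzinfo=timezone.utc)


class Signal(Enum):
    CHECKBOX_TICKED = "checkbox_ticked"  # unticked box the user ticked (pop-up)
    PRE_TICKED_BOX = "pre_ticked_box"    # default state, not an affirmative act
    SILENCE = "silence"                  # inactivity or no response
    CONTINUED_USE = "continued_use"      # implied consent, offline product


@dataclass
class ConsentRecord:
    principal_id: str
    policy_version: str      # which privacy policy text was shown
    purpose: str             # specific purpose the consent covers
    signal: Signal
    given_at: datetime
    explicit: bool = False   # express consent to the stated policy
    extended_retention: bool = False  # explicit consent to keep data longer
    withdrawn_at: Optional[datetime] = None

    def withdraw(self, when: datetime) -> None:
        # Withdrawal (directly or via a consent manager) ends the consent.
        self.withdrawn_at = when


def is_valid_consent(rec: ConsentRecord, sensitive: bool = False) -> bool:
    """Recital 32 test: a clear affirmative act, never silence or a pre-ticked
    default, and not withdrawn. SPD additionally needs explicit consent."""
    if rec.withdrawn_at is not None:
        return False
    if rec.signal in (Signal.PRE_TICKED_BOX, Signal.SILENCE):
        return False
    if sensitive and not (rec.explicit and rec.signal is Signal.CHECKBOX_TICKED):
        return False
    return True


def may_retain(rec: ConsentRecord, purpose_fulfilled: bool) -> bool:
    """Storage limitation: after the purpose is fulfilled, keep the data only
    with the principal's explicit consent to longer retention."""
    if not is_valid_consent(rec):
        return False
    return (not purpose_fulfilled) or (rec.explicit and rec.extended_retention)
```

Implied consent from continued use passes the general test but is rejected for sensitive personal data, and any record that has been withdrawn fails both checks.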
