Personal Data Protection Bill 2019 and its implications: Is compliance with

GDPR necessary and conclusive?

-Yash Bhatnagar

Republic of India’s parliament in 2019, passed a yet to be enacted Personal Data Protection Bill
(PDP) which was introduced by Mr. Ravi Shankar Prasad, the Minister of Law and Justice,
Electronics and Information Technology and Communications with its main goal to stringent the
data protection norms and develop a sense of fundamental importance to privacy in the citizens
and netizens of India, for which the concept of online data sharing and transactional
communication is fairly new, does complying it with an already advanced and explored
Guidelines of Data Protection, 2016 (GDPR) by the European Union will allow it to be more
efficient or will there be contextual differences?

While there is a feud in the realm of privacy and data experts for the same, the stakeholders on
which the law would be directly applicable on, demands higher protection and exploration in the
various sections and statues of the said bill, to provide for the upmost security. India boasts off as
the second largest online market with over 560 million users, ranked just behind China. In 2020,
India accounted 50% penetration in the online market as new users flocked to join the social
media and streaming websites.Though one must take the fact in consideration that laws and
statues are formulated in consonance with the territorial intricacies and the Public International
Law does speak volumes about the same. Some sections of the Data Protection Bill, especially
the revised draft of 2019 “obscurely” reflects the principles of GDPR, which is evident as these
privacy strengthening statues and guidelines existed when the Indian bill was not even in its pre-
draft stage. Talking about basic principles, Personal Data Protection Bill, 2019 and European
Union’s GDPR sets a similar base for its enaction where Consent, Legal Obligation, Legitimate
Interests (Reasonable Purposes in the case Personal Data Protection Bill, 2019) are an integral
part of basic principles of both statues.

Then what is the major difference? The answer lies in the broad scope of India’s bill of Data
protection.
  The scope of sensitive personal data is much broader in the PDP than the GDPR. The
PDP provision regarding critical personal data has no appropriate parallel in the GDPR.
PDP names three categories of data- personal data, sensitive personal data, and critical
personal data. PDP names three categories of data- personal data, sensitive personal
data, and critical personal data.
 Sensitive personal data has been described in detail in the Rule 3 of the Information
Technology Act (Reasonable Security Practices and Procedures and Sensitive Personal
Data or Information) Rules, 2011 also known as the “SPDI Rules.”

There are also provisions to exempt certain government entities from the bill. Unlike the GDPR,
the PDP has provisions for governmental access of non-personal data held by any data processor
or data fiduciary for certain purposes relating to “better delivery of government services and
more effective policymaking.” This also denotes to the fact that government would be able to
access most of the data circulated after the implementation of the bill.

Under the PDP, sensitive personal data must be stored locally. However, in certain conditions,
this data can also be approved for cross-border transfer, although with explicit consent. This on
one hand ensures the safety of data being circulated but restricts the boundaries for its
transmission, which can come as a tough knob for those who work for multi-national companies
or foreign agencies through India. This data before transmission would come under purview of
the Central Government or Data Protection Authority set up by the government, which further
raises questions on the private nature of these sensitive information.

India as a country, is new to the concept of privacy and data protection. It is understood that
large sect of global “netizen-ship” hails from this nation of diversity, yet it has also been marked
clinically low in the Global Literacy Index, with only 63% 15 plus in age considered as
‘Literate’. Hence it can also be said that before implementing the laws and regulation, India
should be made aware and educated about privacy, data, internet, and social media. Without
having basic knowledge and terminology for the said terms of the 21st century, the imposition of
any kind of law, no matter how thought of or morally required it is, will go futile. It cannot be
denied that the structural efficiency that GDPR has provided to the institutions and individuals
dealing with and for the data is arguably a benchmark in the personal protection and human
rights field, but as for India, the constitution of which stands 30 times more than that of United
States of America and is considered as the longest constitution written and enacted must further
investigate the broader prospect of their privacy bill. With the landmark judgment of K.S
Puttuswamy (Retd) v Union of India, which declared Right to Privacy as an intrinsic part of
Right to Life and Liberty under Article 21 of the Indian Constitution, it has to be noted that
liberties and provisions exempting government entities and giving them access to non-personal,
yet cautionary data may in long term start infringing upon the right mentioned in United Nations
Declaration of Human Rights.

Hence, it is not necessarily required to thoroughly comply with an already existing data
protection guidelines of any sort, but to channelize the strengths of it and address the weaknesses
in one’s own system and incorporate them in a territory and user-friendly way, as the former
Chief Justice of India rightly quoted to the representing counsel of WhatsApp in a feud heard in
the Supreme Court that “You might be a 2-3 trillion dollar company, but people prefer their
privacy over that too.” This line of thought opens doors for those who were working for the
enhancement of privacy norms in India. However, as a matter of fact, awareness drives, data
protection courses, teachings in the sphere of privacy and laws related to it, is still required on a
humongous scale. Compliances and methodologies can be debated, amended, and rectified after
the implementation of a privacy regulation, that the common masses of India, from rural to
urban, understands, connects, and follows in their day-to-day life. India, in and through opinions
should start with the basics, and then gradually, with time, evolve their norms as per the demand
and usage. That, will ensure the sanctity and execution behind the moral and fundamentals of the
Personal Data Protection Bill and Data Protection on a whole.