1. Introduction
The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) came into force on 25 May 2018 as an umbrella regulation to safeguard data and privacy in the European Union (“EU”) and European Economic Area. Closer home, in Justice K.S. Puttaswamy (Retd.) & Anr v Union of India & Ors[1] (“Privacy Judgment”), a nine judge bench of the Supreme Court of India fleshed out the need for a strong data protection regime[2]. Accordingly, the ministry of electronics and information technology (“MeitY”) constituted a committee of experts, headed by Justice B. N. Srikrishna (former Indian Supreme Court Judge) (“Srikrishna Committee”). This committee submitted its report on 27 July 2018, which also contained a draft data protection law, later codified as the draft Personal Data Protection Bill, 2018 (“PDP Bill”)[3].
While the underlying principles and structure of the PDP Bill may be similar to the GDPR, there are some critical differences between the two instruments. The intent of this blog post is to examine whether compliance with the GDPR would automatically make an entity compliant with the draft PDP Bill in India as well. This analysis may be important to data fiduciaries[4] (“DF”) and data processors[5] (“DP”) from the perspective of compliance costs and strategies.
2. Theme-wise comparison between the GDPR and the PDP Bill
| S. No. | Theme | GDPR | PDP Bill | Observation(s) |
| 1. | Territorial and material scope | · Has extraterritorial applicability[6] in some cases.
· Applies to data[7] that relates to an identified/identifiable natural person (also called personal data) as well as ‘special categories of personal data’. · Relaxes certain requirements on data controllers (“DC”) who pseudonymize personal data. · Excludes anonymized data from its application.
|
· Has extraterritorial applicability[8] in some cases.
· Empowers the central government to exempt certain Indian DPs from the law. · Applied to personal data and sensitive personal data (“SPD”). The definition of SPD is broader than special categories of data under the GDPR. Further, Data Protection Authority (“DPA”) may prescribe new categories of SPD. · Envisages a category of ‘critical personal data’ which can be processed only in India. There is no parallel in the GDPR. · Excludes anonymized data from its application.
|
· Anonymization standards may differ between the PDP Bill and the GDPR. Therefore, being GDPR compliant does not necessarily make an entity compliant with the PDP Bill.
· Broader definition of SPD means that entities in India will have to apply higher standards of data protection to more categories of personal data in India, as compared to the GDPR. · Entities will have to be especially careful with their processing of ‘critical personal data’, which has no parallel in the GDPR.
|
| 2. | Data localisation and cross border data flows | · No hard data localisation[9]. Cross border data transfers allowed subject to certain conditions. Special categories of personal data may be prohibited from being transferred outside the country.
· Cross border data transfer permitted[10] with and without the authorization of the relevant Supervisory Authority (depending on the nature of the data), subject to certain restrictions. |
· Prescribes different conditions for data localization[11] and for cross border transfer of different categories of data: (i) for personal data, DFs are required to have at least one “serving copy” in India. (“Local Storage Requirement”), with some exemptions; (ii) the Local Storage Requirement extends to SPD, without any exemptions; (iii) critical personal data may be processed only in India.
· Cross border transfer[12] of personal data and SPD permitted in some cases, subject to certain conditions. Critical personal data may be transferred outside India in limited cases. |
· Entities may have to comply with higher standards of data localization under the PDP Bill, as compared to the GDPR. The conditions for cross border data transfer may differ between the DPA and the Supervisory Authority.
· Therefore, compliance with the GDPR may not result in compliance with the PDP Bill entirely. However, there are some overlaps between the GDPR and the PDP Bill.
|
| 3. | Notice and consent | · Notices[13] need to be clear, simple and easy to understand and must contain all relevant details including identity of the DC, contact details of the data protection officer (“DPO”), among other things.
· Valid consent[14] (consent which is freely given, specific, informed, unambiguously indicated through a statement/clear affirmative action and, capable of being withdrawn) of the data subject should be procured before processing. |
· Notice requirements[15] include the GDPR requirements plus notices in multiple languages and data trust scores/other information as asked for by the DPA.
· Consent requirements[16] are similar to those in the GDPR. The PDP Bill fixes responsibility for consequences of consent withdrawal on the data principal. · SPD to be processed only on the basis of explicit consent, as defined in the PDP Bill. |
· Compliance with the GDPR is not equivalent to compliance with the PDP Bill’s notice requirements.
· The PDP Bill offers relatively more clarity on the legal consequences of consent withdrawal than the GDPR.
|
| 4. | Data processing principles and grounds for processing personal data | · Data processing principles[17] are lawfulness, fairness and transparency; collection limitation; purpose limitation; accuracy; storage limitation; integrity and confidentiality’ and accountability.
· Grounds for processing personal data[18] are consent, compliance with the law, public interest, vital interest, performance of a contract, legitimate interests, when data is manifestly made public by the data principal. |
· Data processing principles[19] are substantially similar with semantic differences.
· In addition to the grounds listed in the GDPR, the grounds[20] for processing personal data are ‘purposes relating to employment’, and ‘reasonable purposes as specified by the DPA’. · Performance of a contract is not a ground under the PDP Bill, while it is under the GDPR. |
· Under the GDPR, data can be retained for a longer time for archiving/ research/statistical purposes, whereas under the PDP Bill, data can be retained for a longer time if explicitly mandated by a law to comply with any obligation under a law.
· The PDP Bill allows the DPA to specify further grounds for data processing while there is no corresponding provision in the GDPR. Thus, being compliant with the GDPR does not mean automatic compliance with the PDP Bill. |
| 5. | Security and compliance | · DC is required to incorporate data protection by design[21].
· DPs and DCs are obligated to enforce security safeguards[22] for personal data · DCs are obligated to notify the breach of personal data[23] to the Supervisory Authority, within 72 hours, with limited exceptions. · DCs are obligated to perform data protection impact assessment[24] (“DPIA”) prior to processing some kinds of personal data subject to limited prescribed exemptions. · Each DC is required to maintain a record[25] of processing activities that it is responsible for, with certain exceptions. · Each Supervisory Authority is empowered to investigate DPs and DCs through data protection audits[26]. |
· The PDP Bill also requires privacy by design[27].
· DFs and DPs need to implement security safeguards[28]. · DFs must notify[29] the DPA of any breach in personal data security, who will determine if the affected data principals should be notified. · DFs are obligated to perform DPIA[30] prior to the processing personal data in certain cases. The concerned DPO is obligated to review the DPIA and submit the review to the DPA. · The DF is required to maintain up-to-date records[31] of certain information in the form prescribed by the DPA. · The DF shall get its conduct and policies audited[32] by an independent auditor. The DPA will register experts in information technology, data science, and computer systems as data auditors.
|
· In terms of privacy/data protection by design PDP Bill and the GDPR are broadly aligned.
· The codes of practice under the PDP Bill and the GDPR may not be the same. · What is likely to adversely affect a data principal may differ between the Supervisory Authority and the DPA. · The grounds for determining if DPIA is necessary are wider under the GDPR. Further, the information to be provided in the DPIA is narrower under the PDP Bill as compared to the GDPR. · Until the DPA determines the final list of records to be maintained and their final form, there is little clarity on how to comply with this requirement of the PDP Bill. The PDP Bill requires only DFs to maintain records, whereas the GDPR imposes record keeping obligations on both, DCs and DPs. · The PDP Bill expressly mandates data protection audits whereas the GDPR only requires compliance with the best security practices. The PDP Bill allows data auditors to assign data trust scores, whereas the GDPR does not. Thus, complying with the GDPR may not be enough to ensure compliance with the PDP Bill. |
| 6. | Data processors | · DCs can only employ DPs[33] who comply with the GDPR. A DP needs prior authorisation from the DC before engaging another DP.
· If the DP determines the purpose and means of processing, such DP shall be considered as a DC for the purposes of the GDPR. |
· The DF can employ a DP[34] through a valid contract to process data on its behalf.
· The DP may engage another DP in certain cases. |
· The GDPR treats DPs as DCs if the DP in question determines the purpose and the means of processing personal data, while the PDP Bill makes no such stipulation. With this one exception, the two instruments seem broadly aligned. |
| 7. | Grievance redressal and penalties | · The DC and DP shall assist the DPO in carrying out any task related to grievance redressal[35] .
· The data subjects can contact the DPO to exercise their rights under the GDPR. · Data subjects have the right to approach the Supervisory Authority to seek judicial remedy in certain situations. · Each member state shall make rules to implement GDPR the provisions related to penalties[36]. · The GDPR prescribes fines (of up to 10 million euros in certain cases) for the DC, certification authority and monitoring body, variably, if they fail to comply with their obligations under the GDPR. |
· DFs to maintain grievance redressal mechanisms[37].
· The data principal can raise concerns to an officer assigned for the purpose, which grievance must be resolved within 30 days. · Any person aggrieved by an order made by the adjudication officer can appeal to the appellate tribunal. · The PDP Bill prescribes penalties[38] (of up to INR 15 crores in certain cases). · Where no specific penalties have been provided, the person shall be liable to pay a penalty of up to INR 1 crore (in case significant DF, as defined under the PDP Bill) and up to INR 25 lakh (for other DFs and other specified entities such as the data auditors). |
· Unlike the GDPR, the PDP Bill does not allow states to determine their rules regarding penalties for any violation.
· Further, the penalties imposed under GDPR are significantly higher than the ones imposed by the PDP Bill. · Unlike the GDPR, any person can appeal to the appellate authority under the PDP Bill. · Therefore, complying with the GDPR may not be enough to prove compliance with the PDP Bill.
|
(Authored by Ratul Roshan, Associate, with inputs from Tuhina Joshi, Associate and Nehaa Chaudhari, Public Policy Lead at Ikigai Law)
[1] Justice K.S. Puttaswamy (Retd.) & Anr v Union of India & Ors[1], (2017) 10 SCC 1.
[2] Para 1354, Privacy Judgment.
[3] See https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf.
[4] According to section 3(13) of the PDP Bill, a ‘data fiduciary’ means “any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data”.
[5] According to section 3(15) of the PDP Bill, a ‘data processors’ means “any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary”.
[6] Refer article 3 read with recitals 22, 23, 24 and 25.
[7] Refer articles 1, 2, 4 and 9 read with recitals 26 and 51.
[8] Refer sections 2 and 104.
[9] Refer articles 44, 48 and 49 read with recitals 101 and 115.
[10] Refer articles 44, 45, 46, 47 and 48 read with recitals 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113 and 114.
[11] Refer section 40.
[12] Refer section 41.
[13] Refer articles 7, 12, 13, 14, 40 and 41 read with recitals 60, 61 and 62.
[14] Refer articles 4, 6, 7 and 9 read with recitals 32, 33, 40, 42, 43, 50, 51, 54, and 71.
[15] Refer section 8.
[16] Refer sections 12 and 18.
[17] Refer article 5 read with recital 39.
[18] Refer articles 4(11), 6, 7 and 9 read with recitals 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, and 50
[19] Refer sections 4, 5, 6, 7, 8, 9, 10 and 11.
[20] Refer sections 12, 13, 14, 15, 16, 17, 18, 19, 20, 21 and 22.
[21] Refer articles 25 and 42 read with recital 78.
[22] Refer article 32 and recital 83.
[23] Refer articles 19, 33, 34 and 55 read with recitals 85, 87, 88 and 89.
[24] Refer article 35 read with recitals 75, 84, 89, 90, 91, 92, 93, 94, 95 and 96.
[25] Refer article 30 read with recitals 13 and 82.
[26] Refer article 58 read with recitals 122, 129 and 131.
[27] Refer sections 29 and 30.
[28] Refer sections 31 and 61.
[29] Refer section 32.
[30] Refer section 33.
[31] Refer section 34.
[32] Refer section 35.
[33] Refer to article 28 read with recital 81.
[34] Refer section 37.
[35] Refer articles 38, 57, 77, 78, 79 and 80 read with recital 97.
[36] Refer articles 83 and 84 read with Recitals 148, 149, 150, 151 and 152.
[37] Refer section 39.
[38] Refer sections 69, 70, 71, 72 and 73.
