(Co-authored by Shreya Chandhok, a second-year student at National Law Institute University, Bhopal, during her internship with Ikigai Law.)

I. Introduction

The General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") came into force on 25 May 2018 as an umbrella regulation to safeguard data and privacy in the European Union ("EU") and the European Economic Area. Closer home, in Justice K.S. Puttaswamy (Retd.) & Anr v Union of India & Ors[1] ("Privacy Judgment"), a nine-judge bench of the Supreme Court of India fleshed out the need for a strong data protection regime[2]. Accordingly, the Ministry of Electronics and Information Technology ("MeitY") constituted a committee of experts headed by Justice B. N. Srikrishna (former Supreme Court of India judge) ("Srikrishna Committee"). The committee submitted its report on 27 July 2018, which also contained a draft data protection law, later released as the draft Personal Data Protection Bill, 2018 ("2018 Draft Bill")[3]. This draft was floated for public feedback till 10 October 2018[4]. Armed with extensive comments and information from consultations with diverse stakeholders, the government set out to revise the 2018 Draft Bill. The revised version was tabled in the Indian Parliament on 11 December 2019[5] as the Personal Data Protection Bill, 2019 ("PDP Bill").

The underlying principles of the PDP Bill are broadly similar to those of the GDPR. However, there are some differences between the two instruments. The comparison below examines whether compliance with the GDPR would automatically make an entity compliant with the PDP Bill in India as well. This analysis may be important to data fiduciaries[6] ("DF") and data processors[7] ("DP") from the perspective of compliance costs and strategies.[8]

II. Theme-wise comparison between the GDPR and the PDP Bill

For each theme, the GDPR position, the PDP Bill position and the observation(s) are set out in turn.

1. Territorial and material scope

GDPR: Has extraterritorial applicability[9] in some cases. Applies to data[10] that relates to an identified or identifiable natural person (personal data) as well as to 'special categories of personal data'. Relaxes certain requirements for data controllers ("DC") who pseudonymise personal data. Excludes anonymised data from its application.

PDP Bill: Has extraterritorial applicability in limited cases[11]. Empowers the central government to exempt certain agencies of the government of India from the application of the bill[12]. Further, allows the government to exempt DPs processing the data of foreign nationals from the application of the bill, subject to certain conditions[13]. Covers personal data, sensitive personal data ("SPD") and critical personal data. There is no parallel to critical personal data under the GDPR. Further, the scope of SPD under the PDP Bill is wider than that of special categories of data in the GDPR[14]. Additionally, the central government is authorised to prescribe new categories of SPD[15], and the central government determines what 'critical personal data' is[16]. Unlike the GDPR, the PDP Bill governs anonymised data and non-personal data to a certain extent, i.e. the central government can ask DFs and DPs to provide such data for better policy-making and targeted delivery of services[17].

Observation(s): The GDPR does not govern anonymised data at all, while the PDP Bill allows the government to access non-personal data held by any DP or DF for specific purposes under clause 91. Anonymisation standards may also differ between the PDP Bill and the GDPR. Therefore, being GDPR compliant does not necessarily make an entity compliant with the PDP Bill. The broader definition of SPD means that entities in India will have to apply higher standards of data protection to more categories of personal data than under the GDPR. Entities will have to be especially careful with their processing of 'critical personal data', which has no parallel in the GDPR.

2. Data localisation and cross-border data flows

GDPR: No hard data localisation[18]. Cross-border data transfers are allowed subject to certain conditions[19]. Special categories of personal data may be prohibited from being transferred outside the country[20]. Cross-border data transfer is permitted with or without the authorisation of the relevant Supervisory Authority (depending on the nature of the data), subject to certain restrictions[21].

PDP Bill: Places no restriction on the processing and transfer of personal data outside India. SPD is to be stored only in India[22], but may be transferred outside India for processing with explicit consent in limited conditions[23]. Critical personal data is to be stored and processed only in India[24], but may be transferred outside India in limited conditions[25].

Observation(s): Entities will have to comply with stricter standards of data localisation under the PDP Bill than under the GDPR. The conditions for cross-border data transfer may differ between the Data Protection Authority ("DPA") and the Supervisory Authority. Therefore, compliance with the GDPR may not result in compliance with the PDP Bill, since transfers outside India will depend on approvals or permissions from either the DPA or the central government. However, there are some overlaps between the GDPR and the PDP Bill (for instance, intra-group schemes or the broad idea of adequacy).

3. Notice and consent

GDPR: Notices[26] need to be clear, simple and easy to understand and must contain all relevant details, including the identity of the DC and the contact details of the data protection officer ("DPO"), among other things. Valid consent of the data subject (consent which is freely given, specific, informed, unambiguously indicated through a statement or clear affirmative action, and capable of being withdrawn) should be procured before processing[27].

PDP Bill: Notice requirements include the GDPR requirements plus notices in multiple languages and data trust scores or other information asked for by the DPA[28]. Consent requirements are similar to those in the GDPR[29]. SPD is to be processed only on the basis of explicit consent[30]. A new class of entities called 'consent managers' has been introduced in the PDP Bill to help manage the consent of data principals[31].

Observation(s): Compliance with the GDPR is not equivalent to compliance with the PDP Bill's notice requirements. The PDP Bill offers relatively more clarity on the legal consequences of consent withdrawal than the GDPR does. Unlike the GDPR, the PDP Bill proposes a new type of entity for channelling consent, i.e. 'consent managers'.

4. Data processing principles and grounds for processing personal data

GDPR: The data processing principles are lawfulness, fairness and transparency; collection limitation; purpose limitation; accuracy; storage limitation; integrity and confidentiality; and accountability[32]. The grounds for processing personal data are consent, compliance with the law, public interest, vital interest, performance of a contract, legitimate interests, and where data has been manifestly made public by the data subject[33].

PDP Bill: The data processing principles[34] under the PDP Bill are similar to those in the GDPR. In addition to the grounds listed in the GDPR, the grounds for processing personal data are 'purposes relating to employment'[35] and 'reasonable purposes as specified by the DPA'[36].

Observation(s): All the grounds under the GDPR are placed on an equal footing, unlike the PDP Bill, which considers consent the primary basis and treats all other grounds as exceptions[37]. Performance of a contract is not a ground for processing data without consent under the PDP Bill, while it is under the GDPR. Under the GDPR, data can be retained for a longer time for archiving, research or statistical purposes, whereas under the PDP Bill data can be retained for a longer time only if the data principal explicitly consents or to comply with an obligation under a law. The PDP Bill does not recognise 'legitimate interests' (as provided in the GDPR), but allows DFs to process data for 'reasonable purposes'. However, unlike legitimate interests, which are determined by the DCs themselves, reasonable purposes will be specified by the DPA. Thus, being compliant with the GDPR does not mean automatic compliance with the PDP Bill.

5. Security and compliance

GDPR: DCs are required to incorporate data protection by design[38]. DPs and DCs are obligated to implement security safeguards[39] for personal data. DCs are obligated to perform Data Protection Impact Assessments ("DPIA") prior to processing some kinds of personal data, subject to limited prescribed exemptions[40]. Each DC is required to maintain a record of the processing activities it is responsible for, with certain exceptions[41]. Each Supervisory Authority is empowered to investigate DPs and DCs through data protection audits[42].

PDP Bill: Requires DFs to prepare[43] privacy by design policies. DFs may subsequently have these policies certified[44]. They are required to publish this policy on their own and the DPA's websites[45]. DFs and DPs need to implement security safeguards[46]. Significant DFs are required to: (i) undertake DPIAs[47]; (ii) maintain up-to-date records of certain information in the form prescribed by the DPA[48]; and (iii) have their conduct and policies audited by an independent auditor[49]. The DPA will register experts in information technology, data science and computer systems as data auditors. The PDP Bill requires data protection officers to 'review'[50] the DPIA prepared by DFs and give their opinion on it.

Observation(s): In terms of privacy/data protection by design, the PDP Bill and the GDPR are broadly aligned, and both refer to similar concepts such as DPIAs, privacy by design and audits. There are, however, differences in approach. Under the GDPR, all DCs have to undertake DPIAs and maintain records, whereas under the PDP Bill only 'significant DFs' are required to do so. Further, the PDP Bill allows the DPA to notify regulations specifying the manner in which data auditors should conduct their data audits, whereas the GDPR does not. Further, DFs that get their policies certified under the PDP Bill will be eligible to participate in the data sandbox[51]. The GDPR does not propose a sandbox. The grounds for determining if a DPIA is necessary are wider under the GDPR. Further, the information to be provided in the DPIA is narrower under the PDP Bill than under the GDPR. Thus, complying with the GDPR may not be enough to ensure compliance with the PDP Bill.

6. Breach notification

GDPR: DCs are required to notify the Supervisory Authority of a personal data breach[52] within 72 hours, with limited exceptions. The data subject is required to be notified of the breach without undue delay if there is a probability of significant harm to the rights of data subjects, subject to the prescribed exemptions.

PDP Bill: Requires every DF to inform the DPA of any breach which is likely to cause harm to data principals, within the timeline stipulated by the DPA[53]. DFs have to notify data principals only when required to do so by the DPA. The DPA determines whether an individual should be notified, taking into account the severity of the harm that may be caused to the data principal or whether any action is required on the part of the data principal to mitigate such harm[54].

Observation(s): The thresholds for notification of a breach differ between the GDPR and the PDP Bill. Under the GDPR, all breaches are to be reported to the Supervisory Authority unless the breach is unlikely to result in a risk to individuals. Under the PDP Bill, breaches are to be notified to the DPA if they are likely to cause harm to data principals. Unlike the GDPR, under the PDP Bill DFs have to notify data principals only when required to do so by the DPA.

7. Data processors

GDPR: DCs can only employ DPs who comply with the GDPR. For this, DPs have to provide sufficient guarantees that they implement appropriate measures to comply with the GDPR. This may be evidenced by a DP's adherence to an approved code of conduct[55] or an approved certification[56]. A DP needs prior authorisation from the DC before engaging another DP[57]. If a DP determines the purpose and means of processing, such DP shall be considered a DC for the purposes of the GDPR[58]. The European Commission may lay down standard contractual clauses for contracts between DPs and DCs[59].

PDP Bill: DFs can employ a DP through a valid contract to process data on their behalf[60]. A DP may engage another DP for processing data with the authorisation of the DF or if permitted under its contract with the DF[61].

Observation(s): The PDP Bill appears to be slightly more relaxed in its requirements for contracts with DPs, unlike the GDPR, where DPs have to give DCs sufficient guarantees that they will adhere to the GDPR. In practice, however, under the PDP Bill DPs may have to provide similar guarantees to DFs. The GDPR empowers the European Commission to prescribe standard contractual clauses for agreements between DCs and DPs. The PDP Bill does not expressly provide for a similar measure with respect to the DPA.

8. Storage limitation

GDPR: Data is required to be kept in an identifiable form only for as long as necessary, and the exceptions under which the storage period may be extended are clearly laid down[62]. Exceptions such as public interest and scientific, historical and statistical purposes have been provided for[63].

PDP Bill: Requires that data shall not be retained beyond the period necessary to satisfy the purpose for which it is collected, and that it be deleted once the purpose is fulfilled[64]. Requires the 'explicit consent' of the data principal to retain data for a longer period of time[65].

Observation(s): Unlike the GDPR, the PDP Bill requires the explicit consent of the data principal in order to store data for longer than is necessary to satisfy the purpose for which it was collected. Therefore, compliance with the GDPR may not be enough to ensure compliance with the PDP Bill.

9. Grievance redressal and penalties

GDPR: DCs and DPs shall assist the DPO in carrying out any task related to grievance redressal[66]. Data subjects can contact the DPO to exercise their rights under the GDPR[67]. Data subjects have the right to approach the Supervisory Authority and to seek judicial remedy in certain situations[68]. Each member state shall make rules to implement the provisions of the GDPR related to penalties[69]. The GDPR prescribes fines (of up to 10 million euros in certain cases) for the DC, certification authority and monitoring body, variably, if they fail to comply with their obligations under the GDPR[70].

PDP Bill: DFs are required to maintain grievance redressal mechanisms[71]. The data principal can raise concerns with an officer assigned for the purpose, and the grievance must be resolved within 30 days[72]. Any person aggrieved by an order made by the adjudicating officer can appeal to the appellate tribunal[73]. The PDP Bill prescribes penalties[74] (of up to INR 15 crores in certain cases). Where no specific penalty has been provided, the person shall be liable to pay a penalty of up to INR 1 crore (in the case of a significant DF, as defined under the PDP Bill) and up to INR 25 lakh (for other DFs and other specified entities such as data auditors)[75].

Observation(s): The PDP Bill stipulates a time period of 30 days within which a grievance is to be addressed; the GDPR does not prescribe such a time period. Unlike the GDPR, the PDP Bill allows any person, as opposed to only a data principal, to appeal to the appellate tribunal. The difference in the amount of the penalties imposed by the GDPR and the PDP Bill is significant.

Footnotes

[1] Justice K.S. Puttaswamy (Retd.) & Anr v Union of India & Ors, (2017) 10 SCC 1.

[2] Para 1354, Privacy Judgment.

[3] See https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf.

[4] MeitY, Feedback on Draft Personal Data Protection Bill, available at https://meity.gov.in/content/feedback-draft-personal-data-protection-bill.

[5] The text and date of introduction of the Personal Data Protection Bill, 2019 is available at http://164.100.47.194/Loksabha/Legislation/NewAdvsearch.aspx.

[6] A 'data fiduciary' means "any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data".

[7] A 'data processor' means "any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary".

[8] For a comparison of the 2018 PDP Bill and the GDPR, please refer to this blog post.

[9] Refer article 3 read with recitals 22, 23, 24 and 25, of the GDPR.

[10] Refer articles 1, 2, 4 and 9 read with recitals 26 and 51, of the GDPR.

[11] Refer clause 2, PDP Bill.

[12] Refer clause 35, PDP Bill.

[13] Refer clause 37, PDP Bill.

[14] Refer clause 3 (36), PDP Bill.

[15] Refer clause 15, PDP Bill.

[16] Explanation to clause 33 (2), PDP Bill.

[17] Refer clause 91, PDP Bill.

[18] Refer articles 44, 48 and 49 read with recitals 101 and 115, of the GDPR.

[19] Refer articles 44, 48 and 49 read with recitals 101 and 115, of the GDPR.

[20] Refer articles 44, 48 and 49 read with recitals 101 and 115, of the GDPR.

[21] Refer articles 44, 45, 46, 47 and 48 read with recitals 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113 and 114, of the GDPR.

[22] Refer clause 33 (1), PDP Bill.

[23] Refer clause 34 (1), PDP Bill.

[24] Refer clause 33 (2), PDP Bill.

[25] Refer clause 34 (2) PDP Bill.

[26] Refer articles 7, 12, 13, 14, 40 and 41 read with recitals 60, 61 and 62, of the GDPR.

[27] Refer articles 4, 6, 7 and 9 read with recitals 32, 33, 40, 42, 43, 50, 51, 54, and 71, of the GDPR.

[28] Refer clause 7, PDP Bill.

[29] Refer clause 11, PDP Bill.

[30] Refer clause 11 (2), PDP Bill.

[31] Refer clause 23, PDP Bill.

[32] Refer article 5 read with recital 39, of the GDPR.

[33] Refer articles 4 (11), 6, 7 and 9 read with recitals 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, and 50, of the GDPR.

[34] Refer clauses 4, 5, 6, 7, 8, 9, 10, PDP Bill.

[35] Refer clause 13, PDP Bill.

[36] Refer clause 15, PDP Bill.

[37] Refer clauses 12, 13, 14 and 15, PDP Bill.

[38] Refer articles 25 and 42 read with recital 78, of the GDPR.

[39] Refer article 32 and recital 83, of the GDPR.

[40] Refer article 35 read with recitals 75, 84, 89, 90, 91, 92, 93, 94, 95 and 96, of the GDPR.

[41] Refer article 30 read with recitals 13 and 82, of the GDPR.

[42] Refer article 58 read with recitals 122, 129 and 131, of the GDPR.

[43] Refer clause 22 (1), PDP Bill.

[44] Refer clause 22 (2), PDP Bill.

[45] Refer clause 22 (4), PDP Bill.

[46] Refer clause 24, PDP Bill.

[47] Refer clause 27, PDP Bill.

[48] Refer clause 28, PDP Bill.

[49] Refer clause 29, PDP Bill.

[50] Refer clause 27 (4), PDP Bill.

[51] Refer clause 40, PDP Bill.

[52] Refer articles 19, 33, 34 and 55 read with recitals 85, 87, 88 and 89, of the GDPR.

[53] Refer clauses 25 (1) and 25 (3), PDP Bill.

[54] Refer clause 25 (5), PDP Bill.

[55] Under article 40 of the GDPR.

[56] Under article 42 of the GDPR.

[57] Refer to article 28 read with recital 81, of the GDPR.

[58] Refer to article 28 read with recital 81, of the GDPR.

[59] Refer to article 28 read with recital 81, of the GDPR.

[60] Refer clause 31, PDP Bill.

[61] Refer clause 31 (3), PDP Bill.

[62] Refer article 39, of the GDPR.

[63] Refer article 39, of the GDPR.

[64] Refer clause 9, PDP Bill.

[65] Refer clause 9 (2), PDP Bill.

[66] Refer articles 38, 57, 77, 78, 79 and 80 read with recital 97, of the GDPR.

[67] Refer articles 38, 57, 77, 78, 79 and 80 read with recital 97, of the GDPR.

[68] Refer articles 38, 57, 77, 78, 79 and 80 read with recital 97, of the GDPR.

[69] Refer articles 83 and 84 read with recitals 148, 149, 150, 151 and 152, of the GDPR.

[70] Refer articles 83 and 84 read with recitals 148, 149, 150, 151 and 152, of the GDPR.

[71] Refer clause 39, PDP Bill.

[72] Refer clause 32 (2), PDP Bill.

[73] Refer clause 72, PDP Bill.

[74] Refer clauses 57, 58, 59, 60, PDP Bill.

[75] Refer clause 61, PDP Bill.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.