The Personal Data Protection Bill 2019 (PDP Bill) is the first regulation in India governing data privacy and data protection. Recently, it was referred to the Joint Select Committee of both houses instead of the Standing Committee on Information Technology. The bill currently seeks to regulate the cross-border flow of data and provides for the protection of personal data by setting up a Data Protection Authority.
The PDP Bill, 2019 as tabled appears to be heavily influenced by the European Union’s General Data Protection Regulation (GDPR). However, there are some glaring dissimilarities between the two legislations. In order to understand these dissimilarities better, an acquaintance with a few key terms is essential. These key terms include:
● The data subject under GDPR, or data principal under the PDP Bill: the natural person to whom the data belongs.
● The data controller under GDPR, or data fiduciary under the PDP Bill: any person or legal entity, including the State, who determines the purpose and means of processing the data.
● Data processor: any person or legal entity, including the State, who processes the data. This may be the data fiduciary itself or a third party.
● Automated means: any equipment capable of operating automatically in response to instructions given for the purpose of processing data.
The features of PDP Bill, 2019 that are in contrast with GDPR are:
● Classification of Data: The GDPR distinguishes between ‘special categories of data’ and ‘personal data’, with a higher threshold of protection requirements applicable to the former. The PDP Bill divides data into three categories: personal data, sensitive personal data, and critical data. Personal data generally includes all kinds of data, while sensitive personal data consists of financial data, health data, and data concerning sex life and sexual orientation. The PDP Bill does not define critical data; instead, it gives the Central Government the power to declare any data as critical data.
● Data Localisation (the compulsory requirement to store certain data within the territory of the State): Given the importance of data in this globalised world, the GDPR aims at protecting data while ensuring its free flow. It allows cross-border transfer of all types of data provided that an adequate framework of data protection exists in the country of transfer. Such adequacy is determined by the EU Commission’s assessment. On the other hand, the PDP Bill’s main focus seems to be on the protection and regulation of data rather than on enabling its cross-border flow. Sensitive personal data collected, shared or disclosed to the data fiduciary in India has to be stored within the territory of India only, although this category of data may be processed outside India. Critical data (as assessed by the Central Government) cannot be transferred across the borders of India, thereby introducing a mandatory requirement to store this kind of data within India only. In contrast, the GDPR’s approach to handling data is more pragmatic, ensuring that the data gets similar protection once it moves out of the GDPR’s jurisdiction.
● Storage Limitation: Under GDPR, data is required to be kept in an identifiable form only for the duration required for the specified purpose. Exceptions allowing longer storage for certain purposes, such as public interest, scientific, historical or statistical purposes, have been provided. Under the PDP Bill, however, the distinction between types of data is relevant for storage purposes. Besides the mandatory requirement of storing data within the territory of India, data can also be stored for longer durations with the permission of the data principal or if required by any law or obligation.
● Right to restrict processing: Under the GDPR, a data subject has the right to limit or restrict the processing of his/her data, meaning that the data processing can be stalled at an intermediate stage on grounds such as data inaccuracy or unlawful processing. The PDP Bill does not incorporate this intermediate right to restrict processing, which provides a window to stop the processing while claims under other rights are still under challenge. Under the PDP Bill this right only materialises for the data principal once the data has been processed, thereby creating a lacuna that needs to be addressed.
● Rights of the data subject or data principal: The GDPR and the PDP Bill provide considerably similar rights to the data subject or data principal. These rights are namely: the right to access and confirmation of processing of data (the data cannot be processed without the unequivocal consent of the data subject); the right to rectification of inaccurate data (maintaining the accuracy of the data collected); the right to erasure, or right to be forgotten (the data subject or data principal can ask for deletion of data provided for processing); the right to update data periodically (the data subject or data principal can update their necessary data in a timely manner); and the right to data portability (data can be transferred through various modes).
However, the GDPR and the PDP Bill differ on the right not to be subjected to automated decisions, such as profiling (automated processing of personal data to evaluate certain things about an individual). This right essentially gives the data subject a claim to intervene when such data is automatically processed in order to make an important decision about them, one that leads to legal consequences.
For example, to obtain a faster result, automated processing may be used to profile the probable behaviour of an individual. It is possible, however, that the individual will not actually behave in the manner reflected in the results. In that case, if such profiling affects the legal rights of the individual, the person must have recourse to human intervention.
● Certification Mechanism: The EU GDPR provides for a data protection certification mechanism, with data protection seals and marks, to ensure that data controllers and data processors are compliant with the Regulation for the purposes of international data transfer. The Indian PDP Bill does not provide for any such certification mechanism, which raises the question of what standards the data fiduciaries are to adhere to.
● Restrictions and Exemptions: The GDPR does not inherently restrict the conditions for cross-border data flow or the rights and principles to which a data processor or controller is subjected; however, these rights and obligations can be restricted so long as the restriction respects the essence of fundamental rights and freedoms. Under the PDP Bill, conditions similar to those the GDPR defines as ‘restrictions’ are classified as ‘exemptions’, under which the Central Government may make laws or regulations that alter the rights of a data fiduciary to protect data. The Bill also empowers the Central Government to exempt its agencies from the application of the Act for purposes in the interest of the sovereignty and integrity of India or national security, thereby removing consent, accountability and transparency obligations to ensure effective processing of data.
● Codes of Practice: Both the GDPR and the PDP Bill provide for the creation of codes of conduct based on standards of ‘good practice’ to ensure proper implementation of their respective laws. Importantly, the GDPR also provides for monitoring of adherence to such codes of practice by a body that has sufficient expertise in the subject matter and is ‘accredited’ by the supervisory authorities of the EU Member States (all EU Member States are to establish a ‘supervisory authority’ for the proper implementation of GDPR within their States). No such body has been provided for under the PDP Bill. Thus, the question of proper implementation of codes of practice under this Bill has been left unanswered.
● Compensation: Under the GDPR and the PDP Bill, penalties for violating the regulations are relatively the same. However, unlike the GDPR, which provides for compensation to any person who has suffered material or non-material damage from the infringement of obligations under GDPR, the PDP Bill does not provide for any such compensation.
Various countries, including the United States of America and the EU, have heavily criticised the data localisation policy. Critical data, as notified by the Central Government, cannot be transferred across the borders of India. While India is trying to put barriers on the cross-border flow of data and to protect data, it does not provide all rights to data principals or subjects in the manner they are available under GDPR. On the face of it, the present PDP Bill appears to embody the GDPR’s principles for liberalisation of the cross-border flow of data and data protection; however, with the various caveats and checks it introduces, the PDP Bill has made conditions more onerous for data fiduciaries to function in India.