This article has been written by Kunal Sinha and edited by Shashwat Kaushik pursuing MBA with Specialisation in Data Protection and Privacy Management (From Swiss School of Management). This article will analyse the current privacy laws in India in and how it stands in comparison with the EU’s GDPR. There are indisputable concerns which may arise with respect to following both the Personal Data Protection Bill (PDPB) vis-à-vis the General Data Protection Regulation (GDPR).
This article has been published by Sneha Mahawar.
Table of Contents
Introduction
Privacy has been topic of debate in the Indian parliament the bill to regulate privacy of people in the age of technology has reached the fourth draft, therefore, this showcases the attempt of the Indian legislators to lay down a law which is all-encompassing with the ever evolving privacy concerns in today’s age of technology.
The other pillar of democracy, i.e the Judiciary, has in a catena of judgments has held the recognition of privacy as a fundamental right protected by the Constitution of India, close. The Apex Court of India has been steadfast in their approach to protect the privacy of people in India. Although one may argue that the European Union vide GDPR has been the torchbearer and has shown little tolerance to businesses who have taken the aspect of privacy with a grain of salt and has paid a heavy price in the form of penalties for violations.
On the other hand, the social and economic atmosphere is different in both EU and India. EU which is largely developed is easier to regulate than India which is still a developing country. Additionally, the lawmakers have to balance the interests of both companies and individual. India has shown to be the promise land for entrepreneurs and stringent privacy laws may act as a deterrence for companies to function as it will be an additional statutory burden for the companies to comply with. The autonomy of the individual to conduct a trade protected by Article 19(1)(g) of the Constitution of India and the Article 16 of the Charter of Fundamental Rights of the EU may ultimately be reticent with stringent legislation as proposed by both GDPR and PDPB. For example, a duty to obtain express consent imposed by the said regulations notwithstanding the contractual agreement between the Data subjects and Processors is an infiltration into the contractual terms between the parties.
The current scenario
The Regulatory Framework as it stands today in the current scenario is governed by the Information Technology Act of 2000 and the Information Technology Rules of 2011 (I.T Act). The current Act contains both criminal and civil sanctions/liabilities for unauthorised use of personal data. The compliance with the IT Act is not exhaustive and exclusive as compared to GDPR. The said Regulations have commonalities such as requirement for consent from the data subjects, specifically for any given purpose. Additionally, the concept of withdrawing consent is also present in both regulations.
When it comes to distinctions between the regulations, the GDPR is an extremely comprehensive framework for unauthorised processing, safeguarding, and creating accountability and transparency. Article 5 Rule 5 categorically ensures adherence to certain provisions and entitlements, such as erasure, restriction of processing and profiling. The same is not present in the Indian IT Act, which has led to the drafting of the Personal Data Protection Bill (PDPB).
The amount of data that is shared and collected today is massive and still, one may argue that it is barely the beginning or just the tip of the iceberg of the way data is collected, used and processed. An example of data theft is when personal data is used without the consent or knowledge of the individual. Therefore, it’s important for companies that act as controllers and processors to comply with the laws.
The area of privacy laws in India is still in a nascent stage so the execution and compliance of data laws in India still have a long way to go, but undoubtedly in the right direction.
To answer the issue at hand, i.e., will complying with India’s privacy law mean violating GDPR? It is critical to analyse the broad distinctions and similarities that exist between the GDPR and the PDPB.
Personal Data Protection Bill (PDPB) resembles, in essence, the GDPR
The notion of data controllers who bear the onus of safeguarding the personal data of people is present in both PDPB and GDPR. The principle of consent from the data subjects (people whose data are being used) The consent of consent is the most important aspect of data protection laws worldwide, as it has multifarious implications and can curb the misuse of data. For example: Details of bank accounts that may be collected by hackers to commit thefts.
The PDPB does not lay down the implications and executions for contractual performance as opposed to GDPR. The exclusion of contractual performance as a basis for data processing may act as a potential conflict for companies that conduct business in both India and the EU. Therefore, again, the onus is on the data officers of the company to comply with both of these laws. As a company, being compliant in India may not be in compliance with laws in the EU.
As per the guidelines of GDPR, there is an obligation on the controllers to make all efforts necessary to authenticate the consent from the parents when they are in the process of acquiring data from a minor (under 16 years old). On the other hand, the PDPB’s definition of a minor is in accordance with Indian law, which is below the age of 18. The PDP B is also silent on the rights and entitlements of the data subject with respect to the acquisition of the set data by the data controller. Moreover, the PDPB does not encompass the right of erasure under the right to be forgotten, in comparison with the GDPR.
Lastly, the GDPR requires that controllers appoint a DPO, who is a data protection officer, when there are activities undertaken that involve monitoring and controlling large amounts of data. On the other hand, the PDPB experience requires that all entities appoint a data protection officer, even if the core activity does not involve the processing of data. Additionally, for compliance with cross-border data flows arising from India, it is imperative to take into account the GDPR’s applicable restrictions.
Lack of uniformity with GDPR
Different countries have different goals and demographics, and the “one size fits all” approach may not be beneficial to the implementation and enforcement of privacy laws. The PDPR has a striking resemblance to the GDPR, and they both guarantee to provide a robust standard of data protection. The GDPR’s fundamental aim to guarantee a concrete plan of data protection for persons within the EU has not come without its downsides.
It has been calculated by the European Commission’s Impact Assessment that although there are overall benefits, the UK Ministry of Justice has stated that the expenses made in execution surpass the advantages. As per the European Centre for International Political Economy (ECIPE), implementation of GDPR has resulted in lower productivity and has created trade impediments, which in turn may have an adverse impact on the GDP as well. The drawbacks are noticeable, especially as the compliances between different jurisdictions may be constraining for trade and commerce.
The ease of doing business under uniform regulations globally is an attractive concept for businesses, but the same may not occur as priorities change from state to state. The research evaluating the impact of GDPR has revealed increased expenses, such as implementation, that would adversely impact small and Medium sized enterprises (SMEs). Additionally, the potential expenses that may be incurred for execution and adherence to laws similar to GDPR for a country like India are difficult to assess as India still has a substantial portion of businesses that are unregulated.
Conclusion
The EU has been a torch-bearer when it comes to legislation around privacy. India, on the other hand, has taken it’s due time and consideration to come up with privacy regulations. There are certain provisions in the IT Act of India that are similar to those in the GDPR, such as the need for consent, which has to be obtained from the data subject before the data controller can use the data. Furthermore, the need for specifically mentioning what that data will be used for is also a requirement under the IT Act and likewise under the GDPR. The same necessitated the creation of PDPB, as the IT Act was comprehensive and incapable of addressing the present issues arising with the changes in the world of technology. However, provisions such as the right to erasure and severe sanctions for non compliance are not present in the IT Act of India. This necessitated an exclusive law pertaining to privacy, which led to the PDPB. India’s PDPB bears a stark resemblance to GDPR and bridges the gap in compliance for companies. An examination of the differences between the PDPB and GDPR helps to evaluate the plausible scenarios when one endeavours to adhere to either of them. There are commonalities between the aforesaid regulations, such as necessitating obtaining consent from data subjects for data processing, along with notable differences. The GDPR provides a more structured method for handling protection and establishing accountability and openness. To summarise, it can be argued that there are potential risks of a breach of GDPR in adherence with the proposed PDPB and the current IT Act of India.
References
- BURMAN, A. (2019). Will a GDPR-Style Data Protection Law Work for India? CARNIGIE, INDIA.
- https://www.lexology.com/library/detail.aspx?g=a7ddfd7c-caba-4a90-8460-1a1dd32e4fce#:~:text=Data%20subjects%20who%20have%20rights,modern%20laws%20such%20as%20GDPR.
- https://iapp.org/news/a/will-complying-with-indias-privacy-law-mean-violating-the-gdpr/
- https://spiceroutelegal.com/a-comparative-guide-to-the-gdpr-and-the-pdpb/#:~:text=Regardless%20of%20exceptions%2C%20the%20PDPB,processing%20principles%20and%20security%20safeguards.&text=Proceedings-,The%20GDPR%20allows%20member%20countries%20to%20carve%2
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.