
This article has been written by Devangi Vatsaraj, pursuing an MBA with a Specialisation in Data Protection and Privacy Management (From Swiss School of Management) from LawSikho.

This article has been published by Rachit Garg.

Introduction

Data protection legislation around the globe requires that individuals’ data be protected while it is processed and while it moves freely. The legal requirements for processing include that the data be processed fairly and lawfully, be kept accurate and up to date, be covered by measures that mitigate accidental loss, and be transferred only to countries with adequate levels of data protection in place. The General Data Protection Regulation (GDPR) is by far the toughest privacy law in the world. The European Union Regulation, i.e., the GDPR, came into effect on May 25, 2018, and sets high security standards, the violation of which attracts harsh fines. The regulation has a large, far-reaching impact; by signalling its firm stance on data security, the GDPR has encouraged other nations to adopt similar privacy measures, making compliance a daunting prospect.

The Indian legislation is heavily influenced by the GDPR and was tabled as the “Personal Data Protection Bill” (PDPB) before the Lok Sabha on December 11, 2019. The rationale behind this legislation is to address emerging concerns regarding privacy and data protection, which it seeks to curb by creating an environment that encourages the growth of fair practices in the digital economy and refrains from invading the privacy of individuals.

Since the PDPB has taken its shape from the GDPR, the principles of the Indian legislation are similar to the provisions of the European Union’s legislation. However, some provisions vary in the two data privacy legislations. This article analyzes some of the key differences in these legislations.

Jurisdiction and Scope

Territorial Scope

GDPR: The GDPR applies to organizations that have an establishment in the European Union (EU) and process personal data in the context of that establishment, and to organizations that are not established in the EU but process personal data in relation to (a) offering goods or services in the EU; or (b) monitoring the behaviour of individuals in the EU.

PDPB: The PDPB applies to the processing of personal data that has been collected, disclosed, shared, or otherwise processed within the territory of India; to Indian companies, Indian citizens, and any other persons or bodies incorporated under Indian law; and to organizations that are not present in India but process personal data in connection with (a) business carried out in India or any offering of goods or services to individuals in India, or (b) an activity that involves profiling individuals in the territory of India.

Analysis: The scope of application of the PDPB is broader than that of the GDPR, as an organization may fall within scope simply by processing personal data in India.

Further, the PDPB does not make clear whether an organization must be based in India for this territorial basis to apply; however, the reference to “data fiduciaries or data processors not present within the territory of India” in Section 2(A)(c) suggests that this basis for jurisdiction should be read as applying only to organizations which have a presence in India. The scope of the GDPR, by contrast, is meticulously outlined and systematically categorized.

The Central Government is permitted to exempt any data processor or class thereof from the scope of the PDPB in the context of outsourced services, where (a) the processor is contracted by a person or an organization based outside of India; and (b) the processing relates only to individuals outside of India. There is no such exemption in the GDPR.

Material Scope

GDPR: The GDPR applies to data that relates to an identified or identifiable natural person, as well as to special categories of such personal data.

Processing of anonymized data is out of scope.

PDPB: The PDPB applies to personal data, sensitive personal data, and critical personal data.

The Central Government is authorised to prescribe new categories of sensitive personal data and to determine what constitutes critical personal data.

The Central Government may direct organizations to disclose anonymized personal data and even non-personal data.

Analysis: The GDPR does not govern anonymised data, while the PDPB allows the government to access non-personal data, for specific purposes.

Standards of anonymization may differ between the PDPB and the GDPR.

Relevant parties

GDPR: Under the GDPR, the identified or identifiable natural person whose data is in question is known as the “Data Subject”; an entity that collects the data of data subjects and determines the purposes and means of the processing of personal data is known as the “Data Controller”; and an entity that processes such data on the controller’s behalf is known as the “Data Processor”.

PDPB: The corresponding terms are defined as “Data Principal”, “Data Fiduciary” and “Data Processor” under the PDPB.

Analysis: The terminology varies, while the definitions and concepts behind the terms are generally similar.

General principles regarding the lawfulness of processing data


GDPR: There are seven principles laid out under the GDPR, namely: lawfulness, fairness, and transparency; data minimisation; purpose limitation; storage limitation; accuracy; accountability; and integrity and confidentiality. All these principles are set out in Article 5 of the regulation.

PDPB: The PDPB does not explicitly set out principles but contains a number of provisions that impose requirements similar to those stated in the GDPR. Some of these requirements are as follows:

  • Section 4 of the PDPB states that the personal data may not be processed by any person “except for any specific, clear and lawful purpose”;
  • Section 5 (a) of the PDPB states that the personal data must be processed “in a fair and reasonable manner and ensure the privacy of the data principal”;
  • Section 5 (b) of the PDPB states that the personal data must be processed “for the purpose consented to by the data principal or which is incidental to or connected with such purpose, and which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected”;
  • Section 6 of the PDPB states that the personal data must be “collected only to the extent that is necessary for the purposes of processing of such personal data”; 
  • Section 8 of the PDPB states that the data fiduciaries must “take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed,” taking into consideration various factors such as whether: (a) the data is likely to be used to make a decision about the data principal; (b) the data is likely to be disclosed; or (c) is kept in a form that distinguishes facts from opinions or personal assessments, etc.;
  • Section 9 of the PDPB states that the data fiduciaries may “not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of the processing” in the manner specified by regulations unless the data principal provides explicit consent or the processing is required by law;
  • Section 10 of the PDPB states that the data fiduciaries are “responsible for complying with the provisions of this Act in respect of any processing undertaken by it or on its behalf”.

Analysis: Although the provisions of the PDPB may be considered to have been framed on similar grounds to those of the GDPR, the PDPB puts more emphasis on the legal principles and requires more specific or direct adherence to these requirements.

An important differentiator with respect to consent as a principle is that the GDPR emphasises consent as a concept requiring the information given to be specific and meaningful, while consent as implied by the PDPB places greater weight on the information being transparent. Further, the accuracy requirement under the PDPB is more specific; it not only requires the data to be accurate (as in the GDPR) but also requires it to be recorded whether the data is an opinion, an assessment, or merely a fact. The storage limitation principle of the GDPR states that data may be retained as long as it is anonymised, masked, or encrypted so that it is no longer personally identifiable; however, the PDPB requires absolute deletion of data once the purpose of collection has been achieved.

Legal bases for processing personal data

GDPR: There are six main legal grounds for the lawfulness of personal data processing: consent, performance of a contract, legitimate interest, vital interest, legal requirement, and public interest.

PDPB: The Bill provides for seven legal bases for processing personal data: consent; legal obligation; a medical emergency involving a threat to life or a severe threat to health; providing medical or health services; protecting the safety of individuals during a disaster; employment purposes; and reasonable purposes.

Analysis: A reasonable purpose under the PDPB is anything that may be specified by regulations; examples include whistle-blowing, network and information security, and preventing unlawful activity. These reasonable purposes resemble the GDPR’s basis of legitimate interest but are limited to purposes specified by regulation and are not very inclusive in nature. Further, the bases for health and safety and for employment, which are separately carved out in the PDPB, fall within the GDPR’s legitimate interest or public interest bases.

Rights of individuals

Right of transparency:

GDPR: The GDPR provides that information must be given in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Further, when data is collected directly from the data subject, notice of the collection and its purpose (together with the other detailed information required) must be given before the data is collected, and when it is collected indirectly, the data subject must be informed within a month of the collection.

PDPB: The Bill states that notice of the collection of data must be given at the time of collection, or as soon as reasonably possible thereafter, and that such notice must be clear, concise, and easily comprehensible. Further, it requires that, wherever necessary, such notice be translated into a different language.

Analysis: The transparency requirements largely overlap in the two frameworks; however, the translation requirement is unique to the PDPB (reflecting the cultural, ethnic, and linguistic variation throughout the country) and has no counterpart in the GDPR. Further, the PDPB includes additional requirements, such as handling individual requests and grievances and providing the data trust score assigned by a data auditor (pursuant to the audit provisions laid down in the PDPB).

Right to access:

GDPR: The GDPR states that data subjects have the right to receive information about how their personal data is processed and may ask for a copy of the data being processed by the organization. The exception to this rule is that where providing such access would compromise the personal data of other data subjects or violate intellectual property rights, the organization is not obligated to provide access to the data.

PDPB: Data subjects have the right to confirm whether their personal data is being processed by the organization and to receive a copy or summary thereof, with the sole exception of cases where such access would harm the rights of other data subjects. The PDPB further provides that the record must also state whether the data has been shared by the data fiduciary and the type or nature of the data shared.

Analysis: Though the requirements are similar, the GDPR lays down that access must be provided within 30 days (subject to extension, where permitted), while the PDPB says that the timeline for responding shall be as specified by regulations. The exception under the PDPB does not permit withholding personal data on the grounds of intellectual property. Providing access to records of data shared by data fiduciaries under the PDPB will add an administrative burden, as it also requires documenting any onward transfers to the parties to whom personal data is disclosed.

Right to data portability:

GDPR: The law states that where the right to data portability applies, personal data must be provided in a structured and machine-readable format. However, if the rights of other data subjects would be compromised in the process, the data must not be provided. The right to portability applies only when the processing is based on consent or the performance of a contract. Moreover, the processing must be carried out by automated means, and the right applies only to data the data subject has provided to the controller.

PDPB: Here, in addition to what is provided in the GDPR, the right to portability also covers data generated in the course of the transaction which forms part of the profile of the data subject. The data fiduciary is exempt from acting upon such a request where compliance would reveal a trade secret or where providing the data would not be technically feasible.

Analysis: One of the major differences between the two frameworks is that under the GDPR the right arises only when the data is collected or processed on the legal bases of contract or consent, whereas under the PDPB the right applies irrespective of the legal basis.

Right to Rectification:

Both frameworks require that inaccurate and misleading data be corrected. The right is largely the same in both frameworks, with only minor superficial differences.

Right to be forgotten:

GDPR: The data subject can request that their data be erased where the purpose for which the data was collected has been served, where the data subject withdraws consent or objects to the processing, and where the processing is unlawful or deletion is required by law. When the controller undertakes to delete the data, it must also inform the data fiduciaries and/or third parties with whom it may have shared the data. However, various exceptions are available to the controller, such as the exercise of legal claims, the conduct of certain research, legitimate interest, etc.

PDPB: This framework divides the right into two parts: the right to erasure and the right to be forgotten. The right to erasure provides for the deletion of personal data that is no longer necessary for the purpose for which it was processed, while the right to be forgotten provides for restricting the continued disclosure of personal data. To enforce the latter right, data subjects must apply to an Adjudicating Officer, who takes into account a number of factors and decides whether the restriction is justified.

Analysis: The PDPB 2019 distinguishes between two separate rights, one for erasure and one for restricting the disclosure of personal data. The PDPB places the responsibility for determining the scope of application of the right to be forgotten on Adjudicating Officers, while under the GDPR that responsibility rests with the controller.

Protection of Children’s Rights

Both pieces of legislation lay down various conditions on how data subjects’ information must be collected, processed, and retained or deleted, and on how sensitive data and critical data are to be treated differently from ordinary data. Without going into every detail of how the two frameworks handle the sensitivity of data, this article focuses on how the protection of children’s rights is handled in both jurisdictions.

GDPR: The GDPR, in Article 8, imposes additional obligations when collecting consent from children under the age of 16, or under a lower age set by the respective Member State. It provides that, in relation to the offering of information society services directly to a child, the processing of personal data shall be lawful where the child is at least 16 years old. Where the child is below that age, processing shall be lawful only if and to the extent that consent is given or authorised by the parent or guardian of the child. It is also pertinent to note that the regulation states that significant automated decisions should not be taken concerning children.

PDPB: Data fiduciaries are required to verify a child’s age and obtain consent from a parent or guardian before processing any personal data of a child (someone below the age of 18). The general obligation is that a child’s personal data must be processed in a manner that protects the child’s rights and serves the best interests of the child.

Analysis: The first difference between the two frameworks is the age at which an individual ceases to be a child: 16 years under the GDPR and 18 years under the PDPB. Further, the verification of a child’s age required by the PDPB has no counterpart in the GDPR, and the parental consent for the processing of children’s data specified in the PDPB applies to all types of processing, unlike the GDPR, where it applies only when consent is the legal basis for processing the data.

Appointment of a representative

Controllers and/or processors that are not established in the EU but process data on EU citizens, and are therefore subject to the GDPR, must appoint a representative in the EU, except where the processing is occasional and does not involve large-scale processing of sensitive data.

No such requirement is provided for in the PDPB.

Registration with Data Processing Authorities (DPA)

The PDPB introduces a requirement for significant data fiduciaries (notified as such on the basis of the volume and sensitivity of data processed, the risk of harm, the use of technology, etc.) to register with the DPA in accordance with the regulations. No such requirement exists under the GDPR.

Appointment of a Data Protection Officer (DPO)

GDPR: A DPO is required only when the core activity of the controller or processor involves (a) regular and systematic monitoring of data subjects on a large scale or (b) large-scale processing of sensitive data. The DPO must have sufficient independence and skill and must be able to report to the highest level of management. Though the DPO role may be outsourced, it is recommended that the DPO be based in the EU.

PDPB: A DPO must be appointed by every significant data fiduciary and must represent the fiduciary before the authorities. Further, the DPO must be based in India.

Analysis: The PDPB leaves it to the DPA to determine what a significant data fiduciary is; comparing the GDPR’s thresholds for appointing a DPO with those of the PDPB is therefore difficult. Further, the DPO’s role in representing the fiduciary (as provided for in the PDPB) raises the question of whether an Indian DPO could be exposed to personal liability.

Data Protection Impact Assessment (DPIA)

GDPR: The GDPR requires controllers to conduct a DPIA for (a) systematic and extensive profiling, (b) processing sensitive data on a large scale, (c) systematic monitoring of a publicly accessible area on a large scale, and other activities posing high risks. Where such risks cannot be mitigated, the controller must consult the DPA before processing the data.

PDPB: The PDPB requires significant data fiduciaries to conduct a DPIA where the processing involves (a) new technologies, (b) large-scale profiling or use of sensitive data, or (c) any other activity that carries a significant risk of harm. All DPIAs must be submitted to the DPA for review.

Analysis: While the requirement to conduct DPIAs is similar in the two frameworks, there is a significant difference in the submission of the report to the DPA: the GDPR requires submission (by way of prior consultation) only when risks cannot be mitigated, whereas the PDPB requires the submission of every DPIA.

Audit Requirements

The PDPB provides that significant data fiduciaries must submit their processing to annual audits by independent auditors. The data auditors may assign a data trust score to a data fiduciary based on their findings. This is a new development with no equivalent in the GDPR; the only audit requirement under the GDPR arises where processors agree to audit provisions in their contract with the respective controller.

Breach Notification

GDPR: Controllers must notify the DPA of a breach within 72 (seventy-two) hours unless the breach is unlikely to result in a risk to individuals; notification to the affected individuals themselves is required only when the breach is likely to result in a high risk. Similarly, processors must notify the controller of a breach without undue delay.

PDPB: Data fiduciaries must notify the DPA of a breach as soon as possible if it is likely to cause harm to any data subject, and the DPA may direct the fiduciary to post notice of the breach on its website or may itself post it on the DPA’s website.

Analysis: The threshold for a reportable breach is higher under the PDPB, as it must be “likely” that the breach will cause harm to the data subjects. The PDPB leaves it to the DPA to establish the deadline for notification of breaches, while the GDPR fixes the deadline in the law itself at 72 hours. The PDPB contains no express requirement for processors to notify the data fiduciary of a breach; however, it may be implicit in the data fiduciary’s responsibility that it will need to secure this obligation from its processors by way of contract.

International Data Transfer

GDPR: Personal data may be transferred outside the EU and the European Economic Area only when the recipient is in a territory considered by the European Commission to offer an adequate level of protection for personal data, or when appropriate safeguards are put in place, such as standard contractual clauses or Binding Corporate Rules, or when the data subject provides explicit consent to the transfer and/or the transfer is required in the public interest.

PDPB: A copy of sensitive personal data may be transferred outside India only when the data subject provides explicit consent and the transfer is made pursuant to a contract or intra-group scheme approved by the DPA, the DPA has specifically authorised the transfer, or the government has deemed the recipient country to have adequate protection.

Analysis: Though the transfer mechanisms are similar in both frameworks, the PDPB requires the explicit consent of the data subject to be collected even when the transfer is to a country with adequate safety measures as approved by the DPA. The PDPB subjects only sensitive data to the transfer restrictions; however, the Reserve Bank of India has separately promulgated requirements to localise financial data in India.

Penalties

GDPR: The GDPR sets forth fines of up to 10 Million Euros or, in the case of an undertaking, up to 2% of its total global turnover of the preceding fiscal year, whichever is higher. DPAs may also issue injunctive penalties, which include the power to restrict international transfers, require the deletion of personal data, block the processing of data, etc.

PDPB: Under the provisions of the PDPB, a data fiduciary is liable to pay a penalty not exceeding ₹15 Crore or 4% of its total worldwide turnover of the preceding financial year, whichever is higher. Similar to the GDPR, the PDPB also provides that the DPA may issue injunctive penalties.

Analysis: The penalty provisions under both frameworks are similar. One distinction is that the PDPB permits data subjects to seek compensation through an administrative hearing, whereas under the GDPR data subjects may bring claims for compensation in court, including by way of class action suits.

Conclusion

While the provisions of the PDPB appear to be adopted from the GDPR, there are significant differences that make the PDPB a unique framework. While the issues with the PDPB are likely to be corrected as the Bill evolves, it will be interesting to see how the Bill is implemented and how the different regulators manage to secure compliance from the entities they oversee.
