This article is written by Rituja Tawade pursuing a Diploma in International Business Law. This article has been edited by Ojuswi (Associate Lawsikho) and Ruchika Mohapatra (Associate, Lawsikho).

This article has been published by Sneha Mahawar.


Protection of personal data. What is the first thing that comes to mind when we hear that phrase? We think of hacking, leaking or misusing the personal data of an individual, a company or a country. To protect that data, many countries are enacting laws and rules of their own, such as the GDPR in the EU or the Personal Data Protection Bill in India. Let us see what the GDPR requires, and how other countries, India in particular, are drafting laws to protect the personal data of their citizens.


What is GDPR

The General Data Protection Regulation (GDPR) is widely regarded as the strictest privacy and security law in the world. It was drafted and enacted by the European Union (EU). The right to privacy has its roots in Article 8 of the 1950 European Convention on Human Rights, which states: "Everyone has the right to respect for his private and family life, his home and his correspondence". The GDPR was adopted in 2016 and came into effect on May 25, 2018. It governs the privacy and security of the personal data of people in the EU, regardless of their citizenship. It applies to organisations of every size, including small and medium-sized enterprises (SMEs), with only limited relief for smaller organisations (for example, the record-keeping exemption in Article 30(5) for organisations with fewer than 250 employees). Although the GDPR protects people in the EU, it also binds companies and organisations established outside the EU if they offer goods or services to, or monitor the behaviour of, people in the EU; this is the "extraterritorial effect" set out in Article 3 of the GDPR. Businesses are expected not merely to comply but to be able to demonstrate compliance. In case of non-compliance, the organisation faces the administrative fines set out in Article 83 of the GDPR.

Article 83 sets out two tiers of infringement:

  1. Less severe infringements (Article 83(4)), such as breaches of the obligations placed on controllers and processors (records of processing, security of processing, breach notification and the like). The fine is up to 10 million euros or 2% of the organisation's worldwide annual turnover of the preceding financial year, whichever is higher.
  2. More severe infringements (Article 83(5)), such as breaches of the basic principles for processing, of the conditions for consent, of data subjects' rights (including the right to erasure, the "right to be forgotten") and of the rules on international transfers. The fine is up to 20 million euros or 4% of the organisation's worldwide annual turnover of the preceding financial year, whichever is higher.

Data protection principles

Article 5(1) and 5(2) of the Regulation set out seven principles for the processing of personal data:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality 
  7. Accountability 

People’s privacy rights

The GDPR gives the data subject a set of enforceable rights (Articles 12 to 22), which aim to give the individual more control over their own data.

The data subject's rights are:

  1. Right to be informed
  2. Right to access
  3. Right to rectification
  4. Right to erasure
  5. Right to restrict processing
  6. Right to data portability 
  7. Right to object
  8. Rights in relation to automated decision-making and profiling

India’s undertaking on data protection

As mentioned above, the GDPR applies to the personal data of people in the EU and to companies and organisations, wherever established, that offer goods or services to them or monitor their behaviour.

Having seen what the GDPR is, whom it applies to and what it requires, let us now look at the laws that apply in India for the protection of the personal data of its citizens.

Data protection in India is currently governed by the Information Technology Act, 2000. Under Section 43A of the IT Act, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the Data Protection Rules) impose obligations on bodies corporate that collect, receive, possess, store, process or transfer sensitive personal data or information of an individual, such as obtaining consent, publishing a privacy policy, and restrictions on disclosure and transfer.

The Data Protection Rules further require organisations dealing with sensitive personal data or information to implement Reasonable Security Practices and Procedures (RSPPs). Rule 8 recognises the IS/ISO/IEC 27001 standard as one such accepted practice, provided the organisation's practices are audited by an independent auditor at least once a year or whenever it significantly upgrades its processes.

Since the GDPR came into force in the EU, many other countries have drawn on it while developing their own data protection laws.

India is now set to legislate a Personal Data Protection Bill (PDPB), which would become the Personal Data Protection Act (PDPA) on enactment. It would regulate the collection, processing, storage, use, transfer, protection and disclosure of personal data of Indian residents, and is an important development for any organisation, Indian or foreign, that handles such data.

Like the GDPR, the Bill lets global digital companies do business in India, subject to compliance conditions.

In 2017, the Supreme Court of India ruled that privacy is a fundamental right of Indian citizens, in Justice K.S. Puttaswamy (Retd.) v. Union of India. The matter was referred to a nine-judge bench comprising Chief Justice J.S. Khehar and Justices J. Chelameswar, S.A. Bobde, R.K. Agrawal, R.F. Nariman, A.M. Sapre, D.Y. Chandrachud, S.K. Kaul and S. Abdul Nazeer. On August 24, 2017, the bench unanimously held that the right to privacy is a fundamental right guaranteed by the Constitution, flowing from Article 21. The PDPA builds on this ruling: it is intended to secure and protect the personal data of individuals, as well as the security interests of the State.

The PDPA introduces the concepts of "data fiduciary" and "data processor", which correspond to the GDPR's controller and processor, and of "data principal", which corresponds to the GDPR's data subject.

Like the GDPR, the PDPA would apply not only to entities in India but also to persons outside India who process personal data in connection with business carried on in India or with offering goods or services to data principals in India.

The PDPA categorises personal data into three types:

  1. Sensitive personal data, which includes financial data, health data, sex life and sexual orientation, biometric and genetic data, transgender and intersex status, caste or tribe, and religious or political belief or affiliation.
  2. Critical personal data, which is whatever the Central Government notifies as such from time to time, for example military or national security data.
  3. General personal data, which is not separately defined: it is all personal data that is neither sensitive nor critical.

Sensitive personal data must continue to be stored on servers located in India. It may be transferred outside India for processing, with the data principal's explicit consent and subject to the conditions in the Bill, but a copy must remain in India.

Critical personal data must also be stored in India and, in addition, may only be processed in India; it may not be taken out of the country at all, save for the narrow exceptions the Bill permits (such as transfers necessary for prompt action in health or emergency services).

General personal data is not subject to any such localisation restrictions.

Organisations must implement appropriate measures to prevent unauthorised access to sensitive or confidential data; a breach of such data exposes the organisation both to regulatory penalties and to the direct harm of the disclosure itself.

The PDPA provides steep penalties for non-compliance. For a data breach or a lesser violation (such as failing to take prompt action on a breach or failing to implement security safeguards), the penalty can reach 5 crore rupees (roughly 700,000 dollars at the time of writing) or 2% of the company's worldwide turnover, whichever is higher. For major violations, such as processing personal data without consent or breaching the localisation rules, the penalty rises to 15 crore rupees or 4% of worldwide turnover, whichever is higher. The Bill also creates criminal offences: re-identifying de-identified personal data without consent, for example, is punishable with imprisonment of up to three years, a fine, or both, and where a company commits an offence, the officers in charge of its business can be held liable, so that multinational companies cannot treat penalties as merely a cost of doing business.

The PDPA treats citizens' data as a national asset, much as the State controls citizens' physical property. In this respect it differs from the GDPR, which imposes no local-storage requirement and gives the State no preferential access to data in the name of national interest. The GDPR instead regulates transfers out of the EU through Chapter V (adequacy decisions, standard contractual clauses and similar safeguards), and the security of the State lies outside the scope of EU law altogether.

There is an urgent need for a data protection law in India. The Bill is a good step in that direction: it sets out broad principles of regulation alongside detailed provisions. Its impact on emerging technologies and their applications is expected to be positive. For example, the PDPA could influence many fintech startups and companies, which rely on emerging technologies and on large volumes of personal data, and could in turn support the growth of the Indian economy.

Justice B.N. Srikrishna, who chaired the committee that prepared the draft Bill, believes that the exemption of government agencies is a clear dilution of the Bill. It means that the Bill's ultimate beneficiaries, the data principals, will be deprived of the rights it grants them whenever the processing is done by a government agency. Amid the data leaks associated with Aadhaar, the Bill was expected to cure many data-related problems; an exemption for Central Government agencies could defeat much of the purpose of this much-needed legislation.


Just as the EU enforced the GDPR across all its member states, other countries are taking steps towards data protection in their own jurisdictions. The GDPR is enforced by the EU to protect the personal data of individuals, and it binds organisations of every size, from small and medium enterprises to multinationals. Its penalties for non-compliance are severe so that organisations cannot afford to neglect the security of the data they hold, although no regulation by itself prevents a hacker or intruder from stealing data; what the law does is require that breaches be prevented, detected and reported. The PDPA draws much of its inspiration from the GDPR. Unlike the PDPA, the GDPR does not exempt government agencies (public authorities are controllers like any other, subject only to specific derogations), and it has compulsory breach-notification provisions: the supervisory authority must be notified within 72 hours of the controller becoming aware of a breach (Article 33), and affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to them (Article 34).

Lastly, my opinion on this whole GDPR or PDPA is that it is a good step towards the security of their respective countries. Protecting the data of an individual is very important. These days we see that anybody can steal or misuse the personal data of an individual, or any important data of a company, or government data that is important for national security and which can be very dangerous if it comes into the hands of an enemy country. The Right to Privacy is the most important right given to citizens by their countries, and it must be respected and protected by their country. All these respective countries have taken a very good step.

