Lessons from the United States Withdrawal from the World Health Organisations
August 19, 2020
In Conversation with Ms. Preeti Ahluwalia – Legal Framework on Cryptocurrency: Regulation and Challenges in India
August 22, 2020

Analysing the Personal Data Protection Bill with respect to the GDPR

At the moment, data is recognized globally as one of the organizations’ most important assets, thus prompting the need for a strict data protection standard.  Data is one of the company’s most important properties. When the data economy grows, businesses compile, exchange and use data at a tremendous price. Companies like Google, Facebook and Amazon have all built empires in the data economy. Transparency in the way businesses obtain approval, comply with their privacy policy and handle the data they collect is key to building trust and transparency with customers and partners who demand confidentiality. Many companies have discovered the importance of privacy through highly advertised failures. While recent progress has been made in data privacy laws and practices, the privacy of the customer is violated and influenced daily by corporations and administrations. Some people argued that consumers already lost the war on privacy.
The General Data Protection Regulation (GDPR) of the European Union ( EU) came into force in May 2018 harmonizing European Union-wide data security and privatization standards. Several other states have either met or are in the process of meeting data protection requirements. This blog will examine the current data privacy regulations in India in the light of GDPR and whether the current regulations.
India is also taking steps to develop a GDPR-modelled data protection system. In July 2017, under the chairmanship of Justice B.N. Srikrishna, the Government of India constituted the Data Protection Policy Committee of Experts for India or the Data Protection Committee (DPC) to address data protection issues in India.  While the committee submitted its report – a detailed data protection Act was proposed – in the report submitted by the Committee on 27 July 2018, the economic costs and benefits of the adoption of the GDPR-style law in India were not evaluated. The draft data protection legislation introduced by the Srikrishna Committee has taken up concepts like the right to access and correction, the right to portability and the right to be forgotten, but compared to EU law, the scope of the rights of a person is restricted.
Such policies need to carefully assess the direct and indirect costs of these regulations given the advantages of the data protection system in developing economies like India. The new law, known as the Personal Data Protection Bill, contains several aspects of the EU GDPR.
These include notice requirements, prior permission for use of individual data, limits to which businesses can access the data and limits to ensure that only information is collected which is required for the delivery of the service to the person concerned. It also requires criteria for data location and the appointment of data protection officers in businesses. If adopted, the legislation would provide India with a robust, cross-cutting structure on privacy and data security.
The latest GDPR literature has major economic implications for the EU with possible influence on SMEs, labour markets, cross-border trade and overall economic growth.   A comprehensive literature review evaluating its influence highlights both the possible negative implications of a GDPR-like data protection legislation for India and the need for similar studies to be conducted in India before the bill is enforced. The DPC proposal for a bill must be carefully and seriously evaluated as a legislative initiative that will have a direct effect on the main industries of India’s economy.
While for some time now, (under the Treaty on the Functioning of the European Union) the EU has acknowledged the right to personal data protection, India continues not to have cross-sectoral data protection rule. The Information Technology Act of 2000 primarily governs cyber-crime and Internet intermediaries’ liability, for example, while social media sites do have some provisions concerning the security of personal data.  Section 43A, for example, provides redress for losses incurred by failure to implement reasonable protections.
Nevertheless, only a patchwork of sector-specific regulatory standards regulates the data security and confidentiality criteria. In August 2017, the Supreme Court of India declared the right to privacy as part of the fundamental right to life of Article 21 of the Indian Constitution. The Court held that informational privacy to be part of the right to privacy. This simply meant that the patchwork approach to privacy enshrined in current law was inadequate and an approach to information protection had to be more detailed. The judgment noted that the Indian government had already formed the DPC and authorized the work of the committee. While the DPC has evaluated various legislation structures in different countries to protect privacy, it has opted to introduce a law broadly based on the GDPR.
The similarity of GDPR with Indian Law:
  1. Data processing (personal data collection and analysis) as well as data managers (persons or organizations supplying data used for data processing by companies). Specifications for the notification and consent of personal data processing.
  2. The collection of personal data, including the minimization criteria, is limited primarily to obtain data required to provide the customer with services to be rendered by the data processor.
  3. Data processor compliance criteria such as the incorporation of data security by design and the appointment of data protection officers to perform daily impact reviews and data audits.
  4. Providing consumers with favourable freedoms, including the right to data transfer (to switch data from one service provider to another) and the right to erasure.
  5. Data localisation requirements — critical personal data must be stored on servers in India and the transfer of other personal data outside India is limited.
  6. The proposed Data Protection Authority regulation and supervision.
  7. Financial penalties including the prohibition of processing as consequences for non-compliance.
Differences between GDPR with Indian Law:
  1. The law, however, in several respects differs from the GDPR — the major is the introduction of criminal sanctions for damage caused by the breach of the regulations. In contravention of the regulation, the draft legislation of the Srikrishna Commission prescribes both civil penalties and criminal offences while the GDPR includes a violation of the fines of EUR 20 million, of 4% of the overall worldwide annual turnover for a business.
  2. The proposal to classify a data processor-consumer relationship as a “fiduciary” relationship. These clauses in the bill would also dramatically increase data security obligations.
  3. The bill will facilitate economical improvements to Indian businesses and foreign companies that provide services across India in the field of data collection, storage and management. Data processors and data controllers may move data outside the EU if certain requirements are met under EU GDPR.
 Will the GDPR work in India?
The review of the literature on the GDPR impact assessment poses some important problems in implementing a law of the kind of GDPR for India. Primarily, the precise framework of such legislation should be carefully examined even though regulations such as the GDPR or the new bill on data protection was meant to protect fundamental rights. For instance, although the EU treat information privacy as a basic right, the EU IA has also published an estimation of the possible cost and benefits of the proposed GDPR. The EU IA was then the basis for further study and criticism of the new GDPR.
Furthermore, the EU IA claimed that a harmonization of the standards of privacy would be the main economic benefits of enacting GDPR in the EU. Given that India did not suffer from the issue of the fractured data protection regulatory system, it is worth asking what economic benefits the proposed bill would offer India. The federal parliament has enacted India’s patchwork of central laws which currently affect privacy and are therefore widely applicable across India at least one is not of immediate relevance.
It would certainly be important to pass a law that safeguards personal data. This will have some protection against harassment and legal redress against damage caused by this misuse. However, such a law should be crafted explicitly in nature with no adverse impact on the economy as a whole. For example, if India does not gain harmonization with current legislation, how does the expense of a GDPR-style law overweight the other sources of benefits?
Besides, the unique nature of India’s institutional data protection choices is likely to have a direct effect on the economy of India. This may have direct effects ( e.g. increased costs of compliance) or indirect implications (innovation’s potential stifling and overall loss of productivity). While the statistics mentioned may not be valid for India, they point out how a GDPR-style data protection law could affect certain sectors of the Indian economy. They also emphasize that the data security legislation introduced by the DPC needs to be extensively economically evaluated.




Gyanda Kakar is a 2nd-year law student at Gujarat National Law University, Gandhinagar.


In Content Picture Credit: Indian Corporate Law

Leave a Reply

Your email address will not be published. Required fields are marked *