Data protection has always been on the frying pan ever since the advent of internet. The moment social media sites unfurled themselves in the digital market, protection of user data and information has kept policy makers on their toes. In 2018, an expert Committee on Data Protection Framework for India chaired by Justice B. N. Srikrishna, submitted its much-awaited report titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians” giving a silhouette on the Personal Data Protection (“PDP”) Bill, 2018.
The Bill represents an important milestone for India, which has yet not enacted a comprehensive, principles-based data protection regulation, lagging in the trend set in recent years by the European Union, California and even Africa. By means of this Bill, the Indian Legislature plans to spread its wings across the realms of the globe, “making it fit for the digital age”. In the latest form, tabled on July 27, 2018, the legislation applies mainly to businesses and individuals having control or storing data of Indian citizens residing world-wide.
At its core lies a set of rules handling over the reins of privacy to its citizens. In the wake of the Aadhaar Program in India, the privacy judgement and Cambridge Analytica Breach, special focus was needed for protecting personal data in the digital arena. Making the right choice, the bill aims at avoiding the privacy plague in India. Affecting the businesses worldwide, whosoever indulges in collecting the information of Indian citizens or offer any sorts of services, tries to monitor their behavior would be penalized for their acts. As stated by the Committee in its observation, the bill aims to balance the interests of the individuals, their personal data and the interests of the entity accessing such private data.
Through this research the authors aim at drawing parallels and pointing out the differences between the Personal Data Protection (“PDP”) Act, 2018, the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”). The PDP Act accompanies an emerging body of national data protection legislation which influences businesses worldwide.
Applicability and Scope:
The PDP Act is along the lines of the GDPR, it largely regulates all processing of personal data with the prohibitive character by providing for a blanket data protection law. It aims at instituting a data protection authority and subjecting companies to numerous administrative duties which include the appointment of data protection officers, local representatives, data protection impact assessments, record keeping, privacy by design and frequent audits among other things. The CCPA also provides for blanket protection, but the intention is not to replace existing data privacy laws at the U.S. Federal and California State level. As a result, it does not create any such administrative obligations and is implemented to address the specific risks for individual privacy created by data trading. While the PDP Act and GDPR secure any information related to an identifiable individual, CCPA takes one step further to additionally includes information relating to households. 
Distinct from the GDPR and the CCPA, the PDP Act is also applicable to the State. In the United States, California and Europe, the member states have enacted separate laws to regulate data processing by the State. However, the PDP Act provides for two exceptions wherein the State may process personal data for its functions. These include “(1) Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature. (2) Personal data may be processed if such processing is necessary for the exercise of any function of the State authorised by law for: (a) the provision of any service or benefit to the data principal from the State; or (b) the issuance of any certification, license or permit for any action or activity of the data principal by the State.”
If companies collect or process personal data from or in any of the three above mentioned territories, they will be subject their respective data protection laws. In order to avert the consequences of non-compliance, the companies would have to stop doing business in each jurisdiction. The repercussions of the GDPR were seen in the form of multiple bloggers, non-profit organizations and smaller businesses turning offline, because they could not meet with the several new requirements.
However, a noteworthy difference is that CCPA protects the data belonging to only of its residents whereas the GDPR and the PDP Act administer any processing of personal data on the local territories, i.e. within the EU or Indian territory, which includes processing of personal data pertaining to persons residing in countries other than that of the said countries as the case maybe. Thus, this law applies to foreign companies which not only collect information about residents, but also if they merely process foreign personal data on European or Indian territory.
This raises a major hiccup in the economics of the nation as it unmistakably affects businesses in India, noticeably dampening the BPO firms which include call centres and other data processing conglomerates operating in India. Non-Indian companies will generally shy away from acceding themselves in conformity to such Indian rules. Merely on the basis that they engage a data processor, call center operator or other service provider on Indian territory.
The PDP Act follows the footsteps of countries like Russia, Kazakhstan, Indonesia and China by creating a requirement for companies store on Indian territory all personal data that is subject to the PDP Act, or, at least, a copy of such personal data. However, there’s no such requirement by the GDPR, U.S. Federal or California privacy laws. This law could adversely affect India’s information technology and outsourcing sector in the distant future.
Consent – Age Limit
The present Bill dictates the companies who provide online services to users below the age of eighteen to obtain parental consent, mirroring the Californian version of the Privacy Act. However, the EEU counter-part, sets the age threshold at sixteen years. Foreseeing, the privacy plague nearly two-decades ago, The U.S Congress enacted the Children’s Online Privacy Protection Act (COPPA). Mandating parental consent for users below the age of thirteen. The Federal Trade Commission of United States, while implementing COPPA obligated strict adherence by the Companies. Resulting in, restraining the online consumption by the citizenry below the age of thirteen.
A myriad of opinions and reactions followed. Oscillating between responsible usage of online resources by their children, despite knowing that juveniles do lie about their age online. Companies and parents in India as well as Europe would face an uphill task in enforcing the higher age threshold (eighteen in India compared to thirteen in United States and 16 in the EEA).
The PDP Act akin to the GDPR, plans to penalise companies with penalties of up to US $ 2.7 million or four percent of global turnover. These penalties will fund the Indian Data Protection Authority in establishing special funds for its operative costs and privacy awareness. The GDPR provides for fines up to four percent of global turnover while the CCPA establishes a Consumer Privacy Fund to be funded by penalties and induce and support additional enforcement activities. The Indian law also awards compensation to subjects after an adjudication process if their rights are violated.
In the wake on such awareness brought forward by the EEU and the first world countries, efforts made on the part of India cannot be undermined. India has always been the hot-spot for business investments and innovate engineering methods, therefore the steps taken forward in this direction should not be simply viewed as mimicking the West World. The idea of such a Legislation itself is nothing novel, however scanning the large population that we host and the number of digital users which are rising exponentially each year, the PDP Act will help us mark ourselves safe if a privacy plague would advance upon us, much like the Facebook’s crisis response feature.
 First Post. (2018). Personal Data Protection Bill: Looking at loopholes in sections of the Bill pertaining to data ownership, RTI and more- Technology News, Firstpost. [online] Available at: https://www.firstpost.com/tech/news-analysis/personal-data-protection-bill-looking-at-loopholes-in-sections-of-the-bill-pertaining-to-data-ownership-rti-and-more-2-5197791.html [Accessed 15 Dec. 2018].
 Schreiber, A. (2018). General Data Protection Regulation: Where are we now on global privacy and data protection?. [online] Idaho Business Review. Available at: https://idahobusinessreview.com/2018/12/10/general-data-protection-regulation-where-are-we-now-on-global-privacy-and-data-protection/ [Accessed 15 Dec. 2018].
Nicholson, J. (2018). California’s Data Privacy Law: Taking a Page from the GDPR Playbook. [online] CMSWire.com. Available at: https://www.cmswire.com/digital-marketing/californias-data-privacy-law-taking-a-page-from-the-gdpr-playbook/ [Accessed 15 Dec. 2018].
 Business Ghana. (2018). We are working on a cyber security law – Ursula meets the press [online] Available at: https://www.businessghana.com/site/news/General/178337/We-are-working-on-a-cyber-security-law-Ursula-meets-the-press-(full-address) [Accessed 15 Dec. 2018].
 Bhatia, G. (2018). India needs to acknowledge the gaps in data protection and rights of children. [online] https://www.hindustantimes.com/. Available at: https://www.hindustantimes.com/analysis/india-needs-to-acknowledge-the-gaps-in-data-protection-and-rights-of-children/story-bxBrYtqXylgPou2yADe3xJ.html [Accessed 15 Dec. 2018].
 The Times of India. (2018). Aadhaar needed for PAN, not for bank a/c: Key points of SC verdict – Times of India ►. [online] Available at: https://timesofindia.indiatimes.com/india/supreme-court-upholds-validity-of-aadhaar-says-sufficient-security-measures-taken-to-protect-data/articleshow/65960058.cms [Accessed 15 Dec. 2018].
 The Wire. (2018). Key Highlights of Justice Chandrachud’s Judgment in the Right to Privacy Case. [online] Available at: https://thewire.in/law/justice-chandrachud-judgment-right-to-privacy [Accessed 15 Dec. 2018].
 Graham-Harrison, E. and Cadwalladr, C. (2018). Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach. [online] the Guardian. Available at: https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election [Accessed 15 Dec. 2018].
 Justice K S Puttaswamy (Retd.) v. Union of India and Others (2017) 10 SCC 1.
 Ministry of Electronics & Information Technology, Government of India. (2018). [online] Available at: http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf [Accessed 15 Dec. 2018].
 Lothar Determann, Adequacy of data protection in the USA: myths and facts, International Data Privacy Law 2016; doi:10.1093/idpl/ipw011 [Accessed 15 Dec. 2018].
 Cal. Civ. Code, §1798.140 o(1).
 Section 13, Personal Data Protection Act 2018.
 Adam Saratiano, U.S. News Outlets Block European Readers Over New Privacy Rules (2018). [online] Available at: www.nytimes.com/2018/05/25/business/media/europe-privacy-gdpr-us.html. [Accessed 15 Dec. 2018].
 Lothar Determann and Michaela Weigl, Data Residency Requirements Creeping into German Law, Bloomberg BNA Privacy & Security Law Report, 15 PVLR 529 (3/14/16).
 Sections 3(9) and 23(2) of the Indian Personal Data Protection Act.
 General Data Protection Regulation.
 Cal. Civil Code §1798.120. (d).
 See, [Online] Available at: www.ftc.gov/sites/default/files/documents/reports/protecting-childrens-privacy-under-coppa-survey-compliance/coppasurvey.pdf [Accessed 15 Dec. 2018].
 Danah Boyd, Why Parents Help Tweens Violate Facebook’s 13+ Rule, Huffington Post [Online] Available at: www.huffingtonpost.com/danah-boyd/tweens-on-facebook_b_1068793.html. [Accessed 15 Dec. 2018].
 Indian Personal Data Protection Act, Sections 69-74.
 Id. At Section 77.
 Indian Personal Data Protection Act, Section 75.
 Facebook [Online] Available at: https://www.facebook.com/about/crisisresponse/ [Accessed 15 Dec. 2018]
ABOUT THE AUTHORS:
Aman Bahl is a third-year law student at Maharashtra National Law University, Nagpur. In the past, his area of research has covered both corporate and litigation aspects. He has interest in Corporate Law, Public International Law and International Arbitration.
Sarthak Bharsakle is a third-year law student at Maharashtra National Law University, Nagpur. His areas of interest are Corporate Law, Competition Law and International Arbitration. He is an avid reader and takes keen interest in jurisprudential aspects of law.
Picture Credit: Daze Info