Comparative Analysis of General Data Protection Regulation with Personal Data Protection Bill

The subsets of privacy guaranteed in books of the European Union’s Charter of Fundamental Rights and the European Convention of Human Rights were subjected to pagination to the forefront when the European Union announced the implementation of the General Data Protection Regulation (hereinafter referred to as “GDPR”) in May 2018. The implementation of this umbrella regulation throughout Europe was received with much assuagement as personal data was guaranteed protection both in name and in existence. In this milieu, with the GDPR as its premise, the Indian government also tabled the Personal Data Protection Bill, 2019 (hereinafter referred to as “PDPB”). Thus, highlighting the strengths and weaknesses of the GDPR, the paper aims to make a comparative analysis of the PDPB with the GDPR.

Data protection rights provided to the data subject by the GDPR can be considered most expansive in all jurisdictions around the globe. Some of which stand out are the rights to restriction and to object. Right to object is one of the explicit rights provided under GDPR that allows the data subject to object to his personal data processing. PDPB, with the similar subject matter and functionality as the right to restriction, has specified right to be forgotten in its provisions. The purpose of this was also to restrict and prevent disclosure of the personal data processed.[i]

Another important feature of the GDPR is that it limits most of its provisions, principles, purpose, and actions thereof to specificity. Thus, ensuring that the risk of broader and general terms which allow the greater scope of application depending upon their expansive interpretation to be mitigated. Further, GDPR also ensures that in case of any issue concerning legitimacy, the burden of proof always falls on the data controller. This is to ensure that the data subject is not harassed in any manner. Further, expanding the definition of personal data and providing provisions entailing sensitive personal data (provides certainty to special categorization) are some of the other positive steps that have strengthened personal data protection. Apart from these, the fact that GDPR has established a separate bracket clause, subject to parents’ consent, to validate the contracts of minors is a point to be appreciated.

In a similar fashion to GDPR, the PDPB also limits the interpretation of its provisions to its specificity. Further, the Data Protection Authority of India (hereinafter referred to as “DPAI”) attempts to define and differentiate sensitive and critical personal data. Though there remains ambiguity with regards to defining critical personal data in the PDPB, it is still better than the GDPR which does not provide any parallel provision for it. Apart from these, the separate bracket clause exists as is under the PDPB.

Further, the GDPR upholds the Fair Information Principles (hereinafter referred to as “FIP”) by an organization or corporation establishing legitimacy and building up credibility among the people. Thus, it could be said that GDPR directly works towards building up trust among the people, corporations, and the government. Further, the principle of data minimization and data accuracy ensures that only the bare minimum necessary data is processed and accurately transferred. Apart from these, atomization eases the business process and improves data understanding and management. From a layman's perspective, the biggest achievement and strength of GDPR is that it has managed to reduce the complex and detailed privacy terms and conditions to unambiguous and concrete terminologies. The Indian government has also similarly reciprocated these strengths when defining the provisions of PDPB. However, PDPB has omitted the data principal/ data subjects from having the power to decide on either the data profiling or automation.

Further, it is paramount to observe that, unlike PDPB, the GDPR does not define significant data fiduciaries or significant data controllers in its provisions. Thus, the option of imposing additional restrictions and increasing government control over social media through social media significant data fiduciaries or controllers does not exist. Further, though GDPR has been trying to establish consent as not the only underlying principle or ground for data controllers to process data, not establishing a consent manager to record and manage the consent of the data subjects just moves away from the scrutinization necessary to maintain balance. This is subject to the fact that GDPR's main purpose itself was to act as a balancing figure between privacy guaranteed as a fundamental right and huge data processing necessary for economic activities. Similarly, in some other activities such as determining the legitimate interest, in many jurisdictions the data controllers take a back seat and allow the government to take over, however, GDPR allows data controllers monopolistic powers. Thus, there is an excessive dependency on the data controllers and very limited on the government to be involved with the data processing process. However, under PDPB, the government through DPAI commands control and jurisdiction. Further, the PDPB has acted upon these omissions and has defined these terminologies and its functionality accordingly.

Apart from these, it is already a fact that GDPR requires high compliance costs and high non-compliance expenses. The same is expected with the implementation of PDPB. Further, there are chances of GDPR creating paradoxical issues which they were trying to mitigate, that is, users not reading the privacy terms. This is subject to the fact that the frequency of the opt-in mechanism outside of Europe like in India is resulting in fatigue, that is, the users or customers are no longer interested in reading the terms and conditions. Further, there is also some form of disappointment with regards to GDPR and PDPB as it is resulting in the eradication of free services. Earlier, the principle was that if services are free, then data is their product. This can no longer hold, if not now but at least in the coming future.

[i] Ram Govind Singh & Sushmita Ruj, “A Technical Look At The Indian Personal Data Protection Bill”, Indian Statistical Institute Kolkata (2020).

About Author

Aditya Vohra

A final year law student at OP Jindal Global University.