The Personal Data Protection (PDP) Bill, 2019 draws significant similarities with the European Union’s General Data Protection Regulation (GDPR) but also has some notable divergences. Discuss.
The Personal Data Protection (PDP) Bill, 2019 has been introduced recently in the Parliament. It draws significant parallels with the EU’s General Data Protection Regulation (GDPR). There are similarities between the two data regulations as well as some differences.
Similarities between the bills –
- Exceptions given – The exceptions in the Indian Bill and the EU Regulation look similar, as both allow processing of data to prevent, investigate, detect and prosecute criminal offences. Both also address public security, defence and judicial proceedings.
- Concept of Consent – The GDPR and the PDP Bill are both founded on the concept of consent: data may be processed when the individual allows it. Consent carries qualifiers such as free, specific and informed. Both also give special protection to children, given their lack of ability to provide consent.
- Rights of an individual – These include the right to correction, the right to transfer data to another entity and the right to erase disclosure of data.
- Responsibility of fiduciaries – It is the responsibility of the fiduciary to include privacy by design and transparency about data-related matters. Both have similar features such as dispute resolution and codes of conduct.
Differences –
- Transferring data abroad – A significant difference between the GDPR and the PDP Bill is the framework for deciding whether data can leave the country. Both give government authorities the power to decide if data transfers can occur, but the GDPR lays down clear parameters for this decision. The PDP Bill states that transfers of data abroad need the authority's approval, but without any specific details.
- Automation of decisions – The GDPR directly addresses personal harm from automated decision-making. The PDP Bill requires assessment in the case of large-scale profiling, but does not provide the citizen with the right to object to profiling, except in the case of children. The GDPR states that where personal data is processed for the purpose of direct marketing, the processing and profiling are subject to the right to object.
- Personal data – To give importance to data, the PDP Bill categorises personal data much more explicitly. The Indian Bill has a sub-category of personal data called sensitive data, which includes health, financial, caste and biometric data. The GDPR, on the other hand, does not have separate localisation rules for this type of data.