[Raj Shekhar and Aman Yuvraj Choudhary are 4th year and 3rd year law students pursuing BA LLB (Hons.) from National University of Study and Research in Law, Ranchi]
On 18 November 2022 the Ministry of Electronics and Information Technology (MeitY) published the draft Digital Personal Data Protection Bill, 2022 (DPDP Bill), which seeks to replace the earlier Personal Data Protection Bill (PDP Bill) introduced in 2019 and which was later withdrawn in August 2022. A preliminary review of the draft Bill shows that it is concerned with the regulation of processing (which includes collection/recording, storage, alteration, dissemination, removal/deletion) of personal data, the obligations of the data fiduciary, and the rights and duties of the data principal. The DPDP Bill also sets up a compliance framework, which includes the establishment of a Data Protection Board.
The reactions from industry experts regarding the bill have been more or less mixed. While some have criticized it for diluting the stringent requirements relating to processing and data localization which existed in the previous drafts, others have praised it for its simplistic layout and intuitive way of dealing with data. At this point in time when General Data Protection Regulation (GDPR) is considered as the golden standard for data protection laws around the globe, it would be interesting to test the DPDP Bill against such standards. With this backdrop in consideration, this post seeks to carry out a comparative analysis of the DPDP Bill and the GDPR, while simultaneously analyzing the overall effectiveness of the various provisions considered.
The GDPR and the DPDP Bill: A Comparative Analysis
The legislative intent behind introducing the GDPR is reflected in Article 1 which clarifies its aim to lay down rules for the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. On the other hand, the DPDP Bill aims to provide for the processing of “digital” personal data in a manner which safeguards the right of individuals to protect their personal data and allows processing for other lawful purposes. On a bare perusal of both these legislation, the objectives seem to be more or less congruent; however, on delving deeper, we find that there exist many differences.
Categorization of Data
The GDPR has a classification of data as personal data and, along with it, there are other classifications of data as ‘special categories’ which include data such as those relating to racial/ethnic origin, political opinions, trade union membership, and the processing of genetic data, biometric data. On the other hand, the DPDP Bill has classified certain data as personal data, which are to be regulated, and there exist no other classifications like sensitive or special personal data which existed in the previous iterations of the bill. Further, only those personal data which are “digital” shall be controlled, with an explanation for the same being provided under Clause 4 of the DPDP Bill.
Processing of Children’s Data
The GDPR has adopted a graded approach for permissions required for the processing of personal data of children. The age for valid consent ranges in such cases ranges from 13 to 16 years depending on Member States. Further, it is the responsibility on the part of the entity receiving parental consent to take reasonable efforts to verify whether consent is given by the parent. The DPDP Bill, just like its predecessors, has once again failed to take into consideration the graded approach that is prevalent worldwide and has relied on the absolute age of 18 years for providing valid consent. Another difference that the DPDP Bill brings to the table is that in case parental consent is obtained by the entity for processing data of children, such consent has to be a ‘verifiable parental consent’ in a manner that shall be prescribed in future.
Fundamental Principles Guiding Processing of Personal Data
The GDPR clearly mentions under Article 5 that Lawfulness, Fairness & Transparency, Purpose Limitation, Data Minimization, Accuracy, Storage Limitation, Integrity & Confidentiality, and Accountability shall be the core principles guiding the processing of personal data. The DPDP Bill has no express mention of any such principles. However, the same GDPR principles are highlighted in an explanatory note which comes with a disclaimer that it does not form a part of the BILL itself. Thus, it is unclear as to how binding such principles would be when they have not been included in the Bill.
Cross Border Flow of Data
It is pertinent to note that the GDPR under Chapter 5 has laid down an exhaustive procedure for cross border flow of data. This is implemented through adequacy decisions, prescribed rules, standard contracts, and clauses relating to derogation. The DPDP Bill, on the other hand, has dealt with the idea of cross border flow of data in a fleeting and open-ended manner. Further, the idea of data localization, which was prominently present in the previous drafts, finds no mention. The transfer of personal data has been allowed ‘freely’ to ‘trusted’ jurisdictions which are to be notified at a later stage.
Introduction of Consent Managers
The DPDP Bill has introduced the involvement of third-party ‘consent managers’ who would serve as a link between the data principal and the data fiduciary. They would be interoperable platforms registered with the Data Protection Board through which the data principal may give, manage, review, or withdraw her consent to the data fiduciary. No such involvement of third parties of any kind is seen in the GDPR.
Data Breach Notification
The GDPR mandates reporting of data breaches to data principals only in cases when a personal data breach is likely to result in significant harm to the rights and freedoms of data subjects. Such a requirement is indicative of the fact that not all data breaches are to be reported. However, the DPDP Bill takes a more stringent approach by mandating the reporting of all kinds of data breaches to data principals, irrespective of their effects. The same has to be done in a form and manner which shall be later on prescribed.
Penalties on Non-Compliance
The GDPR prescribes fines under Article 83 and the same are administered according to the size of the organization, gravity and impact on non-compliance, and other criteria. On the other hand, the DPDP Bill prescribed an upper limit on the financial penalty for non-compliance and the same has been limited to not more than INR 500 crores. Further, Schedule I of the Bill lays down different penalties for different categories of non-compliance.
Other Key Differences
Keeping in mind the linguistic diversity of India, the DPDP Bill prescribes that notices served to the data principals shall be made available in all 22 official languages of India. The GDPR, on the other hand, has no such prescribed obligations. The DPDP Bill shall be implemented in a phased manner, i.e., different dates of enforcement shall be accorded to different sections, unlike the GDPR which was implemented in toto and provided two years for ensuring compliance. Further, the DPDP Bill provides for an implied obligation to address grievances within seven days, unlike the GDPR which provides for a time period of one month, further extendable to two months on grounds of complexities.
The concept of “Significant Data Fiduciary” is novel to the DPDP Bill, and the GDPR finds no mention of such classification. The obligations of these significant data fiduciaries are higher than other data fiduciaries, which include additional requirements of appointing a data protection officer, an independent data auditor, and carrying out periodic data protection impact assessments.
Towards A Stakeholder-Friendly Data Protection Regime
The above-mentioned comparative analysis of the GDPR and the DPDP Bill clearly indicates a close nexus that exists in the idea of data protection enshrined in both of these legislative documents. The DPDP Bill has proposed a simplified and streamlined personal data protection regime for India that is more business-friendly than its predecessors. The comparative analysis has also pointed out that even following such simplification, the international standards for data protection have been met in most of the circumstances and made even better in others. At this juncture, when India is all set to receive its first-ever data protection legislation, the DPDP Bill seems to be a praiseworthy attempt on part of the legislators. However, the exercise of sound principles of administrative law while performing the delegated powers to the central government would be decisive in the overall success of the data regime.
– Raj Shekhar & Aman Yuvraj Choudhary