GDPR and PDPB: Relations & Differences

The five brief differences between GDPR and Personal Data Privacy Bill

The Indian Government has recently introduced the Indian Privacy Bill, 2019. Ostensibly, the bill was considered an Indian version of the General Data Protection Bill, which the European Union introduced in 2017. However, there are some major differences between the GDPR and the PDPB. This article discusses five brief differences between GDPR and PDPB.

Legal Basis for Processing of Personal Data

The EU GDPR has laid down six legal bases for the processing of personal data, namely consent, legitimate interests, the performance of a contract, legal obligations, life protection and public interest. On the other hand, the Indian Privacy Bill has laid down consent, legal obligations, medical emergency, health services, protection of individual safety and employment reasons. Further, the Indian Bill has specifically mentioned the clause for the reasonable purpose specified by regulation. The primary difference between the two regulations is that the GDPR has explicitly given provisions for the performance of a contract as a legal obligation, which was absent in the Indian PDPB. On the other hand, the Indian Privacy Bill has explicitly provided provisions regarding health and employment reasons.

Legitimate Interests

According to the GDPR, processing of data without consent is permitted unless it overrides the interests of the data subject. Further, it is the controllers’ responsibility to determine and assess the purpose of collecting data without consent. The Indian Data Protection Bill places the responsibility to assess data collection under a reasonable purpose on the Data Protection Authority of India. Therefore, the Indian Data Protection Bill, 2019 is significantly more stringent than the EU GDPR, where such responsibility is held in the hands of the data controller.

Conditions for processing of sensitive data

The GDPR has provided 10 legal bases for the processing of sensitive data. They are explicit consent, exercising the right to employment, life protection, legitimate activities, legal claims, medical emergencies, scientific research and substantial interest specified by law. On the other hand, the Indian Privacy Bill has laid down the same grounds for the processing of both sensitive data and personal data. However, it specifies some provisions, such as that consent should be obtained explicitly. Further, the Indian Data Privacy Bill has provided that some cases can be exempted if authorised by the Data Protection Authority of India (e.g., research activities).

DPA Registration

According to the Indian Data Privacy law, significant data fiduciaries need to register with the Data Protection Authority of India. A data fiduciary is notified as a significant data fiduciary by taking account of factors such as high volumes of data, the sensitivity of data, company revenue, the risk involved and the use of new technologies, as specified by the DPA. However, there is no such provision in the European Union General Data Protection Bill.

Audit Requirements

The Indian Data Privacy Bill has perspicuously mentioned that significant data fiduciaries must submit their data processing to an annual audit by independent auditors qualified by the Data Protection Authority of India. Such auditing shall assess the performance of the data fiduciary through a “Data Trust Score”. Further, the Data Protection Authority is empowered to direct the data fiduciary to conduct an audit if it believes there can be any harm to the data. The EU’s GDPR has not provided any such provisions. Rather, the processor must agree to audit provisions in the contract with the controller.

Therefore, to conclude, the primary difference is that Indian data protection law places more emphasis on personal data protection, whilst the EU’s GDPR is mostly business-driven. The range of government interference in data protection frameworks, such as policy monitoring and profiling of sensitive data, is much more consolidated in Indian data policy, whereas the EU’s law is mostly organisation-driven. Nevertheless, the EU’s GDPR is criticised for being excessively stringent and imposing many obligations on organisations. On the other hand, the Indian data law is criticised because the bill gives substantial authority to the government. Both the European Union’s General Data Protection Regulation and the Indian data privacy law emphasise greater data protection and best privacy practices such as data accounting, data policy formulation, maintaining inventory and so on.
