GDPR is not just stringent in penalties, it gives far more rights to the citizens
The European General Data Protection Regulation (GDPR) has almost become a common noun for personal data protection regulation, not just for the stringent provisions that it contains but also for the comprehensiveness of the issues that it addresses.
The Indian panel created to draft data protection legislation, headed by Justice BN Srikrishna, has referred to GDPR repeatedly in a whitepaper that it released in November last year as well as in the report that it submitted last week, along with the draft Personal Data Protection Bill 2018.
While most of the areas, such as having a clear purpose for processing personal data, consent, other rights, and the appointment of Data Protection Officers in organizations, are taken directly from GDPR provisions, there are a few differences too.
Presented here are ten of the most important differences between the two. Of course, GDPR is not an Act; individual member nations have enacted their own legislation based on GDPR. They could only add to it.
To some extent, therefore, the comparison between GDPR and the Indian draft bill is a bit like comparing apples and oranges, but only when one gets into the language and enforcement provisions.
We avoid getting into that and analyze only areas where the stances on a specific issue differ.
Please note that the citizens whose personal data is being processed are called ‘data subjects’ in GDPR terminology and ‘data principals’ in the Indian draft bill. Similarly, entities that process the personal data are called ‘data controllers’ by GDPR while being referred to as ‘data fiduciaries’ by the Indian draft bill.
Here are the eight differences
- Unlike GDPR, the Indian draft legislation does not require the data fiduciary to share the names and categories of other recipients of the personal data with the data principal.
- There is no obligation on the data fiduciary to tell the data principal, at the time of collection or at any later time, how long the data will be stored, as GDPR mandates.
- The data fiduciary does not need to disclose the source of the personal data to the data principal when the data has not been collected from him/her, which is an explicit requirement in GDPR.
- Unlike GDPR, there is no requirement that the data fiduciary inform the data principal of the existence of automated decision making, including profiling.
- GDPR requires that the data subject (data principal) is provided with a copy of the data undergoing processing. The Indian legislation mandates that a summary of that data be shared, with no definition of what that summary is.
- One of the biggest differences is that in India, a citizen has not been given the right to demand that his/her data be erased. Data erasure, which is an article in itself in GDPR, does not even find a mention in the Indian draft bill.
- In case of a breach, there is no requirement in the Indian draft bill to notify the data principal; rather, the Data Protection Authority shall determine whether such a breach should be reported to the data principal. This too is in contrast to GDPR provisions.
- The provision that has attracted the most criticism—as well as the only dissent note from one of the members—is the issue of where the personal data resides. “Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies,” says the bill. The draft bill also mentions that the Central Government shall notify categories of personal data as critical personal data that shall only be processed on a server or in a data centre located in India. GDPR leaves this to individual countries, most of which have chosen to allow free flow of data, though Germany and France require personal data to be resident in their countries. A few others, like Bulgaria, have very specific requirements, such as gambling data having to be stored in the country. Globally, many countries require government data to be stored within their borders. Today, that is the requirement in India too. Australia, for example, mandates that health data be stored inside the country. This is the most contentious issue.
Overall, while the whole concept of GDPR starts with the premise that ownership of the data must belong to the data subject, the Indian bill does not even provide that!
In sum, the Indian bill is a diluted version of GDPR, with less power for the citizens!