Data Privacy and Protection under GDPR vis-à-vis PDPB 2018 – A Critical Study

  • Introduction

On 27 July 2018, India took a significant step towards its goal of becoming a genuinely digital economy, following the landmark judgment of the Hon’ble Supreme Court in Justice K.S. Puttaswamy v. Union of India[i], which declared privacy to be a fundamental right.

On that day, the Central Government published the draft Personal Data Protection Bill, 2018 (PDP Bill), based on the recommendations of the Justice B.N. Srikrishna Committee on data protection. With India moving swiftly towards digitisation, a robust and workable data protection law had become the need of the hour, and the Bill tries to meet that need.[ii]

The Bill is broadly modelled on the framework of the EU General Data Protection Regulation (the GDPR) and covers the ground currently occupied by Section 43A of the IT Act 2000[iii] and the IT Rules[iv] framed under that section.

There are, however, differences of approach between the two. The GDPR is concerned chiefly with protecting the individual whose data is processed; China’s Cyber Security Law, by contrast, tilts towards giving the state the upper hand in data processing. India’s PDP Bill 2018 sits somewhere in the middle, seeking to empower both the state and the individual with respect to personal data.

In his comments, Justice B.N. Srikrishna likened it to “buying new shoes. It will be tight in the beginning but will be comfortable later.”

By this he meant that data fiduciaries (the entities operating on or processing data) would need time to adapt to the new rules.[v] Notably, the very use of the word ‘fiduciary’ in the proposed Bill shows that the intent is to build a trust-based relationship between data fiduciaries and data principals (the individuals whose personal data is processed, corresponding to data subjects under the GDPR). The Committee also signalled its support for an open data economy. This is evident from the extended territorial scope, under which organisations not physically located in India but doing business with the country are nonetheless regulated by the PDPB. After the Bill’s enactment, organisations are to be given a transition period of 12 months to become compliant.[vi]

The Bill has not yet been enacted and awaits deliberation in Parliament.

  • Key Highlights of the Bill:

Data protection obligations, including transparency, record-keeping, data protection impact assessments (DPIAs), appointment of a data protection officer (DPO) and notification of breaches, are imposed on entities (data fiduciaries) that process the personal data of individuals in India (data principals).

The legal grounds on which personal data and sensitive personal data (including that of children) may be processed are defined, and the burden of establishing the applicable ground lies with the data fiduciary. The Bill also gives wide latitude to processing carried out by the State.

Data principals are given rights to control personal data being processed by data fiduciaries, such as the right to data portability and the right to be forgotten, comparable to the rights of a data subject under the GDPR.

Data fiduciaries must implement safeguards such as privacy by design, notice, de-identification and encryption. This places Indian organisations on a footing comparable with global standards, which makes transparency and accountability essential. Data localisation is mandated: a copy of personal data must be stored on servers or in data centres in India, and certain categories of data notified by the Central Government/DPAI are to be processed only on servers or in data centres located in India.

Non-compliance with the PDPB attracts fines of up to 2–4 per cent of global turnover or INR 50–150 million, whichever is higher. Failure to meet the timelines specified for responding to data principals’ requests attracts a penalty of INR 5,000 for each day the default continues, up to INR 10 lakh.

The Bill proposes that the Central Government establish a Data Protection Authority of India (DPAI) and an Appellate Tribunal, to ensure speedy resolution of disputes.[vii]

  • Applicability vis-à-vis Exemptions

The two enactments also differ with respect to applicability and exemptions. The PDPB applies to any entity processing data within India. It also applies to foreign entities that:

  1. have a business connection in India;
  2. offer goods or services to individuals in India; or
  3. profile individuals in India.

In all three cases the foreign organisation is required to have a representative in India.[viii]

The wide ambit of the PDPB thus brings organisations outside India that process the personal data of individuals in India within its purview. This expanded scope is a change from the limited scope of the current IT-RS Rules, which apply only to bodies corporate and persons acting on their behalf.

The PDP Bill provides exemptions where processing is carried out for:

  1. State Security
  2. Detection, prevention, prosecution and investigation of contraventions of law
  3. Processing for legal proceedings
  4. Research, archiving or statistical purposes
  5. Personal purposes
  6. Journalism
  7. Manual processing by small entities

It is noteworthy that the scope of exemptions under the PDPB is wider than under the GDPR.[ix]

  • GDPR and PDPB

It is worth noting here how certain aspects of the GDPR and the PDPB are at variance. From the outset, the GDPR is explicit in its approach. Recital 1 states: “The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her. The principles of, and rules on protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular, their right to the protection of personal data.”[x]

By contrast, the intention of the Indian draft Bill becomes blurred in the very next sentence of its preamble:

“Whereas it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation…”[xi]

This appears to be derived in part from Recital 7 of the GDPR, which calls for:

“A strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market.” In the same recital, however, the GDPR also affirms that natural persons should have control of their own personal data, a point the draft Bill omits. Where the GDPR’s framing treats personal data as belonging to the individual, who controls it, the draft Indian Personal Data Protection Bill treats data as a matter of “trust”.

Explaining this aspect Justice Srikrishna stated, “We haven’t treated data as property here. It’s a matter of my trust in somebody and he’s answerable to it. That’s how we have treated it. That’s why we haven’t used data subjects which some others like GDPR have treated, but data principals, the ones who have agreed to share their data with data fiduciaries.”[xii]

Still, in line with the GDPR, the scope of applicability of India’s PDPB 2018 is wide. Besides India-based data processing companies, it applies equally to data fiduciaries with no presence in Indian territory that are connected with Indian data principals.

The Bill’s provisions on data storage remain contentious. The Srikrishna Committee appears to have accommodated a wide range of views on data localisation, and the result is a blunt requirement. The draft Bill, while recognising users’ rights such as the right to access, the right to be forgotten and the right to correction, states: “Every data fiduciary shall ensure the storage on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.”[xiii]

  • Conclusion

In summary, the PDP Bill envisages a far more nuanced and stringent approach to data protection in India than the IT-RS Rules. Its proposed data protection authority and regulatory structure also differ from the IT-RS Rules. Significantly, the PDP Bill’s provisions envisage a strict regulatory regime for private entities while offering wide exemptions to the State for processing data, provided such processing is deemed ‘necessary’ for the State’s functioning or for the provision of State services, benefits, certifications or licences. One advantage of the PDP Bill is that it brings Indian industry into broad parity with the GDPR. This may go a long way towards EU authorities recognising India as providing an adequate level of protection once the Act resulting from the PDP Bill is in force. The PDP Bill is undoubtedly a laudable attempt to address data protection in India. Still, much depends on the form in which the law finally emerges from Parliament.



[i] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.

[ii] “The Personal Data Protection Bill, 2018 – Key Features And Implications – Data Protection – India”. Mondaq.Com, 2018.

[iii] Compensation for failure to protect data. -Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. Explanation. -For the purposes of this section,-

(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;

(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;

(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

[iv] IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[v] Shreya G., Bhumika K., Meha A., Suprita A., Dipen P. and Team Inc42. “Can The ‘Ambiguous’ Draft Indian Personal Data Protection Bill 2018 Hold A Candle To The GDPR?”. Inc42 Media, 2018. https://inc42.com/features/can-the-ambiguous-draft-indian-personal-data-protection-bill-2018-hold-a-candle-to-the-gdpr/.

[vi] KPMG India, 2018. https://assets.kpmg.com/content/dam/kpmg/in/pdf/2018/08/personal_data_protection_bill.pdf.

[vii] Ibid.

[viii] Samvad Partners, 2018. https://samvadpartners.com/wp-content/uploads/2018/08/data-protection-bill.pdf.

[ix] Ibid.

[x] Vollmer, Nicholas. “Recital 1 EU General Data Protection Regulation (EU-GDPR)”. Privacy-Regulation.eu, 2018. http://www.privacy-regulation.eu/en/recital-1-GDPR.htm.

[xi] “The Personal Data Protection Bill, 2018”. Iconx Solutions, 2018. https://personaldataprotectionbill.iconx.in/the-personal-data-protection-bill-2018.

[xii] Supra 5.

[xiii] PwC India, 2018. https://www.pwc.in/assets/pdfs/news-alert-tax/2018/pwc_news_alert_1_august_2018_data_protection_bill_2018.pdf.

This article is written by Rhea Seth of Maharashtra National Law University, Nagpur.

Disclaimer:  This article is an original submission of the Author. Lex Insight does not hold any liability arising out of this article. Kindly refer to our Terms of use or write to us in case of any concerns.
