Explained: How Data Protection Bill compares with its EU counterpart
The Indian Express
Karishma Mehrotra
The Personal Data Protection (PDP) Bill, 2019, has significant parallels to the European Union’s General Data Protection Regulation (GDPR).
Where they differ
The Personal Data Protection (PDP) Bill, 2019, introduced in Lok Sabha this week, has been referred to a joint select committee. It has significant parallels to the European Union’s General Data Protection Regulation (GDPR). These two overarching data regulations mirror each other in some ways, but also present some notable divergences.
Data transfer abroad: One significant difference between the GDPR and the PDP Bill is the framework built around deciding whether or not data can leave the country. Both give a government authority the power to decide if data transfers can occur, but the GDPR more clearly lays out the parameters of this decision. Its “adequacy decision” is made based on the receiving country’s rule of law, its authorities, and its other international commitments. A transfer can be made without this decision if there are legally binding rules or other codes of conduct that allow for it. The PDP Bill simply states that any transfer of sensitive personal data abroad requires the approval of the Authority, without specifying as many details about the other country’s “adequacy” in receiving the data.
Automated decisions: The GDPR much more directly addresses personal harm from automated decision-making. The PDP Bill requires an assessment in cases of large-scale profiling, but does not give the citizen the right to object to profiling, except in the case of children. Such decision-making includes, for example, a corporation deciding your credit score, as well as profiling an individual to target them with advertising, which has now become the bedrock of the data economy. The GDPR states: “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”
Personal data types: To give special attention to particularly important types of data, India’s PDP Bill categorises personal data much more explicitly. In the Indian Bill, a sub-category of personal data called sensitive personal data has a pre-determined list including health, financial, caste, and biometric data. It resembles the list of “special categories” in the GDPR, but the GDPR does not have separate localisation rules for this type of data. The PDP Bill, on the other hand, does not allow sensitive personal data to be stored abroad, and such data can only be processed abroad with Authority approval. In addition, the PDP Bill categorises “critical personal data” as an open-ended category which the government can define from time to time. Critical personal data can never leave the country, for storage or processing, according to the PDP Bill. The PDP Bill, unlike the draft Bill, allows the Government of India to direct any entity handling data to provide it with “non-personal data”, or anonymised data. The GDPR, on the other hand, states: “This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purpose.”
Supervision & data handling: The GDPR also gives wide-ranging discretion to “supervisory authorities” created in each of the EU’s member states to oversee this topic. Aspects of the Regulation, such as penalties, are left up to these authorities.
Where they are alike
Exceptions: The exceptions in the Indian Bill and the EU Regulation look similar. Both allow data processing for the prevention, investigation, detection, or prosecution of criminal offences. Both also discuss “public security”, “defence”, and “judicial” proceedings. The GDPR states: “This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.”
Consent: The PDP Bill and the GDPR are both founded upon the concept of consent. In other words, data processing should be allowed when the individual allows it. Consent carries similar meanings in both, with words like “free”, “specific”, and “informed”. “Reasonable expectations” are also a parameter for processing, as are limits on the collection of data and on the purposes for which it is collected. Both also give special protection to children, who lack the ability to give consent.
Individual’s rights: Both give similar rights to the individual, including the right to correction, the right to data portability (transferring your data to another entity), and the right to be forgotten (the right to erase the disclosure of your data). But, as mentioned above, the right to object to profiling is in the GDPR and not in the PDP Bill.
Other similarities: Both place obligations on data fiduciaries, such as building privacy into the design of their products and being transparent about their data-related matters. The European Data Protection Board under the GDPR and the Data Protection Authority under the PDP Bill have some similar duties, such as dispute resolution and the issuing of codes of conduct.