How GDPR Compliance is Different from Indian PDP Compliance
GDPR and India’s Personal Data Protection (PDP) regime are alike in many ways, but the differences between them mean that complying with the GDPR will not necessarily make you PDP compliant.
The points of differences are as follows:
- A broader definition of personal data
Unlike the GDPR, the PDP divides personal data into three categories: personal data, sensitive personal data, and critical personal data.
The last category is especially relevant since it has no equivalent in European legislation, and it comes with its own set of conditions, such as mandatory data localisation.
Furthermore, in comparison to the GDPR, India has cast a wider net on what constitutes sensitive personal data. Even if a company only processes personal data in India and does not collect it locally, it may be required to comply. This means that even GDPR-compliant businesses would have to classify their data further and follow additional rules.
- Government hold on critical personal data
Not only is critical personal data a new category, but businesses must ensure that it is stored and processed exclusively in India. Firms would require additional permission from the Data Protection Authority (DPA) and the Supervisory Authority before transferring any data that falls under that category outside of India.
Therefore, compliance with the GDPR may not result in compliance with the PDP, since any transfer outside India will depend on approvals and permissions from either the DPA or the central government.
The government's involvement does not end there. The GDPR contains no provisions for monitoring anonymised data. The PDP, on the other hand, enables the central government to access non-personal data as long as it is used to form policies that benefit the ‘digital economy’.
- Consent
While it is understandable to have terms and conditions available in multiple languages for users, it means a lot more work for companies collecting data, particularly in a country as diverse as India.
India's data protection framework also proposes "consent managers," a new kind of intermediary for channelling consent. Through a consent form, the data principal (the consumer) may give or withhold consent. Nothing comparable exists in the GDPR.
- Legitimate interests versus reasonable purposes
According to the GDPR, data can be held for longer periods of time for archiving, testing, and statistical analysis. The PDP, on the other hand, proposes that data should be kept for longer periods of time if the user consents or if it is necessary to comply with a legal requirement.
The bill in India also requires businesses to process data only for "reasonable purposes." However, unlike the GDPR's explicitly defined "legitimate interests," a purpose would count as "reasonable" only if the DPA, the overarching authority, deems it so. This leaves a lot of grey area for businesses to work in.
The phrase "reasonable purpose" is extremely broad and has been left to the DPA's subsequent prescription, while under the GDPR, data controllers may decide the extent of "legitimate interest" on a case-by-case basis.
- Who has the power?
Under the GDPR, breaches must be reported both to the supervisory authority and to the affected users.
Users in India, on the other hand, would not have to be notified by law. In the event of a data breach, a data provider would only be required to notify end users if the DPA determines that it is necessary.
Many provisions of the PDP are left open-ended, awaiting further notification from the Central Government or the Data Protection Authority. As a result, there is a lot of room for future abuse and continuing regulatory confusion.
Prantik Mukherjee is a lawyer specializing in data protection and privacy compliance.