
    How JPC recommendations on Personal Data Protection Bill compare with GDPR?

    Synopsis

    In the original Personal Data Protection Bill of 2019 and the recommendations provided by the JPC, some concepts such as data fiduciary, data processor and data principal are similar to the controller, processor and data subject in GDPR.

    The General Data Protection Regulation (GDPR) has been around for a few years now, safeguarding the privacy of European Union citizens. In South-east Asia, countries such as Singapore and the Philippines have their own data privacy and protection laws. In India, the Personal Data Protection Bill was tabled in Parliament in December 2019 to protect individuals’ personal data, along with a proposal for the establishment of the Data Protection Authority.

    This bill was referred for examination and recommendations to a Joint Committee of both Houses of Parliament (JPC), which, after many deliberations and discussions over a period of around two years, submitted its report in December 2021 suggesting many amendments.

    The report also records dissents from certain members. In its current form, taking into account the recommendations suggested by the JPC (which may or may not be adopted by Parliament), the bill has certain similarities with GDPR, which are listed below. This is not an exhaustive list, but it captures the important aspects that are similar between the two regulations.

    Similarities between GDPR and Personal Data Protection Bill
    In the original Personal Data Protection Bill of 2019 and the recommendations provided by the JPC, some concepts such as data fiduciary, data processor and data principal are similar to the controller, processor and data subject in GDPR. The JPC has also referred to some definitions such as ‘Controller’ in GDPR, which means a natural or legal person, public authority, agency or other body, alone or jointly with others. The JPC has recommended that Non-governmental Organizations (NGOs) be treated as data fiduciaries and fall under the purview of the law. The definition of data fiduciary is broadened to match that of the GDPR.

    GDPR had a two-year transition period for implementation and the JPC has also recommended a two-year period for implementation of the PDP regulations.

    Similarly, the term ‘risk’ in GDPR covers wider aspects of physical, material or non-material damage with respect to personal data. The JPC has recommended considering widening the term ‘harm’ to incorporate psychological manipulation which impairs autonomy of the person.

    The GDPR covers informed consent from persons about the way their data is processed with an option to opt-in or out. The JPC also recommended a fair and transparent manner of data processing to ensure transparency and privacy. The JPC has also recommended an exhaustive definition of Consent Manager that enables a data principal to give, withdraw, review, and manage his consent through an accessible, transparent, and interoperable platform.

    In the Personal Data Protection Bill 2019, clause 16 deals with the processing of personal data and sensitive personal data of children. GDPR has a similar clause, but it only mentions personal data of children. The JPC has recommended removing the expression ‘sensitive personal data’ and retaining ‘personal data of children’.

    In the clause related to ‘Right to erasure’, GDPR states a controller’s obligation to erase the data in case a data subject withdraws consent related to data processing. The JPC observed that in the original PDP bill, the term processing wasn’t explicitly mentioned in the clause related to ‘Right to be forgotten’ and has recommended adding ‘processing’ as an explicit term.

    The GDPR states that any personal data breach should be reported to the supervisory authority within 72 hours of the controller becoming aware of it. The JPC has recommended a similar breach reporting timeframe.

    In addition to the similarities, there are certain areas where the JPC has different opinions, or they have been more specific in their recommendations as compared to GDPR.

    Will renaming help?
    GDPR deals with personal data, and its principles of data protection do not apply to anonymous information. The JPC, however, has suggested renaming the Personal Data Protection Bill to Data Protection Bill, as it should deal with both personal and non-personal data.

    The GDPR states that the regulation does not apply to the personal data of deceased persons and that member states are at liberty to provide such rules. The JPC noted that there is no mention in the PDP Bill of the rights of a deceased person and has recommended adding clauses on how the rights of a data subject are to be exercised in case of death. In such a situation, the data subject should have the option of nominating a legal representative or heir, or of exercising the right to be forgotten.

    For the appointment of a Data Protection Officer (DPO), GDPR states that the DPO should have expert knowledge of data protection law in addition to other related experience. The JPC observed that the original PDPB makes no mention of a specific qualification or position for the DPO in the company. The JPC has recommended that the DPO should be a senior-level officer in the state or key managerial personnel of the company, in addition to having the technical qualifications and experience required for a DPO.

    When it comes to penalties, GDPR does not state any jail terms; however, it states fines of up to 20 million Euros or, in the case of an undertaking, up to 4% of total global turnover of the preceding fiscal year. The JPC has recommended additional, stricter penalties: a jail term of up to three years, a personal fine of Rs 2 lakh, or both, in addition to larger fines and penalties in line with the GDPR.

    The JPC has provided many recommendations covering the entire original PDPB of 2019. One can only speculate as to which recommendations will be adopted in the law. However, once the bill is enacted, it is set to impact all industries. The latest recommendations of the JPC seem to be in the best interest of Indian citizens, and companies will have to proactively ensure their business processes stay aligned with best practices around managing personal data.


    (The writer is Senior Managing Director – India, Ankura Consulting Group)
    (Disclaimer: The opinions expressed in this column are those of the writer. The facts and opinions expressed here do not reflect the views of www.economictimes.com.)