SEMESTER VII, YEAR 4
SUBJECT: CYBER LAW
                                 FINAL DRAFT - PROJECT
Submitted By- Yash Bhatnagar
Fourth Year (Semester 7) Student, Section B (BA LL.B)
Dr. Ram Manohar Lohiya National Law University
Lucknow, Uttar Pradesh
Enrollment Number: 200101157
Submitted To- Prof. Amandeep Singh Sir
(Asst. Professor, Cyber Law)
Dr. Ram Manohar Lohiya National Law University
Lucknow, Uttar Pradesh
                                  TOPIC OF CONTENTION
 INDIA’S DATA PROTECTION BILL 2019: DOES GDPR COMPLIANCE
  SATISFY ALL THE HUMAN RIGHTS OR IS THERE MORE TO IT?
                                     - YASH BHATNAGAR
India has taken newborn steps in the realm of data protection and privacy. However, some
questions remain unanswered as talks of compliance between the EU’s GDPR and India’s PDP
bill go around.
I. Introduction
The Parliament of India, in 2019, passed a yet-to-be-enacted Personal Data Protection Bill (PDP),
whose main goal is to make data protection more stringent for the citizens and netizens of India,
for whom online data sharing, security, and privacy are fairly new concepts. But does making it
comply with the already explored Guidelines of Data Protection, 2016 (GDPR) of the European
Union allow the bill to be more efficient? With the rapid evolution of data circulation and
amendments to technology guidelines in the global sphere, especially during and after COVID,
when more than 5 billion users are online (740 million of them Indians), the fundamental human
right of privacy comes into the picture, intertwined with norms of data protection.
II. Present Internet Traffic and Contemporary Situations
India boasts the second-largest online market, with over 560 million users, ranked just
behind China. This also reflects the share of the population that can be affected by the
implementation of the bill. The Personal Data Protection Bill, 2019 and the European Union’s GDPR
set a similar base for their enactment, where Consent, Legal Obligation, and Legitimate Interests
(Reasonable Purposes in the case of the Personal Data Protection Bill, 2019) are an integral part
of the basic principles of both statutes. However, the GDPR promotes greater protection against
data breaches by requiring companies and institutions to meet certain minimum security
requirements on any servers that house personal user data. The GDPR also gives its users the right
to be ‘forgotten,’ meaning all their data should be deleted upon request. The same does not go
for the Personal Data Protection Bill, as even with its broad concept of storing data locally, these
non-sensitive details can be claimed by the government whenever asked.
While this is not the only case, major companies like Air India and Domino's Pizza, Inc. recently
faced a massive data breach, endangering sensitive data such as the names, phone numbers,
addresses and even credit card numbers of more than 184 million customers. The situation is a
grave concern for the Right to Privacy under Article 21 of the Indian Constitution and also raises
the need for a stringent yet alterable law around the free flow of data in India. Hence, more
strengthening mechanisms are yet to be produced by the Personal Data Protection Bill, which has
not articulated provisions on individual user experiences, especially based upon the regional
differences present in a country like India.
III. Major Difference (The User Experience)
Rule 3 of the Information Technology Act (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011, also known as the “SPDI Rules,” already
defines what is known as “sensitive data.” It is evident that India does have rules and
regulations citing sensitive data (name, contact, passwords, etc.) and defining them.
However, the difference between the PDP and the GDPR that stands out the most, and makes the
GDPR the more effective of the two, is the user experience. The GDPR gives a much more secure and
nuanced sense to user experience, as it focuses more on individual user experiences, and data
transaction and processing are much more privatized. On the other hand, the PDP puts a larger
emphasis on public data circulation and does not explicitly mention anything about the user
experience and privatization of any kind of sensitive data. Individual rights are guaranteed in the
GDPR in Chapter 3 (Art. 12-23), but there are no such rights/principles mentioned in the PDP bill
of India, which raises concerns on a holistic level. Moreover, there is already a digital divide
among Indians, as many do not have access to the bare minimum device from which they can go
online, bringing the fundamental Right of Equality (Article 14 of the Indian Constitution) into the
picture. Implementing a regulation around the same without educating the end-receivers about its
basic implications is highly dubious. The Indian bill on Data Protection should also
include provisions regarding individual rights and principles of privacy and data circulation,
preferably in a simplified manner to ensure that it reaches a larger set of people in the diverse
nation.
IV. Sensitive Data Under PDP
Under the PDP, sensitive personal data must be stored locally. However, in certain conditions,
this data can also be approved for cross-border transfer, although with explicit consent. This, on
the one hand, ensures the safety of data being circulated but restricts the boundaries for its
transmission, which can prove a hard obstacle for those who work for multi-national companies
or foreign agencies from India. This data before transmission would come under the purview
of the Central Government or Data Protection Authority set up by the government, which further
raises questions on the private nature of this sensitive information. Comparing the same with the
scope of free transmission and rights provided by the GDPR, the PDP is, unfortunately, a
restrictive proposal too. With the government urging social media giants to comply with their
new Consumer Protection (E-commerce) Rules and the new IT guidelines which require end-to-
end encrypted platforms to inform the government IT cells of the “message-originator” of any
particular message when asked, it poses a threat to the fundamental right of Speech and
Expression (Article 19 of the Indian Constitution) and Privacy collectively of such netizens.
V. India And Privacy: A Newborn Legal Right
India is ranked clinically low in the Global Literacy Index, with only 63% of those aged 15 and
above considered ‘literate.’ Hence it can also be said that before implementing the laws and
regulations, India should be made aware and educated about privacy, data, the internet, and
social media. Without basic knowledge of and terminology for these terms of the 21st
century, the imposition of any kind of law, no matter how well thought out or morally required it
is, may prove futile. This also calls for an administrative appeal to the Government and the
ministries concerned with data policing, as they need to engage with every section of Indian
society to make this bill more administratively viable. It cannot be denied that the structural
efficiency that the GDPR has provided to the institutions and individuals dealing with data is
arguably a benchmark in the personal protection and human rights field, but as for India, it must
further investigate the broader prospect of its privacy bill by exploring and teaching the
basic principles of online privacy and data protection. Through the Data Protection Bill, the
Indian Government can interfere in cross-border data circulation, which may hinder the whole
essence of the provisions of the bill in the first place. The government has backed this provision
in the name of the security of the state, which in itself is a reliable defense; however, if viewed
in the bigger picture, the said clause can infringe the private data circulation of entities, as the
state might be enabled to check up on any data transportation without prior consent from the
originator or the receiver.
The landmark judgment of K.S. Puttaswamy (Retd) v Union of India declared the Right
to Privacy an intrinsic part of the Right to Life and Liberty under Article 21 of the Indian
Constitution. It should be noted that the principles on which this case was adjudged are deemed to
be found more in the GDPR (lawfulness, fairness, transparency) and the provisions of user
privacy and personal user experience, which are missing from the passed bill of India.
How are lawful bases for processing of personal data different?
Under the DPDPA, personal data can only be processed lawfully if: (i) the data principal has
provided consent; or (ii) the data is being processed for a ‘legitimate use’.
This contrasts with the GDPR, which provides a longer list of lawful bases for the processing of
personal data, including processing for purposes of a contract, and processing in the legitimate
interests of the data controller. This could mean that the GDPR lawful bases cover a larger
number of processing activities than may be available under the DPDPA.
With respect to consent, the threshold for valid consent under the DPDPA is only slightly less
onerous than that under the GDPR. Both the GDPR and the DPDPA require “free, specific,
informed, unambiguous, and affirmative” consent. However, unlike GDPR, consent under the
DPDPA will likely not need to be granular, although further guidance is expected in the rules.
Similarly, while detailed rules on the form of consent and privacy notices are yet to be published,
it is expected that privacy notices will need to set out the purposes for processing on a granular
basis but the actual act of providing consent (for instance, by ticking a check box) may not need
to be granular – arguably easing the compliance load.
In addition, language in the DPDPA suggests that even having clear consent is not necessarily
carte-blanche for all kinds of processing. In particular, express purpose-specific consent may still
not be sufficient if the processing activity is not considered “necessary” for the consented
purpose.
The DPDPA also provides for specific retention periods to be prescribed, and data collected will
be deemed to be no longer relevant after expiry of such retention periods, even where consent
has been collected to allow for a longer retention period.
With respect to the other lawful basis (‘legitimate use’), the DPDPA sets out a list of pre-defined
legitimate uses, which include personal data voluntarily provided for a specified purpose,
emergency care, compliance with law, certain employment related purposes, loan recovery, court
approved M&A, legal and state use, etc. However, several of these uses are narrowly defined,
and private entities operating in India are therefore likely to have to largely rely on clear,
purpose-based, revocable consent for their processing.
How are the data principal rights different?
Whilst the DPDPA has introduced a comprehensive set of data principal rights, there are several
distinctions from the GDPR that organisations will need to be aware of.
Under the DPDPA, data principals have:
       • an absolute right to receive data breach notifications (regardless of harm);
       • a right to seek erasure of personal data, and this right is only subject to: (1) necessity
        for the specific purpose for which personal data was collected; and (2) applicable law;
       • a right to escalate to the Data Protection Board if grievances are not resolved within a
        time period which will be prescribed (previous iterations provided for seven days).
Certain data subject rights under the GDPR, such as the right to data portability, and right against
automated decision making are not expressly provided for under the DPDPA.
Data principals in India can also engage ‘consent managers’ (who are third parties that will need
to be registered with the Data Protection Board) to administer and manage consents and personal
data on their behalf. This is a unique concept that GDPR compliant organisations may not be
familiar with. Whilst Article 80 of the GDPR does provide for data subjects to be represented by
not-for-profit bodies, the Indian concept of consent managers goes further. Empowered through
economies of scale and mandatory interoperability, consent managers may lead to an ecosystem
where data principal rights are more actively enforced.
VI. Conclusion and the Way Forward
Hence, it is not necessarily required to thoroughly comply with already existing data protection
guidelines of any sort, but to channel their strengths, address the weaknesses in one’s
own system, and incorporate them in a territory- and user-friendly way, as the former Chief Justice
of India rightly remarked to the counsel representing WhatsApp in a dispute heard in the Supreme
Court: “You might be a 2-3 trillion-dollar company, but people prefer their privacy over that
too.” This line of thought opens doors for those who were working for the enhancement of
privacy norms in India. However, as a matter of fact, awareness drives, data protection courses,
and teaching in the sphere of privacy and the laws related to it are still required on a huge scale.
A recent judgment by the Supreme Court of India stalled the enactment of the new WhatsApp
Privacy Policy until the full implementation of the Data Protection Bill; this not only gives
netizens of India a chance to ponder their digital rights but also allows the Indian Government to
deliberate ad idem on the clauses of the bill. It may follow the following measures for the
same:
       • Formulate a committee of Privacy and Data Protection experts/advocates from India and
        around the globe to strengthen the provisions of the bill.
       • Conduct a territorial survey of the country to analyze the feasibility of the bill throughout
        the nation.
       • Through the survey, embed principles about private user interface and experience while
        satisfying the fundamental rights mentioned in the third part of the Indian Constitution.
       • Work with the Ministry of Education and Higher Education to promote and insert courses
        and lectures on Data Protection, Right to Privacy, and Digital Rights in the education
        curriculums of the country.
Compliances and methodologies can be debated, amended, and rectified after the implementation
of a privacy regulation that the common masses of India, from rural to urban, understand,
connect with, and follow in their day-to-day lives. India, in and through opinions, should start
with the basics and then gradually, with time, evolve its norms as per demand and usage. That
will ensure the sanctity and execution behind the morals and fundamentals of the Personal Data
Protection Bill and Data Protection on the whole.