Ever since GDPR came into circulation, it has become a trend setter in Data Protection Regulation. When PDPA 2018 followed, it was natural that several concepts which were part of GDPR also became a part of PDPA.
Since GDPR had a legacy of EU Data Protection, the WP 29 documents and further a two year lead time for implementation and now nearly one year after its implementation, there is a huge knowledge base already created on GDPR and most of the Indian practitioners are also familiar with the provisions as they have had multiple rounds of discussions with their foreign counterparts.
It is therefore natural that any aspect of PDPA2018 will quickly be interpreted as per the learning under GDPR. In this process there is a danger of misinterpreting PDPA 2018 and this should be avoided. We need to explore PDPA 2018 withut being prejudiced by our perceptions of GDPR. If necessary we need to unlearn some of our dogmas created if any out of GDPR before we learn PDPA.
Naavi therefore advocates a clean interpretation approach to PDPA without the overhang of our GDPR baggage. The PDPSI (Personal Data Protection Standard of India) is one such approach advocated in this context because PDPA holds some innovative differences with GDPR which needs to be recognized.
There is no doubt that the first and the most critical differences between GDPR and PDPA is the re-defining of the Data Subject-Data Controller relationship as Data Principal-Data Fiduciary relationship. This has been discussed several times in the past through these columns and remains the fundamental difference between GDPR and PDPA and any comparison without taking this into consideration would be like comparing Apple and Oranges.
I am not sure that the full implications of this innovative master stroke has sunk in the minds of the Indian Data Protection Professionals as they try to look into PDPA with the colored glass of GDPR. There is a danger of this being missed by legal pundits also as we move towards the formalization of the PDPA Bill into an Act in the coming days. Even the DPA when it comes through may not find it easy to remember that PDPA is not Indian GDPR and they need to be reminded again and again that “It is different”.
But in addition to this fundamental redefinition of the role of the so called “Data Controller” as a “Data Fiduciary”, there are some more differences which we need to recognize so that we realize that PDPA 2018 is not a copycat of GDPR. It does incorporate many of the provisions of GDPR but tries to add it’s own spice in between.
Let us try to capture some of these minor differences before we get back to the analysis of the Data Fiduciary master stroke.
- Classes of Data Fiduciaries
GDPR recognizes Controllers, Joint Controllers, Processors and Recipients as different entities who handle the personal data and sensitive personal data which is the subject matter of protection.
On the other hand PDPA recognizes Data Fiduciaries, Significant Data Fiduciaries, Guardian Data Fiduciaries as different classes of Fiduciaries in addition to the Processor. Significant and Guardian Data fiduciaries maybe required to register themselves with the DPA.
2. Criminal Penalties
PDPA includes Criminal punishments for data breach while GDPR does not
3. Right to Forget
Under PDPA, right to erasure requests are subject to adjudication by an external authority. In GDPR it is the decision of the Company.
4. Dispute Resolution Mechanism
Instituting a dispute resolution mechanism is mandatory under PDPA and is a recommended good practice under GDPR.
5. Mandatory Annual third party Data Audit
PDPA requires a mandatory data audit by an external auditor on an annual basis besides DPIA. No such requirement is there in GDPR.
6. DPO as a Service
GDPR provides an external consultant who can work as a DPO. PDPA has no such provision
7. Harm Audit
PDPA includes a concept of “Harm Audit” to be conducted which is an assessment of the gravity of a data breach incident. This may also be required when there is a conflict between RTI Act and disclosure under PDPA. Under GDPR no such mention has been made though the concept is inherent in every data breach notification policy.
8.Data Trust Score
PDPA requires Data Auditors to compute a Data Trust Score for every organization they audit. This is not part of GDPR.
9. Data Breach notification
Under PDPA, data breach notification to the data principals is determined by the DPA. There is no such requirement under GDPR where the company has to decide.
10: Official Identifier
Official identifier such as Aadhaar is declared as a Sensitive Personal Information under PDPA. GDPR leaves it to the member countries to determine how the national identifiers would be processed.
11. Codes and Practices
PDPA has left it to the DPA to define the codes and practices besides an enabling provision for industry bodies to come up with their own codes to be approved by the DPA. GDPR has also a similar provision where the member states will encourage development of codes and practices and certification bodies will be accredited by the supervisory authorities.
GDPR provides some exemptions to Churches whereby they can apply for their own regulation to be brought into the legislation. Indian PDPA has no such recognition of any religious rights and is therefore more secular than GDPR.
GDPR leaves it to the member states to frame laws regarding information in the course of employment. PDPA has specific reference under Section 16 providing permissions to process data for employment purposes.
PDPA has a direct provision that a copy of personal data shall be in India and sensitive data shall not be transferred out but provides several exemptions. GDPR addresses the same issue indirectly by allowing data transfer only to such countries where EU considers considers that there are adequate laws, and also provides other exemptions. In effect there does not seem to be much difference.
Thus there are many differences between the PDPA and GDPR and as we go forward, even more differences can be spotted.
It is therefore unfair to call PDPA as a Copy Cat of GDPR. In fact leading with the Data Fiduciary, Criminal penalties, Adjudication etc., there are several unique differences that make PDPA far more practical than GDPR.
More on this should come up for discussion in the March 15 seminar in Mumbai.