Personal data and non-personal data are the two primary categories of data.

Personal data refers to identification qualities, traits, or properties that may be used to identify an individual. Non-personal data includes aggregated data that cannot be used to identify people.

The Supreme Court ruled in 2017 that privacy is a fundamental right guaranteed by Article 21 of the Constitution. The Court further stated that the confidentiality of personal data and facts is an essential component of the right to privacy.

A Committee of Experts, led by Justice BN Srikrishna, was formed in 2017 to investigate several concerns concerning data privacy in India. In 2018, the committee presented its findings to the Ministry of Electronics and Information Technology, along with a Draft Personal Data Protection Bill, 2018.

The similarities

• Consent
  • EU: Users must have informed consent about the way their data is processed so that they can opt in or out.
  • India: Processing of data should be done in a fair and transparent manner, while also ensuring privacy
• Breach
  • EU: Supervisory authority must be notified of a breach within 72 hours of the leak so that users can take steps to protect information
  • India: Data Protection Authority must be informed within 72 hours; DPA will decide whether users need to be informed and steps to be taken
• Transition period
  • EU: Two-year transition period for provisions of GDPR to be put in place
  • India: 24 months overall; 9 months for registration of data fiduciaries, 6 months for DPA to start
• Data fiduciary
  • EU: Data fiduciary is any natural or legal person, public authority, agency or body that determines purpose and means of data processing
  • India: Similar suggestions; additionally, NGOs which also process data to be included as fiduciaries

Difference between EU’s regulation and JCP recommendations:

• Anonymous information
  • EU: Principles of data protection do not apply to anonymous information since it is impossible to tell one from another
  • India: Non-personal data must come under the ambit of data protection law such as non-personal data
• Punishment
  • EU: No jail terms. Fines up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year
  • India: Jail term of up to 3 years, fine of Rs 2 lakh or both if de-identified data is re-identified by any person.

Data is a precious resource in the digital era that should not be uncontrolled. In this environment, the time has come for India to establish a strong data protection regime.

It is past time to make the necessary revisions to the Personal Data Protection Bill, 2019. It must be rewritten to ensure that it focuses on user rights, with a particular emphasis on user privacy. To enforce these rights, a privacy commission would need to be formed.

The government would also have to preserve citizens’ privacy while enhancing their access to information. Furthermore, technical advances in the recent two to three years must be addressed, since they have the potential to render the legislation obsolete.

How to structure:

1. Give an intro about India’s Data protection bill
2. Now, briefly mention about European Union’s General Data Protection Regulations.
3. Compare and contrast- mention the similarities and where the differences lie
4. Mention what India can take from European Union’s General Data Protection Regulations.
5. Conclude

Reference:

1. https://indianexpress.com/article/explained/data-protection-india-versus-european-union-7678664