India PDPB 2019 vs. GDPR: IAPP Comparison Chart
This chart provides a high-level comparison between the EU General Data Protection Regulation (GDPR) and India’s Personal Data Protection Bill, 2019 (PDPB). Each topic is set out in three parts: the GDPR position, the PDPB position, and commentary on the differences.
SCOPE OF APPLICATION

GDPR:
The GDPR applies to:
• Organizations that have an establishment in the European Union and process personal data “in the context of” the EU establishment.
• Organizations that are not established in the EU but process personal data in relation to either (a) offering goods or services in the EU; or (b) monitoring the behavior of individuals in the EU.

PDPB:
The PDPB applies to:
• Processing personal data that has been collected, disclosed, shared or otherwise processed within the territory of India [1] (S. 2(A)(a)).
• Indian companies, Indian citizens, and any other persons or bodies incorporated or created under Indian law (S. 2(A)(b)).

Commentary:
• The PDPB’s scope of application is potentially broader than that of the GDPR, as an entity may fall within scope merely by processing personal data in India (e.g., even through the use of a processor in India).
• However, this broad scope of application may be narrowed should the government exercise its authority to exempt such processing activities.
[1] Although it is not clear whether an organization must be based in India for this jurisdictional basis to apply, the reference to “data fiduciaries or data processors not present within the territory of India” in Section 2(A)(c) suggests that this basis for jurisdiction should be read more narrowly to apply only to organizations with a presence in India.
[2] See GDPR, Recital 26.
SENSITIVE PERSONAL DATA

GDPR:
Special categories of personal data under the GDPR include:
• Biometric data (for the purpose of uniquely identifying a natural person).
• Health.
• Sex life or sexual orientation.
• Genetic data.
Personal data relating to criminal convictions and offenses, while not special category data, is subject to distinct rules defined by EU or member state law.

PDPB:
Sensitive personal data under the PDPB includes:
• Sexual orientation.
• Biometric data, which as defined, includes the concept of being used to uniquely identify an individual.
• Transgender or intersex status.
• Caste or tribe.
• Religious or political belief or affiliation.
The PDPB permits the government, in consultation with the data protection authority, to define additional categories of sensitive personal data, taking into account:
• The risk of significant harm that could result from processing such data, including harms to a discernible class.
• Any expectations of confidentiality attached to the data.
• The adequacy of protections afforded by the provisions applicable to ordinary personal data.

Commentary:
• The PDPB allows the government to define additional categories of sensitive data, whereas the list of categories under the GDPR is finite.
• One exception is that the GDPR provides for additional rules for processing criminal convictions and offenses data, but the PDPB includes no similar provision.
RELEVANT PARTIES
GDPR:
• Controller: The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
• Data subject: An identified or identifiable natural person.

PDPB:
• Data fiduciary: Any person, including the state, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
• Data processor: Any person, including the state, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary.
• Data principal: The natural person to whom the personal data relates.

Commentary:
• The definitions of the relevant parties generally align, despite the use of different terms for functionally similar concepts.
• Although use of the term “fiduciary” may imply the existence of a duty of care and/or loyalty, no such duty is expressly provided except within the provisions relating to children’s data.
PRINCIPLES

GDPR:
The GDPR sets out seven principles in Article 5:
• Lawfulness, fairness and transparency.
• Purpose limitation.
• Data minimization.
• Accuracy.
• Storage limitation.
• Integrity and confidentiality.
• Accountability.

PDPB:
The PDPB does not refer to “principles,” but a number of provisions impose similar requirements:
• Personal data may not be processed by any person “except for any specific, clear and lawful purpose” (S. 4).
• Personal data must be processed “in a fair and reasonable manner and ensure the privacy of the data principal” (S. 5(a)).
• Personal data must be processed “for the purpose consented to by the data principal or which is incidental to or connected with such purpose, and which the data principal would reasonably expect that such personal data shall be used for, having regard to the purpose, and in the context and circumstances in which the personal data was collected” (S. 5(b)).
• Personal data must be “collected only to the extent that is necessary for the purposes of processing of such personal data” (S. 6).
• Data fiduciaries must “take necessary steps to ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed,” taking into account whether (a) the data is likely to be used to make a decision about the data principal; (b) the data is likely to be disclosed; or (c) the data is kept in a form that distinguishes facts from opinions or personal assessments (S. 8).

Commentary:
• At a high level, there is a significant degree of convergence between the two frameworks.
• With respect to lawfulness of processing, as discussed below, the PDPB places greater emphasis on the role of consent; however, consent under the PDPB is more closely linked to transparency than the GDPR’s concept of consent, which emphasizes specific and meaningful control.
• The PDPB’s accuracy requirements are more specific than those under the GDPR; in particular, they require accuracy to be assessed in relation to a number of factors, including whether the data is a fact or an opinion or assessment.
• The PDPB’s storage limitation provisions are also more specific than those under the GDPR:
  1. Unlike the GDPR, which permits retaining the data in a form that no longer identifies an individual, the PDPB requires deletion.
  2. The PDPB also requires data fiduciaries to conduct periodic reviews of whether personal data must be retained.
• The PDPB does not have a provision analogous to the GDPR’s integrity and confidentiality principle, but there are specific provisions governing information security, which are addressed in detail below.
LAWFUL BASES FOR PROCESSING

GDPR:
There are six lawful bases for processing personal data (member states may introduce more specific provisions for certain of them):
• Consent.
• Performance of a contract.
• Legal obligation.
• Legitimate interests.
• Life protection and vital interests.
• Public interest.

PDPB:
There are seven lawful bases for processing personal data:
• Consent.
• Legal obligation.
• Medical emergency involving a threat to life or severe threat to health.
• Providing medical treatment or health services.
• Protecting the safety of individuals during a disaster.
• Employment purposes.
• “Reasonable purposes” as may be specified by regulations, including for preventing or detecting unlawful activity, whistleblowing, mergers and acquisitions, network and information security, credit scoring, recovery of debt, the operation of search engines, or processing of publicly available personal data.

Commentary:
• The PDPB does not provide for a basis for processing that is necessary for the performance of a contract (although consent is defined less restrictively and may permit processing that is necessary to enter into or perform contracts).
• The “reasonable purposes” basis under the PDPB is similar to the GDPR’s legitimate interests basis, but is limited to purposes that are specified by regulation.
• The additional bases for health and safety and for employment purposes under the PDPB may have been justified under the GDPR’s broader legitimate interests or public interest bases, which do not appear under the PDPB.
CONSENT
GDPR:
The GDPR imposes a number of requirements for obtaining valid consent:
• Consent must be freely given, specific and informed.
• It must be granted by an unambiguous affirmative action.
• Generally, provision of a service cannot be made conditional on obtaining consent for processing that is not necessary for the service.
• A request for consent must be distinct from any other terms and conditions.
• Consent for separate processing purposes must be provided separately.
• Individuals have the right to withdraw consent at any time “without detriment” and it should be as easy to withdraw consent as it was to give it.

PDPB:
Under the PDPB, valid consent must be:
• Free, taking into account whether it complies with Indian contract law requirements (i.e., freedom from coercion, undue influence, fraud, misrepresentation or mistake).
• Informed in accordance with the provisions on transparency.
• Specific.
• Clear, taking into account whether it is indicated by a meaningful affirmative action under the circumstances.
• Capable of being withdrawn, taking into account the comparative ease of withdrawing and providing consent.

Commentary:
The PDPB definition of consent is considerably more flexible than that under the GDPR and incorporates elements of the GDPR’s “contractual necessity” basis:
• The standard for freely given matches a contractual standard under the PDPB, rather than the GDPR’s more stringent “without detriment” standard.
• There is an argument that consent would be considered “informed” as long as a privacy notice is made available, and that it is not necessary in all cases to provide the request for consent separately from the privacy notice or other terms.
• “Specificity” is defined by reference to what the data subject would expect.
• There does not seem to be a concrete requirement to ask for consent for separate purposes separately.
• A data fiduciary may be permitted to penalize the data principal for withdrawing consent without a “valid reason” (S. 11(6)).
• S. 11(4) suggests that provision of a service can be made conditional on consent where the processing is “necessary for that purpose.”
LEGITIMATE INTERESTS
GDPR:
• Processing is permitted, without consent, where it is necessary for the controller’s (or a third party’s) legitimate interests and provided such interests are not overridden by the rights and interests of the data subject.
• It is the controller’s responsibility to determine whether the interests it pursues under this basis are legitimate and proportionate, and controllers are expected to document their assessments.

PDPB:
The PDPB permits the DPA to specify “reasonable purposes” for processing. In defining these reasonable purposes, the DPA must take into consideration:
• The interests of the data fiduciary or any public interests.
• Whether the data fiduciary can reasonably be expected to obtain consent for the processing.
• The effect of the processing on the rights of data principals.

Commentary:
• The PDPB is significantly more stringent than the GDPR in that it assigns responsibility for defining reasonable purposes to the DPA rather than to the controller/data fiduciary.
• The factors the DPA must consider under the PDPB are generally similar to those enumerated under guidance by EU regulators, but there is no requirement for the DPA to enumerate any or all of the reasonable purposes set out in the bill.
CHILDREN

GDPR:
• The GDPR imposes additional obligations when collecting consent from children under the age of 16, or at an age set between 13 and 16 by member state law.
• Where providing certain electronic services at a distance (i.e., “information society services”) directly to a child and where the processing is based on consent, consent must be provided by a parent or guardian.
• Processing personal data of children is pertinent to other GDPR requirements (e.g., notices must be tailored to children; the fact that data subjects are children could tip the balance of the legitimate interests test or trigger a data protection impact assessment).
• One recital states that significant automated decisions should not be taken concerning children.

PDPB:
• A child is defined as someone under the age of 18.
• There is a general obligation to process personal data “in such a manner that protects the rights of, and is in the best interests of” children.
• Data fiduciaries are required to verify a child’s age and obtain the consent of a parent or guardian before processing any personal data of a child. The DPA is empowered to promulgate regulations that specify how this is to be done.
• Data fiduciaries that operate online services directed at children or process large volumes of children’s data may be classified as “guardian data fiduciaries” by regulations; guardian data fiduciaries are barred from profiling, tracking or targeting advertising at children.

Commentary:
• The PDPB sets the age threshold for being considered a child higher than the GDPR permits.
• The PDPB’s requirement to verify a child’s age before any processing imposes a significant new requirement not present in the GDPR.
• Unlike the GDPR, the PDPB’s requirement to obtain parental consent applies to all processing of children’s data, not just where consent is the legal basis.
• The ban on profiling of children for guardian data fiduciaries is broader than any similar restrictions under the GDPR, as it is not limited to significant automated decisions.
TRANSPARENCY AND NOTICE

GDPR:
• Information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
• Where personal data is collected directly from the individual, notice must be provided at or before the time of collection.
• For personal data collected indirectly (i.e., from another source), notice must be provided within one month (or upon first contact with the individual, if earlier), unless providing notice would be impossible or would require disproportionate effort.
• Detailed requirements apply to the content that must be included in notices.

PDPB:
• Notices must be clear, concise and easily comprehensible to a reasonable person.
• There is a requirement to translate notices into multiple languages where necessary and practicable.
• Notice must be provided at the time of collection or, if the data is not collected directly from the individual, as soon as reasonably practicable, unless providing notice would “substantially prejudice the purpose of processing” (S. 7(3)).
• Detailed requirements apply to the contents of notices, including:
  • Detailed disclosures of the “individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared” (S. 7(1)(g)).
  • The procedure for redressing grievances (in addition to responding to rights requests) (S. 7(1)(k)).
  • Any rating of a data trust score that may be assigned to the data fiduciary (S. 7(1)(m)).
  • Any other information that may be specified by regulations (S. 7(1)(n)).

Commentary:
• There is significant overlap between the transparency requirements of both frameworks.
• However, the PDPB does include additional disclosure requirements that may not already be included in a privacy notice drafted for the GDPR, such as details on the procedure for handling individual requests and grievances, and, if applicable, a data trust score assigned by a data auditor pursuant to the PDPB’s audit provisions (discussed below).
• In addition, the requirements to provide the contact details of the data protection officer and to provide notice in multiple languages may require the localization of global privacy notices.
• Finally, the requirements for disclosing recipients under the PDPB may require more specific disclosures of data processors than is required under the GDPR.
RIGHT OF ACCESS
GDPR:
• Individuals have the right to receive information about how their personal data is processed and a copy of their personal data.
• Personal data must be provided:
  • Free of charge, except where requests are manifestly unfounded or excessive, or for additional copies.
  • In electronic form when so requested.
  • Within one month unless an extension applies.
• Exceptions apply where providing the information above would adversely affect the rights and freedoms of others, including intellectual property rights.

PDPB:
• Individuals have the right to receive:
  • Confirmation of whether their personal data is being processed and a summary of the processing activities that were undertaken.
  • Copies of the personal data processed by the data fiduciary “or any summary thereof” (S. 17(1)(b)).
• The information above must be provided free of charge.
• The data fiduciary must also provide “in one place the identities of the data fiduciaries with whom his personal data has been shared by any data fiduciary together with the categories of personal data shared with them” (S. 17(3)).
• The time period for responding will be specified by regulations.
• There is an exception where compliance would “harm the rights of any other data principal” (S. 21(5)).

Commentary:
• The rights of access are broadly similar.
• However, the requirement to provide the identities of all data fiduciaries with whom personal data has been shared could result in significant new administrative burdens. It is not clear whether the “by any data fiduciary” language would also require documenting any onward transfers by data fiduciaries to whom personal data is disclosed.
• Although the PDPB right of access does not include format requirements, these appear in the more broadly formulated portability right under the PDPB.
• The PDPB exception for protecting other data principals may not permit withholding personal data on intellectual property grounds.
RIGHT OF PORTABILITY
GDPR:
• The right to portability applies only to:
  • Processing based on consent or on the performance of a contract.
  • Data provided to the controller by the data subject, which includes information observed about the data subject, but not inferences.
  • Processing carried out by automated means.
• Where the right applies, personal data must be provided in a structured, commonly used and machine-readable format, with the right to transmit such data to others without hindrance.
• Where technically feasible, an individual may ask for the data to be transmitted directly to another controller.
• As with the right of access, there is an exception to protect the rights and freedoms of third parties.

PDPB:
• The right to portability applies to personal data processed through automated means, where:
  • The personal data was provided to the data fiduciary.
  • The “data” has been generated in the course of provision of services or use of goods.
  • The “data” forms part of any profile on the data principal or which the data fiduciary has otherwise obtained.
• Where the right applies, personal data must be provided in a structured, commonly used and machine-readable format and may be transferred directly to another data fiduciary.
• Exceptions are provided where compliance would reveal a trade secret or would not be technically feasible.

Commentary:
• The right to portability under the PDPB is broader than the corresponding GDPR right, as it is not limited to data that is processed under certain legal bases.
• The PDPB portability right also applies to profile information, even if the data may be inferred.
RIGHT OF CORRECTION
GDPR:
• Grants data subjects the right to:
  • Correct inaccurate personal data.
  • Complete incomplete personal data.
• Where personal data is updated, it must be communicated to each recipient to which it was disclosed, unless this would involve disproportionate effort.
• The controller must restrict processing where the accuracy of the data is disputed, for the time needed to verify the request.

PDPB:
• Grants data principals the right to:
  • Correct inaccurate or misleading personal data.
  • Complete incomplete personal data.
  • Update out-of-date personal data.
• The data fiduciary must take steps to communicate the updated data to relevant entities or individuals to whom the personal data was disclosed, particularly where there may be impacts for the rights and interests of the individual.
• Where the data principal disputes the accuracy of the data and the data fiduciary does not take action, the data fiduciary must take reasonable steps to indicate that the accuracy of such personal data is disputed.

Commentary:
• These rights are broadly aligned, with only cosmetic differences.
RIGHT TO BE FORGOTTEN
GDPR:
• The GDPR grants data subjects the right to request the deletion of personal data processed by the controller where the data is no longer needed for the purpose for which it is processed, where the data subject withdraws consent or objects, and where processing is unlawful or deletion is required by law.
• If the controller grants a request for the deletion of data that was previously made public, the controller would need to “take reasonable steps” to inform any third parties that may be processing the data of the data subject’s request. There is also an obligation to communicate the request directly to any known recipients of the data, unless it would be impossible or would require disproportionate effort.
• Controllers may rely on a number of exceptions, including establishing, exercising or defending legal claims, conducting research meeting certain conditions, and other compelling legitimate interests, to override a request.

PDPB:
• The right to erasure (S. 18(d)) grants a right to request the deletion of personal data that is no longer necessary for the purpose for which it was processed.
• If the data fiduciary fulfils the request, it must notify all relevant entities or individuals to whom the personal data was disclosed, particularly where this will impact the rights and interests of the individual.
• The right to be forgotten (S. 20) grants individuals a right to restrict or prevent the continued disclosure of personal data (i.e., this is not a deletion right).
  • The right applies where data is no longer needed for the purposes for which it was processed, where the data principal withdraws consent and processing was based on consent, or where the disclosure was unlawful.
  • To enforce the right, individuals must apply to an adjudicating officer appointed by the DPA.
  • The adjudicating officer must take into account a number of contextual factors in weighing whether restriction is justified.
  • In particular, the right to be forgotten must be balanced against freedom of expression concerns.

Commentary:
• The PDPB distinguishes between two separate rights: one for erasure and one for restricting the disclosure of personal data (i.e., the right to be forgotten).
• Unlike the GDPR, the PDPB places responsibility for determining the scope of application of the right to be forgotten on adjudicating officers appointed by the DPA, rather than on the controller.
• By requiring adjudicating officers to consider a number of contextual factors and to balance various interests, it is likely that the PDPB right to be forgotten will be interpreted more narrowly than the corresponding GDPR right.
Accountability requirements

DPA REGISTRATION

GDPR:
• N/A.

PDPB:
• “Significant data fiduciaries” are required to register with the DPA in accordance with procedures that will be set out in regulations (S. 26(2)).
• The DPA is required to notify data fiduciaries or classes of data fiduciaries as significant, taking into account the following factors:
  • The volume and sensitivity of data processed.
  • Company revenue.
  • Risk of harm.
  • Use of new technologies.

Commentary:
• The PDPB introduces a requirement for a class of entities (significant data fiduciaries) to register with the DPA.
APPOINTMENT OF A DPO
GDPR:
• Required for private entities only where a “core activity” of the controller or processor involves either (a) the regular and systematic monitoring of data subjects on a large scale; or (b) the large-scale processing of sensitive data.
• The DPO must have sufficient independence and skill to carry out its functions and must be able to report to the highest levels of management within the organization.
• DPOs may be outsourced.
• Guidance from EU regulators recommends that the DPO should be based in the EU.

PDPB:
• Appointment of a DPO is required for all significant data fiduciaries.
• There are no express independence or skill requirements, but further guidance may be provided by regulations.
• The DPO must be based in India.
• The DPO must “represent the data fiduciary under this Act.”

Commentary:
• The PDPB leaves it to the DPA to determine the thresholds for being considered a “significant data fiduciary”; it is difficult at this stage to predict how this will compare to the GDPR’s thresholds for appointing a DPO.
• The requirement to appoint a DPO based in India may pose a challenge for global organizations.
• The requirement to “represent” the data fiduciary raises questions about whether the Indian DPO could be subject to personal liability.
RECORD OF PROCESSING
GDPR:
• Controllers and processors must retain detailed records of their processing activities unless very narrow exceptions apply.

PDPB:
• Only significant data fiduciaries are required to retain specific records of processing (S. 28(1)).
• The requirement to retain records of processing applies to “important operations,” periodic review of security safeguards and DPIAs, and other records that may be specified by regulations.

Commentary:
• The PDPB record of processing requirements appear to be more flexible than those under the GDPR and will likely apply to a small proportion of companies subject to the framework.
AUDIT REQUIREMENTS
GDPR:
• None that is applicable to controllers.
• Processors must agree to audit provisions in contracts with controllers.

PDPB:
• Significant data fiduciaries must submit their processing to annual audit by independent auditors selected from a list approved by the DPA.
• Data auditors may assign a “data trust score” to a data fiduciary based on their findings.
• The DPA may also direct data fiduciaries that are not “significant” to conduct an audit if the DPA considers the data fiduciary’s processing to be likely to cause harm.

Commentary:
• The GDPR contains no similar audit requirement.
SECURITY

GDPR:
• Controllers and processors are required to implement appropriate technical and organizational measures to protect the security of personal data.

PDPB:
• Data fiduciaries and data processors are required to implement necessary security safeguards.

Commentary:
• There is little functional difference between the provisions.
BREACH NOTIFICATION
GDPR:
• Controllers must notify the DPA of a breach within 72 hours, unless the breach is unlikely to result in a risk to individuals.
• Notification may be made in stages as information becomes available.
• Controllers must notify individuals of a breach without undue delay only if it is likely to result in a “high risk” to individuals.
• Processors must notify the controller of a breach without undue delay.

PDPB:
• Data fiduciaries must notify the DPA of a breach “as soon as possible” if it is “likely to cause harm to any data principal.”
  • The time period for notifying breaches may be established by regulations.
  • The time period for notification should also take into account any period that may be required to adopt urgent measures to remedy or mitigate the breach.
  • Notification may be made in stages.
• The DPA may direct the data fiduciary to post about the breach on its website (or may post on its own website).

Commentary:
• The PDPB leaves it to the DPA to establish the deadline for notification of breaches.
• The threshold for a reportable breach is higher under the PDPB, as it must be “likely” that the breach will cause harm to individuals.
• It is the DPA’s responsibility to decide whether individuals should be notified of a breach, though data fiduciaries appear to be permitted to notify proactively, such as to help mitigate risks.
• There is no express requirement on processors to notify data fiduciaries of a breach, but it may be implicit from the data fiduciary’s responsibility for processing that it will need to secure this commitment from its processors by contract.
[3] However, note that the definition of sensitive personal data includes financial information. In addition, the Reserve Bank of India has promulgated requirements to localize payment data in India.
Enforcement

PENALTIES

GDPR:
• The GDPR does not stipulate criminal liability, but permits member states to impose criminal penalties for violations of the regulation and applicable national rules.
• Administrative fines of up to the higher of 20 million euros or 4% of a group of undertakings’ annual global revenue.
• DPAs may also issue injunctive penalties, which include the ability to block processing, restrict international transfers, and require the deletion of personal data.
• Individuals may bring claims in court for compensation, and mechanisms exist for representative actions on behalf of a class of individuals.

PDPB:
• Imposes criminal liability on any person who, knowingly or intentionally, re-identifies personal data that has been de-identified by a data fiduciary or processor without that entity’s consent, punishable by up to three years’ imprisonment, a fine of approximately $3,000 USD, or both, unless that person re-identifies their own data or the relevant data principal has given their consent.
• Administrative fines of up to the higher of approximately $2 million USD or 4% of a group of companies’ annual global revenue.
• The DPA may also issue injunctive penalties, which include the ability to block processing, restrict international transfers, and require the deletion of personal data.
• Individuals may bring claims to adjudicating officers appointed by the DPA for compensation, and there is a mechanism to permit group actions.

Commentary:
• The penalty provisions under both regimes are similar, with the exception of the PDPB’s criminal liability provisions, which are relatively narrow.
• One minor distinction is that the PDPB permits individuals to seek compensation through an administrative hearing before an adjudicating officer.
ANONYMIZED DATA

GDPR:
• Although not defined by the GDPR, anonymous data, which cannot identify an individual by means reasonably likely to be used (including reasonable steps to re-identify), falls outside the scope of the law. In practice, anonymization is a high standard to meet.

PDPB:
• Anonymized data is data that has undergone an irreversible process of transforming or converting personal data to a form in which an individual cannot be identified, and which meets the standards of irreversibility specified by the DPA.
• The government may, in consultation with the DPA, direct a data fiduciary or data processor to disclose anonymized data or other non-personal data “to enable better targeting of delivery of services or formulation of evidence-based policies” (S. 91(2)).

Commentary:
• The PDPB includes novel provisions that could require organizations to turn anonymized data over to the government.
ADDITIONAL RULES AND REGULATIONS

GDPR:
• National DPAs and the EDPB may issue guidance clarifying the application of provisions of the GDPR, but the guidance is non-binding.
• Some limited areas of the GDPR are left to national law, such as clarifying the conditions for processing criminal record data or adopting additional derogations from certain provisions.

PDPB:
• Many provisions permit either the Central Government or the DPA to promulgate additional rules or regulations that may clarify PDPB requirements and/or specify additional requirements.
  • A complete list of areas where the Central Government is authorized to intervene is set out in Annex A.
  • A complete list of areas where the DPA is authorized to form additional rules, standards or regulations is set out in Annex B.
• The DPA may also develop codes of practice to aid organizations in complying.

Commentary:
• A significant number of provisions leave authority to the DPA to promulgate regulations that may affect important requirements.
• The Central Government has broad discretion to form policy, impose additional requirements, remove requirements from certain entities, and exercise control over the operation of the DPA.
ANNEX A: AREAS WHERE THE CENTRAL GOVERNMENT IS AUTHORIZED TO INTERVENE
S. 1(2) The Central Government may decide the law’s effective date and set different effective dates for different provisions.
S. 15(1) The Central Government (in consultation with the DPA) may designate additional categories of sensitive personal data.
S. 26(4) The Central Government may designate social media intermediaries as “significant data fiduciaries.”
S. 33 The Central Government may define “critical personal data,” which is subject to the localization requirement.
S. 34(1)(b) The Central Government (in consultation with the DPA) may designate a country, international organization or class of entities in a country as “adequate” for the purposes of transferring sensitive personal data.
S. 34(2)(b) The Central Government may permit transfers of critical personal data where it determines the transfer does not affect India’s security and strategic interests.
S. 35 The Central Government may exempt any agency of the government from any or all of the provisions in the PDPB.
S. 37 The Central Government may exempt any data processor or class of data processors, where the processor processes only data relating to individuals outside India pursuant to a contract with a person or entity outside of India.
S. 42(1) The Central Government may appoint the chairperson and members of the DPA.
S. 44(1) The Central Government has the authority to remove the chairperson and any member of the DPA.
S. 62(2) The Central Government may specify the number of adjudicating officers, as well as the manner and terms of their appointment and their jurisdiction, among other requirements “as the Central Government may deem fit.”
S. 64(8) The Central Government may specify the procedure for hearing a complaint to the DPA.
S. 67(1) The Central Government is tasked with establishing an Appellate Tribunal for appeals from the adjudicating officer.
S. 78 The Central Government may appropriate to the DPA the amount of funds “as it may think fit for the purposes of this Act.”
S. 86 The Central Government may issue policy directions to the DPA “as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order.”
S. 91(1) The Central Government remains free to frame any policy for the digital economy that does not govern personal data.
S. 91(2) The Central Government (in consultation with the DPA) may direct any data fiduciary or data processor to disclose any anonymized data or other non-personal data.
S. 92 The Central Government may prohibit a data fiduciary from processing biometric data.
S. 93(1) The Central Government may make rules to carry out the provisions of the PDPB.
S. 97(1) The Central Government may remove any inconsistencies “as may appear to be necessary or expedient.”
ANNEX B: AREAS WHERE THE DPA IS AUTHORIZED TO FORM ADDITIONAL RULES, STANDARDS OR REGULATIONS
S. 7(1)(n) Regulations may specify additional information that must be included in privacy notices.
S. 9(4) Regulations may specify how personal data must be deleted when it is no longer required.
S. 14(1) Regulations may specify “reasonable purposes” for processing personal data without consent, which take into account a number of listed factors. Where the DPA establishes reasonable purposes, it must also set out safeguards for such processing.
S. 15(2) The DPA may (by regulations) specify additional safeguards or restrictions for processing sensitive personal data.
S. 16 The DPA may (by regulations) specify how to conduct age verification of children, how to obtain parental consent, when a data fiduciary will be classified as a “guardian data fiduciary,” and how the children’s provisions will apply to counselling and child protection services.
S. 17(3) Regulations may specify how to comply with the access right.
S. 18 Regulations may specify how to comply with correction and erasure requests.
S. 21 Regulations may specify the time period for responding to a request and any fees that may be charged.
S. 22(2) The DPA may (by regulations) specify a process for obtaining certification of a privacy-by-design policy.
S. 24(2) Regulations may specify how to comply with information security requirements.
S. 25(3) Regulations may specify the time period for reporting breaches.
S. 26 The DPA may notify a data fiduciary (or class thereof) as a significant data fiduciary based on factors enumerated in the PDPB. The DPA may also classify significant data fiduciaries, notwithstanding the enumerated factors, where it considers there to be a significant risk of harm.
S. 27(2) The DPA may (by regulations) specify the circumstances where a DPIA would be required and where a data auditor may be required to conduct the DPIA.
S. 28(1) Regulations may specify the form and manner of maintaining records of processing.
S. 29(3) The DPA shall (by regulations) specify the form and procedure for conducting data audits.
S. 29(6) The DPA shall (by regulations) establish the criteria for assigning a data trust score.
S. 29(7) The DPA may direct any data fiduciary to conduct an audit where a processing activity is likely to cause harm, even if other criteria are not met.
S. 34(1)(c) The DPA may permit the transfer of any sensitive personal data or class of such data outside of India for any specific purpose.
S. 38 The DPA may exempt certain classes of processing for research, archiving or statistical purposes from provisions of the PDPB, where it is satisfied that a series of enumerated criteria are met.
S. 39(2) The DPA may (by regulations) define “small entities” that will be exempt from some requirements of the PDPB.
S. 94(2) The DPA may make regulations on any or all of the topics indicated above or any other topic consistent with the PDPB.