
DPD vs GDPR

Lawfulness, fairness, and transparency: The term lawful purpose in PDP bill is
non-exhaustive, ambiguous and wide. GDPR on the other hand wields the trident of sicut lex (just
law) by including in its ambit lawfulness, fairness and transparency.

Purpose limitation: PDP bill specifies ‘consent’ and ‘specified purpose’ but it does not add any
additional qualification or caveats for additional protection of data. GDPR adds the caveats
to use of data and unambiguously identifies the limitations on use of personal data. It
additionally adds a proviso that exempts the Data Fiduciary from the purpose limitation.

Data minimization: The PDP bill does not include in its ambit the data minimization
principle, thereby giving a long rope to the use of data for other purposes. GDPR is more
airtight in comparison and it requires processed data to be adequate, relevant and limited.

Accuracy: PDP bill asks of data fiduciary ex-ante to make a ‘reasonable effort’ to ensure
‘accurate and complete’ personal data is processed when used by a Data Fiduciary or shared
with another Data Fiduciary. GDPR mandates the Data Fiduciary to rectify or erase
inaccurately processed data ex-ante.

Storage limitation: PDP bill allows data retention until it is ‘no longer necessary’ without
necessary safeguards. The ambit of ‘no longer necessary’ is ambiguous. GDPR introduces a
system of pseudonymization of data. It however does not mention deletion of data that DPD
mentions.

Integrity and Confidentiality: In case of a data breach, PDP bill does not impose liability on
Data Fiduciary that GDPR does.

Notice: PDP bill has a retroactive effect on the issue of notice. It mandates Data Principal to
give a description of personal data sought and the purpose of data processing. GDPR does not
have a retroactive mandate (Art 13.4). It additionally provides detailed information on the
stakeholders that would be controlling and processing data (Art 13.1) as well as a description
of rights of Data Principal (Art 13.2).

Consent: PDP bill puts the onus of withdrawal of consent on the Data Principal even when
the withdrawal is for a valid reason. It further creates a new entity called ‘Consent Manager’
who would act on behalf of, and be accountable to the Data Principal. GDPR does not
mention anything on the onus of withdrawal of consent. It does not have a ‘Consent
Manager’ either.

Deemed Consent: Art 8 of PDP bill elucidates an exhaustive list of deemed consent given by
the Data Principal. However, it does not include processing that is required to carry out a
contract to which the data subject is a party or to further the controller's or a third party's
legitimate interest. The justifications of deemed consent under GDPR are non-exhaustive and
leave room for dynamism.

Additional obligations for data of children: PDP bill does not define the age of the child
and hence the presumed age is 18 years. The bill however adds negative obligations for not
tracking children which is diluted by the caveat that the negative obligation is based on the
prescribed purpose. GDPR is more descriptive in this regard where it defines the minimum
age to be 16. It further gives flexibility to member states of EU to define the age of the child
with a minimum ceiling of 13 years.

Additional obligation of Significant Data Fiduciary: PDP bill introduces a special
provision for Significant Data Fiduciary (SDF), who are a privileged class of people as
notified by the Central Government. The SDF will appoint a Data Protection Officer who will
work on behalf of and represent the SDF under various circumstances as mentioned in Art 11
of PDP bill. GDPR makes no reference to such designation. However, the provision for Data
Protection Officers and Data Protection Impact Assessments is provided in the GDPR.

Transfer of personal data outside India: Both PDP bill and GDPR leave the issue of
transfer of personal data outside their territory at the discretion of the sovereign. GDPR
however specifies the basis of such transfer which is an additional safeguard.

Exemption: PDP bill grants exemption to executive agencies of the GOI. GDPR grants
exemptions only when it is ‘necessary and proportionate’ and it must be supported by other
EU members. It lists down the circumstances in which legislative measures can be taken to
restrict the scope of the obligations and rights provided for in Articles 12 to 22 and Article
34, as well as Article 5.
