EU’s General Data Protection Regulation
No Comments
EU’s General Data Protection Regulation
Subject – Governance
Context – The JCP recommendations on the Personal Data Protection Bill are in some aspects very similar to global standards such as European Union’s General Data Protection Regulation
Concept –
The similarities between EU’s General Data Protection Regulation and JCP recommendations on Data Protection Bill:
| Parameter | EU | India |
| Consent | Users must have informed consent about the way their data is processed so that they can opt in or out. | Processing of data should be done in a fair and transparent manner, while also ensuring privacy. |
| Breach | Supervisory authority must be notified of a breach within 72 hours of the leak so that users can take steps to protect information. | Data Protection Authority must be informed within 72 hours; DPA will decide whether users need to be informed and steps to be taken. |
| Transition period | Two-year transition period for provisions of GDPR to be put in place. | 24 months overall; 9 months for registration of data fiduciaries, 6 months for DPA to start. |
| Data fiduciary | Data fiduciary is any natural or legal person, public authority, agency or body that determines purpose and means of data processing. | Similar suggestions; additionally, NGOs which also process data to be included as fiduciaries. |
Difference between EU’s regulation and JCP recommendations:
| Parameter | EU | India |
| Anonymous information | Principles of data protection do not apply to anonymous information since it is impossible to tell one from another. | Non-personal data must come under the ambit of data protection law such as non-personal data. |
| Punishment | No jail terms. Fines up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year. | Jail term of up to 3 years, fine of Rs 2 lakh or both if de-identified data is re-identified by any person. |