The significance of data protection in the current digital, or information, age
cannot be ignored. A strong data protection system becomes all the more
necessary as technology develops and global communication rises. Nations around
the world have gradually come to understand this and have tried to enact rules
and regulations to protect personal data. Any information relating to an
identified living individual is referred to as personal data.
India, a country with a large population and a continuously expanding economy,
has realised the significance of personal data protection in the evolving
digital era. The Personal Data Protection Bill, also referred to as the PDPB,
was passed in the legislature in the year 2019 and is at present being reviewed
by the Indian Parliament. The bill intends to establish the rights and duties of
data fiduciaries and data subjects and to create a thorough framework for the
protection of personal data. If the PDPB is effectively implemented, India would
be one step closer to bringing its data protection practice in line with
international standards.
On the other hand, the General Data Protection Regulation, also referred to as
the GDPR, which was implemented in May 2018, has put the European Union at the
forefront of data protection. The GDPR is a huge step in data privacy law and
has served as a model for many other nations seeking to pass such legislation.
The primary and foremost goal of the GDPR is to unify personal data protection
regulation across EU member states and to give citizens more power and control
over the protection of their personal data. The GDPR incorporated important
concepts including free consent requirements, purpose restrictions and data
deduction.
One striking similarity between data protection in India and in the EU is the
emphasis on data subjects' rights. Both laws, the GDPR and the PDPB, recognise
the fundamental rights of individuals in relation to their personal data. The
rights of access, rectification, assurance and erasure are among these rights.
Both frameworks strive to empower people and enhance their privacy by giving
them more control and authority over their data.
However, there are also some notable distinctions between the two pieces of
legislation, the GDPR and the PDPB. The extent and geographic application of
these regulations is one such dimension: the GDPR has extraterritorial legal
application.
In conclusion, data privacy is a crucial issue in the digital age, and both
India and the EU acknowledge this. The PDPB in India shows the country's
commitment to harmonising its data protection practices with international
norms and criteria, even though the legislation is still being drafted. The
EU's exemplary legislation, the GDPR, which prioritises individuals' rights and
cross-border data flow, has set a standard for developing data protection law
throughout the world. As the digital landscape continues to change, it is
crucial for nations to build strong data protection frameworks in order to
preserve personal data in the digital age and foster trust in the digital
ecosystem.
Significance of Data Protection:
Every fact or piece of information that can be gathered, saved or processed is
referred to as data. Data has grown more significant and prevalent in our lives
as we move into the digital era. In addition to non-personal information like
statistics, research findings and company records, it can also take the form of
personal information like names, addresses and financial information.
A number of procedures, policies and safeguards are put in place in order to
secure personal information against unauthorised access, use, disclosure,
destruction or alteration. Names, addresses and social security numbers,
financial information, and online identifiers are examples of personal data.
Personal data also includes any information that can be used to locate an
individual. The significance of data protection in today's digital age cannot be
overstated, as it plays a crucial role in maintaining privacy, fostering trust,
and ensuring the security of individuals and organizations alike.
The fact that it protects people's privacy is one of the main reasons data
protection is important. People require reassurance that their information is
being handled correctly at a time when enormous volumes of personal data are
collected, processed and shared. Data protection procedures guarantee that
personal information is only gathered for specified reasons and that individuals
have a choice over how their information is used. Individuals are shielded from
potential abuse or exploitation and given the power to make well-informed
decisions about sharing their personal information.
Additionally, data protection promotes trust among people, companies, and
organisations. People are more willing to engage in online transactions,
disclose their information, and connect with digital services when they are
certain that their personal data is being managed carefully and in compliance
with recognised privacy rules. The development of digital economies depends on
trust since it fosters innovation, stimulates customer participation, and makes
information transmission easy. Without sufficient data privacy measures, people
would be reluctant to interact with online platforms or reveal their data, which
could damage confidence and impede the expansion of digital services.
For organisations and corporations, data protection is also important. Data
breaches can cause major financial losses, reputational harm, and legal
repercussions. Effective data protection procedures lower the probability of
these events. Sensitive consumer data disclosure, intellectual property theft,
and interruption of corporate operations are all possible outcomes of data
breaches. Organisations may reduce these risks and show their dedication to
protecting the security and privacy of consumer data by establishing effective
data protection procedures. As a result, their reputation is improved, their
client base is strengthened, and they are shielded from potential legal
liabilities.
Data protection is also very important for adhering to legal and regulatory
obligations. To defend people's rights and encourage appropriate data
management practices, many nations have passed data protection laws and
regulations. These regulations carry stiff penalties and legal repercussions for
organisations that don't follow them. Businesses can ensure legal compliance,
uphold ethical standards, and shield themselves from risks and liabilities by
putting data protection safeguards in place.
Furthermore, maintaining national security and countering new threats depend on
data protection. Large amounts of data are gathered and processed by governments
and other public organisations for a variety of uses, such as law enforcement,
intelligence gathering, and public administration. To prevent unauthorised
access, alteration, or theft of sensitive government data, effective data
protection procedures are required. Governments can preserve public confidence,
safeguard national interests, and guarantee the security of vital systems and
infrastructure by protecting personal data.
In the digital age, data protection is crucial. It protects against data
breaches, promotes trust between people and organisations, assures legal
compliance, and supports national security. People, companies, and governments
must prioritise data protection and put effective safeguards in place to protect
personal information as the volume and complexity of personal data continue to
rise. By doing this, we can establish a safe and reliable online environment
that fosters creativity, economic development, and personal freedom.
Data Protection Legal Framework
Data Protection Legislation In India:
Information Technology Act, 2000 and SPDI Rules, 2011
The Information Technology Act of 2000[1], commonly referred to as the IT Act,
contains the legal principles concerning data protection. These principles cover
various aspects such as the gathering, safeguarding, revealing, and transmission
of electronic data. The IT Act also establishes penalties, including
imprisonment and fines, for offenses like unauthorized downloading, data
destruction, manipulation, or deletion, introducing viruses into computer
systems, illicitly accessing computer systems, data theft, identity theft,
impersonation-based fraud, cyber terrorism, breaching confidentiality, violating
privacy, and disclosing information in contravention of lawful contracts, among
others.[2]
Regarding personal data, the Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal Data or Information) Rules of
2011, known as the SPDI Rules, require that a corporate entity, which manages,
handles, stores, or processes sensitive personal information or data on a
computer resource under its ownership, control, or operation, must follow
specific procedures and take certain measures.[3] The SPDI Rules outline several
important requirements for compliance, including:
- Acquiring written consent from the data provider before collecting their information, while giving them the option to refuse to provide the requested information and the ability to withdraw their consent at a later time.
- Taking reasonable measures to ensure that the data provider is aware of the information collection, its purpose, the intended recipients, and the agency responsible for collecting and retaining the information.
- Not storing personal information for longer than necessary to fulfil its intended purpose or as required by applicable laws.
- Establishing and communicating a privacy policy for handling and processing personal information.
- Prohibiting the disclosure of personal information to third parties without prior permission, except when mandated by law or contractually agreed upon with the data provider.
- Appointing a grievance officer to address discrepancies and complaints.
- Implementing and maintaining reasonable security practices and procedures. The international standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" is considered a reasonable security practice, subject to certification by independent auditors.
- Transferring data to another party only where that party guarantees the same level of data protection as outlined in the SPDI Rules, and only where the transfer is necessary to fulfil a lawful contract with the data provider or is made with their consent.
Besides the IT Act and the SPDI Rules, there are several other laws in India
that can come into effect depending on the entity collecting the data and the
type of data being collected. For example, the collection of financial
information, such as credit card or payment instrument details, is primarily
regulated by the Credit Information Companies (Regulation) Act of 2005, along
with the relevant regulations and circulars issued by the Reserve Bank of India.
In the telecom sector, data protection norms can be found in the Unified License
Agreement issued to Telecom Service Providers by the Department of
Telecommunications.[4]
Additionally, regulations like the Telecom Commercial Communications Customer
Preference Regulations of 2010 have been formulated to address unsolicited
commercial communications. For personal information collected under the Aadhaar
(Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act
of 2016, data protection norms can be found in the Aadhaar (Data Security)
Regulations of 2016. These regulations impose obligations on the Unique
Identification Authority of India (UIDAI) to establish a security policy
outlining technical and organizational measures for maintaining the security of
the information.
Personal Data Protection Bill
- Personal Data Protection Bill, 2018
The Personal Data Protection Bill, 2018 was the first draft of the legislation, produced by the Justice Shrikrishna Committee, which had been charged by the Ministry of Electronics and Information Technology (MeitY) with drafting data protection legislation for India. This draft was adopted by the government and presented to the Lok Sabha; it was returned for revision for the following reasons:
- The component of the new rule that caused the most public outrage may be the one concerning data localisation. According to the regulation, data fiduciaries must store "at least one serving copy" of consumer data on a server or data centre in India. Such a rule can only be justified by its making it easier for law enforcement to obtain this information.
- This leads to the second concern with the bill: it authorises the processing of personal data in the interest of state security if authorised and in compliance with legal procedure. Additionally, it permitted the processing of personal data for the purpose of criminal investigation, detection, and prosecution. The state's access to all personal data poses a severe threat to the right to privacy in India because of the country's weak laws barring state surveillance.
- The draft law also failed to create a regulatory framework that was sufficiently independent from the central government, leaving it open to capture by business interests. The proposed legislation gave the central government the power to choose the members of the data protection body, according to a proposal from an independent panel. Five years was a very short time for a new institution to get up to speed and gain the independence necessary to be an effective regulator, yet that was the maximum term of an appointment.
- Personal Data Protection Bill, 2019
After its introduction, the Personal Data Protection Bill of 2019 was eventually withdrawn, with the assurance of a substitute policy that would uphold India's intricate legal structure and consider the 81 additional recommendations proposed by the Joint Parliament Committee.
- Personal Data Protection Bill, 2021
The Joint Parliament Committee formulated the Data Protection Bill of 2021, a comprehensive legislation that would encompass both personal and non-personal datasets. However, there were disagreements regarding the committee's recommendation to move towards complete localization of data. The proposed bill also included the establishment of a data protection authority. It further suggested the explicit specification of the flow and utilization of personal data, as well as the protection of individuals' rights whose personal data is being processed. The bill aimed to develop a framework for cross-border data transfers, establish accountability for entities processing data, and provide remedies for unauthorized and harmful data processing.
- Digital Personal Data Protection Bill, 2022
The Digital Personal Data Protection Bill (DPDP Bill, 2022) now encompasses all
forms of digital processing of private data, including both online and offline
collection of personally identifiable information in a digital format. The
implementation of this measure will have implications for the legal protections
offered to clients of Indian start-ups operating internationally, potentially
diminishing their competitiveness. Additionally, the bill includes exemptions
for data fiduciaries in India processing personal data of Indian individuals,
which reduces the number of safeguards applicable to them.[5] It is expected
that this draft bill will be presented for approval in the upcoming
parliamentary session in 2023.
Data Protection Legislation In EU:
The General Data Protection Regulation (GDPR) is a comprehensive data protection
framework that was implemented by the European Union (EU) on May 25, 2018. It
represents a significant milestone in data protection regulation and has a
far-reaching impact on organizations worldwide that process personal data of EU
residents.
The GDPR aims to harmonize data protection laws across EU member states and
enhance the protection of individuals' personal data. It is designed to address
the challenges posed by rapid technological advancements, increased
globalization, and the growing digital economy. By establishing a single set of
rules applicable throughout the EU, the GDPR provides consistency and a high
level of data protection for individuals. The GDPR has an expanded scope
compared to its predecessor, the Data Protection Directive. It applies to both
data controllers (organizations that determine the purposes and means of data
processing) and data processors (entities that process data on behalf of data
controllers) operating within the EU, regardless of their location. It also
applies to organizations outside the EU if they offer goods or services to EU
residents or monitor their behavior.
One of the key features of the GDPR is its extraterritorial reach. This means
that organizations outside the EU must comply with its provisions if they
process the personal data of EU residents in connection with offering goods or
services or monitoring their behavior. This has significant implications for
global businesses and requires them to understand and adhere to the GDPR's
requirements to avoid penalties and ensure data protection compliance.
The GDPR grants individuals several rights to exercise control over their
personal data.
These include the right to access their data, rectify inaccuracies, erase their
data under certain circumstances (the "right to be forgotten"), restrict
processing, data portability, object to processing, and not be subject to
automated decision-making. These rights empower individuals and give them
greater control and transparency regarding their personal information.
To process personal data lawfully, organizations must have a lawful basis under
the GDPR. It provides six lawful bases, including consent, contract performance,
compliance with legal obligations, protection of vital interests, performance of
a task carried out in the public interest, and legitimate interests pursued by
the data controller or a third party. Consent requirements under the GDPR are
more stringent, requiring organizations to obtain freely given, specific,
informed, and unambiguous consent from individuals through a clear affirmative
action.
The GDPR introduces the concept of Data Protection Impact Assessments (DPIAs),
which help organizations assess and mitigate privacy risks associated with
high-risk data processing activities. Organizations may also be required to
appoint a Data Protection Officer (DPO) to oversee data protection practices,
act as a point of contact for individuals and supervisory authorities, and
ensure compliance with the GDPR.
The GDPR places a strong emphasis on data breach notification. Organizations
must notify supervisory authorities of personal data breaches within 72 hours of
becoming aware of them, unless the breach is unlikely to result in a risk to
individuals' rights and freedoms. Data subjects must also be informed if the
breach is likely to result in a high risk to their rights and freedoms.
Non-compliance with the GDPR can result in significant penalties. The regulation
introduced higher fines for violations, with penalties of up to €20 million or
4% of global annual turnover, whichever is higher. Supervisory authorities have
the power to investigate, issue warnings, reprimands, and administrative fines,
and in certain cases, suspend data processing activities.
The GDPR has had a profound impact on organizations worldwide. It has driven
organizations to enhance their data protection practices, improve privacy
standards, and ensure responsible and ethical handling of personal data. The
regulation has also increased transparency, accountability, and individuals'
rights regarding their personal information. While the GDPR provides a common
framework for data protection and ensures the harmonization of data protection
practices, individual EU member states may have additional or more specific
requirements with which organizations need to comply.
Comparative Analysis Of EU GDPR And PDPB:
Personal Data Protection Bill is highly influenced by EU General Data Protection
Regulation. As a result, a major chunk of PDPB is similar to the provisions of
GDPR. However, some provisions diverge from each other in both the data privacy
legislations.
- Legislation and Implementation:
- GDPR: The GDPR is a comprehensive regulation that was implemented on May 25, 2018. It is directly applicable in all EU member states without the need for additional national legislation.
- PDPB: The PDPB is a bill that was introduced in India in 2019 and is currently under review by the Indian Parliament. It is yet to be enacted as law.
- Objectives:
- GDPR: The primary objective of the GDPR is to strengthen data protection for individuals within the EU. It aims to harmonize data protection laws across EU member states, enhance individuals' control over their personal data, and establish a framework for the responsible and transparent use of data by organizations.
- PDPB: The PDPB seeks to establish a framework for the protection of personal data in India and align the country's data protection practices with global standards. Its goals include protecting the privacy rights of individuals, ensuring the responsible processing of personal data, and defining the roles and responsibilities of data fiduciaries and data subjects.
- Scope and Territorial Application:
- GDPR: The GDPR has extraterritorial applicability, meaning it applies to organizations outside the EU that process personal data of EU residents if their activities involve offering goods or services to individuals in the EU or monitoring their behavior.
- PDPB: The PDPB's territorial application is not explicitly specified in the bill itself. However, it is expected to primarily focus on the protection of personal data within India.
- Key Principles:
- GDPR: The GDPR is built on several key principles, including lawfulness, fairness, and transparency of data processing; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability; and the requirement of obtaining valid consent for data processing activities.
- PDPB: While the PDPB does not explicitly outline its key principles, it is expected to include similar principles of fairness, transparency, purpose limitation, and accountability.
- Rights of Data Subjects:
- GDPR: The GDPR grants individuals several rights regarding their personal data, including the right to access their data, rectify inaccuracies, erasure (commonly known as the "right to be forgotten"), restrict processing, data portability, object to processing, and not be subject to automated decision-making.
- PDPB: The PDPB recognizes the rights of data subjects, including the right to access their data, correct inaccuracies, ensure the accuracy of data, and the right to be forgotten.
- Data Localization and Cross-Border Data Transfer:
- GDPR: The GDPR allows the transfer of personal data to countries outside the EU if adequate safeguards, such as the use of standard contractual clauses or binding corporate rules, are in place to protect the data.
- PDPB: The PDPB has not explicitly addressed data localization requirements or cross-border data transfer provisions as of yet. It remains to be seen how the final legislation will approach these aspects.
- Enforcement and Penalties:
- GDPR: The GDPR empowers supervisory authorities in each EU member state to enforce compliance and impose fines and penalties for non-compliance. The maximum fines can reach up to 4% of the organization's annual global turnover or €20 million, whichever is higher.
- PDPB: The enforcement mechanisms and penalties specified in the PDPB are not explicitly mentioned. However, it is expected to include provisions for enforcement and penalties for non-compliance.
Conclusion
In conclusion, both India and the European Union (EU) acknowledge the importance
of data protection in the digital era and have made efforts to establish
comprehensive frameworks for safeguarding personal data. The EU's General Data
Protection Regulation (GDPR) has set a global standard by harmonizing data
protection laws, granting individuals greater control over their data, and
enforcing strict principles for data processing. India's Personal Data
Protection Bill (PDPB), although still in the legislative process, aims to align
the country's data protection practices with global standards and define the
rights and responsibilities of data fiduciaries and subjects.
While there are similarities between the GDPR and the PDPB in terms of
emphasizing data subjects' rights and recognizing fundamental rights, there are
differences in scope, territorial application, and specific provisions. The
GDPR's extraterritorial jurisdiction and robust enforcement mechanisms have
raised the bar for data protection globally, whereas the PDPB's approach is yet
to be fully determined.
To establish themselves as responsible digital nations, both India and the EU
must continue developing robust data protection frameworks that foster trust in
the digital ecosystem. India can benefit from observing the GDPR's
implementation in the EU, learning from its experiences and best practices. By
formulating an effective and context-specific data protection framework, India
can build trust among its citizens and international partners and position
itself as a responsible participant in the digital world.
Suggestions:
- Harmonization with GDPR Principles: Consider aligning India's data protection laws, such as the Personal Data Protection Bill (PDPB), with the key principles of the GDPR. Assess how the GDPR's principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, accountability, and consent requirements, can be incorporated into the Indian data protection framework.
- Robust Enforcement Mechanisms: Study the enforcement mechanisms of the GDPR, such as the role of supervisory authorities, their investigative powers, and the imposition of fines and penalties. Identify best practices for effective enforcement and consider implementing similar mechanisms in India to ensure compliance and deter data breaches.
- Rights of Data Subjects: Analyze the data subject rights enshrined in the GDPR, such as the right to access, rectify, erase, restrict processing, data portability, object to processing, and not be subject to automated decision-making. Evaluate the inclusion of these rights in the Indian data protection framework and explore opportunities to enhance the rights of Indian data subjects.
- Cross-Border Data Transfers: Examine the GDPR's provisions on cross-border data transfers and explore potential mechanisms for facilitating secure and lawful data transfers between India and the EU, as well as other jurisdictions. Assess the adequacy of India's data protection framework for achieving data transfer agreements with the EU and consider adopting mechanisms such as standard contractual clauses or binding corporate rules.
- Data Localization and International Standards: Analyze the debate surrounding data localization requirements in the Indian context and assess their effectiveness in protecting personal data. Consider the experiences of the GDPR and other international standards to strike a balance between data protection and cross-border data flows, taking into account the unique needs of India's digital economy.
- Privacy Impact Assessments (PIAs): Study the GDPR's requirement for conducting PIAs and consider incorporating similar provisions in the Indian data protection framework. Evaluate the benefits of PIAs in identifying and mitigating privacy risks associated with data processing activities and promoting accountability among data controllers and processors.
- Public Awareness and Education: Emphasize the importance of public awareness and education campaigns to inform individuals about their rights and responsibilities regarding data protection. Take inspiration from the GDPR's emphasis on transparency and awareness-raising initiatives, and develop similar programs to empower Indian citizens in understanding and exercising their data protection rights.
- International Cooperation and Collaboration: Foster collaboration between Indian data protection authorities and their EU counterparts to exchange knowledge, experiences, and best practices. Engage in international forums and initiatives on data protection to stay updated with global developments and actively contribute to shaping international data protection standards.
By considering these suggestions, India can strengthen its data protection
practices and learn from the experiences and best practices of the EU. This
approach will help India in establishing a robust data protection framework that
safeguards personal data, promotes trust in the digital ecosystem, and aligns
with international standards.
End Notes:
- [1] The Information Technology Act, 2000 (21 of 2000).
- [2] Akshaya S, "An Analysis of Data Protection Laws in India" (2019). Available at: https://ssrn.com/abstract=3616637
- [3] S.S. Rana & Co. Advocates, "Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data or Information) Rules, 2011" (2017). Available at: "Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011 - Data Protection - India (mondaq.com)"
- [4] Bandita Das, Jayanta Boruah, "Right to Privacy and Data Protection under Indian Legal Regime", DME Journal of Law, vol. 2 (2020). Available at: https://ssrn.com/abstract=3827766
- [5] The Personal Data Protection Bill, 2022, Press Information Bureau. Available at: "Press Information Bureau (pib.gov.in)"
- [6] Christopher Kuner, "The Path to Recognition of Data Protection in India: The Role of GDPR and International Standards", National Law Review of India, vol. 33, no. 1.