Technology is now a part of us. We can function neither in professional nor in
personal life without it. Even you are reading this paper through technology.
Technology is largely an advent of the 21st century, and with new developments
come new problems and crimes. We may rarely realize it, but every day, through
our interactions with technology, our personal information (data, in market
terms) is being collected. The data collected can be as personal as your
location or your entire travel history. These collected data are used by
companies for various purposes, and many times the data is even misused.
To prevent misuse and to regulate the use of data by anyone, be it domestic or
foreign companies or the government, rules have to be laid down. In Europe, the
regulation for data protection is the General Data Protection Regulation, which
has already come into effect. In India, the Personal Data Protection Bill has
been proposed to regulate the data collected in India or about Indian citizens.
In this paper, we will look at the areas each regulation covers and their key
features. Further, we will analyze the differences and similarities between the
two.
Introduction
The General Data Protection Regulation, or GDPR, is the legal framework that sets
guidelines for the collection and processing of personal information from
individuals who live in the European Union (EU)[1]. It came into effect in May
2018. The Personal Data Protection Bill, 2019 (PDPB) was introduced in India's
Lok Sabha by the Minister of Electronics and Information Technology on December
11, 2019. The Bill provides for the protection of the personal data of
individuals and establishes a Data Protection Authority for the same[2]. First,
let us look at the key features of each regulation.
Key Features Of GDPR
The General Data Protection Regulation is applicable to all 28 member states of
the European Union. It has replaced the Directive of the European Parliament
and of the Council of 1995. The Directive was enacted for the purpose of
protecting individuals with regard to the processing of personal data and the
free movement of such data. The GDPR has the same objective as the Directive;
however, the new regulation rectified the Directive's faults. The Directive was
unable to prevent legal uncertainty or sufficiently remove the risks to the
protection of the personal data of individuals.[3] Further, the discrepancies
in the levels of personal data protection and processing across the member
states hindered economic activity in the EU. To resolve these issues, the new
regulation was proposed and brought into effect.
The regulation is applicable to all entities that are established within the
EU and process the personal data of EU citizens. Further, online shops and
services that deliver services and goods to the territory of the EU, and other
entities that monitor the conduct of EU citizens, also fall within the ambit of
the regulation. According to the GDPR, "personal data" means any information
relating to an identified or identifiable individual person ("data subject");
an identifiable individual person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier, or to one or more
factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that individual person.[4]
The GDPR works on six core principles according to which personal data must be
processed:
- Legitimacy, fairness and transparency: the entity processing the data must
state the purpose, means and scope of processing in a simple and clear way.
- Limitation of purpose: the data must be used by the company only for the
purposes about which the individual whose data it is has been informed.
- Minimization of personal data: personal data should not be collected in a
scope greater than what is required.
- Accuracy: incorrect personal data should be erased or corrected.
- Limitation of storage period: personal data should not be stored for longer
than it is needed.
- Integrity and confidentiality: companies that have collected personal data
must ensure that the data is protected from any unauthorised or unlawful
processing, storage or usage.
The processing of personal data is lawful only if the data subject has consented
to it; the data is required for the performance of a contract to which the
subject is a party; the data is required for compliance with a legal obligation
of the controller; the data is required for the completion of particular tasks
carried out in the public interest or in the exercise of the controller's
functions; or the processing is required for other lawful purposes.
The GDPR provides for strict enforcement of its rules. Penalties for breaking
the rules vary from case to case and are judged on whether they are effective,
proportionate and dissuasive. The prescribed fines are tiered. The first tier
of administrative fines is up to 10,000,000 EUR or, in the case of an
undertaking, up to 2% of the total worldwide annual turnover of the preceding
financial year, whichever is higher, and applies to breaches of the obligations
of the controller and the processor. The second tier of administrative fines
is up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of total
turnover, whichever is higher, and applies to breaches of the basic GDPR
principles for processing, including the conditions for consent.
Other features of the GDPR include the data subject's right to ask for any data
the company holds about them in a readable format so that they can reuse it.
Further, the new rules promote techniques such as anonymization,
pseudonymization and encryption to protect personal data.[5]
Therefore, the regulation has helped overcome the faults of the past and has
added new provisions for the protection of data according to present-day needs.
In the next section, we discuss what provisions the bill proposed in the Indian
parliament offers for data protection and processing.
Key Features Of PDPB
The bill proposes to supersede Section 43-A of the Information Technology Act,
2000, deleting the provisions related to compensation payable by companies for
failure to protect personal data. The bill also prescribes the manner in which
personal data is to be collected, processed, used, disclosed, stored and
transferred[6]. It proposes to protect personal data as well as sensitive
personal data. The PDPB applies to the processing of personal data that has been
collected, disclosed, shared or processed within the territory of India.
Further, it applies to Indian companies, citizens, and any other person or body
created or incorporated under Indian law, as well as to organizations that are
not present in India but process personal data in connection with organizations
or individuals in India. It also governs foreign companies if they deal with the
personal data of individuals in India.[7] However, the bill will not apply to
the processing of anonymized data by the Central government for the better
delivery of services or the formulation of evidence-based policies.
The regulation lays down rules on the purpose, collection and storage limitation
of personal data. According to the PDPB, 'Personal Data' refers to data about or
relating to a natural person who is directly or indirectly identifiable, having
regard to any characteristic, or any such features together with any other
information, and includes any inference drawn from such data for the purpose of
profiling[8]. Further, it states that data fiduciaries must undertake certain
transparency and accountability measures, such as preparing a privacy policy,
taking the necessary steps to maintain transparency in the processing of
personal data, and implementing security safeguards.[9]
The bill states that data fiduciaries cannot process personal data without the
consent of the individual. However, there are exceptions to this rule, including
where the data is required by the state for providing benefits to the
individual, for legal proceedings, to respond to a medical emergency, or for
employment-related purposes. Further, data fiduciaries must undertake additional
accountability measures, such as conducting a data protection impact assessment
before any large-scale processing of sensitive personal data.
As a grievance redressal mechanism for cases where the restrictions in the bill
are not followed, the bill provides for the setting up of a Data Protection
Authority. The Authority will be comprised of members with expertise in fields
such as data protection and information technology. Any individual who is not
satisfied with the grievance redressal by the data fiduciary can file a
complaint with the Authority. Orders of the Authority can be appealed to an
Appellate Tribunal, and appeals from the tribunal go to the Supreme Court.[10]
The PDPB covers many areas of data protection and processing. It even lays down
the formation of an authority that will ensure the application of the
legislation and also act as an enforcement agency.
Comparative Analysis
In the two sections above, we have seen in depth the objectives of the
respective regulations. There are certain similarities and differences between
the two. Both focus on personal data; however, their scope and coverage differ.
Firstly, with respect to territorial scope, the PDPB's scope of application is
potentially broader than that of the GDPR, as an entity may fall within its
scope merely by processing personal data in India. However, the government has
the authority to exempt any such processing activity when required.
Secondly, with respect to subject matter, the PDPB grants the government broad
authority to compel the disclosure of information that does not constitute
personal data. Under the GDPR, the exemptions from the rules cover processing by
natural persons for purely personal or household reasons and processing by law
enforcement and national security agencies. Under the PDPB, however, the
exemptions for the prevention or detection of criminal activity are not limited
to law enforcement agencies and could apply to any organization engaged in such
processing.
Thirdly, the definition of personal data under the PDPB is broader than under
the GDPR. The GDPR, with regard to personal data, takes into account the
reasonable likelihood that an individual will be identifiable; this flexibility
does not appear in the PDPB. Under the PDPB, inferences are expressly within the
scope of the definition of personal data where they are derived from personal
data for profiling purposes. Under the GDPR, inferences may be personal data to
the extent that they relate to an identifiable individual.
Fourthly, even though the scope of sensitive personal data overlaps in the two,
the scope of the PDPB is wider. This can be seen in two points. First, the PDPB
includes 'financial data' within the scope of sensitive data. Second, it allows
the government to define additional categories of sensitive data, whereas the
list of categories under the GDPR is finite. However, the GDPR provides
additional rules for processing criminal conviction and offence data, while the
PDPB has no such provision.[11]
Conclusion
In conclusion, we have seen the territorial applicability, subject-matter
applicability, definitions and their scope, and the redressal mechanism of both
regulations. The scope of every data-related definition is wider in the PDPB
than in the GDPR. However, the open-ended exception given to the government is a
concern, one that was raised when the government launched the Aarogya Setu app
for tracking COVID-positive people and preventing further spread. Further, in
many places the government has been given the discretion to change the scope of
definitions or of applicability. This also creates concern, as the privacy of
citizens is at stake, especially where, with Aadhaar card details, even
biometrics and other sensitive personal data are under the control of the
government.
As for the GDPR, in many cases its scope is very rigid. Nonetheless, it is
functioning well, even though companies have definitely felt its impact, having
had to revise their privacy policies and obtain the consent of data subjects. A
recent example is the news that the EU barred Facebook, now Meta, from
processing the data of EU citizens after it was found to be grossly misusing
that data.
Overall, both regulations are essential to regulate the processing and
protection of data at a time when collected data is being misused and used for
manipulation of various forms. In India, this bill should come into effect as
soon as possible, because the personal information of citizens is at stake.
End-Notes:
- [1] General Data Protection Regulation (GDPR) Definition (investopedia.com)
- [2] The Personal Data Protection Bill, 2019 (prsindia.org)
- [3] GDPR: What Do You Need To Know - AGP & Co, A.G. Paphitis & Co: Cyprus
Lawyers, Cyprus Law Firm (agplaw.com)
- [4] Art. 4(1), General Data Protection Regulation, 2018.
- [5] Check out 10 key features of GDPR (Geospatial World)
- [6] Key Features Of The Personal Data Protection Bill, 2019 - Privacy - India
(mondaq.com)
- [7] The Personal Data Protection Bill, 2019: All you need to know
(prsindia.org)
- [8] Section 3(36), Personal Data Protection Bill, 2019.
- [9] Supra note 6.
- [10] Supra note 7.
- [11] india_pdpb2019_vs_gdpr_iapp_chart.pdf