Explained: How India’s data protection Bill compares with EU regulation

* Consent

EU: Users must have informed consent about the way their data is processed so that they can opt in or out.

India: Processing of data should be done in a fair and transparent manner, while also ensuring privacy

* Breach

EU: Supervisory authority must be notified of a breach within 72 hours of the leak so that users can take steps to protect information

India: Data Protection Authority must be informed within 72 hours; DPA will decide whether users need to be informed and steps to be taken

* Transition period

EU: Two-year transition period for provisions of GDPR to be put in place

India: 24 months overall; 9 months for registration of data fiduciaries, 6 months for DPA to start

* Data fiduciary

EU: Data fiduciary is any natural or legal person, public authority, agency or body that determines purpose and means of data processing

India: Similar suggestions; additionally, NGOs which also process data to be included as fiduciaries

Difference between EU’s regulation and JCP recommendations:

* Anonymous information

EU: Principles of data protection do not apply to anonymous information since it is impossible to tell one from another

India: Non-personal data must come under the ambit of data protection law such as non-personal data

* Punishment

EU: No jail terms. Fines up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year

India: Jail term of up to 3 years, fine of Rs 2 lakh or both if de-identified data is re-identified by any person.

Newsletter | Click to get the day’s best explainers in your inbox