General Data Protection Regulation of the European Union and The Indian Scenario

On 15 December 1890, two American lawyers posted an article on the topic “Right to Privacy” in the Harvard law review[1]. They provided a new horizon to the field of personal laws by bringing the Right to be left alone, into the spotlight, which was earlier mentioned by Judge Cooley in his book on Torts.  

In 1948 the Universal Declaration of Human Rights (UDHR)[2] came into existence, which included the Right to Privacy as a fundamental right. Article 12 of the UDHR restricts arbitrary interference into the privacy of an individual, family, and correspondence.

 The European Convention on Human Rights came into force on 3 September 1953, which also included the Right to Privacy under Article 8.

The Freedom of Information Act (FOIA) came into force on 4 July 1967 in the United States of America. This Act allows the general public to access any federal agency and information records subject to certain exemptions.

Later the Organisation for Economic Co-operation and Development (OECD), an organization that has been developing laws for the protection of privacy, issued guidelines on data protection in 1980.

The European Union (EU)was always has been a flagbearer in taking steps regarding data protection. In 1981 the Council of Europe adopted Convention for the Protection of Individuals concerning Automatic Processing of Personal Data, which dealt with securing the Right to privacy of every individual concerning the automatic processing of personal data irrespective of his nationality or residence. In 2016 the EU finally approved the General Data Protection Regulation (GDPR)[3], which came into effect on 25 July 2018.

Objectives of GDPR

Article 1 of the GDPR, enumerates its objectives. 

  1.  To protect the fundamental rights (Right to protection of personal data) and freedom of the people.
  2. To secure the free movement of data. 
  3. To lay down rules regarding the protection of personal data of natural persons and free movement of data.

Rights of the Data Subject

As stated in the objectives, the GDPR provides certain rights to the data subjects. While processing the data of any data subject, the data processor has to take care of these rights. The data processor cannot deny these rights of the data subjects. The rights of data subjects are listed below:

Right of Access

Article 15 of the GDPR defines the right of access. The right of access allows a data subject to verify whether his or her data is being processed by the data controller. The data subject can access the following information from the data controller :

  1. Purpose of processing the data
  2. Type of personal data
  3. Recipients of the personal data
  4. Period of storing the data (if possible)

Right to Rectification

Article 16 of the GDPR designates the right to rectify to the data subject. The data subject has a right to rectify inaccurate personal data available with the data controller. The data controller has to rectify such data without any undue delay. 

Right to be Forgotten

This Right is also known as the right of erasure. Article 17 of the GDPR specifies the right to be forgotten. A data controller must erase the personal data of any data subject on his/her request. The data subject can request for the data erasure on the following grounds: 

  1. If personal data is no longer correlated to the purpose
  2. If the data subject removes the consent
  3. If there is any unlawful processing of the personal data
  4. If there is legal compliance for erasing the personal data

Right to Restriction on Processing

Article 18 of GDPR defines the right to restriction on processing. The data subject also has a right to request the data controller to restrict data processing in the following conditions: 

  1. If the data subject challenges the accuracy of the data, the data controller has to restrict the data processing for a period needed to verify the claim of the data subject.
  2. If data processing is unlawful, and the data subject wants to restrict data processing rather than data erasure.
  3. If the data controller no longer needs the data, but the data subject wants it stored for legal claims.

Right to Data Portability

Article 20 of GDPR grants the right of data portability to the data subject.

The data subject can request the data controller to transfer his/her data to another controller. The controller will have an obligation to transfer such data to another controller without any hindrance.

Right to Object

Under Article 21 of the GDPR, the data subject has a right to object the processing of data on grounds based on his/her situation. When such objection is raised by the data subject, the data controller is required to stop processing the data. The controller can resume the processing if he demonstrates valid grounds overriding the interests of the data subject.

Data Protection officer

According to Article 37 of the GDPR, the controller and processor will have to designate a data protection officer (DPO) in the following conditions:

  1. If any public authority or body is processing the data except courts acting in their judicial capacity
  2. If the nature of the data processed is such that, it requires everyday monitoring
  3. If the controller and processor are dealing with large scale and complicated data

The controller and processor will have to designate a separate DPO if they are processing data of public authority depending upon the size and complexity of the data. But they can appoint a single DPO for many enterprises.

Duties of the DPO

According to Article 39 of GDPR, DPO will have the following duties:

  1. DPO should acquaint the data processor and controller about their obligations listed under GDPR
  2. DPO should monitor the compliance with GDPR and other laws regarding personal data
  3. To guide the data controller and processor regarding the data protection impact assessment (DPIA) and to monitor compliance with DPIA (Article 35)
  4. To coordinate with the supervisory authority 

Remedies and Penalties

The data subject can at any time lodge a complaint with the supervisory authority in case of any alleged infringement in the data processing. The relevant supervisory authority also has a responsibility to inform the complainant about the status of the complaint.

The data subject can also challenge the decision of the supervisory authority in front of a judicial authority (Judicial remedy). 

To ensure the representation of data subjects, the data subjects have a right to establish a non- profit body, organization, or association. The objective of such a body should be to protect the rights and freedom of people related to personal data.

The data subject can also claim compensation against any damage done to him/her due to the actions of the data controller and processors. (Article 82)

The member states are free to impose penalties on infringement of these regulations. General administrative fines up to 10 million EUR or 2% of total turnover, in case of undertakings, whichever is higher, can be imposed.

Data Protection in India

Privacy judgment[4]

On 26 September 2018, a nine-judge constitutional bench of the Supreme Court delivered a landmark judgment recognizing the Right to privacy as a fundamental right under Article 21 of the Indian Constitution. A retired High Court Judge Puttaswamy challenged the AADHAR scheme of Government of India. The petitioner contended that the AADHAR scheme violates the Right to privacy of the citizens, guaranteed by the right to life with dignity under Article 21 of the Constitution.

Justice B.N. Srikrishna committee report on Data Protection[5]

A report titled ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’ was submitted by the committee headed by retired Justice B.N. Srikrishna. It not only described the importance of free and fair digital economy but also gave various recommendations regarding the policies and rights of data processing and usage. 

The report suggests that the processing and usage of personal data should be allowed only for lawful purposes. The report recommends the usage of personal data by the Government for a purpose that is necessary for parliament and the state legislature. The report also advocates the exemption for the government to process the personal data for the prevention of offence and contravention of the law.

The committee also recommends granting the right to be forgotten to the data subjects as provided under GDPR. Based on the recommendations of the committee, the legislature has drafted a Personal data protection bill to effectively provide the citizens fundamental right to privacy and protection of their data.

The Personal Data Protection Bill, 2019 (PDPB)[6]

The Information technology Act governs the processing and usage of personal data in India. But it is limited to governing the companies. IT act does not cover the actions of the government.

A new special law has been drafted by the Indian legislature to govern the usage and processing of personal data. The bill was referred to the Joint Parliamentary Committee (JPC), the report was expected till the budget session of 2020. But the JPC has now sought an extension till the second week of the monsoon session of Parliament. 

PDPB provides for an establishment of the Data protection authority of India (DPA). The DPA will be responsible for protecting the interests of the data subject and will promote awareness of data protection. DPA will also ensure compliance with the provisions provided under the bill.


[1]The Right to Privacy Samuel D. Warren; Louis D. Brandeis Harvard Law Review, Vol. 4, No. 5. (Dec. 15, 1890), pp. 193-220 – https://www.cs.cornell.edu/~shmat/courses/cs5436/warren-brandeis.pdf

[2]Universal Declaration of Human Rights (UDHR)- https://www.un.org/en/udhrbook/pdf/udhr_booklet_en_web.pdf

[3] General Data Protection Regulation – https://gdpr-info.eu/

[4] Justice Puttaswamy (Retd.) and Anr. v Union of India and Ors.-(2017) 10 SCC 1 

[5] ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’- https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf

[6] THE PERSONAL DATA PROTECTION BILL, 2018 – https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf


Shivam Kene from ILS Law College, Pune

Shivam’s short term goal is to work to work at a reputed Company/Firm and his long term goal is to become a more knowledgeable and responsible person.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: