Quick points of key difference between the PDPB, 2018 and the PDPB, 2019
1. The Central Government has reserved the power to exempt any agency of Government from application of the Act.
2. Certain provisions not be applied to the Government if personal data is processed in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of any law.
3. The blanket prohibition on transfer or processing of data has been done away with. Instead nuanced concepts of Sensitive personal data and Critical personal data have been introduced.
4.Sensitive personal data may be transferred outside India, subject to the certain conditions but such shall continue to be stored in India.
5.Critical personal data (as defined by the Government) shall only be processed in India.
6. Sensitive personal data may only be transferred outside India for the purpose of processing, when explicit consent is given by the data principal for such transfer, and where
(a) the transfer is made pursuant to a contract or intra-group scheme approved by the Authority [GDPR equivalent of BCRs, supposedly] or
(b) the Central Government, after consultation with the Authority, has allowed the transfer to a country or, such entity or class of entity in a country or, an international organisation [ GDPR equivalent of “Adequacy decision”, supposedly] or
(c) the Authority has allowed transfer of any sensitive personal data or class of sensitive personal data necessary for any specific purpose.
7. Critical personal data may be transferred outside India only in the following two cases:
(a) to a person or entity engaged in the provision of health services or emergency services where such transfer is necessary for prompt action under the Act; or
(b) Adequate Nation, where such transfer in the opinion of the Central Government does not prejudicially affect the security and strategic interest of the State