India’s first comprehensive legislation for the protection of personal data, the Digital Personal Data Protection Act 2023 (“DPDP Act”), came into force on 11th August 2023. The implementing rules, which are crucial for the Act’s enforcement, are however yet to be published. At this stage the DPDP Act does not clearly set out which actions companies should take now and which should be taken once the rules have been issued, and a great deal has been left to delegated legislation. In the interim, organizations that handle personal data and fall within the purview of this Act are therefore taking a range of approaches to use this grace period to prepare for and adapt to the upcoming regulatory landscape. A silver lining for Indian companies that have already embraced compliance with the gold standard of the European Union’s General Data Protection Regulation (GDPR) is that they can navigate this transition more smoothly by recognizing and addressing the key disparities between the two legislations and taking incremental measures.

This article outlines a comparative analysis of the salient features of the DPDP Act and the GDPR.

Scope & Applicability: While GDPR applies to both digital and analog personal data, including offline data that is part of a structured filing system, the DPDP Act exclusively covers digital personal data or personal data that is subsequently digitized. This means that non-digital data such as paper records falls outside the scope of the DPDP Act.

GDPR is jurisdiction agnostic and applies offshore to all organizations involved in processing the personal data of EU residents, whether offering goods and services or employing people in the EU, even if the entity is based outside the EU. The DPDP Act extends to the processing of digital personal data within India. Like GDPR, it also has extraterritorial applicability to offshore organizations offering goods or services to individuals in India. However, whether an entity that monitors or profiles data subjects from outside India without actually offering goods and services will be caught within the purview of the DPDP Act remains an open question.

Lawful Basis of Processing: Consent, performance of a contract, vital and legitimate interests, public interest and the exercise of official authority are some of the lawful bases under GDPR for processing personal data. The DPDP Act, by contrast, primarily envisages two lawful bases: “Consent” and “Legitimate Use”. The latter is a collection of other broadly classified bases, including but not limited to employment purposes, data voluntarily provided for a specified purpose, and processing necessary for the performance of functions by the State or its instrumentalities.

Consent: Under GDPR, when consent is the lawful basis for processing, it shall be freely given, specific, informed and unambiguous. Akin to GDPR, under the DPDP Act consent shall be freely given, specific, informed, unconditional and unambiguous, and expressed in clear and plain language, in English as well as in all the official languages prescribed in the VIIth Schedule of the Indian Constitution. Under both legislations, consent shall be capable of being withdrawn with the same ease with which it was given.

Categorization of Personal Data: Under GDPR, personal data is further categorized into special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, sexual orientation) and personal data relating to criminal convictions and offences. Notably, the pre-conditions, grounds and mechanism for processing each category are different. In contrast, the DPDP Act does not carve out any such distinction: all data capable of identifying an individual is considered personal data, and organizations can adopt a one-size-fits-all approach.

Children’s Personal Data: The DPDP Act expressly prohibits behavioral monitoring or targeted advertising aimed at children and places a strong emphasis on safeguarding the privacy of minors. This does not find an express mention under GDPR.

Categorization of Data Fiduciaries: Under the DPDP Act, Data Fiduciaries have been further classified on the basis of the volume and sensitivity of the personal data processed, amongst other prescribed criteria, and those so classified have additional obligations to discharge, such as appointing a data protection officer and an independent data auditor and conducting data protection impact assessments. GDPR has no such categorization of controllers, the GDPR equivalent of Data Fiduciaries.

Sub-processing: Under both legislations, a Processor may undertake processing activities on a Data Fiduciary’s or Controller’s behalf only under a valid contract.

Technical and organizational measures: GDPR provides detailed guidance on the standard of technical and organizational measures and controls that controllers and processors alike have to implement to ensure a level of security appropriate to the risk. No such guidance is available under the DPDP Act, which will make it difficult for boards and organizations to demonstrate the presence of reasonable security practices. Organizations must therefore follow best-in-class, global industry standards.

Cross-Border Transfers: The DPDP Act allows cross-border transfers of personal data to all countries unless specifically restricted by the Central Government. This is a much simpler approach compared with the exhaustive and compliance-heavy mechanisms under GDPR, ranging from adequacy decisions, transfer impact assessments and Standard Contractual Clauses in the applicable modules to Binding Corporate Rules (in the case of intra-group transfers). In another significant departure from GDPR, one that rather looks like a lacuna, the DPDP Act does not provide any mechanism for third-party beneficiary rights, including the right of the Data Principal to obtain compensation in the event of a cross-border transfer of data.

Data Protection Authorities: The DPDP Act stipulates the establishment of the Data Protection Board (DPB), appointed by the Central Government, to discharge its powers and functions upon an intimation or complaint about a breach, or a reference from the Central Government: to direct remedial or mitigation measures in the event of a breach, inquire into such breach and impose penalties as provided in the Act. GDPR mandates the establishment of supervisory authorities in each EU member state, and the European Data Protection Board (EDPB) ensures that these authorities work together cohesively for uniform implementation of the regulation. Unlike the GDPR authorities, the DPB cannot initiate a proceeding suo moto.

Access by Government: Under GDPR, government and public authorities, like private organizations, are subject to the prescribed conditions of processing. Throughout the DPDP Act, the government has been given carte blanche to access personal data under the garb of “legitimate use” without requiring the consent of, or intimation to, the data principals concerned. This might lead to a negative outcome in a transfer impact assessment carried out pursuant to the Schrems II judgment and may leave India at a non-adequate level of data protection in the view of the European Commission.

Liability & Penalties: GDPR casts liabilities and penalties on controllers and processors alike, whereas under the DPDP Act penalties can only be imposed on Data Fiduciaries. There remains ambiguity about processors’ roles and obligations in the absence of any penal provisions against them under the DPDP Act, and organizations will have to negotiate contractual terms with processors very carefully and strategically to bind them contractually for any violation of the provisions of this Act on a processor’s account.

Key compliances mapped:

Record of Processing Activities (ROPA): GDPR mandates that controllers and processors alike maintain a written ROPA containing, inter alia, the name and contact details of the controller and the DPO, the purpose of processing, and other details of the processing activity, except where the controller or processor employs fewer than 250 persons. There is no such requirement under the DPDP Act.

Data Protection Impact Assessment (DPIA): Under GDPR, the controller shall in specific circumstances (for example, prior to undertaking a high-risk processing activity, systematic profiling, etc.) carry out a DPIA in a prescribed format, and where necessary the processor should assist the controller in ensuring compliance with the obligations relating to the DPIA. Under the DPDP Act only a Significant Data Fiduciary must carry out a DPIA, and not necessarily before the processing activity as under GDPR but periodically; it must contain, among other parameters, an assessment and management of the risk to the rights of the Data Principals arising out of the processing activity.

Privacy Notice: Under GDPR, a privacy notice is to be provided to data subjects at the time of collection of personal data, or within one month when the data is not obtained directly from the data subjects. Similarly, under the DPDP Act, consent must be accompanied or preceded by a privacy notice given by the Data Fiduciary to the Data Principal.

Deletion/Retention: Under GDPR, unless retention is necessary for compliance with any law in force, the controller is to erase personal data as soon as the purpose for which it was collected has been fulfilled (purpose limitation). Under the DPDP Act, unless retention is necessary for compliance with any law in force, Data Fiduciaries are required to erase personal data upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, and further to cause their Data Processors to erase any personal data made available by the Data Fiduciary to such Data Processors.

Notification of Breach: Under GDPR, controllers must report breaches likely to result in a risk to the rights and freedoms of data subjects to the supervisory authority within 72 hours, and to the affected data subjects in the prescribed format. Processors, in turn, must notify the controller without undue delay after becoming aware of a data breach. The DPDP Act mandates that Data Fiduciaries notify the Board and each affected Data Principal in the event of a personal data breach, regardless of the potential harm. This seems onerous and unnecessary. Will organizations be penalized for not reporting breaches that result in no harm to the data principals concerned? It is anticipated that such ambiguities will be addressed in the upcoming implementing rules.

Authorized Person: Under the DPDP Act, a Data Fiduciary must appoint, and publish the details of, an authorized person who remains responsible for responding to any communication or query from a Data Principal for the purpose of exercising her rights under the provisions of the Act. There is no such requirement under GDPR.

Data Protection Officer (DPO): Under GDPR, a controller or processor shall, where prescribed (for example, in the case of high-risk processing), designate a data protection officer. The DPDP Act makes it mandatory only for a Significant Data Fiduciary to appoint a DPO.

Grievance Redressal: Under the DPDP Act, a data principal must exhaust the option of redressal of her grievance by the Data Fiduciary before reaching out to the Board. Organizations should therefore devise a robust grievance redressal mechanism. Under GDPR, a data subject can approach the competent supervisory authority without first contacting the controller. Notably, the staggered approach under the DPDP Act will allow organizations to settle grievances amicably.

Besides these differences, the following unique features have been introduced in the Indian privacy legislation, which organizations must consider while developing a compliance framework for the DPDP Act 2023:

Obligations on Data Principals: Although the primary objective of the Act is to protect the rights and interests of individuals whose personal data is being processed, protection under the Act, unlike under most data privacy laws, is conditional upon the Data Principal complying with certain obligations, failure of which can lead to penalties. In order to exercise the rights available to her under the Act, a Data Principal must comply with all laws currently in force and, in addition, with the provisions of this Act; more specifically, she must not (a) impersonate anyone, (b) withhold any essential information, or (c) submit false or frivolous complaints. This provision will serve as a deterrent and a catalyst in preventing misuse of the provisions of the Act. Its effectiveness, however, can only be assessed in the near future.

Consent Managers: A person registered with the Board who acts as a central liaison, facilitating, via a platform, how a Data Principal can give, manage, review and withdraw consent. This again is a novel concept not seen in the privacy laws of other jurisdictions.

Voluntary Undertakings for Default: The Board may, solely at its discretion, accept a voluntary undertaking from an organization in the case of any default or breach, which results in a bar on proceedings under the Act. More specifically, a voluntary undertaking is a written commitment by a data fiduciary to take specific corrective actions to rectify a default.

To conclude, Indian companies that adhere to GDPR should take note of the unique requirements introduced by the DPDP Act, review and adapt their privacy frameworks, implement the necessary changes, and stay informed about future developments. Complying with the DPDP Act is not only a legal obligation but also an essential step in safeguarding personal data and maintaining the trust of individuals in the digital age.

Author Bio

In-house counsel with 13+ years of experience in the E-commerce (Travel, Edutech), IT and ITES industries, with expertise in Dispute Resolution, Contract Management, General Corporate Advisory, Data Protection Laws, Consumer Laws, Employment Laws, E-Commerce Regulations, IPR, Legal Due Diligence and Public Poli
