DPDP Consultants Privacyium Tech Pvt. Ltd. 4th floor, GM IT Park, Plot no 32-33, Sector 142, Noida, Uttar Pradesh 201305
Copyright 2024 © DPDP Consultants, A Privacyium Tech Pvt. Ltd. Company
DPDP Consultants, your trusted partner in ensuring Digital Personal Data Protection (DPDP Act 2023) compliance for businesses in India.
The General Data Protection Regulation (GDPR), instituted nearly five years ago by the European Union, has established a significant standard for personal data protection. In August 2023, India also introduced the eagerly awaited Digital Personal Data Protection Act (DPDPA) after the bill was successfully passed, a significant milestone in data protection legislation. The primary objective of the DPDPA is to implement strong legal frameworks for data protection and privacy. Since the enactment of this legislation, numerous organisations have been diligently undertaking measures to ensure compliance. Here is an insightful comparison between the two regulations, highlighting the nuances and assessing how the DPDPA aligns with or diverges from the GDPR.
As mentioned above, the GDPR is seen as the gold standard for data protection laws, so it is quite natural that the DPDPA takes a few leaves out of its book. Let’s take a look at a few similarities between them.
Both the DPDPA and the GDPR allow for the processing of personal data without explicit consent in specific situations. Under the DPDP, “legitimate uses” include employment-related processing, responding to medical emergencies, fulfilling legal obligations, and providing services to the data principal. In the same way, the GDPR permits data controllers to process personal data without consent in cases such as legal compliance, protection of vital interests, and other legitimate interests. Both regulations impose conditions and protection clauses to ensure responsible and proper data processing.
Under the Digital Personal Data Protection Act (DPDP), significant data fiduciaries are determined by factors like data volume and sensitivity. Similar to the GDPR, the DPDP imposes additional obligations on these entities, such as appointing Data Protection Officers (DPOs). This aligns with the GDPR’s requirement for DPOs in cases involving large-scale data processing or sensitive data. Both regulations emphasise the importance of designated individuals to ensure compliance, accountability, and transparency in handling substantial or sensitive data.
Consent is a foundational principle in both the Digital Personal Data Protection Act and the General Data Protection Regulation. Both require consent to be free, specific, and informed, with a legitimate purpose for data processing. Also, DPDP introduces an obligation for consent requests to be provided in multiple languages, promoting accessibility and transparency. This goes beyond GDPR requirements, demonstrating a commitment to inclusivity in the Indian data protection regulations.
While there are a few similarities between DPDP and GDPR, they come with a set of contrasting differences, too, as given below.
The GDPR excludes anonymised data from its scope, meaning data that has been altered to prevent identification. By contrast, the DPDP Act won’t exclude data unless it’s anonymised to the extent that identification of individuals becomes impossible. This indicates a potentially stricter requirement for anonymisation under the DPDP compared to the GDPR.
Unlike the GDPR, the DPDP expressly prohibits data processing that is likely to harm a child’s well-being and mandates verifiable parental consent. The GDPR, while addressing children’s data protection, lacks a comparable broad prohibition and focuses on obtaining parental consent for certain age groups in the context of information society services. The DPDP takes a more explicit and strict approach to protecting children’s data.
The Personal Data Protection Act allows the Data Protection Board to accept voluntary undertakings from those facing non-compliance actions. These undertakings may involve commitments like taking specific actions, refraining from certain actions, or publicising the commitment. Once accepted, a voluntary undertaking serves as a legal barrier, preventing authorities or regulators from pursuing legal actions or proceedings specifically regarding the issues addressed in the voluntary commitment. This approach offers an alternative to adjudication, aligning with the government’s goal of decriminalising offences, encouraging compliance, and facilitating business operations. The DPDP promotes a culture of voluntary rectification to address non-compliance efficiently.
The India Personal Data Protection Bill brings forth a unique concept called a ‘consent manager.’ This is an individual or entity registered with the Data Protection Board, serving as a single point of contact for data principals. The role of a consent manager is to facilitate individuals in managing their consent regarding the processing of their personal data through accessible platforms. The DPDP specifies that obligations and conditions for consent managers, including technical, operational, and financial aspects, will be detailed in accompanying rules. Overall, the concept aims to improve transparency and control for data principals in handling their consent preferences.
The DPDP allows the Central Government in India to restrict cross-border transfers of personal data, with transfers permitted to countries not on the negative list. However, the GDPR offers a more detailed approach, permitting free transfers to countries with adequacy decisions and conditional transfers with specific safeguards. The GDPR imposes stricter restrictions on transfers to countries lacking adequacy decisions or appropriate safeguards compared to the DPDP.
The GDPR categorises personal data into subsets, each with specific compliance requirements. However, the DPDP applies uniform compliance standards to all kinds of personal data, irrespective of specific categories. The GDPR, in a way, customises obligations based on data types, while the DPDP adopts a consistent approach for all personal data.
Under the DPDP, notice is required only when consent is the basis for data processing, not for legitimate uses. The GDPR, however, mandates notice whenever data is collected, and the required details are broader. The DPDP specifies elements for consent-related notice, including the nature and purpose of data collection, the withdrawal process, and grievance redressal. The GDPR requires a more extensive notice covering the data controller, contact details, processing purposes, legal basis, recipients, cross-border transfers, retention period, data subject rights, and more.
Under the DPDP, data fiduciaries must notify the Data Protection Board and each affected data principal of a personal data breach regardless of its assessed risk, whether big or small. The GDPR requires informing data subjects of a breach only when there is a high risk to their rights and freedoms.
Unlike the DPDP, the GDPR doesn’t require a data subject to raise grievances with the data controller before filing a complaint with the regulatory authority or courts. The GDPR allows individuals direct access to legal remedies and regulatory intervention without first attempting resolution with the data controller.
Another significant difference between the DPDP Act and the GDPR is that the latter also applies to offline data that forms part of a filing system, whereas the DPDP extends only to digital data. While there are a few gaps when we compare the DPDP to the GDPR, we can see that the DPDP has a personality of its own. The DPDP Act 2023 reflects India’s commitment to proper compliance. Organisations must customise their data governance strategies, considering factors like cross-border transfers and breach notifications. A nuanced understanding of these regulations helps with responsible data handling and protecting privacy in this complicated digital environment.
We create tailored solutions to meet your organisation’s needs, from expert guidance and training on identifying and mitigating privacy risks to automation tools to manage and review data privacy compliance.