India has recently made significant strides to establish itself as a leading global digital economy. Compared to other nations with mature legal systems, however, it was in a weaker position because it lacked a comprehensive data protection statute. Recognising this, the Indian government set out to enact a dedicated data protection law that could govern the increasingly complex interaction between personal data and technology, and to align that law with international practice.
The European Union's General Data Protection Regulation (GDPR) is widely regarded as the strictest privacy regulation in force. Applicable since 25 May 2018, it imposes demanding security and accountability obligations whose breach is punishable by severe fines. Its extraterritorial reach and broad scope signal an uncompromising stance on data protection, and it has prompted many other countries to adopt similar protections, which in turn makes compliance across jurisdictions a demanding task.
The Digital Personal Data Protection Bill, 2023 received the assent of the President of India on 11 August 2023 and became the Digital Personal Data Protection Act, 2023 (the "DPDP"). The legislation aims to address growing privacy and data protection concerns by fostering an environment in which ethical business practices can develop in the digital economy without infringing on individual privacy.
India chose to enact its own data protection law because the country has specific needs, interests and socioeconomic constraints. The EU's GDPR served as a model for the DPDP, so there are numerous parallels between the two, but the DPDP is not a replica of the European law and departs from it in several respects.
Similarities between the DPDP and the GDPR
- Data Principal Rights: Both the GDPR and the DPDP recognise the importance of the rights of the individual (the "data subject" under the GDPR, the "data principal" under the DPDP). Both grant rights to access personal data, to have inaccuracies corrected, and to have data erased (the GDPR's "right to be forgotten"); the GDPR additionally grants a right to data portability, which the 2023 Act does not. Both laws also require organisations to implement reasonable security safeguards against unauthorised access, disclosure or alteration of personal data.
- Processing of data without consent permitted in certain circumstances: The DPDP lists specific "legitimate uses" for which data fiduciaries (the DPDP's equivalent of GDPR data controllers) may process personal data without the data principal's consent. These include processing for employment purposes, responding to medical emergencies, complying with legal obligations or court orders, and the provision of services, subsidies or benefits by the State. The GDPR likewise allows controllers to process personal data on lawful bases other than consent, such as performance of a contract, compliance with a legal obligation, protection of vital interests, public tasks and legitimate interests, while imposing accountability obligations on the controller in each case.
- Significant Data Fiduciary: The DPDP empowers the Central Government to designate a data fiduciary as a "Significant Data Fiduciary" based on factors such as the volume and sensitivity of the personal data it processes and the risk to data principals. The additional obligations this triggers, including appointing a Data Protection Officer, appointing an independent data auditor and carrying out periodic data protection impact assessments, closely mirror the GDPR's approach of imposing heavier duties on higher-risk processing.
- Consent: Consent of the data principal is one of the fundamental grounds on which a data fiduciary (or, under the GDPR, a data controller) may process personal data. The core requirements for valid consent under both laws are broadly the same: it must be free, specific, informed and unambiguous, and given through a clear affirmative action. Both laws also require a lawful basis for any processing of personal data, and both place the burden on the fiduciary or controller to demonstrate that consent was obtained in accordance with the law. The DPDP adds an accessibility requirement: the request for consent must be made available in English or any of the languages specified in the Eighth Schedule to the Constitution of India, at the data principal's option.
Differences between the DPDP and the GDPR
- Categorisation of personal data: The GDPR carves out "special categories" of personal data (for example health, biometric and genetic data, and data revealing racial or ethnic origin, political opinions or religious beliefs) whose processing is subject to distinct, stricter requirements. The DPDP, by contrast, treats all personal data as a single category, with no separate classes of sensitive or critical personal data, so there is no statutory obligation to apply different compliance standards to different kinds of personal data. Instead, the Act requires reasonable security safeguards for all personal data. Furthermore, while the GDPR covers non-digital data that forms part of a filing system, the DPDP applies only to personal data in digital form, or to data collected in non-digital form and subsequently digitised.
- Age of majority: The GDPR sets 16 as the age at which a child can consent to information society services (Member States may lower this to 13), whereas the DPDP defines a child as anyone under 18. The GDPR does not explicitly prohibit behavioural monitoring or targeted advertising directed at children; the DPDP does, barring data fiduciaries from tracking or behaviourally monitoring children and from directing targeted advertising at them, and it requires verifiable consent from a parent or lawful guardian before a child's personal data is processed.
- Notice: The GDPR requires a comprehensive privacy notice to be given to data subjects at or before the time their personal data is collected, and specifies numerous mandatory details the notice must contain. The DPDP, in contrast, requires a notice to data principals only when consent is the basis for processing. That notice must describe the personal data being requested and the purpose of processing, along with how the data principal can exercise her rights and lodge a complaint with the Data Protection Board. The DPDP also requires a notice to be given, as soon as reasonably practicable, for personal data processed on the basis of consent obtained before the Act came into force.
- Transfer of data to other jurisdictions: The DPDP allows the Central Government to restrict, by notification, the transfer of personal data by a data fiduciary to specified countries or territories outside India. Personal data can therefore be transferred freely except to countries on the Central Government's forthcoming negative list. The GDPR, by comparison, imposes broader and more specific conditions on cross-border transfers, such as adequacy decisions, standard contractual clauses and binding corporate rules.
- Consent Managers: This concept is unique to the DPDP. A "Consent Manager" is a person registered with the Data Protection Board of India that acts as a single point of contact enabling a data principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform. The Consent Manager is accountable to the data principal.
- Penalties: One of the most notable aspects of the DPDP is the scale of its penalties for contravention. Under the GDPR, fines are calculated as the higher of a fixed monetary cap or a percentage of the organisation's worldwide annual turnover (up to EUR 20 million or 4% of turnover for the most serious infringements). The DPDP provides only fixed, capped monetary penalties with no turnover-based component. Under the Act's schedule, penalties range up to Rs 250 crore per instance for failure to take reasonable security safeguards to prevent a personal data breach; the Rs 500 crore ceiling that appeared in the 2022 draft bill was not carried into the enacted law.
India has a diverse and complex social and cultural landscape. As a rule, laws must take account of a country's specific cultural norms, values and traditions to be relevant to, and accepted by, its population, and must be tailored to its particular challenges, needs, and economic and social context.
Socio-economic conditions in India differ widely from those elsewhere, and imported laws may lack the institutional and infrastructural support needed for effective implementation. With these considerations in mind, the Government of India chose to draft its own framework for protecting the personal data of its citizens.
With India's emergence as a viable base for future businesses and the rapid growth of technology-based start-ups in fields such as finance, education and e-commerce, the Digital Personal Data Protection Act, 2023 was the need of the hour.