India’s long-awaited data protection law finally made meaningful progress on August 11, 2023, as the Digital Personal Data Protection Act, 2023 (“DPDP”) received Presidential assent, taking it a step closer to being formally implemented.
The DPDP seeks to replace the current patchwork of laws and regulations on data protection and privacy in India, which were quite simple in their consent-is-supreme approach, with limited consequences for non-compliance. This is now set to change with the DPDP.
With the ever-clashing requirements to respect the privacy of individuals and to permit data processing by business organizations, the Indian Government has for quite some time felt the need to put in place a comprehensive and dedicated data protection regime comparable with global standards. This article provides a broad overview and discusses how the DPDP stacks up against the European Union’s General Data Protection Regulation (“GDPR”).
The GDPR is one of the foremost laws that set the tone for, and outline the need for, respecting the privacy of individuals in a globalized world. It is only natural that the Indian DPDP resonates closely with, and exhibits certain similarities to, the GDPR.
Anonymized data excluded – While the GDPR expressly excludes anonymized data from its applicability, the DPDP suggests that it would not apply to data that is anonymized such that it cannot lead to the identification of an individual.
Processing of data without consent permitted in certain circumstances – The DPDP provides for certain ‘legitimate uses’ under which data fiduciaries (data controllers) may process personal data for special use cases without the consent of the data principal. Such ‘legitimate uses’ (for which consent of the data principal is not required) include processing for the purposes of employment, responding to medical emergencies, performing any function under law, or the State providing any service or benefit to the data principal, etc. Similarly, the GDPR gives the data controller the ability to process personal data without consent in specific situations, while imposing certain obligations on the data controller.
Quality of consent – Consent of the data principal is one of the foundational principles on the basis of which a data fiduciary / data controller may process personal data. Broadly speaking, the basic principles of consent are similar under the DPDP and the GDPR, i.e. consent should be free, specific and informed. Further, both the GDPR and the DPDP require a legitimate reason (purpose) to process personal data. Another common provision under both the GDPR and the DPDP requires the data fiduciary to demonstrate that consent has been obtained in compliance with the respective legislation.
The DPDP imposes additional obligations in relation to accessibility by requiring the consent request to be provided in several languages, at the option of the data principal.
Significant Data Fiduciary – Given the factors relevant for categorizing a data fiduciary as a significant data fiduciary under the DPDP (i.e. factors such as the volume and sensitivity of data processed), the incremental obligations imposed on such fiduciaries, such as the appointment of data protection officers, seem consistent with the GDPR.
Despite the numerous similarities between the DPDP and the GDPR, the DPDP is unique in its own way.
No separate / special class of data – The GDPR classifies personal data into various specific subsets. These categories of personal data are subject to separate compliance requirements, including as to the purpose for which such personal data may be processed. Compliance requirements under the DPDP, however, do not depend on whether personal data is of a particular kind; the DPDP applies equally to all kinds of personal data.
Applicability to offline data – While the GDPR applies to any offline data which is part of a filing system, the DPDP restricts its applicability to digital or digitized data only.
When is notice required to be given? – The DPDP requires notice to be provided only where consent is the basis for processing data (and not for legitimate uses). Under the GDPR, however, the notice requirements appear to apply whenever data is collected from the data subject and are not linked only to consent.
Contents of such notice – The DPDP prescribes the elements that a notice must contain so that a data principal can provide their consent. These elements include information regarding the nature of the personal data being collected, the purpose for which it is collected, the manner in which consent may be withdrawn, information regarding grievance redressal, and the manner in which a complaint may be made to the enforcement authority.
Under the GDPR, the details required to be provided to a data subject are much wider in scope and do not seem exclusively linked to cases where consent of the data subject is required.
Such notice is required to provide information regarding the data controller, contact details of the data protection officer, purposes and legal basis of processing, legitimate interest, recipients, details of cross-border transfer, period of retention, existence of certain data subject rights, etc.
Children’s Data – Unlike the DPDP, the GDPR does not expressly prohibit behavioral monitoring or targeted advertising aimed at children.
The DPDP prescribes the requirement for verifiable parental consent, and there is an express and broad prohibition on processing data which is likely to cause a detrimental effect on the well-being of a child, which does not seem to find an express mention under the GDPR.
Grievance Redressal – Unlike the DPDP, the GDPR does not require a data subject to first seek redress of their grievance from the controller before making a complaint to the jurisdictional Supervisory Authority or the courts.
Transfer of data to other jurisdictions – The DPDP enables the Central Government to restrict the transfer of personal data by a data fiduciary to notified countries or territories outside India. Hence, except to countries included in the negative list to be published by the Central Government, personal data is freely transferable.
Under the GDPR, however, the permissibility of transferring personal data ranges from free transferability to a country or an international organization covered by an adequacy decision, through conditional transfers (such as adopting standard contractual clauses), to limited permission to transfer under certain circumstances. Hence, the GDPR contains broader and more specific restrictions on cross-border transfer, as compared to the DPDP.
Notification to data principals in the event of a data breach – The DPDP mandates the data fiduciary to notify the Data Protection Board and each affected data principal in the event of any personal data breach. Unlike the DPDP, the obligation to inform the data subject of a breach is triggered under the GDPR only when there is a high risk to the impacted individuals.
Consent Managers – This is a unique concept under the DPDP. A ‘consent manager’ is a person registered with the Data Protection Board, who is accountable to the data principal and acts as a single point of contact to enable a data principal to manage their consents through accessible platforms. The obligations and the technical, operational, financial and other conditions applicable to consent managers will be prescribed under the rules.
Voluntary Undertaking – The DPDP empowers the Data Protection Board to accept, from a person facing action for non-observance, a voluntary undertaking, which may include a commitment – (i) to take action within a time frame, or (ii) to refrain from taking specified action, and/or (iii) to publicize the voluntary undertaking. Once such a voluntary undertaking is accepted by the Data Protection Board, it will constitute a bar on proceedings under the law as far as they relate to the contents of the voluntary undertaking.
This concept seems similar to alternatives to adjudication such as deferred / non-prosecution agreements or the compounding of offences, where the party in default may voluntarily admit to a contravention and the admission is accepted subject to conditions. In our view, this will help in the voluntary and timely rectification of non-compliances and seems overall consistent with the Government’s strong desire to decriminalize offences, encourage compliance and promote ease of doing business.
While appearing to learn from global best practices, the Indian law does have its unique characteristics. The DPDP’s choice of terminology is particularly notable: that of a ‘data fiduciary’, clearly suggesting an element of trust. It will be interesting to see how an issue may be interpreted under Indian data protection laws and Indian jurisprudence given this position of “trust” that a data fiduciary seems to enjoy. Despite multiple points of intersection, the DPDP has its own Indian masala. For now, it seems nicely balanced and not too spicy!