The Digital Personal Data Protection Act (DPDPA) received the Indian President’s assent in August 2023. This marked a significant step towards tackling severe data breaches, from the Aadhaar data leak fiasco in 2018 to the recent boAt data breach in 2024. Over the years, India has become the fifth most breached country in the world.
The parallels between the DPDPA and the European Union (EU) General Data Protection Regulation (GDPR) are evident. However, it is undeniable that the GDPR offers much broader latitude in its territorial applicability and in the range of personal data it covers. The GDPR is an umbrella framework that harmonises the differing data protection laws across all the EU/European Economic Area (EEA) countries, creating a level playing field among all entities by streamlining divergent and complex procedures. In tandem with this, the GDPR is acclaimed as the prime standard in data protection law, since it introduced the distinct concepts of consent, the right to data erasure, data portability, data minimisation, etc.
The Court of Justice of the European Union (CJEU) delivered a landmark verdict in March 2024 on the advertising landscape, in a case against the media giant Interactive Advertising Bureau (IAB) Europe. This consequently entails ramifications for Instagram, TikTok, Google and many others that profit from personalised advertising and marketing. The CJEU deemed the auctioning of data through consent pop-ups on these platforms illegal and a severe case of data breach. It is pronouncements like these which set apart and establish the EU GDPR as the compliance and regulatory standard for data protection law all over the world.
This post now aims to macro-analyse the varying stances of both Acts based on different parameters. Together, the Acts involve three fundamental components: firstly, the Data Principal (in the DPDPA) or Data Subject (in the GDPR), the individual whose personal data is processed and who gives consent; secondly, the Data Fiduciary (DPDPA) or Controller (GDPR), which determines the purpose and procedure for processing the data; and lastly, the Data Processor, which handles the technical processing of the data.
DPDPA versus GDPR
Territorial Realm
The DPDPA covers not only the processing of digital personal data that occurs within India, but also processing outside India. However, the latter is limited to activity connected with the offering of goods or services to data principals in India. The GDPR, in addition to the aforementioned, applies to every entity outside the territory of the EU that specifically targets EU markets, establishing a commercial nexus between global entities and member states. An intent to offer goods and services through the use of the language or currency of any member state, personalised advertising, or even the mere monitoring of EU data subjects, falls within the threshold of this commercial nexus. This showcases the broader sphere of the GDPR: each and every entity keen on entering the EU market has no alternative but to comply with the GDPR, which in turn expands the regulation's reach over cross-border transactions in goods and services.
Scope of Personal Data
While the definition of personal data under the DPDPA covers “any digital data about an individual”, the GDPR defines personal data as “any information relating to an identified or identifiable natural person.” This exhibits the wider scope of the GDPR, which covers non-digitised data as well as data that is already publicly available, including sensitive personal data. The DPDPA is confined exclusively to private digital data, excluding any and all publicly available data.
Data Principal/Subject: Rights and Relief
Both the DPDPA and the GDPR enshrine the rights of data principals/subjects to access information regarding their personal data, to be notified in the event of a data breach, and to have the supplied data completely erased or rectified. Beyond these, the two each contain provisions unique to themselves. The DPDPA adds a right to grievance redressal along with a right of nomination in the event of the data principal's death, under which the nominated individual is entitled to exercise the deceased principal’s rights over their data. Meanwhile, the GDPR provides for data portability, which enables the data subject to move their personal data across different IT platforms, along with the right to object to automated data processing and profiling.
Data Fiduciary/Controller
The DPDPA introduces the new concept of the Significant Data Fiduciary (SDF), a specified classification of data fiduciary designated by the Indian government. SDFs are identified based on the volume and sensitivity of the data they process and possess, along with the degree of risk associated with it; the classification exists because of their potential impact on security and public order. An SDF is required to appoint a Data Protection Officer along with an Independent Data Auditor to carry out periodic audit and compliance checks. In tandem with this, a periodic Data Protection Impact Assessment is mandated for the SDF. The GDPR has no equivalent of the SDF; it does, however, provide for Joint Data Controllers simpliciter, meaning two or more data controllers that jointly determine processing and are bound to act in accordance with the general obligations of controllers.
Processing of data on children
Unlike the DPDPA, the GDPR lacks auxiliary safeguard obligations for the processing of children’s data. The GDPR accommodates just two provisions, i.e. parental consent and transparency of information towards children. Even though the DPDPA places unique key responsibilities upon data fiduciaries, the obligation it imposes on them to refuse processing purely on the basis of their own predictions and discretion, presuming that the processing may harm the well-being of the child, is an incredibly unfeasible and superficial section of the DPDPA. Another issue is the age of majority, which under the DPDPA is 18 years. Under the GDPR, it differs depending on the member state, although the standard in most is 16 years.
Cross-border data transfer: A conundrum
Since the DPDPA is not yet in force, no definitive transfer mechanisms under the much-awaited official procedural rules and regulations have been notified by the Indian government. At present, the Act permits the transfer of personal data to every country in the world, unless the Central government, by notification, restricts data transfer to specific notified countries. The GDPR, by contrast, enforces stringent data transfer rules. The first is the execution of a transfer impact assessment (TIA) to ensure an adequate level of protection of personal data in the third country. Additionally, all the general corporate rules and international cooperation mechanisms are binding on the entity situated in the third country, with the onus on it to include the standard contractual clauses applied in the EU for data protection.
Consent manager: The unique proposition
The DPDPA introduces the unique concept of consent managers, who act as mediators and aggregators connecting the data principal and the data fiduciary. A consent manager is a person registered with the Data Protection Board of India (DPBI) and is empowered to manage the data principal’s consent in every respect through an interoperable platform. Further responsibilities are to be notified in the rules and regulations under the DPDPA. There is no such concept of a consent manager under the GDPR. However, the DPDPA at present does not address (i) the relationship between the data fiduciary and consent managers in terms of contractual obligations or arrangements; (ii) the roles, responsibilities and obligations of consent managers; and (iii) their capacity under the grievance redressal mechanism.
Data breach notification: Data fiduciary/controller
The two components of data breach notification that the data fiduciary/controller must adhere to under the DPDPA and the GDPR are (i) the severity threshold of the breach; and (ii) the time frame stipulated for notification. Under the DPDPA, it is crucial to notify the DPBI and the affected data principal of the data breach, but the Act falls short in that it sets no time frame for doing so. Under the GDPR, a time frame of 72 hours has been set for the data controller to inform the supervisory authority and the data subject of the breach. Still, a breach that is low in risk, and certainly one not affecting the rights and freedoms of a natural person, need not be reported.
Data breach complaint
Both the DPDPA and the GDPR provide the right to lodge a complaint with the DPBI/supervisory authority when the data principal/subject demonstrates non-performance of obligations. Over and above that, however, the data principal under the DPDPA has the avenue of grievance redressal, which must be exhausted before exercising the right to approach the DPBI. The grievance redressal mechanism is exclusive to the DPDPA, which requires each and every data fiduciary to set one up.
Penalty: Distinct methodology
The penalties enumerated under the DPDPA and the GDPR follow fundamentally contrasting methodologies depending on the situation. Under the DPDPA, the slew of penalties, as high as ₹250 crore, is listed in a straitjacket formula that varies with the distinct obligation infringed. Under the GDPR, an administrative penalty of 10 million or 20 million euros may be imposed for an infringement, or the company is bound to pay an administrative penalty of 2% or 4% of its global annual turnover for the preceding fiscal year, whichever is higher. Additionally, the GDPR mandates compensation for the data subject regardless of the nature of the damage, whereas the DPDPA will gauge compensation based on the nature and gravity of the damage. Lastly, under the GDPR, data breach infringements not subject to administrative fines are dealt with separately and specifically by each member state. This is an unparalleled distinction between the DPDPA and the GDPR.
Challenges and opportunities
The DPDPA represents the result of over six years of discourse on personal data protection regulation. While there are elements of the DPDPA that are analogous to the GDPR, making it fairly familiar to international organisations, it is not entirely homogeneous with it. For multinational undertakings, this can pose a challenge to a universal approach to global data protection compliance.
The efficacy of the DPDPA is a matter of conjecture, to be determined by future regulatory developments and institutional arrangements. Even though the new law establishes a groundwork for data privacy, the law on its own is not enough to secure it. To an extent, its success will depend on the Central government's commitment to privacy rights, as the Act confers considerable discretionary power on it over critical matters.
Himja Singh is an Associate at Suman Khaitan & Co.