COMPARATIVE ANALYSIS OF INDIA’S DATA PROTECTION LAW
By Shailja Vikram Singh, Intern, Seth Associates
Keywords: Cyberlaw, Data Protection, Cybersecurity, GDPR, Data Privacy
INTRODUCTION
A massive amount of consumer data is being collected by businesses and organizations across the globe. This constant sharing of data places an inherent responsibility on Data Fiduciaries and Data Processors to protect the individual rights of the people whose data is being collected. To ensure that the principles of data privacy are adhered to, which encompass the right to access information, the right to know who controls or retains one's data and how it is being processed, the right to the collection of accurate data, etc., policymakers across the globe have evolved data privacy norms and regulations that make organizations legally obligated to protect the privacy rights of individuals.
India, being one of the fastest-growing digital economies, has been grappling with questions around data privacy for years, primarily since the judgment in Justice KS Puttaswamy and Anr. v. Union of India and Ors., wherein the Hon’ble Supreme Court held that the right to privacy as a fundamental right also includes the right to informational privacy. After over five years of deliberation, India received its first law on personal data protection, the ‘Digital Personal Data Protection Act, 2023’ (“DPDPA”), on August 11, 2023.
BACKGROUND
Subsequent to the KS Puttaswamy judgment, a Committee was formed under the chairmanship of Justice Srikrishna by the Ministry of Electronics and Information Technology (“MeitY”) in June 2017. The Committee released a report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”, examining the key data protection issues, along with the draft Personal Data Protection Bill, 2018. The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha and was later withdrawn after a Joint Parliamentary Committee, established to analyze some of its sections, released the Data Protection Bill, 2021. Thereafter, MeitY released a Draft Digital Personal Data Protection Bill for public consultation, which eventually received the President’s assent on August 11, 2023.
KEY FEATURES OF DPDPA
- Applicability– According to Section 3 of the Act, it applies to the processing of digital or digitized personal data within the territory of India, and outside the territory of India where the processing is in connection with businesses offering goods and services to Data Principals within the territory of India. It does not apply to personal data processed by individuals for domestic purposes, or to personal data made publicly available by the Data Principal or by any other person legally obligated to do so.
- Consent– Section 6 of the Act specifies that no personal data shall be processed by anyone without obtaining the free, specific, and informed consent of the Data Principal, which shall be limited to the specified lawful purpose for which the data is processed. As per Section 5, a Notice consisting of the details of the personal data and the purpose for which it is being collected shall be given to the Data Principal by the Data
- Obligations of the Data Fiduciary– A Data Fiduciary is defined under section 2(i) as any person who, alone or in conjunction with another person, determines the purpose and means of processing of personal data. According to Section 8, Data Fiduciaries are obligated to provide clear notice to Data Principals (the individuals to whom the personal data relates), report personal data breaches to the Data Protection Board and to the Data Principals, ensure the erasure of data as soon as its purpose has been fulfilled, refrain from behavioral monitoring of children’s data and from targeted advertising directed at children, and obtain the consent of a parent or guardian before processing children’s data.
- Rights of Data Principals– Chapter III of the Act outlines the rights and duties of the Data Principal. Individuals whose data is being processed have the right to access it and to seek information on how their data is being processed. They are also entitled to grievance redressal and may ask for the erasure of their data once it is no longer required.
- Section 16 of the Act allows the transfer of personal data outside India, except to those countries which have been notified by the Central Government as blacklisted.
- As per Chapter VIII on Penalties and Adjudication, the Act imposes specific penalties for contraventions, such as up to Rs 200 crores for failing to give notice of a personal data breach and up to Rs 250 crores for a Data Fiduciary failing to abide by its obligations under the Act.
- Apart from granting considerable exemptions to the State, the Act also provides several exemptions for startups under section 17(3), with the stated intent of promoting innovation while enhancing data protection at the same time.
HOW DOES DPDPA DIFFER FROM GDPR?
The General Data Protection Regulation (“GDPR”) is one of the earliest regulations on data privacy and has remarkably influenced the discourse surrounding data privacy and data protection. GDPR has allowed EU residents to exercise significant control over their personal data and to hold organizations accountable for breaches of privacy. Like GDPR, DPDPA does not apply to anonymized data, as it is not identifiable to an individual. Under both, consent should be free, informed, and specific, and must comply with the applicable legislation. Moreover, both GDPR and DPDPA require a legitimate reason or purpose for processing personal data.
DPDPA draws inspiration from GDPR; however, it also differs from it in the following ways:
- Unlike GDPR, which imposes statutory obligations on both data fiduciaries (termed data controllers under GDPR) and data processors, whose obligations and duties are outlined in Chapter 4, DPDPA exclusively holds data fiduciaries responsible for the actions of data processors.
- GDPR differentiates between personal data and sensitive personal data, as implied under Article 9 of the regulation, whereas under DPDPA all personally identifiable data is regulated in the same way.
- Unlike GDPR, DPDPA does not protect publicly available data.
- DPDPA applies only to digital or digitized data and not to offline data, which GDPR covers under Article 2.
- Under DPDPA, notice is required to be given only where the consent of the data principal is mandatory before processing, and not for legitimate uses. Under GDPR, by contrast, consent is mandatory every time data is collected from data subjects. Also, as per Article 13, the notice given under GDPR contains details such as the objective of collecting the data, how it is being processed, the contact details of the data protection officer, the rights of data subjects, etc. Similar information is also provided under DPDPA; however, its scope is limited to instances where the consent of the data subject is required.
- Section 9 of DPDPA deals with the processing of personal data of children and states that children under the age of 18 years require the consent of a parent or guardian before their data is processed. The Act also expressly prohibits the processing of children’s data in a manner that might be harmful to their well-being. Such provisions are not expressly mentioned under GDPR, where, according to Article 8, minors under the age of 16 years require consent from their parents, a threshold which Member States may lower to 13 years in their respective jurisdictions.
- DPDPA provides that in the event of a breach of personal data, a data fiduciary must notify the Data Protection Board as well as the data principal, though no time frame has been mentioned for personal data breach notification. However, Article 33 of GDPR mandates notification of only those data breaches that cause high risk to the data principal, and the Supervisory Authority has to be notified within 72 hours.
- Subject to applicable law and the necessity for which purpose the data was collected, data principals have the right to ask for erasure of their personal data under section 12 of
- GDPR ensures the right to data portability under Article 20 and the right against automated decision-making under Article 22; DPDPA does not provide any such rights. It does, however, include the right to nominate under section 14, which allows individuals to nominate another individual to exercise their rights in the event of death or incapacity.
- DPDPA introduces the concept of a Consent Manager, defined under section 2(g) as a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. GDPR similarly provides for not-for-profit bodies that represent data subjects under Article 80; however, the concept of a consent manager enables wider enforceability of individual rights.
- DPDPA imposes penalties of up to Rs. 250 crores, which are credited to the Consolidated Fund of India. By contrast, as per Article 83 of GDPR, which states the general conditions for imposing administrative fines, penalties are up to 20 million euros or 4% of the firm’s annual revenue for the preceding financial year, whichever amount is higher.
- Significant data fiduciaries are mandated to conduct periodic Data Protection Impact Assessments (DPIA) under section 10(2)(c)(i) of DPDPA. They are also obligated to appoint a Data Protection Officer (DPO) as a point of contact for the Data Protection Board. Under Article 35 of GDPR, by contrast, periodic DPIAs are to be conducted by data controllers, who, along with data processors, are obligated to appoint a DPO in specific circumstances.
- Records of processing activities (ROPA) are required to be maintained by the Data Controller and the Data Processor as per Article 30 of GDPR. No such obligation is mentioned under DPDPA.
- In addition to English, notice is required to be given in 22 Indian languages by the Data Fiduciaries as per No such requirement of notifying in regional languages has been mentioned in GDPR.
COMPARATIVE ANALYSIS OF DPDPA AND OTHER LEGISLATIONS
DPDPA AND IT ACT
The Information Technology Act, 2000, as amended in 2008, deals with data protection and privacy in India. It was enacted to legally recognize e-commerce and to sanction the misuse of computers. The IT (Amendment) Act, 2008 inserted Section 43A and Section 72A, which provided remedies to an individual who has suffered, or is likely to suffer, loss due to his/her data not being adequately protected. Several rules have been enacted under the IT Act, one of which is the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). DPDPA has replaced Section 43A of the IT Act, 2008 as well as the SPDI Rules. However, the Act does not repeal section 72A of the IT Act, which penalizes the disclosure of personal information without the consent of the individual where there is an intention or knowledge that it will cause wrongful harm to the individual.
Section 43 of the IT Act, 2000 deals with accessing a computer system without the permission of the owner or of any other person who is in charge of the computer, computer system or computer network. Section 6 of DPDPA states that no data shall be taken and processed without the consent of the Data Principal. This implies that both the IT Act and DPDPA treat informed and clear consent as the foundational principle upon which data is to be collected. If any conflict arises between the DPDPA and any other law for the time being in force, the provisions of the DPDPA shall prevail to the extent of such conflict.
DPDPA AND PRECEDING DATA PROTECTION LAWS
After several years of discussions and deliberations, India’s first statutory framework for data protection was adopted. DPDPA has shifted considerably from the earlier bills on data protection; however, it also shares several similarities with them.
The scope of the Personal Data Protection (PDP) Bill, 2018 included the processing of personal data within India as well as outside India where it was for businesses offering goods outside India, and further included the processing of anonymized data. Thereafter, the Data Protection Bill, 2021 extended its scope to non-personal data and anonymised personal data. Contrary to the previous bills, however, DPDPA limited its scope to digital and digitized personal data and excluded publicly available data from its purview.
Furthermore, the Personal Data Protection (“PDP”) Bill, 2018 had granted data principals the right to portability under section 26 and the right to be forgotten under section 27, both of which were omitted in DPDPA.
The PDP Bill, 2018 distinguished between sensitive and critical data and allowed cross-border transfer of data to certain countries based on consent or approval by the authorities. A copy of personal data had to be stored in India, and critical data could only be processed in India. This classification of sensitive and critical data was removed under DPDPA, and the Central government has been granted the discretion to restrict personal data flows to specific countries, as stated under section 16(1) of the Act.
DPDPA mandates notifying the Data Protection Board as well as the Data Principal about a data breach, as opposed to the previous bills, under which, upon notifying the Data Protection Authority within 72 hours, it was at the Authority’s discretion whether to further inform the Data Principal. However, no such timeline for notifying a personal data breach has been mentioned under DPDPA.
Furthermore, DPDPA adds to the parties exempted from the Act, includes exemptions based on the sovereignty and security of the state, friendly relations with foreign states, maintenance of public order, etc., and enables the Central government to grant exemptions through notification without any procedure or safeguards, unlike the previous bills.
Additionally, DPDPA omits the provisions on data protection impact assessment which were introduced in the PDP Bill, 2018.
CONCLUSION
The DPDP Act represents India’s unique and significant step in protecting personal data, developed through extensive discussions following its initial draft. This law addresses the growing need for data protection amid increasing internet usage, data generation, and cross-border trade. Although less detailed than the GDPR, the DPDP Act demands a major shift in Indian businesses’ handling of privacy and personal data, reflecting India’s distinct approach to modern data protection.
However, DPDPA has been criticized on several grounds as well. It is argued that the Act has provided more discretionary power to the State, thereby creating uncertainty in the regulatory framework. This further raises the question of whether the new data protection law will uphold an individual’s privacy rights. The power of delegated legislation has been given to the Central government, which highlights the fact that the Data Protection Board of India lacks the necessary powers and guidance. Additionally, the Act does not enable affected Data Principals to receive compensation for a breach, as the penalties are credited to the Consolidated Fund of India. Further, the Act does not specify whether publicly available data may be processed by Data Processors. These questions will be resolved with the passage of time, and amendments may be necessary to deal with these issues.