Navigating Data Protection: A Comparative Analysis of GDPR and DPDP Act”
Abstract:
In today’s digital era, privacy is not just a buzzword—it’s a fundamental right gaining recognition and momentum globally. As individuals grow increasingly aware of their privacy rights, governments worldwide are stepping up to fortify data protection frameworks. Among these, the GDPR stands as a renowned benchmark in safeguarding personal data. Not to be left behind, India has joined this global initiative. After meticulous consultations and revisions to the data protection bill, the President has given a nod to India’s inaugural privacy legislation, signaling a new chapter in the country’s commitment to ensuring its citizens’ right to privacy. Our blog focuses specifically on these pivotal privacy laws, offering readers a comparative study between India’s DPDP Act and the EU’s GDPR. Furthermore, we intend to delve deep into the significant provisions of both the Personal Data Protection Act of India and the EU’s GDPR, bridging the understanding between these two monumental pieces of legislation.”
Applicability:
GDPR: The GDPR casts a wide net in its applicability. It encompasses entities established in the EU, even if their data processing activities occur outside of it. Moreover, corporations located outside the EU are not exempt; if they process data related to offering goods or services to individuals in the EU, they’re required to comply. Additionally, in some cases driven by public international agreements, even entities outside the EU might find themselves governed by the GDPR if specific EU member state laws become applicable.
DPDP Act, 2023: The DPDP Act provides comprehensive coverage for the processing of digital personal data within India. This encompasses data that is initially collected in digital form as well as data that, though collected in a non-digital format, is later digitized. The Act’s jurisdiction is not limited solely to India’s territorial boundaries; it also extends to the processing of digital personal data beyond India’s shores when such processing is linked to activities offering goods or services to Data Principals located within India. However, there are notable exceptions. The Act does not apply to personal data specifically processed for a predetermined purpose and to personal data made publicly available either by the Data Principal or by another party obligated by existing Indian laws to disclose such information.
Significant Roles mentioned in GDPR & DPDP Act:
In the DPDP Act, several terms are central to understanding the dynamics of data protection. The ‘Data Principal’ refers to the natural person whose personal data is being collected, shared & processed. On the other hand, the ‘Data Fiduciary’ is the individual (or entity) determining the purpose and means of processing this personal data. This might be done individually or collaboratively with others. The Act also defines the ‘Data Processor’, an individual distinct from the Data Fiduciary’s employees. This person carries out the processing activities on the Fiduciary’s behalf.
In the GDPR, the ‘Data Subject’ is the person whose data is used. The ‘Controller‘ decides how and why to use this data. The ‘Processor‘ does the actual work of using the data based on the Controller’s decisions. Both the Controller and Processor can be people or organizations.
Comparative Analysis of EU GDPR and India DPDP Act:
Subject of comparison | GDPR | DPDP Act |
Rights of natural persons
|
Following rights are conferred on the data subjects by GDPR:
· Right to correction · Right to erase · Right to access · Right to restriction on processing · Right to data portability · Right to be forgotten · Right to object |
Following rights are conferred on the data principals by DPDP Act:
· Right to access information about personal data. · Right to correction and erasure of personal data. · Right of grievance redressal. · Right to nominate. |
Principals of Data processing | Any person (data controller & data processor) processing the personal data has to comply with the following requirements and limitations under GDPR:
· Lawfulness, fairness and transparency of data processing. · Purpose limitation · data minimization · Accuracy of data · Storage limitation · Integrity and confidentiality(security) of data |
Any person(data fiduciary & data processor ) processing the personal data has to comply with the following requirements and limitations under DPDP Act:
Data fiduciary & data processor shall process data of data principal only in accordance with the provisions of this DPDP Act and for a lawful purpose- · For which the Data Principal has given her consent; or · For certain legitimate uses.
|
Penalties for data breach | · For data loss- 10 million euros or 2% of global annual income which is higher
· For misuse of data- 20 million euros or 4% of annual global income which one is higher. |
Data protection board shall impose fine up to 250 crore rupees on data fiduciary & data processor:
· For non-compliance of this act- 200 crores · For breach on any obligations- 50 crores rupees
Data protection board shall impose fine of rupees 10,000 on data principals who fail to adhere to their duties as prescribed under the DPDP Act.
|
Conclusion:
In our comparative exploration of the EU’s General Data Protection Regulation (GDPR) and the DPDP Act, 2023, it’s evident that while the two laws share substantial similarities, they also present distinct nuances. The DPDP Act, 2023, boasts a broader scope, capturing a wider spectrum of data processing scenarios. However, the GDPR has the advantage of precision; it meticulously lays out its requirements, while the DPDP Act still leaves certain processes and procedures open to interpretation. Notably, while the GDPR outlines extensive processing grounds and principles, and provides data subjects with specific rights to challenge government data processing in certain situations, the DPDP Act emphasizes processing for ‘legitimate purposes’ and grants the government a more pronounced authority over data use. This juxtaposition underscores the dynamic nature of data protection legislation and the different approaches regions adopt to safeguard their citizens’ data.