The DPDPA finally received the assent of the President of India in August 2023, and so marks a landmark in India's long-waged battle against serious data breaches, such as the Aadhaar data breach of 2018 and the more recent boAt data breach of 2024. With India haunted by its rating as one of the most breached countries in the world, the DPDPA sets out to strengthen data protection not only within Indian borders but also outside them.
Digital Personal Data Protection Act (DPDPA)
Like the GDPR of the European Union, the DPDPA provides a framework for protecting digital personal data. Its ambit covers not only processing activities carried out in India but also processing connected with the offering of goods or services to persons in India, irrespective of where the processing entity is located. This extraterritorial reach underscores India's commitment to protecting personal data in the global digital economy.
Some of the key provisions of the DPDPA define roles: the Data Principal, similar to the Data Subject under the GDPR; the Data Fiduciary, akin to the Controller under the GDPR; and, most importantly, the newly introduced Significant Data Fiduciary. SDFs, classified by the volume and sensitivity of the data they process, face stringent compliance requirements, including the mandatory appointment of a Data Protection Officer and frequent audits.
Unique to the DPDPA is the concept of a consent manager, a mediator intended to ease interactions between data principals and fiduciaries; the operational specifics, however, are deferred to later rule-making. The Act also introduces several prescriptive provisions, such as the right to grievance redressal and the posthumous management of citizens' data, which reflect a more nuanced treatment of personal data.
General Data Protection Regulation (GDPR)
On the other hand, the GDPR, in force since 2018, establishes a broad, all-encompassing standard of data protection for all EU and EEA states. It also defines 'personal data' broadly: any information relating to an identified or identifiable natural person. The scope is therefore not limited to digital data but also includes non-digitized and publicly available information.
Among the key principles encapsulated in the GDPR are explicit consent, data minimization, and the rights to data portability and erasure. Controllers and processors face a much tighter regime, with mandatory compliance measures such as privacy impact assessments and notification of a data breach within 72 hours. The GDPR also introduces significant fines of up to 4% of global annual turnover or €20 million for non-compliance, alongside provisions for compensating affected individuals.
Recent judgments of the CJEU underline the impact of the GDPR on worldwide data protection standards. For example, the CJEU's judgment on data auctioning by way of consent pop-ups demonstrates both strict enforcement against data privacy infringements and the regulation's broad applicability.
Comparative Analysis: DPDPA vs. GDPR
1. Territorial Application: Both laws have extraterritorial effect, but the GDPR extends to any entity targeting EU residents, whether by offering goods and services or by monitoring behavior, regardless of physical presence, whereas the DPDPA's operation is primarily focused on activities that target Indian data principals.
2. Scope of Personal Data: The GDPR's scope of personal data is wider, as it covers more types of data and sources than the comparatively limited DPDPA scheme, which is focused on digital personal information. The difference shows the GDPR's more far-reaching approach to safeguarding the privacy of individuals.
3. Rights of the Data Principals/Subjects: Both laws provide rights of access to personal data, rectification, and erasure. The GDPR further guarantees data portability and the right to object to automated decision-making, underpinning the principle that the individual is in charge of his or her information.
4. Supervisory Authority and Fines: The GDPR's stringent penalty regime for non-compliance entails heavy administrative fines and compensation for damages, ensuring a firm enforcement mechanism for data protection standards. In contrast, the DPDPA's penalties are organized differently, which may have implications for the compliance strategies of MNCs operating in both regions.
5. Challenges and Opportunities: The DPDPA presents the challenge of harmonizing data protection practices across very different regulatory settings, particularly for multinational corporations already managing GDPR compliance. At the same time, despite the similarity of the two regimes, their nuances call for tailored strategies that keep pace with both local and international standards of data protection.
Conclusion
The DPDPA will be a game changer for India's data protection road map, benchmarked against global standards while addressing the challenges and harnessing the opportunities of the digital era. Comparing it with the GDPR helps to draw clear lines in the global conversation surrounding data privacy. As regulations change, the most important thing is to strike the right balance between innovation and the right to privacy, so as to build further trust in digital ecosystems across the world. The effectiveness of these laws will only be realized through proper implementation and adaptation to each new technological frontier, which underlines the need for dynamic discussion and collaboration in the global move toward data protection.
Contributed by – Aanya Bhargava
Kamala Nehru College (UoD) (2021-2024)