In the first part of our blog series – India Enacted the Digital Personal Data Protection Bill in 2023: What is the Sentiment Around it? – Part 1, we delved into the structure, application, and basic concepts of the Digital Personal Data Protection (DPDP) Bill enacted in India in 2023. Now, in this part, we will explore the differences between the DPDP Bill and the General Data Protection Regulation (GDPR). We will also shed light on the Consent Manager and the Right to Nominate – two new solutions mandated by the law that will significantly impact how companies operate within this new regulatory landscape.
The DPDP Bill 2023 in India and the GDPR in the European Union are two major legislations that regulate the processing of personal data. While they have some commonalities, there are also crucial differences between the two.
Both the GDPR and the DPDP have an extraterritorial reach. The GDPR applies to any organization processing the personal data of individuals within the EU, irrespective of the organization’s location. The DPDP, for its part, applies to the processing of digital personal data within India, whether it is collected digitally or digitized later, and also to the processing of digital personal data outside India if it is connected with offering goods or services to Data Principals within India.
The GDPR applies to all personal data, digital or otherwise. The DPDP, however, is limited to digital personal data.
The GDPR encompasses automated, semi-automated, and non-automated processing of personal data. The DPDP, on the other hand, covers only automated or semi-automated processing.
The GDPR defines personal data broadly, referring to any information related to an identified or identifiable natural person. The DPDP’s definition is more straightforward, referring to any data about an individual who can be identified by or in relation to such data.
The GDPR differentiates between personal data and special categories of personal data. The DPDP, however, does not distinguish between personal data and sensitive or critical sensitive data.
The GDPR uses the terms Data Controller and Data Subject. The DPDP, in contrast, uses the terms Data Fiduciary and Data Principal.
Data Controller/Data Fiduciary
The GDPR defines a Data Controller as an entity that determines the purposes, conditions, and means of the processing of personal data. The DPDP defines a Data Fiduciary as any person who alone or in conjunction with others determines the purpose and means of processing personal data. The DPDP also introduces the concept of a Significant Data Fiduciary, based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the risk to electoral democracy, and so on.
Under the GDPR, the Data Controller and Data Processor are responsible for compliance. Under the DPDP, the responsibility for compliance lies with the Data Fiduciary.
A Significant Data Fiduciary carries additional obligations: appointing a Data Protection Officer (DPO), appointing an Independent Data Auditor, conducting periodic Data Protection Impact Assessments, and undergoing periodic audits.
The GDPR defines processing as any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means. The DPDP defines processing as a wholly or partly automated operation or set of operations performed on digital personal data.
| Law | GDPR | DPDP Bill |
|---|---|---|
| Scope | Extraterritorial: applies to any organization processing the personal data of individuals within the EU, regardless of where the organization is located | Extraterritorial: applies to the processing of digital personal data within the territory of India, whether collected in digital form or digitized subsequently; also applies to processing outside India if it relates to offering goods or services to Data Principals within India |
| Type of data | Any personal data (digital and non-digital) | Digital personal data only |
| Mode of processing | Automated, semi-automated and non-automated | Automated or semi-automated (wholly or partly automated) |
| Definition of personal data | Broad: any information relating to an identified or identifiable natural person (the data subject); an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person | Simple: any data about an individual who is identifiable by or in relation to such data |
| Category of data | Distinguishes personal data from special categories of personal data | No distinction between personal data and sensitive or critical sensitive data |
| Terminology | Data Controller / Data Subject / Data Processor | Data Fiduciary / Data Principal / Data Processor |
| Data Controller / Data Fiduciary | An entity that determines the purposes, conditions and means of the processing of personal data | Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data; in addition, a Significant Data Fiduciary (see below) |
| Responsibility for compliance | Data Controller and Data Processor | Data Fiduciary |
| Significant Data Fiduciary | Not applicable | Any Data Fiduciary or class of Data Fiduciaries notified by the Central Government on an assessment of factors including (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principals; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order. An SDF must appoint a DPO (responsible to its board of directors or similar governing body) and an Independent Data Auditor to evaluate its compliance with the Act, and must carry out periodic Data Protection Impact Assessments (describing the rights of Data Principals and the purposes of processing, and assessing and managing the risk to those rights), periodic audits, and such other measures as may be prescribed |
In addition:
| Law | GDPR | DPDP Bill |
|---|---|---|
| Definition of processing | Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction | A wholly or partly automated operation or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction |
| Exemptions from applicability | Does not apply to a purely personal or household activity | Does not apply to (1) personal data processed by an individual for personal or domestic purposes; (2) personal data made publicly available by the Data Principal herself, or by any other person under an obligation under Indian law to make it public; (3) Data Fiduciaries or classes of Data Fiduciaries (including startups) exempted by the Central Government having regard to the volume and nature of personal data processed |
| Bases for processing | Six lawful grounds: consent; contractual necessity; legal obligation; protection of vital interests; task carried out in the public interest or in the exercise of official authority; legitimate interests pursued by the controller or a third party | Two lawful grounds: (A) consent, preceded by a notice available in English or any of the 22 languages listed in the Eighth Schedule of the Constitution; (B) certain legitimate uses, namely (1) the specified purpose for which the Data Principal voluntarily provided her personal data and has not indicated that she does not consent to its use; (2) provision by the State or its instrumentalities of a subsidy, benefit, service, certificate, licence or permit; (3) performance by the State or its instrumentalities of functions under law, or in the interest of the sovereignty, integrity or security of India; (4) compliance with a judgment, decree or order under Indian law; (5) medical emergencies, threats to life or health, and medical treatment or health services during an epidemic or outbreak of disease; (6) employment-related purposes, including safeguarding the employer from loss or liability, prevention of corporate espionage, maintaining confidentiality, and providing services or benefits to employee Data Principals |
| Historic data (consent obtained before the law took effect) | No fresh consent needed if the existing consent meets GDPR conditions; privacy notice required; document the purpose of processing | No fresh consent needed, but the Data Fiduciary must furnish a notice as soon as reasonably practicable, covering withdrawal and the other Data Principal rights under the Act |
| Consent request | Freely given, specific, informed and unambiguous, by clear affirmative action; right to withdraw; no specific language mandated | Free, specific, informed, unconditional and unambiguous, by clear affirmative action, limited to the specified purpose; option to withdraw with ease comparable to giving it; must include contact details of the DPO (for a Significant Data Fiduciary) or of a person authorised to respond to Data Principals exercising their rights; notice available in English or any of the 22 Eighth Schedule languages |
| Consent Manager | Not applicable | Entities registered with the Data Protection Board of India that serve as a single point of contact enabling Data Principals to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform |
| Data processing agreement | Must cover the essential elements: subject matter, duration, nature and purpose of processing, types of personal data, categories of data subjects, and the obligations and rights of the controller | A Data Processor may be engaged only under a valid contract, which must align with the principles of the DPDP Act |
| Breach notification | Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals; notify data subjects when the breach is likely to result in a high risk; a processor must notify the controller without undue delay | No risk threshold: every personal data breach must be intimated to the Data Protection Board and to each affected Data Principal, in the form and manner to be prescribed; no risk assessment gates the duty to notify; the Data Processor has no statutory obligation to notify |
| Age of a child | Under 16 (member states may lower this, but not below 13) | Under 18 |
| Processing children's data | Consent given or authorised by the holder of parental responsibility, in a clear and easily understandable manner | Verifiable consent of the parent or lawful guardian; no processing likely to cause a detrimental effect on the well-being of a child; no tracking, behavioural monitoring or targeted advertising directed at children |
Let’s not forget about the last key differences:
| Law | GDPR | DPDP Bill |
|---|---|---|
| Data Subject's / Data Principal's rights | Right to be informed; right of access; right to rectification; right to erasure; right to restriction of processing; right to data portability; right to object; right not to be subject to a decision based solely on automated processing | Right to access information about personal data; right to correction, completion, updating and erasure; right of grievance redressal; right to nominate a person who can exercise these rights in the event of the Data Principal's death or incapacity |
| Duties of Data Principal | Not applicable | Comply with applicable laws; provide authentic information; do not impersonate another person; do not suppress material information; do not register false or frivolous grievances |
| Data transfer | Adequacy decisions: the European Commission determines that a country or organisation ensures adequate protection, allowing transfers without further authorisation. Appropriate safeguards: absent an adequacy decision, transfers may rely on safeguards such as binding corporate rules or standard contractual clauses | Transfers are permitted to any country except those restricted by Central Government notification (a negative list) |
| Data protection authority | Independent public authorities in each member state, which supervise the application of data protection law through investigative and corrective powers, provide expert advice on data protection issues, and handle complaints about violations of the GDPR and relevant national laws | Data Protection Board of India, a digital office whose Chairperson and Members are appointed by the Central Government. It addresses personal data breaches, inquiries and penalties on complaints, references or court directions; issues directions to ensure compliance, which must be followed; and has powers similar to a civil court to summon, enforce attendance, receive evidence and inspect documents |
| Grievance redressal | Right to lodge a complaint with a supervisory authority, typically in the member state of habitual residence or place of work, or where the alleged infringement occurred; the authority may investigate, audit and issue corrective measures or fines; if it does not handle the complaint or inform the complainant within a reasonable time, or the individual is dissatisfied with its decision, the individual has the right to an effective judicial remedy; national courts may refer questions of law to the ECJ for a preliminary ruling, whose decisions bind them | Data Principals first seek redressal from the Data Fiduciary or Consent Manager, which must respond within a prescribed period; unresolved grievances go to the Data Protection Board, which can inquire into complaints and breaches and impose penalties; Board decisions can be appealed to the Appellate Tribunal; the Board may accept voluntary undertakings on compliance and may suggest mediation |
| Penalties | Lower tier: up to €10 million or 2% of worldwide annual turnover of the preceding financial year, whichever is higher, for less severe infringements such as failing to keep records, failing to notify the supervisory authority and data subjects of a breach, or failing to conduct impact assessments. Higher tier: up to €20 million or 4% of worldwide annual turnover of the preceding financial year, whichever is higher, for serious infringements such as violating the core processing principles, infringing data subjects' rights, or non-compliance with other key provisions | Penalties for separate breaches can be imposed cumulatively, up to: INR 250 crore (approx. €27.5 million) for failing to take reasonable security safeguards to prevent a personal data breach; INR 200 crore (approx. €22 million) for failing to give notice of a personal data breach to the Board or affected Data Principals; INR 200 crore (approx. €22 million) for breaching the additional obligations relating to children; INR 150 crore (approx. €16.5 million) for breaching the additional obligations of a Significant Data Fiduciary; INR 10,000 (approx. €110) for a Data Principal breaching her duties; for breach of a voluntary undertaking accepted by the Board, up to the penalty applicable to the breach for which the section 28 proceedings were instituted; INR 50 crore (approx. €5.5 million) for breach of any other provision of the Act or the rules under it |
Apart from the commonalities and distinctions highlighted above, two features set the DPDP apart not only from the GDPR but from other data protection frameworks: the Consent Manager and the Right to Nominate.
Under the DPDP Bill, a Consent Manager is an entity registered with the Data Protection Board that acts on behalf of Data Principals and is accountable to them. It serves as a single point of contact through which a Data Principal can give, manage, review and withdraw consent via an accessible, transparent and interoperable platform. For organizations, this means consent must be obtained explicitly and per purpose, preferences must be kept current, the consent lifecycle (given, reviewed, withdrawn) must be tracked, notices must be propagated, and all of this must be demonstrable to the Board.
The Right to Nominate lets a Data Principal appoint a person who may exercise her rights under the Act in the event of her death or incapacity. This keeps the individual's personal data under a chosen person's control precisely when the individual can no longer act herself.
To align with the requirements for a Consent Manager and safeguard Data Principals’ right to nominate, companies must blend business operations and technical perspectives:
Understand the Legislation: Grasp the requirements of the DPDP Act of 2023 and relevant data protection laws.
Cultivate Trust: Foster consistent trust with customers by transparently explaining data usage.
Implement Policies: Enforce policies aligning with legislation, covering consent management and nominations.
Training: Train employees to comprehend the importance of data protection and handling procedures.
Consent Management Platform (CMP): Leverage CMPs for compliance, automating consent processes and enabling preference updates.
Data Infrastructure: Establish secure data infrastructure with encrypted databases for personal data management.
APIs: Develop or utilize APIs for seamless interaction with the Consent Manager, handling consent requests and responses.
Nomination Mechanism: Implement mechanisms allowing Data Principals to nominate representatives, including user interfaces and backend systems.
Actual implementation varies based on legislation specifics, business nature, and technical capabilities.
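As an added illustration of the consent lifecycle and nomination mechanics described in the steps above (this is example code written for this page, not code from the original post, from any registered Consent Manager, or from GDPRLocal), the following hypothetical consent ledger models purpose-scoped consent that can be given, reviewed and withdrawn, with every change appended to an audit trail, and a nominee who may act only once the principal's incapacity has been recorded. The class names, identifiers such as `dp-1`, and the purposes `order_fulfilment` and `marketing` are all assumptions made for the example; how incapacity is verified out of band is left to the implementer.

```python
"""Hypothetical DPDP-style consent ledger (added example, not the page's own code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only ledger entry; the trail is what you show the Board on request."""
    at: datetime
    actor: str      # principal_id or nominee_id who performed the action
    action: str     # "given" or "withdrawn"
    purpose: str    # consent is scoped to one purpose, never blanket


@dataclass
class PrincipalRecord:
    principal_id: str
    nominee_id: Optional[str] = None
    incapacitated: bool = False        # set only after out-of-band verification (assumed)
    events: list[ConsentEvent] = field(default_factory=list)


class ConsentLedger:
    """Give / review / withdraw consent per purpose, with a nominee fallback."""

    def __init__(self) -> None:
        self._records: dict[str, PrincipalRecord] = {}

    def _record(self, principal_id: str) -> PrincipalRecord:
        return self._records.setdefault(principal_id, PrincipalRecord(principal_id))

    def _authorise(self, principal_id: str, actor: str) -> None:
        """Only the principal, or the nominee once incapacity is recorded, may act.
        Design choice: after incapacity is recorded, only the nominee may act."""
        rec = self._record(principal_id)
        if actor == principal_id and not rec.incapacitated:
            return
        if actor == rec.nominee_id and rec.incapacitated:
            return
        raise PermissionError(f"{actor} may not manage consent for {principal_id}")

    def _append(self, principal_id: str, actor: str, action: str, purpose: str) -> None:
        self._authorise(principal_id, actor)   # check before writing: no event on refusal
        self._record(principal_id).events.append(
            ConsentEvent(datetime.now(timezone.utc), actor, action, purpose))

    def give_consent(self, principal_id: str, purpose: str, actor: Optional[str] = None) -> None:
        self._append(principal_id, actor or principal_id, "given", purpose)

    def withdraw_consent(self, principal_id: str, purpose: str, actor: Optional[str] = None) -> None:
        # Withdrawal is the same single call as giving consent: no extra friction.
        self._append(principal_id, actor or principal_id, "withdrawn", purpose)

    def nominate(self, principal_id: str, nominee_id: str) -> None:
        self._authorise(principal_id, principal_id)   # only the principal can nominate
        self._record(principal_id).nominee_id = nominee_id

    def mark_incapacitated(self, principal_id: str) -> None:
        self._record(principal_id).incapacitated = True

    def review(self, principal_id: str) -> dict[str, bool]:
        """Current state per purpose, derived from the log: the latest event wins."""
        state: dict[str, bool] = {}
        for ev in self._record(principal_id).events:
            state[ev.purpose] = ev.action == "given"
        return state

    def is_processing_allowed(self, principal_id: str, purpose: str) -> bool:
        """Gate every processing operation on this; an unknown purpose means no consent."""
        return self.review(principal_id).get(purpose, False)

    def history(self, principal_id: str) -> list[ConsentEvent]:
        return list(self._record(principal_id).events)


def demo() -> dict:
    """Walk one constructed principal through the lifecycle and report what was allowed."""
    ledger = ConsentLedger()
    ledger.give_consent("dp-1", "order_fulfilment")
    allowed_before = ledger.is_processing_allowed("dp-1", "order_fulfilment")
    marketing_allowed = ledger.is_processing_allowed("dp-1", "marketing")  # never consented
    ledger.withdraw_consent("dp-1", "order_fulfilment")
    allowed_after = ledger.is_processing_allowed("dp-1", "order_fulfilment")
    ledger.give_consent("dp-1", "order_fulfilment")
    ledger.nominate("dp-1", "nominee-9")
    try:   # nominee must not act while the principal is still capable
        ledger.withdraw_consent("dp-1", "order_fulfilment", actor="nominee-9")
        nominee_acted_early = True
    except PermissionError:
        nominee_acted_early = False
    ledger.mark_incapacitated("dp-1")
    ledger.withdraw_consent("dp-1", "order_fulfilment", actor="nominee-9")
    return {
        "allowed_before": allowed_before,
        "marketing_allowed": marketing_allowed,
        "allowed_after_withdrawal": allowed_after,
        "nominee_acted_early": nominee_acted_early,
        "allowed_after_nominee_withdrawal": ledger.is_processing_allowed("dp-1", "order_fulfilment"),
        "event_count": len(ledger.history("dp-1")),
    }


if __name__ == "__main__":
    print(demo())
```

The two points worth copying into a real system are that the current consent state is derived from the append-only log rather than stored as a mutable flag (so the audit trail and the live decision can never disagree), and that authorisation runs before the write, so a refused nominee action leaves no trace that could later be mistaken for a valid withdrawal.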
The DPDP Act of 2023 will exert profound effects on companies operating in India’s market. Key areas of impact include:
In essence, the DPDP Act signifies a substantial shift in India’s data protection landscape, demanding companies to thoroughly review and adapt their data processing practices for compliance.
Determining the exact number of companies affected by the DPDP Act is challenging, but its impact is widespread. Sectors like banking, financial services, insurance, e-commerce, D2C businesses, software companies, and healthcare are anticipated to feel the regulatory repercussions. A study by PwC India examining 100 Indian enterprise websites found that 41% specified data principal rights in their privacy policies, indicating proactive compliance steps. The actual number may surpass this, considering the law’s broad scope and the multitude of companies in India’s digital economy. Notably, foreign companies processing digital personal data of Indian individuals are also obligated to comply with the Act.
At GDPRLocal, we assist companies in seamlessly implementing India’s Digital Personal Data Protection Act (DPDP Act). Here’s how we can support your organization:
Data Protection Services:
Our experts offer guidance on compliance with various frameworks, covering essential areas like Data Mapping, Governance, Automation, Vendor Management, and more.
Compliance Hub:
Access our Compliance Hub and leverage a team of global experts, providing centralized tools to navigate data protection laws effectively.
Compliance Review:
Benefit from a thorough review of critical elements such as websites, cookie policies, and key documentation to ensure alignment with the DPDP Act.
Ongoing Support:
Our Data Protection Experts are available for continuous support in addressing any compliance issues your company may encounter.
In essence, we deliver a streamlined approach to help your business adhere to the DPDP Act, offering advisory services, a Compliance Hub, compliance reviews, and ongoing support.
In conclusion, as the DPDP Act reshapes India’s data protection narrative, businesses must heed the call to review, adapt, and navigate the intricacies of this new regulation.