Unraveling India’s Digital Personal Data Protection Bill 2023: A Comparative Study with GDPR – Part 2

In the first part of our blog series – India Enacted the Digital Personal Data Protection Bill in 2023: What is the Sentiment Around it? – Part 1, we delved into the structure, application, and basic concepts of the Digital Personal Data Protection (DPDP) Bill enacted in India in 2023. Now, in this part, we will explore the differences between the DPDP Bill and the General Data Protection Regulation (GDPR). We will also shed light on the Consent Manager and the Right to Nominate – two new solutions mandated by the law that will significantly impact how companies operate within this new regulatory landscape.

The DPDP Bill 2023 in India and the GDPR in the European Union are two major legislations that regulate the processing of personal data. While they have some commonalities, there are also crucial differences between the two.

Scope

Both the GDPR and the DPDP have an extraterritorial reach. The GDPR applies to any organization processing the personal data of individuals within the EU, irrespective of the organization’s location. The DPDP applies to the processing of digital personal data within India, whether it is collected digitally or digitized later. It also extends to the processing of digital personal data outside India if it is associated with offering goods or services to Data Principals within India.

Type of Data

The GDPR applies to all personal data, digital or otherwise. The DPDP, however, is limited to digital personal data.

Model of Processing

The GDPR encompasses automated, semi-automated, and non-automated processing of personal data. The DPDP, on the other hand, covers only automated or semi-automated processing.

Definition of Personal Data

The GDPR defines personal data broadly, referring to any information related to an identified or identifiable natural person. The DPDP’s definition is more straightforward, referring to any data about an individual who can be identified by or in relation to such data.

Category of Data

The GDPR differentiates between personal data and special categories of personal data. The DPDP, however, does not distinguish between personal data and sensitive or critical sensitive data.

Terminology

The GDPR uses the terms Data Controller and Data Subject. The DPDP, in contrast, uses the terms Data Fiduciary and Data Principal.

Data Controller/Data Fiduciary

The GDPR defines a Data Controller as an entity that determines the purposes, conditions, and means of the processing of personal data. The DPDP defines a Data Fiduciary as any person who alone or in conjunction with others determines the purpose and means of processing personal data. The DPDP also introduces the concept of a Significant Data Fiduciary, based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the risk to electoral democracy, and so on.

Responsibility of Compliance

Under the GDPR, the Data Controller and Data Processor are responsible for compliance. Under the DPDP, the responsibility for compliance lies with the Data Fiduciary.

Significant Data Fiduciary

The DPDP introduces the concept of a Significant Data Fiduciary, which carries additional obligations: appointing a Data Protection Officer (DPO), appointing an Independent Data Auditor, conducting periodic Data Protection Impact Assessments, and undergoing periodic audits.

Definition for Processing

The GDPR defines processing as any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means. The DPDP defines processing as a wholly or partly automated operation or set of operations performed on digital personal data.

Law | GDPR | DPDP Bill

Scope
GDPR: Extraterritorial: the GDPR is relevant to any organization processing the personal data of individuals within the EU, regardless of the organization’s location.
DPDP Bill: Extraterritorial: the DPDP applies to the processing of digital personal data within the territory of India, whether collected in digital form or digitized subsequently. It also applies to the processing of digital personal data outside India if related to offering goods or services to Data Principals within the territory of India.

Type of data
GDPR: Any personal data (digital and non-digital).
DPDP Bill: Only digital personal data.

Model of processing
GDPR: Automated, semi-automated and non-automated.
DPDP Bill: Automated or semi-automated.

Definition of personal data
GDPR: Broad: any information relating to an identified or identifiable natural person, known as the data subject. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
DPDP Bill: Simple: any data about an individual who is identifiable by or in relation to such data.

Category of data
GDPR: Distinction between personal data and special categories of personal data.
DPDP Bill: Any personal data: no distinction between personal data and sensitive data or critical sensitive data.

Names
GDPR: Data Controller / Data Subject / Data Processor.
DPDP Bill: Data Fiduciary / Data Principal / Data Processor.

Data Controller / Data Fiduciary
GDPR: An entity that determines the purposes, conditions, and means of the processing of personal data.
DPDP Bill: Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data, plus the Significant Data Fiduciary (based on: 1. the volume and sensitivity of personal data, 2. the risk to the rights of Data Principals, 3. the risk to electoral democracy, etc.).

Responsibility of compliance
GDPR: Data Controller and Data Processor.
DPDP Bill: Data Fiduciary.

Significant Data Fiduciary
GDPR: Not applicable.
DPDP Bill: Any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government based on an assessment of such relevant factors as it may determine, including: (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principals; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order. The Significant Data Fiduciary shall:
– appoint a DPO (responsible to the Board of Directors or similar governing body of the SDF);
– appoint an Independent Data Auditor to evaluate compliance of the SDF with the provisions of the Act.
Other measures: 1. periodic Data Protection Impact Assessment (a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed); 2. periodic audit; 3. such other measures in relation to the objectives of the Act.

In addition to this, the two laws differ in the following areas:

Law | GDPR | DPDP Bill

Definition for processing
GDPR: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
DPDP Bill: A wholly or partly automated operation or set of operations performed on digital personal data, including operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

Exemptions from applicability
GDPR: Does not apply to a “purely personal or household activity.”
DPDP Bill: Does not apply to:
1. personal data processed by individuals for personal/domestic purposes;
2. personal data made publicly available by (a) the Data Principal to whom such personal data relates, or (b) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available;
3. exemptions made by the State for certain Data Fiduciaries or classes of Data Fiduciaries, including startups, having regard to the volume and nature of personal data processed.

Bases for processing personal data
GDPR: Six lawful grounds for processing personal data:
– Consent
– Contractual necessity
– Legal obligation
– Protection of vital interests
– Task carried out in the public interest or in the exercise of official authority
– Legitimate interests pursued by the Data Controller or a third party
DPDP Bill: Only two lawful grounds:
– Consent-based framework plus privacy notice (in English and the 22 other languages recognised in India).
– Certain legitimate uses framework:
1. the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data;
2. government subsidy, benefit, service, etc.: processing personal data by the State or its instrumentalities to provide a subsidy, benefit, service, certificate, licence, or permit as prescribed;
3. performance of legal functions: processing personal data by the State or its instrumentalities for the performance of functions under the law, in the interest of the sovereignty, integrity, or security of India;
4. compliance with legal orders: processing personal data to comply with judgments, decrees, or orders issued under Indian law;
5. medical emergency and public health: processing personal data to respond to medical emergencies, threats to life or immediate threats to health, and to provide medical treatment or health services during epidemics or outbreaks of disease;
6. employment-related purposes: processing personal data for purposes related to employment, safeguarding the employer from loss or liability, prevention of corporate espionage, maintenance of confidentiality, and provision of services or benefits to employee Data Principals.

Historic data
GDPR: No need to opt in for fresh consent.
DPDP Bill: No need to opt in for fresh consent.

Privacy notice
GDPR: Document the purpose for processing.
DPDP Bill: The company needs to furnish a notice as soon as reasonably practicable, covering everything the Bill requires about withdrawal and the other Data Principal rights.

Consent request
GDPR: Freely given, specific, informed and unambiguous; right to withdraw; clear affirmative action; informed consent; does not mandate a specific language.
DPDP Bill: Specific, informed, unconditional and unambiguous, with clear affirmative action and limited to a specific purpose; option to withdraw; clear affirmative action; provide details of the DPO (for Significant Data Fiduciaries) or of any authorised person for responding to communications from Data Principals exercising their rights; informed consent; in English plus the 22 languages recognised by the Indian Constitution.

Consent Manager
GDPR: Not applicable.
DPDP Bill: Eligible entities/persons registered with the Data Protection Board of India, expected to serve as a single point of contact enabling Data Principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.

Data processing agreement – essential elements
GDPR: Covers essential elements such as purpose, nature, duration, types of personal data, and obligations/rights.
DPDP Bill: Align with the principles of the DPDP Act.

Breach notification
GDPR: Report a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it. There is a threshold for notifying the data subjects, and a DPIA is used for assessing the risk. The Data Processor notifies the Data Controller promptly.
DPDP Bill: No threshold for notification to the Data Protection Board and the data subjects in case of a data breach: data subjects must be notified in every breach scenario, and there is no DPIA for assessing the risk. No threshold for notification (every breach). The Data Processor has no obligation by law to notify the breach.

Children threshold
GDPR: 16 years and below, which member states may lower to 13 years.
DPDP Bill: 18 years and below.

Processing children’s data
GDPR: Parental consent given in a clear and easily understandable manner.
DPDP Bill: No processing that is likely to cause a detrimental effect on the well-being of a child.

Let’s not forget about the last key differences:

Law | GDPR | DPDP Bill

Data Subject’s rights
GDPR:
– Right to be informed
– Right of access
– Right to rectification
– Right to erasure
– Right to restriction of processing
– Right to data portability
– Right to object
– Right not to be subject to a decision based solely on automated processing
DPDP Bill (not specified as such, but implied):
– Right to access information about personal data
– Right to correction, completion, updating, and erasure
– Right to grievance redressal
– Right to nominate: a person who can decide on the processing of personal data in case of death or incapacity of the Data Principal

Duties of Data Principal
GDPR: Not applicable.
DPDP Bill:
– Comply with applicable laws
– Provide authentic information
– No impersonation
– No suppression of material information
– No false grievances

Data transfer
GDPR: Adequacy decisions: the European Commission decides whether a country or organization has adequate data protection, allowing data transfers without further authorization. Appropriate safeguards: if there is no adequacy decision, data transfers can occur if both parties provide safeguards such as binding corporate rules or standard contractual clauses.
DPDP Bill: Transfers are restricted only to countries notified by the Government (a negative list); transfers to all other countries are not restricted.

Data protection authority
GDPR: Independent public authorities in each member state:
– supervise the application of data protection law through investigative and corrective powers;
– provide expert advice on data protection issues;
– handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws.
DPDP Bill: Data Protection Board (a digital office), with a Chairperson and other Members appointed by the Central Government. The Board addresses personal data breaches, inquiries, and penalties based on complaints, references, or court directions. It issues directions to ensure compliance, and these must be followed. The Board has the power to summon, enforce attendance, receive evidence, inspect documents, and take actions similar to a civil court.

Grievance redressal
GDPR: Right to lodge a complaint with a supervisory authority, typically in the EU member state of the individual’s habitual residence or place of work, or where the alleged infringement occurred. The supervisory authority is empowered to investigate complaints, conduct audits, and issue corrective measures or fines for GDPR violations. If the supervisory authority does not handle the complaint or inform the complainant within a reasonable timeframe, or if the individual is not satisfied with the supervisory authority’s decision, they have the right to an effective judicial remedy. National courts may refer questions of law to the ECJ for a preliminary ruling, and the ECJ’s decisions are binding on national courts.
DPDP Bill: Data Principals have the right to seek redressal from Data Fiduciaries or Consent Managers, who must respond within a prescribed period. The Data Protection Board can be approached if grievances are not resolved by the Data Fiduciary or Consent Manager; the Board has the authority to inquire into complaints and breaches and to impose penalties. Individuals dissatisfied with Board decisions can appeal to the Appellate Tribunal, which may entertain appeals related to orders or directions made by the Board. The Board may accept voluntary undertakings related to compliance with the Act, and may suggest mediation for dispute resolution.

Penalty
GDPR:
Lower-level fines: up to €10 million or 2% of the global annual turnover of the preceding financial year, whichever is higher. These fines generally apply to less severe infringements, such as not having records in order, not notifying the supervisory authority and data subject about a breach, or not conducting impact assessments.
Higher-level fines: up to €20 million or 4% of the global annual turnover of the preceding financial year, whichever is higher. These fines are reserved for more serious infringements, including violations of the core principles of processing, infringement of the rights of data subjects, or non-compliance with certain key aspects of the regulation.
DPDP Bill: Penalties can accumulate, and they are:
– Breach of the obligations of a Data Fiduciary (250 crore INR): may extend to €27.5 million.
– Breach of the obligation to give notice (200 crore INR): may extend to €22 million.
– Breach of the additional obligations in relation to children (200 crore INR): may extend to €22 million.
– Breach of the additional obligations of a Significant Data Fiduciary (150 crore INR): may extend to €16.5 million.
– Breach in observance of duties (10,000 INR): may extend to €1,100.
– Breach of a voluntary undertaking accepted by the Board: up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted.
– Breach of any other provision (50 crore INR): may extend to €5.5 million.


Beyond the commonalities and distinctions highlighted above, two features of the DPDP Bill set it apart not only from the GDPR but also from other data protection frameworks: the Consent Manager and the Right to Nominate, both transformative elements in the regulatory landscape.

Consent Manager: Empowering Data Control

The Consent Manager is a pivotal tool ensuring organizations secure explicit user consent, manage preferences, track consent lifecycles, propagate notices, and demonstrate compliance. In the context of India’s DPDP Bill, a Consent Manager, registered with the Data Protection Board, serves as a single contact point, facilitating Data Principals in giving, managing, reviewing, and withdrawing consent through an accessible, transparent, and interoperable platform.

Right to Nominate: Safeguarding Data Rights

The Right to Nominate grants Data Principals the authority to appoint a representative for posthumous or incapacitated data matters. This ensures individuals maintain control over their personal data, exercising their rights under data protection legislation even in situations where they are unable to do so themselves.

To align with the requirements for a Consent Manager and safeguard Data Principals’ right to nominate, companies must blend business operations and technical perspectives:

Business Operations Perspective:

Understand the Legislation: Grasp the requirements of the DPDP Act of 2023 and relevant data protection laws.

Cultivate Trust: Foster consistent trust with customers by transparently explaining data usage.

Implement Policies: Enforce policies aligning with legislation, covering consent management and nominations.

Training: Train employees to comprehend the importance of data protection and handling procedures.

Technical Perspective:

Consent Management Platform (CMP): Leverage CMPs for compliance, automating consent processes and enabling preference updates.

Data Infrastructure: Establish secure data infrastructure with encrypted databases for personal data management.

APIs: Develop or utilize APIs for seamless interaction with the Consent Manager, handling consent requests and responses.

Nomination Mechanism: Implement mechanisms allowing Data Principals to nominate representatives, including user interfaces and backend systems.

Actual implementation varies based on legislation specifics, business nature, and technical capabilities.

The DPDP Act of 2023 will exert profound effects on companies operating in India’s market. Key areas of impact include:

[Figure: key areas of impact, DPDP vs GDPR]

In essence, the DPDP Act signifies a substantial shift in India’s data protection landscape, demanding companies to thoroughly review and adapt their data processing practices for compliance.

Determining the exact number of companies affected by the DPDP Act is challenging, but its impact is widespread. Sectors like banking, financial services, insurance, e-commerce, D2C businesses, software companies, and healthcare are anticipated to feel the regulatory repercussions. A study by PwC India examining 100 Indian enterprise websites found that 41% specified data principal rights in their privacy policies, indicating proactive compliance steps. The actual number may surpass this, considering the law’s broad scope and the multitude of companies in India’s digital economy. Notably, foreign companies processing digital personal data of Indian individuals are also obligated to comply with the Act.

At GDPRLocal, we assist companies in seamlessly implementing India’s Digital Personal Data Protection Act (DPDP Act). Here’s how we can support your organization:

Data Protection Services:

Our experts offer guidance on compliance with various frameworks, covering essential areas like Data Mapping, Governance, Automation, Vendor Management, and more.

Compliance Hub:

Access our Compliance Hub and leverage a team of global experts, providing centralized tools to navigate data protection laws effectively.

Compliance Review:

Benefit from a thorough review of critical elements such as websites, cookie policies, and key documentation to ensure alignment with the DPDP Act.

Ongoing Support:

Our Data Protection Experts are available for continuous support in addressing any compliance issues your company may encounter.

In essence, we deliver a streamlined approach to help your business adhere to the DPDP Act, offering advisory services, a Compliance Hub, compliance reviews, and ongoing support.

In conclusion, as the DPDP Act reshapes India’s data protection narrative, businesses must heed the call to review, adapt, and navigate the intricacies of this new regulation.