India: New data protection law - how does it fare against GDPR?
The EU's General Data Protection Regulation (GDPR) is often touted as the 'gold-standard' for personal data protection and has been in force for more than five years. In August 2023, India enacted the much-awaited Digital Personal Data Protection Act, 2023 (the DPDP Act)[1]. While the DPDP Act may not be as granular as the GDPR in many aspects, it signifies a crucial milestone in India's journey towards upholding digital data protection. Harsh Walia, Supratim Chakraborty, Shobhit Chandra, Sumantra Bose, Sanjuktha Yermal, Shramana Dwibedi, and Vanshika Lal, from Khaitan & Co., provide a comparison between the GDPR and the DPDP Act and their approaches to areas such as data processor obligations, children's data, and cross-border data transfers.
As the new law comes into force, various entities have started taking preparatory steps toward compliance with the DPDP Act. Among them, multinational corporations that already adhere to laws like the GDPR are particularly interested in identifying any deviations, since this will help them determine the incremental steps required to ensure compliance with the DPDP Act. For instance, one significant departure of the DPDP Act from the GDPR is that the former does not define or explicitly restrict profiling, except in the case of processing children's data. The GDPR, by contrast, explicitly defines profiling and lays down a framework for it, including the requirement that data subjects be informed if they are being profiled.
Comparing the GDPR and the DPDP Act
Categorization of personal data
Under the GDPR, personal data is classified into specific subsets, one of which is known as 'special categories of personal data.' This category encompasses sensitive information of individuals such as data relating to racial or ethnic origin, political opinions, and religious or philosophical beliefs, among others.
Handling special categories of personal data entails additional compliance requirements, particularly concerning the legal basis that can be used for processing such special categories of personal data.
In contrast to the GDPR, the DPDP Act applies to all personal data in the digital space without categorizing it as sensitive or critical. As a result, there are no separate compliance standards for different types of personal data under the DPDP Act. Consequently, a uniform standard will need to be applied to all classes of personal data.
Classification of data fiduciaries
The GDPR does not distinguish between classes of data controllers (akin to data fiduciaries under the DPDP Act) when prescribing compliance requirements and obligations.
On the contrary, under the DPDP Act, the Central Government may classify certain data fiduciaries as 'significant data fiduciaries' based on prescribed criteria, such as the volume and sensitivity of personal data processed and the risks to the rights of data principals (akin to data subjects under the GDPR). Significant data fiduciaries carry increased compliance obligations as opposed to data fiduciaries in general. Such additional obligations include the appointment of a data protection officer (DPO) residing in India, the appointment of an independent data auditor, undertaking periodic assessments, and so on.
Obligations of data processors
Under the GDPR, data processors are subject to certain compliance requirements, such as implementing appropriate organizational and technical measures to ensure the protection of the rights of data subjects. Fines can also be imposed on data processors according to the degree of responsibility of the processor and controller, among other factors.
The DPDP Act has no direct obligations for data processors. Accountability for obligations has been placed on data fiduciaries, who must ensure compliance for any processing done by them or by a data processor on their behalf. Additionally, similar to how the GDPR mandates the data controller and data processor to enter into a 'data processing agreement,' it is mandatory under the DPDP Act to have a valid contract between the data fiduciary and the data processor.
Notice to data principals
In contrast to the provisions under the DPDP Act, the GDPR mandates a more comprehensive privacy notice to be given to data subjects before or at the time of collecting their personal data. This includes third-party transfers of personal data, the contact information of the data controller, the retention period of personal data, etc.
On the other hand, the DPDP Act stipulates that notices must be furnished to data principals solely when the legal basis for processing their personal data is consent. The notice is required to outline the types of personal data sought to be collected, the purposes of processing, the manner in which the data principal may exercise their rights of withdrawal of consent and grievance redressal, and the manner in which the data principal may make a complaint to the Data Protection Board of India (the Board). Moreover, there is a requirement to provide an option to data principals to access the notice and consent request in local languages (which can be up to 22 languages). The translation obligation appears to ensure that data principals can easily comprehend the implications of their data being processed and accordingly provide their 'informed' consent.
Consent managers
While the GDPR and the DPDP Act both recognize the consent of individuals as one of the legal bases for processing personal data, the latter has introduced the novel concept of 'consent managers.' There is no equivalent concept under the GDPR. Consent managers will enable data principals to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. Every consent manager will be required to be registered with the Board, in such manner and subject to such technical, operational, financial, and other conditions as may be prescribed.
Age of majority and exceptions for processing children's data
Another notable difference between the DPDP Act and the GDPR is the age of majority. According to the GDPR, individuals below the age of 16 years are considered children (such age may be lowered by EU Member States, provided it is not lowered below 13 years of age). However, the DPDP Act defines children as individuals who are below the age of 18 years, in line with the overall legal framework around the age of majority in India. The DPDP Act further vests the power of lowering the age of majority with the Central Government, only if the processing is done in a manner that is notified as verifiably safe by the Central Government. This disparity may lead to operational complexities as it may require different consent mechanisms, including parental consent, across jurisdictions.
Reporting of personal data breaches
While the GDPR follows a risk-based approach for notifying authorities about personal data breaches, the DPDP Act does not specify any such threshold. According to the GDPR, breaches that are likely to pose a risk to the rights and freedoms of data subjects must be reported to supervisory authorities. Additionally, data breaches must be communicated to the affected data subjects only if they are likely to result in a high risk to their rights and freedoms.
On the other hand, the DPDP Act does not establish a clear criterion or threshold for the obligation to notify personal data breaches to the Board and the affected data principals. However, it is expected that the form and manner of intimation of data breaches will be prescribed, so further clarity is likely to emerge on this front. This also presents an operational challenge, as a separate framework for breach reporting already exists under the directions issued by the Indian Computer Emergency Response Team (CERT-In) and various other sectoral regulators in India.
Right to be forgotten and right to erasure
Under the GDPR, the right to erasure is also known as the right to be forgotten. This right can be exercised by the data subject under the GDPR, barring certain exceptions.
The DPDP Act grants data principals only a right to erasure, subject to exceptions where retention is necessary for the specified purpose or for compliance with the law. However, it is important to note that the High Courts of various states in India have adopted conflicting views on the right to be forgotten. Several courts, including the Delhi High Court, the Karnataka High Court, and the Orissa High Court, have recognized the right to be forgotten as a part of the right to privacy of an individual. There have also been instances where courts, such as the Gujarat High Court, the Madras High Court, and the Kerala High Court, have refused to enforce this right except in certain cases like court judgments, matrimonial disputes, etc.
Appointment of a DPO
Both the GDPR and the DPDP Act provide for the appointment of a DPO. Under the GDPR, both the controller and the processor are required to appoint a DPO if they process personal data under certain prescribed circumstances, such as where the processing is carried out by a public authority (barring courts) or where the core activities of the controller or processor involve the processing of special categories of data, etc. The GDPR also specifies the qualifications required of a DPO.
On the contrary, the DPDP Act only mandates the appointment of a DPO by 'significant data fiduciaries.' Additionally, the DPDP Act, in its current form, does not provide details regarding the qualifications of a DPO.
Data Protection Impact Assessment
Under the GDPR, supervisory authorities are vested with the power to make lists of the activities that require a Data Protection Impact Assessment (DPIA). In certain cases, such as where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required to conduct a DPIA based on the factors laid down in the GDPR. Other instances, such as profiling, or the processing of personal data relating to criminal convictions, also require a DPIA.
Under the DPDP Act, a DPIA is required to be periodically conducted by significant data fiduciaries only. This would include a description of the rights of data principals, the purpose for the processing of their data, assessment and management of risk, and other measures as may be specified. However, the DPDP Act does not elaborate on the specifics of the processing activities that would require a DPIA. This may lead to an increased compliance burden compared with the GDPR.
Cross-border transfer of personal data
The GDPR provides various channels through which the cross-border transfer of personal data can be carried out. Under the GDPR, personal data may be transferred pursuant to an adequacy decision, or on the basis of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or certain other prescribed safeguards. Subsequent judicial pronouncements have also been critical in setting the standards and determining the manner in which cross-border transfer of personal data may take place.
However, the DPDP Act has prima facie prescribed a simplified process. Personal data under the DPDP Act may be transferred to other jurisdictions unless the Central Government, based on certain factors, has restricted the transfer to a country or territory.
It is essential to emphasize that if other laws, including sectoral laws, demand a more stringent level of data protection for cross-border transfers, those laws will remain applicable and should be complied with. Therefore, the compliance burden for entities regulated by sectoral regulators remains largely unchanged in this context.
Compensation to affected individuals
According to the GDPR, any individual who has suffered material or non-material damage due to any infringement of the GDPR has a right to receive compensation from the data controller or data processor for the damage suffered. On the other hand, the DPDP Act does not have any provision to compensate affected data principals. In fact, the provision under the existing law on data protection relating to compensation for affected individuals has now been omitted. In the absence of any statutory compensation under the DPDP Act, affected data principals in India may have to pursue civil remedies, under other prevailing laws, for any harm caused to them due to a breach of their personal data.
Penalties on individuals
The GDPR does not prescribe specific penalties for data subjects. Penalties and sanctions under the GDPR are typically intended to apply to organizations (data controllers and processors) that fail to comply with its provisions. Conversely, the DPDP Act imposes certain duties on data principals, such as the duty not to impersonate another person and not to register a false or frivolous grievance or complaint, etc. In addition, the DPDP Act sets out a penalty of a maximum of INR 10,000 (approx. $120) in case a data principal fails to observe the prescribed duties.
Right of data portability
In a departure from the GDPR, the DPDP Act does not provide a right of data portability in favor of data principals. While such a right was incorporated in the Personal Data Protection Bill, 2019, it has not been incorporated in the current version of the DPDP Act.
The way forward
While the GDPR and the DPDP Act share common objectives, the approach and methodology adopted by the two legislations are palpably distinct. The GDPR is comparatively more prescriptive, whereas the DPDP Act outlines certain fundamental principles and leaves numerous implementation-related aspects to be addressed through subordinate legislation that will be brought into force subsequently. This approach may allow greater flexibility and adaptability in addressing various aspects of data protection as the legislative process evolves.
For entities that are already required to comply with the GDPR, being prepared for potential adjustments and fine-tuning to ensure compliance with the DPDP Act's requirements is necessary. As the law becomes effective, businesses will need to carefully navigate the additional groundwork required and adapt their practices accordingly to align with the new Indian framework.
Harsh Walia, Partner
Supratim Chakraborty, Partner
Shobhit Chandra, Counsel
Sumantra Bose, Principal Associate
Sanjuktha Yermal, Associate
Shramana Dwibedi, Associate
Vanshika Lal, Associate
Khaitan & Co.
[1] Please note that this Insight article refers to the current status of the DPDP Act 2023 as of September 2023. If there are any subsequent changes to the status of the Act, the article will be updated accordingly.