Saturday, April 27, 2024

Why India should sync up its data protection law with the EU’s GDPR

While the DPDPA and GDPR share some core principles, they also diverge significantly in their approaches. More harmony could benefit India.

India finally enacted its data protection law earlier this year, a crucial piece of legislation in the rapidly expanding digital landscape. It establishes rules and guidelines for handling data, distinguishing the rights and responsibilities of digital citizens, or nagriks, from those of data custodians, or fiduciaries. The law is rooted in principles that govern the ethical and lawful use of data in the digital economy.

India’s Digital Personal Data Protection Act (DPDPA) came into force five years after the European Union’s General Data Protection Regulation (GDPR). Given today’s cross-border global data flow and the cross-jurisdictional operations of digital tech-driven businesses, it’s imperative to discuss the points of convergence and divergence of GDPR with DPDPA.

Here, we focus on how these two regulations impact ‘data controllers’ as referred to in the GDPR or ‘data fiduciaries’ as referred to in the DPDPA. Let’s call them ‘service providers’—those persons or entities that determine the purpose and means of processing personal data.

While the DPDPA and GDPR share fundamental principles, they differ significantly on several parameters.

One commonality between the GDPR and the DPDPA is that both regulations apply extra-territorially.

The GDPR applies to the processing of personal data of users in the EU by service providers that are not based in the EU. This includes data processing activities such as offering goods or services to users or monitoring their behaviour within the EU.

Similarly, the DPDPA’s jurisdiction encompasses digital personal data processed outside India if it relates to offering goods or services to users within India.

Another similarity is that the DPDPA and the GDPR impose many obligations on service providers. These include mandating certain service providers to undertake a Data Protection Impact Assessment (DPIA) to identify and mitigate risks linked to personal data processing, as well as appointing a Data Protection Officer (DPO) to oversee compliance with data protection regulations.

Service providers are also mandated to implement appropriate technical and organisational measures to protect personal data within their control. This includes erasing personal data when a user withdraws their consent, and ensuring the accuracy of the personal data they process.

Points of divergence

A notable point of divergence is the obligations imposed on data processors—an individual or entity acting on behalf of a service provider, for instance a software provider that collects and stores customer data for e-commerce companies.

The DPDPA does not place any specific obligations on data processors, which perhaps puts the onus on the service providers themselves. The GDPR, however, places specific obligations on data processors. These include assisting service providers in case of a data breach, in conducting a DPIA, and in implementing appropriate technical and organisational measures to ensure compliance with the regulation.

Second, while both regulations mandate that service providers report data breaches to the regulatory authority or data protection board and the affected users, there are some key differences.

The GDPR only requires service providers to report those data breaches that pose a high risk to the rights and freedoms of users. In contrast, the DPDPA requires service providers to report all data breaches to both the board and the users. However, the rules for reporting data breaches under the DPDPA are yet to be formulated.

The third point of divergence is the data retention period. The GDPR does not prescribe a particular period for retaining the personal data collected, beyond what is necessary for the original processing purposes.

The DPDPA takes a more prescriptive approach. It provides for erasing personal data “as soon as it is reasonable to assume that the specified purpose is no longer being served”.

Fourth, the DPDPA allows users to get their grievances directly redressed by the service providers. They are accorded the right to approach the Data Protection Board of India (DPBI) only if they are not satisfied with the service provider’s grievance resolution. However, under the GDPR, a user has a right to file a complaint with the supervisory authority without necessarily having to approach the service provider first.

Fifth, the DPDPA provides for a blacklisting framework to restrict the transfer of personal data outside India—this means that data can go to most jurisdictions, except for those on a ban list. This is a significant departure from previous drafts, which leaned toward data localisation.

The DPDPA also recognises that other regulations may restrict the transfer of personal data by a data fiduciary or class of data fiduciaries outside India. For instance, the Reserve Bank of India requires all digital payments system data to be stored in India.

The GDPR, in contrast, provides for a whitelisting mechanism, which involves approving certain nations/organisations where personal data can be transferred. In this system, another country, or specific sectors there, or the international organisation in question, must guarantee an adequate level of data protection based on certain parameters.

It also requires data controllers and processors to provide appropriate safeguards, uphold enforceable data subject rights, and ensure that effective legal remedies are available.

Sixth, the DPDPA exempts the processing of personal data for the prevention, detection, investigation, or prosecution of an offence or contravention of any law from certain provisions of the Act. In such cases, the rules on notice, consent, user rights and duties, and cross-border data flows do not apply. In contrast, the GDPR provides a blanket exemption to competent authorities for processing personal data for security purposes.

Lastly, the DPDPA exempts personal data from the ambit of its rules if it has been made public by a user or someone who is legally obligated to do so.

The GDPR, however, only exempts the processing of “sensitive personal data” if it relates to data made public by the users themselves.

Toward harmonising DPDPA & GDPR

With India moving toward enabling ease of doing business, it is imperative to try and harmonise these diverging regulations in order to reduce the compliance burden on global digital-tech-driven businesses.

India has an advantage on this front, given that it is yet to draft rules under the DPDPA for certain key areas—including the process for reporting personal data breaches to the Data Protection Board, the determination of when the specified purpose is deemed as no longer being served, the procedures for conducting the DPIA, and the modalities for users to request service providers to erase their personal data, among others.

As the DPDPA takes its place alongside the EU’s GDPR, a new paradigm in global data protection standards emerges. Global organisations, having already tackled the complexities of GDPR compliance, have a significant headstart in adapting to the DPDPA’s requirements. Understanding the differences between these regulations is pivotal for ensuring seamless compliance with India’s regulations.

Dr Dhawal Gupta is group business director at Chase India, a leading public policy consultancy and advocacy firm. He was previously head of policy (cyber law) with the Ministry of Electronics and Information Technology. Antra Jain is an associate at Chase India. Views are personal.

(Edited by Asavari Singh)