Personal data carries both moral and commercial significance, and therefore protecting it is crucial. Morally, protection safeguards individual privacy, builds trust, and prevents harms such as identity theft or discrimination. Commercially, personal data has immense value, which is why it is often referred to as the "new oil". Many people would be surprised to learn the true worth of their personal information, particularly in the context of social media, where data drives vast economic value.
What incidents prompted the central government to propose the data protection framework?
Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)
The judgment held that the right to privacy is intrinsic to the fundamental right to life and personal liberty under Article 21. The Constitution must be interpreted liberally so that it can accommodate growth and development brought about by technological change. The judgment recognised informational privacy as a facet of that right and noted the need for a data protection law.
The landmark Supreme Court verdict in the Puttaswamy case was the significant event that led the central government to propose a data protection framework.
Who made the proposal for data protection?
The framework that eventually became the DPDP Act was proposed by the Justice B.N. Srikrishna Committee. The committee was constituted by India's Union Ministry of Electronics and Information Technology (MeitY) in 2017 to identify the key issues of data protection and ways to address them, with a mandate to propose a draft bill. The committee released its report in 2018 together with the draft Personal Data Protection Bill, 2018.
The important recommendations of the committee's report were:
- It should be technology-neutral, adaptable to evolving technologies and compliance standards.
- It should apply to both private organizations and the government.
- The consent must be genuine.
- Data processing should be minimal and limited to essential purposes.
- There should be strong penalties for improper data processing.
- Data localization may be required in specific sensitive sectors, but it is not recommended to enforce it universally.
DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (DPDP ACT, 2023)
The DPDP Act of India received Presidential assent on 11 August 2023. It is an Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes, and for matters connected therewith or incidental thereto. The DPDP Act applies to the processing of digital personal data within India, and to processing outside India where it is in connection with offering goods or services to Data Principals within India.
With the draft proposed by the Justice B.N. Srikrishna Committee, the major concern of most stakeholders was the data localisation it recommended. Taking that concern into account, the final version of the Act, in Section 16(1), permits cross-border data transfer by default. It contains no adequacy-decision requirement and does not require any transfer mechanism to be put in place. However, the Central Government may, by notification, restrict transfer to specified countries or territories. The transfer of data also remains subject to any higher degree of restriction applicable under any other law.
The DPDP Act has not yet been brought into force; however, the Draft Rules were published on 3 January 2025 for public consultation, with comments to be taken into consideration after 5 March 2025.
The most important provisions of the Draft DPDP Rules to discuss are:
Rule 3: Rule 3 requires that Data Fiduciary must provide a clear, standalone notice to the Data Principal with details on the personal data being processed, its purpose, and the services involved. It must also include easy-to-understand instructions for withdrawing consent and exercising rights under the law. This ensures informed consent and transparency in data processing.
Issue: Where a company processes vast amounts of personal data, for example to train an AI model, providing a clear, itemised description of each type of data and its purpose may be challenging. This could hinder economic growth in a developing country like India, where the latest technology such as AI modelling is still at the development stage.
Rule 5: The State and its instrumentalities can process personal data to provide subsidies, benefits, services, certificates, licenses, or permits under law, policy, or using public funds. The processing must adhere to specified standards in the Second Schedule. These provisions apply to actions taken under legal powers, governmental policies, or funded by public resources.
Issue: It would be difficult to clearly identify and hold accountable the individuals or departments responsible for data processing, since in a large organisation several departments are involved in a single process.
Rule 6: This rule mandates that Data Fiduciaries implement reasonable security safeguards to protect personal data from breaches. These measures include encrypting or masking data, controlling access to computer resources, monitoring for unauthorized access, maintaining logs for investigation and remediation, ensuring data backups for continued processing in case of data loss, and retaining logs for one year.
Issue: For a small organisation, implementing reasonable security safeguards would be an additional financial burden.
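The safeguards listed in draft Rule 6 (encryption or masking, access control, monitoring for unauthorised access, logs kept for one year) are easier to reason about in code. The following is an added illustrative example written by the editor; it is not code from the Draft Rules, MeitY, or any official guidance. The role-to-purpose table, the field names, the hard-coded pseudonymisation key and the sample record are all constructed assumptions for the example.

```python
"""Minimal sketch of draft Rule 6 safeguards: masking, keyed pseudonymisation,
purpose-bound access control, access logging and one-year log retention.
Example code added for illustration; not from the Draft Rules or any authority."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: in production this secret lives in a KMS/HSM, never in source.
# It is hard-coded here only so the example runs offline.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"

# Draft Rule 6 asks for logs to be retained for one year (assumed as 365 days).
LOG_RETENTION = timedelta(days=365)

# Assumed mapping of internal roles to the purposes they may access data for.
ALLOWED_PURPOSES = {
    "support": {"contact_customer"},
    "analytics": {"aggregate_statistics"},
}


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, _, domain = email.partition("@")
    if not domain:
        raise ValueError("not an e-mail address")
    return f"{local[:1]}{'*' * max(len(local) - 1, 1)}@{domain}"


def mask_phone(phone: str) -> str:
    """Show only the last four digits of a phone number."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymise(value: str) -> str:
    """Stable keyed token for a Data Principal identifier.

    HMAC rather than a plain hash: an unkeyed SHA-256 of an e-mail address can
    be reversed by dictionary attack, a keyed token cannot without the key.
    """
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:32]


def authorise(role: str, purpose: str) -> bool:
    """Access is granted only for a purpose the role is allowed to serve."""
    return purpose in ALLOWED_PURPOSES.get(role, set())


def record_access(log: list, actor: str, token: str, purpose: str,
                  when: datetime, outcome: str) -> None:
    """Append one audit entry; the Data Principal appears only as a token."""
    log.append({"ts": when, "actor": actor, "principal": token,
                "purpose": purpose, "outcome": outcome})


def access_record(record: dict, role: str, purpose: str,
                  log: list, when: datetime) -> dict:
    """Return a masked view of the record, logging both allowed and denied attempts."""
    token = pseudonymise(record["email"])
    if not authorise(role, purpose):
        record_access(log, role, token, purpose, when, "denied")
        raise PermissionError(f"role {role!r} may not access data for {purpose!r}")
    record_access(log, role, token, purpose, when, "allowed")
    return {"email": mask_email(record["email"]), "phone": mask_phone(record["phone"])}


def denied_attempts(log: list) -> list:
    """The entries a monitoring job would alert on."""
    return [e for e in log if e["outcome"] == "denied"]


def prune_logs(log: list, now: datetime) -> list:
    """Keep only entries inside the retention window."""
    cutoff = now - LOG_RETENTION
    return [e for e in log if e["ts"] >= cutoff]


def demo() -> dict:
    """Run the pieces together on a constructed record and a stale log entry."""
    now = datetime(2025, 3, 5, tzinfo=timezone.utc)
    record = {"email": "priya.sharma@example.in", "phone": "+91 98765 43210"}  # constructed
    log = []
    # Constructed entry older than the retention window; prune_logs should drop it.
    record_access(log, "support", pseudonymise(record["email"]),
                  "contact_customer", now - timedelta(days=400), "allowed")
    view = access_record(record, "support", "contact_customer", log, now)
    try:
        access_record(record, "marketing", "contact_customer", log, now)
    except PermissionError:
        pass
    log = prune_logs(log, now)
    return {"view": view, "denied": len(denied_attempts(log)), "retained": len(log)}


if __name__ == "__main__":
    print(demo())
```

The point of the keyed token is that the audit log itself becomes a store of personal data if it carries raw e-mail addresses; logging a pseudonym satisfies the logging and investigation requirement without extending the breach surface, provided the key is held separately from the log.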
Rule 12: Additional obligations of Significant Data Fiduciaries
Significant Data Fiduciary must conduct a Data Protection Impact Assessment and an audit every 12 months to ensure compliance with data protection laws. They must also verify that any algorithmic software used does not risk the rights of Data Principals and take measures to ensure that specific personal data, as defined by the Central Government, is not transferred outside India. Additionally, reports on the assessments and audits must be submitted to the governing Board.
Issue: The Draft DPDP Rules do not clarify which classes of Data Fiduciaries will be notified as Significant Data Fiduciaries. Significant Data Fiduciaries will carry additional data localisation obligations. To meet them, companies may have to establish data centres in India, which requires investment in high-performance servers, cloud infrastructure and secure facilities. Foreign companies in particular may hesitate to invest in India because of this additional financial burden.
Rule 13 (2): Rights of Data Principals
To exercise the rights of the Data Principal under the Act to access information about personal data and its erasure, she may make a request to the Data Fiduciary to whom she has previously given consent for processing of her personal data, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such rights.
Issue: The situation becomes very complicated when an AI model is still in its training period and a Data Principal withdraws the consent to process the data that he or she previously gave.
Rule 14: Processing of personal data outside India
This rule mandates that the transfer of personal data by a Data Fiduciary to any country outside India, whether the data is processed within India or outside in connection with offering goods or services to Data Principals in India, is subject to restrictions. The Data Fiduciary must comply with requirements set by the Central Government, which may include conditions for making personal data available to foreign states or entities under their control or agencies.
Issue: The present Draft Rules do not specify which countries will be notified as restricted.
GDPR AND DPDP ACT
The DPDP Act broadly follows the same principles as the GDPR, and therefore shares a number of similarities with, and differences from, the European Union regulation. Terms that have equivalent meanings in the DPDP Act and the GDPR include:
- “Data Principal” (DPDP Act) corresponds to “Data Subject” (GDPR).
- “Data Fiduciary” (DPDP Act) is equivalent to “Data Controller” (GDPR).
SIMILARITIES BETWEEN THE GDPR AND THE DPDP ACT
- Both regulate the handling of personal data.
- Processing personal data is allowed for health emergencies, public interest, or legal obligations.
- Consent is the primary basis for processing personal data, with a limited set of other grounds in each law.
- Data Subjects/Data Principals have the right to access, correct, and/or delete their personal data.
- Data Subjects/Data Principals have the right to withdraw consent.
DIFFERENCES BETWEEN THE GDPR AND THE DPDP ACT
- The DPDP Act applies only to digital personal data.
- Under the DPDP Act, the Central Government designates certain organisations as Significant Data Fiduciaries, and these Significant Data Fiduciaries carry additional obligations.
- The DPDP Act has no explicit provision for processing personal data on the basis of contractual necessity or legitimate interests.
- The DPDP Act has no provision dealing with special categories of personal data.
- Under the DPDP Act, Data Principals have no right to data portability and no right to opt out of automated decision-making.
- Under the DPDP Act, a Data Principal may nominate another person to exercise their rights in the event of death or incapacity.
- Under the GDPR, cross-border transfer of data is restricted in the absence of an adequacy decision or other appropriate safeguards. Under the DPDP Act, cross-border data transfer is allowed by default unless restricted by the Central Government by way of notification.
- The DPDP Act has a stringent requirement for processing the personal data of a child. As per Section 9(1) of the DPDP Act, the Data Fiduciary shall, before processing any personal data of a child or of a person with disability who has a lawful guardian, "obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed". A breach of the additional obligations in relation to children under Section 9 may attract a penalty extending to two hundred crore rupees.
Sources:
https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
https://indiankanoon.org/doc/127517806
https://static.mygov.in/innovateindia/2025/01/03/mygov-999999999568142946.pdf