On August 11, 2023, India marked a significant milestone with the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA), ushering in a new era of data privacy regulation in the country. This comprehensive legislation, designed to safeguard personal data and privacy rights, holds paramount importance for international businesses operating in India or considering entry into its dynamic digital markets.
Evolution and Salient Features of DPDPA
In this detailed exploration, we’ll delve into the evolution of the DPDPA and its distinctive features, drawing comparisons with the well-established General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act 2012. While the DPDPA takes inspiration from the GDPR, it establishes its legal framework with significant deviations.
Focus on Data Fiduciaries
Unlike the GDPR, which places obligations on both data controllers and processors, the DPDPA zeroes in on data fiduciaries, a role that mirrors the data controller under the GDPR. Notably, data fiduciaries are held directly responsible for the actions of the data processors they engage, a departure from the GDPR’s approach.
A noteworthy departure from the GDPR is the absence of a distinction between personal data and sensitive personal data in the DPDPA. Instead, all personally identifiable data falls under the same regulatory purview. Additionally, the DPDPA excludes publicly available data from its scope, a departure from the GDPR’s protective stance on publicly accessible information.
International Data Transfers and Regulatory Landscape
Examining international data transfers, the DPDPA currently lacks explicit measures for such transfers. However, it leaves room for subsequent regulations to specify these measures, and the Indian government may identify jurisdictions where data transfers are restricted. Companies must navigate existing sector-specific restrictions and other laws governing data transfers, adding a layer of complexity to cross-border data flows.
Lawful Bases for Processing: A Comparative Analysis
The DPDPA outlines two primary lawful bases for processing personal data: explicit consent from the data principal or processing for a legitimate purpose. This contrasts with the GDPR, which provides a more extensive list of lawful bases, including processing for contractual purposes and legitimate interests.
Data Principal Rights: Empowering Individuals
A comprehensive set of data principal rights is a hallmark of the DPDPA, offering individuals rights such as the right to be notified of data breaches, the right to seek erasure, and escalation to the Data Protection Board for grievance resolution. Notably, the DPDPA introduces the concept of consent managers, third parties registered with the Data Protection Board, which empower data principals to actively manage their consents.
Enforcement Landscape and Penalties
While the GDPR grants broad regulatory authority to national supervisory authorities, the DPDPA establishes a Data Protection Board primarily focused on adjudicating grievances and penalizing data breaches. This unique structure leads to a more streamlined and potentially business-friendly regulatory approach. The DPDPA imposes substantial penalties, with fines reaching up to INR 250 crores, signaling a stringent enforcement regime.
Preparing for DPDPA Compliance: Key Takeaways
As the DPDPA awaits implementation, organizations must anticipate a phased rollout and closely monitor the forthcoming rules. While parallels exist with GDPR concepts, organizations must navigate critical differences, underscoring that one size does not fit all in global data protection compliance.
The Paradigm Shift for Indian Businesses
The Act carries practical implications for Indian businesses and calls for a paradigm shift in how personal data is handled. From meticulous documentation of data collection purposes to the appointment of consent managers, businesses face the challenge of adapting to a more stringent regulatory landscape.
Striking a Balance: Simplicity vs. Stringency
The DPDPA strikes a delicate balance, offering a simpler and less prescriptive framework suitable for India’s nascent data privacy compliance landscape. However, the law introduces strict elements not present in the GDPR, reinforcing the idea that data protection compliance is not a one-size-fits-all endeavor.
The Journey Toward Compliance
The focus shifts to the road ahead for Indian businesses as they embark on the journey toward DPDPA compliance. The law’s unique features and its impact on diverse sectors underscore the need for a proactive and disciplined approach to data privacy, setting the stage for a transformative period in India’s data protection landscape.