On August 11, 2023, the Digital Personal Data Protection Act, 2023 (DPDP) obtained the Presidential assent, bringing India’s long-awaited data protection law one step closer to being fully implemented. The DPDP aims to replace India’s current disorganised system of privacy and data protection rules and regulations, which were characterised by a consent-is-prime attitude and few penalties for noncompliance. The DPDP will now bring about this adjustment. EU privacy and data protection regulations, known as the General Data Protection Regulation. The goal of the General Data Protection Regulation (GDPR) is to provide EU people with a unified and consistent approach to privacy within the EU.
No distinct or unique class of data Personal data is categorised under the GDPR into a number of distinct subsets. These categories of personal data, along with the reason for processing them, are subject to different compliance requirements. However, compliance with the DPDP is equivalent for all types of personal data and is not reliant on whether the data is of a specific type. GDPR’s applicability to offline data is limited by the DPDP Act to digital or digitised data, although any offline data that is part of a file system is covered by it.
Penalties and the duty of the processor: Under the GDPR, a processor is accountable for their activities. This means that if the processor violates personal data, they will be held financially accountable. Under the Data Protection Board, only the data fiduciary is accountable under the DPDP; any bilateral disputes arising between the data processor and the data fiduciary must be resolved through the data processing contractual agreement. This suggests that, under the DPDP, the data fiduciary is subject to a greater compliance burden and penal liability than the data processor. As a result, the data fiduciary must make sure that the contractual provisions protect the fiduciary if the processor fails or lapses.
The DPDP mandates a notice for data principals to provide consent, including information about the nature of personal data, purpose, withdrawal methods, grievance redressal, and complaint procedures. Under the GDPR, the notice should include details about the data controller, data protection officer, processing purposes, legitimate interest, recipients, cross-border transfer, retention period, and data subject rights.
The Data Protection and Protection of Privacy (DPDP) allows the Central Government to restrict the transfer of personal data to foreign jurisdictions, allowing it to be freely transferred, except for countries on the government’s blacklist. The GDPR, on the other hand, limits the transfer of personal data, requiring standard contractual clauses, conditional transfers, and limited transfer permissions, making it more comprehensive.
A child is defined by the GDPR as an individual who is 13 to 16 years old. On the other hand, a person under the age of 18 is considered a kid under the DPDP. Higher levels of compliance are required under DPDP, and data fiduciaries are not allowed to handle kid data for behavioural monitoring or targeted advertising, nor are they allowed to do any other processing that might have a negative impact on the child’s wellbeing. Furthermore, data fiduciaries must obtain verifiable parental or guardian consent before processing any child data.
Data breach notification period: Under GDPR, firms that are affected must inform data breaches as soon as possible and, in any case, no later than 72 hours after learning of the breach. Information security incidents must be notified within six hours of the entity observing the occurrence or learning about it, according to Section 70B96 of the Information Technology Act. To find out if the regulations specify a different timeline, one must wait to see them.
Penalties: The GDPR stipulates penalty slabs, which range from €10–20 million or 2–4% of a company’s sales, depending on the type of violation. The maximum penalty amount allowed by law for each infraction has been established by DPDP. Up to INR 250 crore in fines may be imposed by the Data Protection Board. These are the maximum amounts; the actual amount of the penalty may be less than the maximum specified based on many circumstances, including the type, extent, and length of the breach, the type of personal data compromised, the efforts taken to lessen the impact of the breach, etc.
It is anticipated that the DPDP when accompanied by regulations, will cause notable modifications to the current privacy policies that companies doing business in India have developed. Entities that are General Data Protection Regulation (GDPR) compliant must review their policies, procedures, and systems to ensure compliance with DPDP standards, given the distinctions between GDPR and DPDP.