In the past few years, the demand for a robust data protection regime in India has been rife, especially in light of the Supreme Court's landmark 2017 ruling in K.S. Puttaswamy v. Union of India[1] ("Puttaswamy"), which held that the right to privacy is a fundamental right under Articles 14, 19 and 21 of the Constitution of India. These demands led to the constitution of the Srikrishna Committee, which prepared India's first draft of a dedicated data protection legislation. The draft has undergone several changes over the years, the latest attempt being the Digital Personal Data Protection Bill, 2022 ("DPDP"). The Indian government has made some sweeping changes to the earlier iterations of the data protection bill, which had drawn much of their inspiration from the European Union's ("EU") General Data Protection Regulation, 2016 ("GDPR"),[2] often regarded as the benchmark for data privacy by legislators around the world. The DPDP is a much simpler version compared to its previous iterations; however, it retains some key concepts of the GDPR. Given the significance of data protection and data privacy of individuals in today's times and across jurisdictions, it is relevant to compare and test how the DPDP as a legislation fares against the data laws of other key jurisdictions, to gain a better understanding of where India stands in protecting the data of its citizens. This article attempts to compare the DPDP with the GDPR and the recently proposed American Data Privacy and Protection Act, 2022[3] ("ADPPA"),[4] which, if enacted, would be the first comprehensive federal data protection legislation in the US (currently at a draft stage).
2. DPDP vs. GDPR vs. ADPPA
| No. | Topic | DPDP (India) | GDPR (EU) | ADPPA (US) |
|---|---|---|---|---|
| 1. | Applicability | Applies to the processing of 'personal data' within India, whether collected online or collected offline and then digitised. Also applies to the processing of digital personal data outside India, if such processing is in connection with profiling of, or the activity of offering goods or services to, Data Principals[5] within India.[6] | Applies to the processing of 'personal data' wholly or partly by automated means, and to processing by non-automated means where the personal data forms part of a filing system or is intended to form part of one.[7] | Applies to the collection, processing or transfer of 'covered data', which includes information that identifies, or is linked or reasonably linkable to, an individual or a device linkable to an individual, and includes derived data and unique identifiers.[8] |
| 2. | Data categorisation | Personal data is not categorised further. | Personal data is further categorised into 'special categories' of personal data, which include data revealing racial or ethnic origin, political opinions, religious beliefs, etc.[9] | Covered data is further categorised into 'sensitive covered data', which includes government identifiers such as the social security number and sensitive information relating to finances, health, race, etc.[10] |
| 3. | Consent from children | Parental consent is required for processing the personal data of individuals below the age of 18 (eighteen).[11][12] | Parental consent is required for processing the data of individuals below the age of 16 (sixteen); EU member states may lower this age to not less than 13 (thirteen).[13] | No parental consent is prescribed for processing the covered data of individuals below the age of 17 (seventeen); however, parental consent may be sought for transferring their covered data.[14] |
| 4. | Consent requirements | Does not mandate specific or heightened standards of consent for the processing of any category of data. However, it recognises the concept of 'deemed consent',[15] under which the express consent of the Data Principal is not sought in certain circumstances. | Processing of 'special categories of personal data' is allowed only with the explicit consent[16] of the data subject or where certain specific conditions are met.[17] | Collection, processing and transfer of 'sensitive covered data' is allowed only with the individual's 'affirmative express consent',[18] unless a specific exception applies.[19] |
| 5. | Cross-border data flows | Cross-border flow of personal data is allowed to countries notified by the Indian government.[20] | Cross-border flow of personal data is allowed where the destination country provides an adequate level of protection, or where appropriate safeguards are in place.[21] | Cross-border flow of data is neither expressly permitted nor prohibited.[22] |
| 6. | Data portability[23] | Does not provide for the right to data portability. | Provides for the right to data portability.[24] | Provides for the right to data portability.[25] |
| 7. | Data breach notifications | Data Fiduciaries[26] are required to notify the Data Protection Board[27] and each affected Data Principal of any data breach, without exception.[28] | Data Controllers[29] (the equivalent of a Data Fiduciary under the DPDP) are required to notify[30] the supervisory authority as well as the Data Subjects[31] (the equivalent of a Data Principal under the DPDP) of a data breach, except in certain circumstances.[32] | There is no separate requirement; the respective state's law governs notification requirements.[33] |
| 8. | Right to be forgotten[34] | Does not recognise the right. | Recognises the right.[35] | Does not recognise the right. |
| 9. | Significant Data Fiduciary | Certain Data Fiduciaries are categorised as 'Significant Data Fiduciaries' and have additional obligations.[36] | No such categorisation is made for Data Controllers. | Certain Covered Entities[37] are categorised as 'large data holders' and 'covered high-impact social media companies' on the basis of defined factors[38] and have additional obligations. |
| 10. | Penalties and compensation | A penalty of up to INR 500,00,00,000 (Indian Rupees Five Hundred Crores) can be imposed by the Data Protection Board for non-compliance.[39] | Fines of up to EUR 20,000,000 (Euros Twenty Million) or 4% (four per cent) of worldwide annual turnover, whichever is higher, can be imposed.[40] The Data Subject has a right to seek compensation in case of an infringement.[41] | There is no fixed penalty. The individual has a right to seek compensation (including attorney's fees) and injunctive relief in case of an infringement.[42] |
The legislative intent of the DPDP, the GDPR and the ADPPA appears to be alike: each aims to provide for the processing of personal data in a manner that safeguards the rights of individuals and provides them with foundational data privacy rights. However, unlike the GDPR and the ADPPA, the DPDP does not extend its provisions to non-digital data, leaving a chunk of an individual's personal data out of its scope. The DPDP also does not categorise personal data into 'critical personal data' and 'sensitive personal data' (as was the case under the previous versions of the bill) or into 'personal data' and 'sensitive personal data' (as is the case under the extant Information Technology Act, 2000 and the rules made thereunder), subjecting all personal data to the same standard of protection. Further, unlike the GDPR and the ADPPA, the DPDP recognises the concept of 'deemed consent', where the power to specify the grounds on which personal data may be processed without the Data Principal's consent vests with the Indian government. This is concerning, as the provisions of the DPDP do not provide direct parallels to the cardinal principles of data processing, such as data minimisation, purpose limitation and proportionality, that the GDPR and the ADPPA explicitly recognise. With respect to data portability, the DPDP allows for the transfer of data by the Data Fiduciary with the consent of the Data Principal, which is not the same as giving the Data Principal the ability to effectuate the transfer of such data, and does not further their right to meaningful control over their data. Further, while the requirement to notify Data Principals of data breaches under the DPDP is laudable, it must also be considered that not every data breach is problematic or impacts the Data Principal's rights; hence, certain exceptions similar to those in the GDPR could be laid down.
On another note, the introduction of Consent Managers in the DPDP is novel and will help Data Principals manage their data more efficiently. The DPDP also places additional obligations on Significant Data Fiduciaries, which is expected to ensure added protection for a Data Principal's data. However, the absence of provisions vesting in affected Data Principals a private right to be compensated for losses disincentivises them from seeking redressal under the DPDP.
The analysis establishes that the DPDP enshrines multiple concepts and principles similar to those in the key data legislations prevalent in the EU and the US. However, the DPDP is relatively more basic in nature, and even though it may be said that the conciseness and simplicity of the DPDP make it more accessible, business-friendly, broad and amenable to swift changes in technology, on the flipside it may be considered inadequate to deal with certain intricacies. Hence, it is hoped that before it is notified, the DPDP incorporates some of the standards that form part of global data laws such as the GDPR and the ADPPA, such as data localisation, data portability and the right to be forgotten, which will go a long way in providing comfort to Data Principals. Further, given that the concept of 'deemed consent' is relatively new and untested across jurisdictions, one will need to wait before any assessment of its impact can be made. That said, the DPDP appears to be principally in alignment with globally adopted key data protection laws and, more importantly, is a huge stride by the Indian government from the existing IT Act framework in India, which has failed to adequately protect the rights of Data Principals.
1. K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
4. The US does not have a comprehensive federal data protection law comparable to the EU's GDPR; the ADPPA, if enacted, would be the first. Under the status quo, states in the US have enacted their own data protection laws, such as the California Consumer Privacy Act, followed by privacy acts in Colorado and Connecticut, among others.
5. Section 2(6) of the DPDP defines 'Data principals' as individuals to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.
6. Section 4(1) of the DPDP.
7. Article 2 of the GDPR.
8. Section 2(8) of the ADPPA.
9. Article 9 of the GDPR.
10. Section 2(28) of the ADPPA.
11. Section 10 of the DPDP.
12. Section 2(3) of the DPDP.
13. Article 8 of the GDPR.
14. Section 205 of the ADPPA.
15. Deemed consent refers to circumstances where the express consent of the Data Principal is not sought for the processing of personal data, inter alia for a "public interest" or "any fair and reasonable purpose", after taking certain factors into consideration. 'Deemed consent' may be inferred for any kind of personal data if it is used for the purposes enumerated in Section 8 of the DPDP.
16. Explicit consent is not defined in the GDPR; however, per the guidelines issued by the European Data Protection Board, explicit consent requires that the data subject give an express statement of consent.
17. Article 9(2) of the GDPR
18. Section 2(1) of ADPPA defines affirmative express consent as an affirmative act by an individual that clearly communicates the individual's freely given, specific, and unambiguous authorization for an act.
19. Section 102 of the ADPPA provides for such exceptions.
20. Section 17 of the DPDP.
21. Articles 45 and 46 of the GDPR. Article 45 provides for transfers on the basis of an "adequacy decision" by the European Commission; Article 46 provides for transfers subject to appropriate safeguards in the absence of such a decision.
23. The right to data portability allows individuals to receive the personal data concerning him or her provided to an entity collecting the data and transmit it to another entity without hindrance.
24. Article 20 of the GDPR.
25. Section 203 of the ADPPA
26. Section 2(5) of the DPDP defines 'Data Fiduciary' as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
27. As per Section 19, the Central Government will set up the Data Protection Board.
28. Section 9(5) of the DPDP.
29. Article 4(7) of the GDPR defines a 'Data Controller' as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
30. Articles 33 and 34 of the GDPR; see also the guidelines issued by the European Data Protection Board on personal data breach notification.
31. As per Article 4 of the GDPR, an identified or identifiable natural person is a 'Data Subject'.
32. Notification to the supervisory authority is not required where the personal data breach is "unlikely to result in a risk to the rights and freedoms of natural persons" (Article 33(1)). Notification to the data subjects is not required where, inter alia, the affected personal data was rendered unintelligible to unauthorised persons, such as by encryption (Article 34(3)).
33. Section 404 of the ADPPA.
34. The right to be forgotten is a right of an individual to get his / her personal data erased when, inter-alia, the data is no longer required to be retained, or when the consent is withdrawn.
35. Article 17 of the GDPR.
36. Section 11 of the DPDP. Further, the section has clarified that the Central Government may notify any Data Fiduciary as Significant Data Fiduciary, on the basis of an assessment of certain relevant factors.
37. Section 2(9) of the ADPPA defines a Covered Entity as "any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data".
38. Section 2(21) of the ADPPA.
39. Section 25 of the DPDP.
40. Article 83 of the GDPR.
41. Article 82 of the GDPR.
42. Section 403 of the ADPPA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.