The security of personal data is now crucial in the digital era. Around the world, nations and organisations are passing laws to control the handling of personal data. In this blog post, we compare the General Data Protection Regulation (GDPR) of the European Union with the Digital Personal Data Protection (DPDP) Bill, a proposed law in India. We want to spotlight the parallels and differences between these two data protection regimes by comparing their scope, enforcement methods, and penalties.
The DPDP Bill's primary focus is the processing of digital personal data within India, which covers data collected online as well as offline data that is subsequently digitised. It also reaches processing that takes place outside India where that processing is connected with offering goods or services to, or profiling, data principals within India. The GDPR, in contrast, applies to the processing of personal data in the context of an establishment in the EU, and to businesses outside the EU that offer goods or services to, or monitor the behaviour of, data subjects located in the EU, regardless of their citizenship.
The GDPR takes a graded approach to consent for processing children's personal data. The default age of digital consent is 16, and each Member State may lower it to no less than 13, so the minimum age ranges from 13 to 16 depending on the Member State. Below that age, the controller must make reasonable efforts to verify that consent was given or authorised by the holder of parental responsibility. The DPDP Bill, like its predecessors, relies on the absolute age of 18 for valid consent and does not adopt the graded approach used widely elsewhere. A further distinction is that the Bill requires a data fiduciary processing a child's personal data to obtain "verifiable parental consent", in a manner to be prescribed by future rules.
Legal Basis for Processing
The GDPR explicitly sets out in Article 5 the basic principles governing the processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. The DPDP Bill contains no explicit statement of such principles. The same principles are, however, emphasised in an explanatory note accompanying the Bill, which itself states that it does not form part of the Bill. Since the principles are not contained in the Bill's text, how enforceable they might be is questionable.
Both the GDPR and the DPDP Bill strongly emphasise the need for a lawful basis to process personal data. The DPDP Bill requires a person's consent for processing to be lawful; however, in certain specified circumstances consent is "deemed" to have been given. Under the GDPR, processing can instead be justified on any of several legal bases: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest, and the legitimate interests pursued by the controller or a third party.
In other words, both the GDPR and the Bill offer legal justifications for processing personal data beyond consent. Where they differ is that the Bill treats a data principal as having "deemed" consent when the data principal voluntarily provides personal data to the data fiduciary and it is reasonable to expect that the data principal would provide that personal data. By sharing their name and mobile number with a restaurant to reserve a table, for instance, a customer is deemed to have consented to the restaurant (the data fiduciary) collecting their name and mobile number. The Bill itself supplies this example to illustrate the provision.
Both frameworks recognise the need to give people control over their personal data. The DPDP Bill gives data principals the right to obtain information about the processing of their data, to seek correction and erasure of their data, to nominate another person to exercise their rights, and to have grievances redressed. Similarly, the GDPR gives data subjects rights of access, rectification, erasure and data portability, as well as protection against solely automated decision-making.
The GDPR provides strict and unambiguous protections where an automated decision, including profiling, produces legal or similarly significant effects on a person. While the Bill is said to require a comprehensive assessment for large-scale profiling, it grants individuals no right to object to automated profiling, except in the case of minors. The GDPR covers this topic in considerably more detail: data subjects have the right to object at any time to profiling for direct marketing purposes, and the controller must explicitly bring that right to the data subject's attention, clearly and separately from other information.
Data Storage
Under the GDPR, personal data may be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes of the processing. Longer storage is permitted only under specific exceptions, namely archiving in the public interest, scientific or historical research, and statistical purposes. Under the Bill, data may be retained only for as long as is necessary to serve its purpose and must be removed once that purpose has been served; if the data is to be retained for longer, the data principal must give consent. In practice, satisfying the Bill's retention rule will generally require meeting the GDPR's storage-limitation criteria as well.
Data Protection Authorities
The DPDP Bill provides for the creation of the Data Protection Board of India, which would enforce the law, impose penalties and adjudicate complaints. The central government will specify the Board's composition and the terms of appointment of its members. In contrast, the GDPR establishes an independent supervisory authority in each EU Member State, and the European Data Protection Board (EDPB) ensures that these authorities cooperate and apply the Regulation consistently.
Under the GDPR, data controllers and processors are expected to cooperate with the Data Protection Officer (DPO) in resolving complaints, and data subjects can contact the DPO directly to exercise their rights. Data subjects can also lodge a complaint directly with the Supervisory Authority and seek a judicial remedy. The Bill instead makes data fiduciaries responsible for maintaining an effective grievance redressal mechanism: a data principal with a concern contacts the appointed officer, and the issue must be resolved within 30 days. Grievances arising from the decisions of adjudicating authorities can be taken to an appellate body.
The DPDP Bill provides for penalties of up to Rs 500 crore for various contraventions, with the Data Protection Board of India determining the amount in each case. By contrast, the GDPR sets fines for the most serious violations at up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher (Art. 83(5) GDPR). Even the less serious infringements listed in Art. 83(4) GDPR attract fines of up to EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher. Moreover, while the GDPR (Art. 82) gives data subjects a right to compensation for damage suffered, the Bill does not prescribe any compensation for data principals.
Data protection laws are essential for protecting personal data and preserving people's right to privacy. While the GDPR has already established itself as a recognised global standard, the DPDP Bill, still at the proposal stage, seeks to create a comprehensive data protection framework for India. Both the DPDP Bill and the GDPR prioritise consent, individual rights, and the creation of regulatory authorities for supervision and enforcement. However, the differences in scope, legal bases and sanctions reflect the different approaches and legal systems of the European Union and India.
Stay updated with Tsaaro on the latest privacy compliance developments across multiple jurisdictions. Gain a better understanding of laws and regulations and their requirements through us. Take the first step towards securing your organisation's data by scheduling a call with our privacy expert team at Tsaaro Solutions today. Our insights will help you make informed choices to mitigate your privacy risks. Contact us by email at firstname.lastname@example.org.