DPDP v. GDPR

Introduction

The security of personal data is now crucial in the digital era. Around the world, nations and organisations are passing laws to control the handling of personal data. In this blog post, we shall compare the General Data Protection Regulation (GDPR) of the European Union and the Digital Personal Data Protection (DPDP) Bill, a proposed law in India. We want to spotlight the parallels and differences between these two data protection systems by comparing their scope, enforcement methods, and punishments. 

Scope

The DPDP Bill’s primary focus is handling digital personal data within India, which includes both online and offline data. If processing includes providing Indians with products or services or profiling them, it also extends its authority to process personal data outside India. The GDPR, in contrast, covers individuals living in the EU and businesses outside the EU that provide products or services to or observe the behaviour of EU citizens. It also applies to the processing of personal data within the EU.

The GDPR has chosen a graded approach for the consent to process children’s personal data. According to the Member State, the minimum age for legal consent in such circumstances ranges from 13 to 16 years. Furthermore, the organisation must obtain parental approval to confirm that the parent gave consent reasonably. The DPDP Bill, like its predecessors, relies on the absolute age of 18 to provide valid permission and needs to examine the graded approach used widely worldwide. Another distinction made by the DPDP Bill is that if the business processing the data of a child has parental approval to do so, such consent must be “verifiable parental consent” by future regulations.

Legal Basis for Processing

The GDPR explicitly states in Article 5 that the basic standards governing the processing of personal data are Lawfulness, Fairness & Transparency, Purpose Limitation, Data Minimization, Accuracy, Storage Limitation, Integrity & Confidentiality, and Accountability. There is no explicit mention of any such concepts in the DPDP Bill. Nevertheless, a note of explanation explicitly emphasizes the same GDPR principles, clarifying that they are not directly part of the Bill. This raises questions about the enforceability of these concepts, as they are not contained within the Bill itself.

The GDPR and the DPDP Bill strongly emphasise the need for a legitimate reason to process personal data. The DPDP Bill requires getting a person’s consent for legitimate processing. However, in some circumstances, specific reasons may constitute deemed consent. According to the GDPR, processing can be justified on several legal grounds, including consent, contract fulfilment, legal requirements, vital interests, the public interest, and legitimate business interests pursued by the data controller or a third party.

The GDPR and the Bill offer a few other legal justifications for processing personal data on top of consent. “In this regard, the Bill differs from the GDPR by acknowledging that a data principal is ‘deemed’ to have given permission for processing when they voluntarily offer personal data to the data fiduciary, and it is reasonable to expect that they would provide such personal data. For example, by sharing their name and mobile number with a restaurant to reserve a table, a customer implicitly grants consent to the restaurant (i.e., the data fiduciary) to collect their name and mobile number. The Bill supplies this example to explain this section.

Individuals’ Rights

Both frameworks recognise the need to give people control over their personal data. The DPDP Bill gives people the right to access information, ask for its removal or modification, choose their representatives, and file complaints. Similarly, the GDPR gives people rights for data transfer, access, rectification, deletion, and protection against automated decision-making.

The GDPR provides strict and unambiguous protections for situations when an automated decision-making process may result in human injury. The PDP claims to require comprehensive evaluation for large-scale profiling, yet it only grants minors the right to object to automated profiling. In contrast, the GDPR covers this topic in greater detail, mandating that data subjects have the right to object to automated profiling used for direct marketing. Moreover, the GDPR insists on clear and precise communication to data subjects about their right to object.

Data Storage 

Data Storage According to the GDPR, data must be kept in an identifiable format for a specific period. Any lengthening of the storage time would follow specific exceptions. The application of the data for historical in nature, numerical, academic, or public interest purposes is one of these exceptions. The PDP mandates that data can only be stored as long as necessary to fulfill its purpose, after which it must be deleted. Additionally, the PDP stipulates that extending the storage period requires the data subject’s consent. Consequently, adhering to the PDP’s requirements may require compliance with GDPR’s data storage criteria.

Data Protection Authorities

The DPDP Bill calls for creating the Data Protection Board of India, which would enforce regulations, enforce penalties, and resolve complaints. The central government will specify the Board’s constitution and terms of appointment. In contrast, the GDPR creates supervisory authorities in each EU member state, and the European Data Protection Board (EDPB) guarantees that these authorities work together and that their implementation is uniform.

Penalties

Data controllers and processors should work with the DPO to resolve complaints in accordance with GDPR. The data subjects can contact the DPO directly to exercise their GDPR-guaranteed rights. In some circumstances, data subjects can also immediately contact the Supervisory Authority to seek legal redress. The PDP gives data fiduciaries responsibility for maintaining effective grievance redressal procedures. If the data subject has concerns, they can contact the appointed officer, who must resolve the issue within 30 days. An appeal panel can handle grievances resulting from decisions made by adjudicating authorities.

The DPDP Bill outlines sanctions of up to Rs 500 crore for various offences. The Indian Data Protection Board will decide on the specific fines. Contrarily, the GDPR stipulates that penalties structure can be up to 20 million Euros or, in the case of an undertaking, up to 4% of the entire global revenue of the prior fiscal year, depending on what is higher, for very serious violations, as mentioned in Art. 83(5) GDPR. But even the list of less serious offences in Article 83(4) GDPR stipulates fines of up to 10 million Euros or, in the case of an undertaking, up to 2% of its total global revenue for the prior fiscal year, whichever is larger. Moreover, the Bill does not prescribe compensation to data principals.

Conclusion

Data protection laws are essential for protecting personal data and preserving people’s right to privacy. While the GDPR has already established itself as a recognised global standard, the DPDP Bill, currently in the proposal stage, seeks to create a comprehensive data protection framework in India. The DPDP Bill and the GDPR prioritise consent, individual rights, and the creation of regulatory authorities for supervision and enforcement. However, the European Union and India have different approaches and legal systems, as seen by variances in the breadth, legal foundations, and sanctions.

Stay updated with Tsaaro about all the latest privacy compliance developments across multiple jurisdictions. Gain a better understanding of laws and regulations and their requirements through us. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today. Our insights will help you make informed choices to mitigate your privacy risks. Contact us by email at info@tsaaro.com.