
Key differences between GDPR and Digital Personal Data Protection Act, 2023 (DPDPA)

 


In an increasingly digital world where personal data has become a valuable commodity, the need for comprehensive data protection legislation has never been more critical. With the introduction of the Digital Personal Data Protection Act, 2023, businesses and individuals alike are bracing for a new era of data privacy regulations. In this blog post, we embark on a journey to explore and dissect the key distinctions between GDPR and the Digital Personal Data Protection Act, 2023. 

1. Classification of Personal Data

The Digital Personal Data Protection Act, 2023 (DPDP Act) encompasses all digital forms of personal data without the need for additional classification into special categories. On the other hand, GDPR categorizes personal data into specific groups, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, and more.

2. Extra-Territorial Applicability

The DPDP Act primarily focuses on handling digital personal data within India. It also extends its authority to the processing of personal data outside India if that processing includes providing Indians with products or services. However, the DPDP Act doesn't apply to processing done solely for the purpose of profiling individuals.

3. Consent Managers

The DPDP Act has brought forth an innovative concept known as 'consent managers,' a concept not found within the GDPR framework. Consent managers will be persons registered with the Data Protection Board of India (Board) and will act as a single point of contact to enable data principals to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform.

4. Classification of Data Fiduciaries

An intriguing aspect of the DPDP Act is the categorization of data fiduciaries based on criteria including the quantity and sensitivity of personal data they handle. Organizations regularly managing substantial volumes of individual personal data fall into the category of significant data fiduciaries. They carry additional responsibilities, such as designating a data protection officer and an independent data auditor, as well as conducting data protection impact assessments.

5. Children's Personal Data

The age of majority is different in the GDPR, which states that consent from a child aged under 16 years to use online services is only valid if authorised by a parent (that age can be reduced to 13 in any national legislation). Under the DPDP Act, a child is any individual who has not completed the age of 18 years. However, the DPDP Act allows the government to, in case of verifiably safe data processing activities of data fiduciaries, lower the age of majority from 18 years. 

6. Data localisation and cross-border data transfers

The DPDP Act allows for cross-border transfers to all countries unless specifically restricted by the Indian Government. This provides a much simpler approach to international transfers compared to the complex matrix of adequacy, SCCs, BCRs, and TIAs currently in place under the GDPR.

7. Personal Data Breaches

While the GDPR adheres to a risk-based approach when reporting personal data breaches to authorities, the DPDP Act does not establish any particular criteria or thresholds for notifying the Board and the impacted individual or data principal about data breaches.

8. Mandate regarding notice

In contrast to the GDPR, the DPDP Act specifies that a notice is mandatory when the legal basis for processing personal data hinges on consent. Furthermore, there are obligations to deliver this notification in various local Indian languages.

9. Voluntary Undertaking

The DPDP Act empowers the Board to accept a voluntary undertaking from a person facing action for non-observance. The undertaking may include a commitment (i) to take action within a time frame, (ii) to refrain from taking specified action, and/or (iii) to publicize the voluntary undertaking. Once such a voluntary undertaking is accepted by the Board, it will constitute a bar on proceedings under the law as far as it relates to the contents of the voluntary undertaking.

10. Obligation of Data Processors

The DPDP Act places its primary compliance responsibilities on data fiduciaries, including for processing activities carried out on their behalf by data processors. Data processors themselves are not subject to specific obligations; rather, their obligations are largely determined by the contractual terms established between the data fiduciary and the data processor. In contrast, the GDPR directly extends its applicability to data processors, imposing distinct responsibilities upon them.

11. Penalties

Unlike the GDPR, penalties for breaches of and non-compliance with the DPDP Act are turnover agnostic, with the maximum penalty for different specified offences ranging from INR 50 crores to 250 crores. While determining the penalty on an entity, the Board will consider factors such as: (i) the nature, gravity, and duration of the breach; (ii) the type and nature of the affected personal data; (iii) the amounts of gain or loss realised; and (iv) mitigating actions.

Conclusion

It becomes evident that these two data privacy frameworks offer unique approaches to safeguarding personal data in an increasingly digital world. The DPDP Act introduces innovative concepts such as consent managers and adopts a tiered approach to categorize data fiduciaries based on data volume and sensitivity. It's a regulation that keeps the Indian context in mind.

On the other hand, the GDPR, with its stringent standards, provides a comprehensive model for data protection and privacy across the European Union. It emphasizes a risk-based approach and stringent consent requirements for minors, and holds data processors directly accountable for compliance. Understanding these differences is essential for businesses, organizations, and individuals operating in an interconnected global landscape.

As the world of data privacy continues to evolve, staying informed about the intricacies of these regulations will be crucial. Whether it's the DPDP Act in India or the GDPR in the European Union, the overarching goal remains the same: to protect personal data and ensure its responsible and ethical use.

