“Demystifying India’s Recent Data Protection Regulations Act, comparison with the GDPR and the issues faced”

2nd February, 2024 - 6:06 am Categories: GDPR News & Updates 0 Comments

Introduction

The 2023 act makes, for the first time, a data privacy law in India. It needs to give consent before personal data is processed and specifies a small number of cases in the law where they do not need consent. It grants consumers the rights to access, rectify, modify and remove data as well as a right to designate some alter ego. It establishes extra safeguards with regard to children’s data processing. It imposes purpose limits, duties to give customers notice of data collection and processing procedures and security protection requirements in businesses. Businesses have to establish the grievance redress mechanisms according to the law. The DPB is also responsible for gripes and complaints, and it can impose fines in cases of non-adherence to the law.

India finally has a statutory framework for data protection. Besides, the law will take time to evolve into a minimum standard of behavior and compliance among data collecting businesses. The critical variable will be the approach of the government toward implementing and enforcing the law – for example, whether implementation would relate to data heavy businesses or across the economy overall.

Defining “Privacy”

The right, to privacy, plays a role in protecting our autonomy and preserving human dignity. It serves as the foundation for human rights. Privacy grants individuals the power to control their level of interaction with the world and shape their identity. It allows us to set boundaries and establish barriers that prevent influences from intruding into our lives. It also aids in determining who can access our information, locations, belongings, conversations well as our digital data and connections. Privacy protection regulations empower us to assert our rights when there are imbalances of power. While the Indian Constitution does not explicitly mention privacy as a provision the Supreme Court of India has established that it is indeed a right, under Article 21 despite its absence being explicitly stated.

[Image Sources: Shutterstock]

Digital Personal Data Protection (DPDP) Act, 2023

The Globe’s pace is skyrocketing. Of course, data has emerged as a major topic in recent years owing to the fast changes made within the digital world. Personal information is irreplaceable thus safeguarding it has become the ultimate priority. However, do we have a way to guarantee that our information will be secure?

India has also taken an active part in the cooperative venture of saving our information after long discussions and decisions were made by global leaders. In August 2023, the Indian government passed the Digital Personal Data Protection Act. The Act provides guidelines on the handling of digital personal data, creating legislation to safeguard individuals’ rights in terms of their data security while also taking care of the requirement to manipulate such kind of data as per the laws governing it and other related or unrelated issues.

India had introduced the Personal Data Protection Bill 2019 but due to various reasons, PDPB also became ineffective. The first version of the measure appeared to favour economic interests before national security. There were no directions for the localization of data, a full strategy for private data management during international relocation and requirements for social media platforms.

The Bill, which is now to be presented in Parliament has also drawn the attention of Forbes India because it allows the government vast powers to access data of individuals. These issues led to the creation of the new DPDPA.

Historical Context

DPDP Act was adopted in the early 2000s. 2001, Indian legislation on hacking began with the passage of the Information Technology Act. But as technology advanced and digital data grew exponentially, it was clear that a more reliable system needed to be implemented to protect this information. For instance, in the case of Puttaswamy which is a popular Indian court case.

The DPDP Bill was adopted by Parliament six years after the important case of Justice K.S Puttaswamy v. India Union. Therefore, India’s Supreme Court announced that all individuals in the country possessed a common right to privacy including the protection of confidential information through the “right to life” clause in their Constitution. A nine-member panel of judges at the Indian Supreme Court has stated that the Indian Government must create a well-organized hindrance to safeguard personal data. India has had multiple rounds of expert discussions and research towards the setting up of this system. In the years 2019 and 2022, two versions of the bill were introduced to Parliament.India rated privacy as a basic right under the Constitution and hence proved its importance. This decision opened the doors for even tougher laws that focus only on protecting information.

Comparison with the General Data Protection Regulation (GDPR)

The rollout of the GDPR has made privacy and data security an international standard. The DPDP Act has a number of GDPR attributes. It was based on international standards like these. For instance, both regulations require strict protocols to be followed in the case of data breaches and place user consent as the primary means for managing their information. 2016 brought about new concepts like “data fiduciary” and “data principal” introduced by the DPDP Act.These are designed to fit the peculiar economic and social environment of a nation.

The General Data Protection Regulation (GDPR) in the European Union and the Data Protection Act DPDPA, India arerecognized across the world as leading legislations aimed at protection of personal data. While the main goal of both laws is to ensure that data remains safe, a closer look shows an interesting synergy between similarities and differences, which defines each framework. Let us closely examine both.

The DPDPA introduced the idea of “deemed consent’’. This concept is more narrowly described in Section 7 of the legislation as “specific lawful purposes”

In short, this means that any entities or individuals having access to personal data can use the information for the stated reason specific for which such information is being disclosed as long as an individual does not clearly state his objection to using it in a way. It is necessary to give a more profound description of this word because companies may misunderstand the meaning of it.

1. Consent Requirements

According to the DPDPA, an e-commerce site can employ an opt-out mechanism for getting consumers’ consent to send them marketing messages.

GDPR:A social media platform has a right to gather and leverage user data for targeted advertising only if it gets users’ explicit and affirmative consent.

2. Children’s Data Protection

A children’s gaming app should have strong age verification tools to prevent unauthorized access to the application.

GDPR:Before processing data on users under the age of 16, a video streaming service must obtain consent from their parents.

3. Notification of Data Breach

As stipulated under DPDPA, a financial institution must notify the digital protection authority and individuals whose information has been compromised within 72 hours of a data breach.

GDPR:when there is a breach an online business has the responsibility of informing the appropriate data security authorities in the required time.

4. Cross-Border Data Transfer Dpdpa

A technology firm operating in India is required to hold and process confidential data belonging to Indian users within the physical boundaries of the country.

GDPR: A multinational corporation moving personal data between the European Union member states must use normal contractual agreements to protect the data throughout the transfer.

5. SCOPE:

The DPDPA covers both digital data and some groups of private data. Understanding the difference between data and private data is important in ensuring that strict compliance with regulations is maintained.

GDPR: It includes different kinds of personal information from various sources worldwide.

Issues in Legislation:

The 2023 DPDP Act does not enjoy the same level of strength as its 2019 version. It has less strict standards for businesses, and consumers have fewer rights. It makes the rules more understandable, but at the same time opens up even greater autonomy for central government in decision-making without restrictions of any kind.

1. Increased prevalence
2. Locating the data’s whereabouts
3. The responsibility of data fiduciaries
4. Liberation from Duty
5. Regulatory framework
6. Consent:- According to the DPDPA, there must be consent from individuals in advance before corporations get access to their personal information or use it as well as retain any such relevant detail in fact, necessary permission should always be freely given consensual and unambiguous; informative; clear when required.
7. Data localization:-The DPDPA requires that such types of personal data should be stored domestically within the borders of India. This covers private and sensitive information about individuals, including biological and financial data.
8. Data protection:-The DPDPA limits the spread of information about individuals to third parties. A firm can only disclose personal data to a third party using consent or if the data is required, for instance, for the initial purpose of obtaining such information.
9. Data subject rights:– According to the DPDPA, individuals have specific rights concerning their data – the right to request access to their data, correct it, delete it and object to the processing of these data.
10. Legislation enforcement:- The DPDPA sets up the Data Protection Authority to comply with the legislation. The Data Protection Authority can investigate complaints and order corporations, to issue penalties against individuals who violate the law.

Conclusion

Governments are altering their strategies in protecting data in response to the challenges of digital transformation. India is not an exception. With the DPDP Act, India achieved another milestone in its attempts to establish a strong data protection regime.

Overall, enterprises operating within the Indian territory need to understand and comply with these provisions not only from a legal standpoint but also because this would enable them to have confidence in their activities. Data is also sometimes called “the new oil” because it helps fuel development and give birth to new ideas. However, data has value not only because of the fact that it is collected but also because it is well managed. The DPDP Act shows that the significance of personal data, as not solely a fundamental right for individuals but also an asset capable of taking enterprises to great heights if handled properly, was acknowledged.

Overall, the DPDP Act includes various provisions that aim to change ways personal data is handled in India. Endpoint Protector and other similar tools are vital for securing the legal path. By using the features of the platform, businesses can ensure compliance with regulations and show ethical concerns towards privacy and data security.

Author: Shruti Sinha, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at  Khurana & Khurana, Advocates and IP Attorney.

References

1. Pop, C., & Pop, C. (2023, November 22). India’s Digital Personal Data Protection Act: Key Provisions and Business Implications. Endpoint Protector Blog. https://www.endpointprotector.com/blog/indias-personal-data-protection-bill-what-we-know-so-far/
2. Castagna, R., &Lavery, T. (2021, January 29). General Data Protection Regulation (GDPR). What Is.

https://www.techtarget.com/whatis/definition/General-Data-Protection-Regulation-GDPR

3. Frankenfield, J. (2020, November 11). General Data Protection Regulation (GDPR) Definition and Meaning. Investopedia. https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp
4. The Digital Personal Data Protection Act of India, explained – Future of Privacy Forum. (n.d.). Future of Privacy Forum. https://fpf.org/blog/the-digital-personal-data-protection-act-of-india-explained/
5. Starting with the Supreme Court’s judgment declaring privacy to be a fundamental right in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors.(10 SCC 1, Supreme Court of India, 2017).
6. The Personal Data Protection Bill, 2019 (Bill No. 373 of 2019), accessed December 16, 2019, http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf.
7. Justice K.S. Puttaswamy and Anr. v. Union of India and Ors.,(2017) 10 SCC 1