Navigating Data Privacy: A Comparative Analysis of India’s DPDPA 2023 and Europe’s GDPR

Author Details:

ADITYA BHATIA, BA LLB 1st year, AIL Mohali

Introduction: The Imperative of Data Privacy in the Digital Age

“Privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.” — Supreme Court of India, Justice K.S. Puttaswamy (Retd) v. Union of India.[i]

The saying “Data is the new oil” is probably familiar to you, and data is regarded as one of the most important resources for the future. Data can be used to improve corporate strategy and to forecast an individual’s future behaviour. However, it is a double-edged sword: if not handled carefully, it can also cause harm.

Data protection and data privacy are the two elements at play here. Data privacy concerns the precise timing, manner, and scope in which a consumer’s personal information is shared with and communicated to third parties. Name, residence, ethnicity, phone number, marital status, and so on are examples of personal information. Regulations on data privacy are urgently needed, as internet usage has grown over time. Data protection, by contrast, is the legal shielding of data from loss, destruction, or corruption. Since data is being gathered at an unprecedented pace, safeguarding it from unauthorized access is a major concern.

As the globe grows more digitally connected, protecting personal information has become a top priority for both the government and individuals. Given the rapid advancement of technology and the application of artificial intelligence (AI) in nearly every industry, regulations pertaining to personal data and privacy must also be created. In this context, the comparison between data protection and privacy laws in India and European countries reveals significant differences in the approach and implementation.

The Supreme Court of India has recognised the right to privacy as a fundamental right under Article 21[ii] of the Indian Constitution in Justice K.S. Puttaswamy (Retd) v. Union of India[iii]. Along with that, there is the Digital Personal Data Protection Act (DPDPA) 2023,[iv] which has many salient features, such as the right to data protection, data processing with the consent of the individual, localization of data, and the establishment of a Data Protection Board of India.

Meanwhile, the European Union has enacted a regulation on data protection and privacy for the European Union (EU) and the European Economic Area (EEA), known as the General Data Protection Regulation (GDPR). The GDPR’s main goals are to restore citizens’ and residents’ control over their personal data and, by harmonizing EU regulations, to streamline the regulatory landscape for global business. It does this by replacing the 1995 Data Protection Directive (Directive 95/46/EC). The regulation[v] has been in force since May 25, 2018.

To compare the two acts properly, it is crucial to understand the characteristics, parallels, discrepancies, and missing components of each.

Evolution Of Data Protection Laws: A Historical Perspective

Data privacy is not a new concept. It has been in existence since Semayne’s case of 1604, where it was accepted that the house of everyone is to him as his castle and fortress. The concept of privacy evolved thereafter and was again brought to attention through an article titled “The Right to Privacy,” written by attorney Mr. Samuel Warren and Justice Louis Brandeis, in which protection of the right to privacy was recognised as the foundation of individual freedom in the modern age. Later, in 1948, privacy was recognised statutorily through the Universal Declaration of Human Rights (UDHR) by virtue of Article 12(4).[vi] Then came the Organisation for Economic Cooperation and Development (OECD) guidelines on the protection of privacy and transborder flows of personal data in 1980. Countries started framing their own data privacy laws as early as 1970, beginning with Germany. The landmark General Data Protection Regulation (GDPR) came into effect on May 25, 2018, revolutionising data privacy and protection laws.

GDPR Unveiled: Europe’s Blueprint for Data Protection

The European Union’s comprehensive data protection law, the General Data Protection Regulation (GDPR), came into force on May 25, 2018, and sets strict rules for the gathering and use of personal data. One of its main elements is a strong emphasis on obtaining individuals’ explicit and affirmative consent before processing their personal data. The right to be forgotten is also protected by this law, enabling people to ask for their personal information to be deleted when it is no longer required for the reasons it was gathered. The GDPR also encourages data portability, which makes it simple for customers to move their data between service providers. Privacy by design, which requires that data protection measures be incorporated into the creation of business processes and systems from the beginning, is another important component. Organizations are also subject to stringent transparency requirements under the regulation, which include giving explicit information about the use and processing of personal data. Furthermore, it establishes severe penalties for non-compliance, with fines reaching up to €20 million or 4% of global annual turnover, thereby ensuring that organizations prioritize data protection. Overall, the GDPR not only enhances individuals’ control over their personal data but also fosters a culture of accountability and responsibility among organizations handling such information.

Indian Laws Related to Data Privacy: A Journey Towards Protection

In the Indian context, the question of whether the right to privacy is a fundamental right under Part III of the Constitution has been debated for a long time.

The first attempt to shield people from arbitrary state interference in their privacy came in 1948, when Mr. Kazi Syed Karimuddin proposed an amendment to the Constituent Assembly. The amendment was modelled on the American and Irish Constitutions.[vii] Then, in the 1954 case of MP Sharma v. Satish Chandra[viii], which concerned the search and seizure of documents belonging to certain Dalmia group companies after investigations into their affairs, the Court concluded that the Constitution does not contain language akin to the Fourth Amendment of the US Constitution and that there is no justification for introducing the idea of a fundamental right to privacy in search and seizure through what it referred to as a “strained construction.” In Kharak Singh v. State of Uttar Pradesh (1962)[ix], the right to privacy was invoked to contest the police’s surveillance of an accused individual. The bench ruled that the right to privacy is not protected by the Constitution.

The most significant case for India’s right to privacy, Justice K.S. Puttaswamy v. Union of India, was decided unanimously by a nine-judge Supreme Court bench on August 24, 2017. The key issues discussed in this case were: 1. Is the decision in M.P. Sharma v. Satish Chandra, District Magistrate, Delhi correct in law? 2. Is the decision in Kharak Singh v. State of Uttar Pradesh correct in law? 3. Is the right to privacy an intrinsic part of the right to life and personal liberty under Article 21 and a part of the freedoms guaranteed by Part III of the Constitution? The Supreme Court overruled Kharak Singh v. State of Uttar Pradesh and M.P. Sharma v. Satish Chandra, District Magistrate, Delhi. According to Justice S.A. Bobde, the right to privacy is an essential component of individual liberty and is protected by Article 21 of the Constitution. Justice D.Y. Chandrachud, for his part, stated the necessity of developing a strong data protection regime to safeguard the interests of the State and its citizens. The right to privacy is a fundamental right: it protects the inner sphere of the individual from interference by both State and non-State actors and allows the individual to make autonomous life choices.

In 2017, the Government of India, through its Ministry of Electronics and Information Technology, appointed a ten-member committee under the chairmanship of Justice B.R. Krishna (a retired Supreme Court judge). This committee was tasked with submitting a detailed report on the introduction of a data privacy law in India. The committee submitted its report on the data protection framework on July 27, 2018.

Several bills based on this report were proposed, and after much consultation and amendment the Digital Personal Data Protection Bill of 2023 was finally passed, receiving the President’s assent after six years.

Introducing the DPDPA: India’s Landmark Legislation for Data Protection

The Digital Personal Data Protection Act, or DPDPA, is the most significant step in bringing India’s data protection laws up to date. It establishes a framework within which personal data can be processed while recognising the rights of the individuals to whom that data relates, referred to in the legislation as data principals, to keep their information private in an increasingly digital world. The central feature of the DPDPA is the requirement of affirmative consent from individuals as a precondition: personal data cannot be processed unless consent is free, informed, specific, and unambiguous. The Act identifies data fiduciaries, the organizations that collect and process personal data, and data processors, the entities that handle data on behalf of fiduciaries. It also contains provisions for companies processing large volumes of sensitive personal data, which may be designated significant data fiduciaries (SDFs) and thereby attract further obligations, such as appointing a Data Protection Officer (DPO) based in India and undergoing regular audits.

The DPDPA also gives individuals several other rights concerning their personal data. These include the right to access their personal information, to request corrections or deletions, and to receive notification of data breaches that may have occurred. Such a breach must be notified both to the affected data principal and to the newly formed Data Protection Board of India, the body set up to oversee compliance and address grievances. The DPDPA is intended to be extra-territorial: it is not limited to Indian companies but extends to foreign entities engaged in processing the personal data of Indian customers. Added to that are the penalty provisions, which range from INR 10,000 for individuals to a maximum of INR 2.5 billion for organizations, with fines of INR 50 million for non-compliance at the higher end. One can therefore reasonably conclude that the DPDPA is going to be an important act.

The Digital Personal Data Protection Act (DPDPA) of 2023, while a significant step forward in establishing a framework for data protection in India, presents several issues that warrant attention. One of the most notable omissions is the absence of a clear provision for the right to be forgotten, which allows individuals to request the deletion of their personal data under certain circumstances. This right is crucial for empowering individuals to reclaim control over their digital footprints and mitigate the risks associated with data misuse. Additionally, the DPDPA has been criticized for granting broad discretionary powers to the government, raising concerns about potential surveillance and lack of accountability. The Act’s provisions also lack clarity regarding the timelines for grievance redressal, leaving individuals without a straightforward process to address data breaches or violations of their rights. Furthermore, certain categories of personal data, such as non-automated and offline data, are excluded from the Act’s purview, which could create gaps in protection. The delayed notification of detailed rules necessary for effective implementation has also led to uncertainties among businesses and consumers alike. Overall, while the DPDPA aims to enhance data protection in India, these issues highlight the need for further refinement to ensure robust privacy safeguards for individuals.

Similarities: Common Ground in Data Protection Approaches

The Digital Personal Data Protection Act (DPDPA) 2023 of India and the General Data Protection Regulation (GDPR) of Europe share several fundamental similarities, reflecting a global consensus on the importance of data privacy and protection in the digital era. Both regulations aim to empower individuals by giving them robust rights over their personal data, which is increasingly vital as technology evolves. For example, both frameworks give individuals the right to access their personal data, enabling them to understand how their information is being used. They also grant rights to rectification and erasure, commonly referred to as the “right to be forgotten,” allowing individuals to request the deletion of their data under certain circumstances. This emphasis on individual rights underscores a shared commitment to enhancing user autonomy and control over personal information.

The DPDPA and the GDPR, while addressing individual rights, also place onerous obligations on organizations that process personal data. These include obligations to apply appropriate technical and organizational measures to secure data against unauthorized access or breaches. Both require that high-risk processing activities be assessed so that potential risks to individuals’ privacy are identified and addressed proactively. In addition, both frameworks require that data breaches be notified to affected individuals and the relevant authorities in a timely manner, thus instilling a culture of accountability and transparency in data handling practices.

In addition, both the DPDPA and the GDPR provide strong enforcement mechanisms, including considerable fines for non-compliance. Under the GDPR, organizations can face fines of up to 4% of their worldwide annual turnover or €20 million, whichever is greater. The DPDPA similarly provides penalties of a comparable nature to deter violations and encourage observance of data protection standards. This similarity in enforcement shows that both jurisdictions take data protection and privacy seriously.

Certain provisions of India’s DPDPA differ considerably from those of Europe’s GDPR, notably in the scope of applicability, the definition of personal data, and the conditions under which cross-border data transfer is allowed. Nevertheless, the overall aims of protecting personal privacy and promoting responsible data practice indicate considerable convergence between the two, especially at a time when both regions face increasingly demanding data protection requirements.

Differences: Distinct Paths Towards Data Privacy

The Digital Personal Data Protection Act (DPDPA) 2023 of India and the General Data Protection Regulation (GDPR) of Europe, while both aiming to enhance data privacy and protection, exhibit several notable differences that reflect their distinct regulatory environments and cultural contexts.

One of the most significant differences lies in the scope of applicability. The GDPR applies to all personal data, in both digital and non-digital formats, regardless of the location of the processing entity, so long as it interacts with data subjects in the European Union. The DPDPA, by contrast, is limited to “digital personal data,” which covers only data collected in digital form or digitised after collection, thus excluding offline data entirely. As a result, some personal data processing activities regulated by the GDPR, notably physical record keeping, fall outside the DPDPA.

The legal bases for processing personal data also vary greatly between the two. The GDPR offers a wider range of lawful bases for processing, including consent, performance of a contract, legal obligations, and legitimate interest. This flexibility allows an organization to determine which basis best suits its operations. In contrast, the DPDPA is primarily consent-based: most processing must rest on the explicit consent of data principals, with exceptions granted for “certain legitimate uses” such as compliance with a legal obligation or response to a medical emergency.

In terms of data transfer rules, the GDPR has a strict adequacy framework that permits the transfer of personal data out of the EU only to third countries that ensure an appropriate level of protection, supplemented by mechanisms such as Standard Contractual Clauses and Binding Corporate Rules. The DPDPA is less strict: it allows cross-border transfers unless they are prohibited by law in India. The DPDPA thus follows a “blacklist” approach, while the GDPR uses a “whitelist” methodology.

Another significant variation lies in the rights accorded to individuals. Although both pieces of legislation afford rights such as access and erasure, the GDPR encompasses further rights, including data portability and protection against automated decision-making, which the DPDPA does not explicitly enumerate. The DPDPA, for its part, introduces provisions such as the right to grievance redressal and permits a person to nominate a representative to act on their behalf in case of incapacity or death.

The regulatory frameworks also differ significantly in how obligations are allocated. The GDPR places direct obligations on both data controllers and data processors, who must comply with it themselves and take responsibility for breaches and for implementing appropriate security measures. The DPDPA, on the other hand, recognises data processors but does not subject them to specific obligations; it leaves the responsibility for compliance with the data fiduciaries.

Lastly, on breach notification, the GDPR requires organizations to report a breach to the authorities within 72 hours of becoming aware of it if it poses a risk to the rights of individuals. The DPDPA sets no time frame for reporting breaches and requires reporting regardless of any risk assessment.

These differences show how India’s DPDPA adapts international standards to its own setting while retaining some leniencies compared with the more stringent framework of the GDPR. These differences are already reshaping the data protection landscape under both regulations.

Conclusion

In conclusion, the emergence of the Digital Personal Data Protection Act (DPDPA) 2023 in India marks a significant milestone in the country’s journey towards robust data privacy and protection. While it shares several core principles with the General Data Protection Regulation (GDPR) of Europe, such as empowering individuals with rights over their personal data and imposing stringent obligations on organizations, the DPDPA also presents unique challenges and limitations that require careful consideration. The absence of a clear provision for the right to be forgotten, broad governmental powers, and gaps in coverage for certain types of data highlight areas where further refinement is necessary to ensure comprehensive protection for individuals. As both India and Europe navigate the complexities of data privacy in an increasingly digital world, ongoing dialogue and adaptation will be essential to harmonize their approaches, ensuring that individuals’ rights are safeguarded while fostering innovation and economic growth. Ultimately, the DPDPA represents a crucial step forward for India, but its successful implementation will depend on addressing existing shortcomings and aligning more closely with global best practices in data protection.


[i] AIR 2018 SC (SUPP) 1841

[ii] India Const. art. 21

[iii] Id. (note i)

[iv] The Digital Personal Data Protection (DPDP) Act, 2023

[v] The General Data Protection Regulation, 2018

[vi] Universal Declaration of Human Rights (UDHR), art. 12, cl. 4

[vii] https://www.scobserver.in/journal/right-to-privacy-court-in-review/

[viii] 1954 AIR 300

[ix] 1963 AIR 1295


We’re The BarErudite

The BarErudite is an MSME-registered legal education platform that stands at the forefront of nurturing the next generation of legal professionals. Our mission is to bridge the gap between academic learning and practical application in the legal field.