DPDPA Vs. GDPR: Key Differences in Data Protection Laws
Data Principal Rights: GDPR Vs DPDPB - A Closer Look
What is DPDPA (Digital Personal Data Protection Act) in India?
Introduction to DPDPA: The Digital Personal Data Protection Act, 2023 (DPDPA) is India's long-awaited personal data protection legislation, enacted on August 11, 2023. It is designed to regulate the processing of personal data in India. Key aspects of DPDPA include:
1. Scope: DPDPA applies to the processing of digital personal data (data collected in digital form, or collected offline and later digitised) within India, and to processing outside India where it is connected with offering goods or services to data principals in India.
2. Data Fiduciaries: DPDPA introduces the term "data fiduciaries," which are similar to data controllers under GDPR. Data fiduciaries are responsible for data processing and must ensure compliance with the law.
3. Consent: Personal data can be processed with the consent of the data principal, which is similar to the data subject in GDPR. Consent must be specific, informed, and affirmative.
4. Data Principal Rights: DPDPA grants data principals rights including the right to access information about how their personal data is processed, the right to correction and erasure, the right to be notified of a personal data breach affecting them, the right to nominate another person to exercise these rights in the event of death or incapacity, and the right to grievance redressal, with escalation to the Data Protection Board.
5. International Data Transfers: DPDPA does not specify additional measures for international data transfers but allows for further regulations and government specifications.
6. Penalties: DPDPA imposes significant monetary penalties for non-compliance, up to INR 250 crore (roughly GBP 25 million) for the most serious category, failure to take reasonable security safeguards to prevent a personal data breach.
7. Enforcement: The Data Protection Board is responsible for adjudicating grievances and penalising data breaches, while all rule-making powers lie with the Indian government.
What is GDPR (General Data Protection Regulation)?
Introduction to GDPR: GDPR is a comprehensive data protection regulation that came into effect across the European Union (EU) on May 25, 2018. It protects the privacy and personal data of individuals in the EU, regardless of their citizenship. Key aspects of GDPR include:
1. Scope: GDPR applies directly in all EU member states. It covers controllers and processors established in the EU regardless of where the processing takes place, and organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
2. Data Subjects: GDPR refers to individuals as "data subjects" and grants them extensive rights over their personal data.
3. Data Controllers and Processors: GDPR distinguishes between data controllers (entities that determine the purposes and means of data processing) and data processors (entities that process data on behalf of data controllers). Both have specific obligations and responsibilities under the regulation.
4. Consent: GDPR requires that data subjects provide clear, informed, and freely given consent for their data to be processed. They have the right to withdraw this consent at any time.
5. Data Protection Impact Assessments (DPIAs): Organisations must conduct DPIAs to evaluate and mitigate risks associated with data processing activities that may result in high risks to data subjects' rights and freedoms.
6. Data Portability: Data subjects have the right to request their personal data from one organization and transfer it to another.
7. Right to Be Forgotten: Data subjects can request the erasure of their personal data under certain circumstances, commonly known as the "right to be forgotten."
8. Data Breach Notification: Organisations must report personal data breaches to the supervisory authority within 72 hours of becoming aware of them (unless the breach is unlikely to pose a risk to individuals), and must also inform affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
9. Penalties: GDPR imposes substantial fines for non-compliance, with penalties reaching up to €20 million or 4% of the company's annual global turnover, whichever is higher, for the most serious infringements; a lower tier of €10 million or 2% applies to other violations.
In short, GDPR is the data protection regulation of the European Union, while DPDPA is India's data protection legislation. Both aim to safeguard the privacy and personal data of individuals, but they differ in scope, lawful bases, and enforcement.
What are the Differences Between GDPR and DPDPB in India?
Here is a list of the main differences between GDPR and DPDPB -
GDPR (General Data Protection Regulation) is a data protection regulation in the European Union that sets comprehensive rules for the protection of personal data.
DPDPB (Digital Personal Data Protection Bill, enacted in August 2023 as the DPDPA) is India's data protection legislation, which regulates the processing of digital personal data within India and, where it is connected with offering goods or services to people in India, outside it.
GDPR distinguishes between data controllers and data processors, with specific obligations for each.
DPDPB uses the term "data fiduciaries" for entities that determine the purpose and means of processing the personal data of data principals (the counterparts of controllers and data subjects under GDPR). A data fiduciary remains responsible for compliance regardless of any data processor it engages, so the Act does not impose a separate set of direct statutory obligations on processors.
GDPR differentiates between personal data and sensitive personal data, imposing stricter requirements on the latter.
DPDPB treats all digital personal data in the same way; it does not carve out a category of sensitive personal data with stricter requirements.
GDPR mandates additional safeguards for international data transfers.
DPDPB does not specify additional measures for international data transfers but allows for further regulations and government specifications.
GDPR provides a range of lawful bases for processing personal data, including contract performance and legitimate interests of data controllers.
DPDPB permits processing of personal data only with the data principal's consent or for a "legitimate use," which is narrower than GDPR's lawful bases.
Both GDPR and DPDPB require "free, specific, informed, unambiguous, and affirmative" consent for data processing.
DPDPB may allow for less granular consent compared to GDPR, potentially making compliance easier.
DPDPB grants data principals the right to receive data breach notifications, seek erasure of personal data, and escalate grievances to the Data Protection Board.
Some data subject rights provided by GDPR, like data portability and protection against automated decision-making, are not explicitly included in DPDPB.
GDPR has national supervisory authorities with regulatory mandates, rulemaking powers, and administrative functions.
DPDPB establishes the Data Protection Board with a focus on adjudicating grievances and penalising data breaches, and all rule-making powers lie with the Indian government.
DPDPB sets a fixed cap on penalties of up to INR 250 crore (around GBP 25 million) for the most serious category of breach.
GDPR fines are tiered by the type of violation and are capped at €20 million or 4% of annual global turnover, whichever is higher, so for a large multinational the GDPR ceiling can far exceed DPDPB's fixed cap, while for a small organisation DPDPB's cap is the higher figure.
GDPR draws on the Charter of Fundamental Rights of the EU and has strong oversight by supervisory authorities.
DPDPB relies on the fundamental right to privacy recognised by the Supreme Court of India in 2017 (Puttaswamy) and opts for simpler, business-friendly provisions, leaving much to government rules and interpretation, with correspondingly more uncertainty for organisations.
Final Words:
In summary, while the DPDPB draws inspiration from GDPR, it is a distinct legal regime with several differences in terms of scope, lawful bases, consent requirements, data principal rights, enforcement, and penalties. International organisations operating in India must be aware of these distinctions and tailor their data protection compliance efforts accordingly.
Comments
avenue17 Dec 19, 2023
You have kept away from conversation