
DPDPA 2023 vs. GDPR: A Comparative Analysis of India’s & EU’s Data Privacy Laws

by Pameela George Puthenveetil

1. Introduction

India’s digital landscape has witnessed a remarkable expansion in recent times, with an increasing number of individuals embracing the internet on a daily basis. This digital revolution has also underscored the necessity for robust data protection and privacy legislation.

With a population of 1.5 billion, India is a major player in the global digital arena. But the country has also faced significant data breaches, like the infamous “Aadhaar leak case” reported in 2019. This, along with a rise in cyberattacks, underscored the urgent need for better data protection measures.

In 2023, the Indian government took a big step forward with the Digital Personal Data Protection Act (DPDP Act). This regulation aims to establish a robust legal framework that aligns with global standards while considering the unique features of India’s digital landscape.

2. The Evolution of Data Privacy Rights in India

Privacy has been a fundamental element of human existence throughout history. Some degree of privacy protection has been a feature of human society since the time of Adam and Eve, and the need for it is likewise evident in the Ramayana. Even in ancient times, then, humans had a basic understanding of the necessity for privacy.

India’s booming digital economy and data breaches made it clear that strong data protection laws were essential. The 2017 Puttaswamy ruling, which recognized the right to privacy as a fundamental right, further emphasized this need.

Following this landmark case, the Indian government formed an expert committee to draft a comprehensive data protection framework. This work resulted in the DPDP Act of 2023.

3. The Impact of the DPDP Act

With the DPDP Act, India joins a growing number of countries with comprehensive data protection legislation. This law focuses on safeguarding user data privacy, limiting the transfer of personal data across borders, and mandating data localization (meaning most data must be stored within India).

This presents a challenge for multinational tech companies operating in India, as they need to localize user data. However, the Act also allows for transferring copies of this data outside India for specific purposes.

The key features of the Act include:

  • Data Fiduciaries: This concept assigns responsibility for data handling to specific entities.
  • Right to Access: Individuals have the right to access their personal data.
  • Data Principal: The individual who controls their personal data and can exercise various rights under the DPDP Act.
  • Data Processing Board: An advisory body established under the DPDP Act to advise the central government on data protection-related issues.
  • Data Protection Board: This board is responsible for enforcing the Act.
  • Cross-Border Transfer Restrictions: Strict rules govern the transfer of personal data outside India.

While the DPDP Act has strong features, some aspects require further development. For example, the Data Protection Board currently lacks the power to create regulations, leaving that responsibility largely with the central government. Additionally, smaller Indian companies might struggle to comply with stricter data management practices, especially if they lack the necessary training or infrastructure.

It’s important to note that the Act only applies to digital personal data, not non-personal data. Additionally, personal data processed for personal use or made public is exempt.

Consent is a major focus of the Act, requiring clear, informed, and unambiguous user consent for data processing. This consent must be available in multiple languages and easily accessible.

While India has made significant progress in protecting individual privacy, more work is needed to fully guarantee citizen rights. Increased cooperation between public and private institutions could lead to more stringent data handling guidelines.

4. Comparing the DPDP Act to the EU’s GDPR

A comparison can be made between the DPDP Act and the EU’s General Data Protection Regulation (GDPR) across four key areas:

  • Scope and Global Reach: The GDPR applies globally to organizations processing EU residents’ data. The DPDP Act could benefit from expanding its territorial scope for better global recognition.
  • Individual Rights: The GDPR gives individuals more control over their data, including portability, the right to object to automated decision-making, and the right to restrict processing. India could adopt similar measures to empower its citizens. The key differentiator is the lack of an effective implementation and enforcement mechanism in India.
  • Organizational Obligations: The GDPR requires organizations to maintain accurate data records and handle grievances effectively. India might implement stricter data management regulations to improve compliance and accountability.
  • Data Protection: The GDPR protects sensitive data, including children’s data. India could benefit from similar categorizations to safeguard vulnerable groups.

India can strengthen its regulatory framework to build trust in data transfers and boost global data security. The GDPR provides valuable insights in this regard, with its focus on individual rights like data portability and processing limitations.

India can also learn from the GDPR’s requirement for organizations to document data processing and establish grievance redressal procedures.

The DPDP Act marks a significant step forward for data privacy in India. While challenges remain, the Act also opens doors to innovation, entrepreneurship, and sustainable growth. By balancing privacy protection with technological advancement, India aims to position itself as a leader in the digital economy while safeguarding the rights of its citizens.

5. The New Digital India

The DPDP Act lays the legal groundwork for regulating digital activities within India. It also paves the way for comprehensive data protection education at all levels, from primary to tertiary education. This will likely involve e-learning initiatives and educational reforms incorporating data privacy curriculums.

These efforts are driven by the global trend towards knowledge-based economies and the increasing digitalization of our world. The DPDP Act has the potential to create a societal framework that upholds human dignity and rights in the digital age. It can be a transformative development, empowering future generations and unlocking their creative potential.

This legislation is a significant step towards fostering digital autonomy and safeguarding individual rights in the digital world. As India embraces the DPDP Act to secure personal data, what challenges and opportunities can we foresee for its digital economy and privacy landscape? Will the DPDP Act empower users to have greater control over their data and its use?

This blog post summarises the key points from the author’s more comprehensive research paper. For a more in-depth analysis and complete information, please refer to the full paper available here.

Pameela George Puthenveetil is a successful entrepreneur and seasoned litigation lawyer from India, advancing her expertise at DCU with a focus on Data Protection and Privacy law and computing. Her major interest and research focus is on Artificial Intelligence and Data Protection.