A Comparative Analysis of GDPR and Indian Data Protection Laws: Implications for Privacy and Compliance

Published on 28th January 2025

Authored By: Nikita Rai
Galgotias University

Introduction

In a world of digital technologies and rapid growth of the internet, the protection of personal data has become a top priority. The General Data Protection Regulation (GDPR), enacted in May 2018, set new international standards for data protection and privacy within the European Union. It safeguards citizens’ privacy rights and imposes stringent requirements on businesses that handle personal data, both inside the EU and across its borders, and therefore affects multinational corporations. The GDPR has been pioneering legislation that has inspired other jurisdictions to draw up their own data protection frameworks, and India is one example that has worked towards protecting the rights associated with personal data. In 2019, India introduced the Personal Data Protection Bill (PDPB) to address data protection in the framework of the country’s rapidly growing digital economy. To date, the PDPB is the most significant legislative effort toward protecting individual data privacy, demanding greater openness in data processing and regulating how corporations must control their use of personal data; it is, however, still under review. This article presents a comparative analysis of the GDPR and India’s proposed data protection law, setting out their similarities and differences along with the implications they carry for privacy, compliance, and the obligations placed on both individuals and companies. It further elaborates on penalties, enforcement procedures, and compliance obligations under both regulatory regimes, and highlights the challenges faced by international organisations in meeting such obligations.

Background and Purpose of Data Protection Laws

The GDPR: A Brief Overview

The European Union passed the General Data Protection Regulation as a comprehensive legal framework. It aims to shield individuals’ personal data and to ensure that data protection rules are uniform across all EU member states. Its reach is not limited to the EU: non-EU organisations are also covered when they use an EU citizen’s data. The GDPR seeks to put people in a better position to control their data, to encourage openness about how businesses process personal data, and to clarify who is responsible for what happens in data processing practices. One of its central tenets is data minimisation, the idea that personal information should be collected only for specific, lawful purposes and used only to the extent needed to achieve those purposes. It also imposes a transparency mandate on all organisations, requiring them to give data subjects clear and easily accessible information about the purpose and scope of the data collected. It holds organisations accountable for compliance with the GDPR by requiring activities such as documentation and regular audits as proof of that compliance. The GDPR thus grants data subjects a wide range of rights: access to their data, rectification, erasure under specific circumstances (the “right to be forgotten”), and objection to certain processing activities. It seeks to create a comprehensive privacy environment by imposing strict mandates on businesses that handle personal data, with a very strong emphasis on people controlling their own data.

Data Protection in India

The Bill presented in December 2019 was a major step toward meeting the growing need for stringent data privacy regulation against the backdrop of a rapidly expanding digital economy, but India’s data protection framework is still at an early stage of development. The PDPB aims to protect Indian residents’ personal information while promoting innovation and digital development. It places significant emphasis on consent-based data processing, strengthening individual autonomy over data by insisting on explicit consent from the data subject before any personal data is processed. The PDPB further adds control over sensitive data through data localisation rules, which require specific categories of personal data to be processed and stored within India’s borders. The Bill grants a package of rights not dissimilar to those under the GDPR, including rights of inspection, rectification, and erasure of personal data. The PDPB makes clear that data processors are distinguished from data fiduciaries. Data processors are third-party service providers engaged by a fiduciary to process personal data on its behalf. Data fiduciaries, by contrast, are the institutions that collect and store data and decide the purpose and means of its processing. Another major feature of the Bill is the establishment of a Data Protection Authority, a statutory body charged with compliance, enforcement, and redress. Through these clauses the Bill attempts to build a complete legislative structure that balances the demand for technical development and growth in India’s digital economy against privacy rights.

Scope and Applicability

Territorial scope of the GDPR

Because of its extraterritorial scope, the GDPR applies to both EU and non-EU organisations that offer products or services to EU citizens or monitor their activities within the EU. Consequently, companies outside the EU, such as those in the US, India, or China, must comply with the GDPR if they process the personal data of EU citizens. This wide applicability has significant implications for multinational companies, which must align their data processing procedures with European data protection regulations.

India’s PDPB Territorial Scope

Both domestic and foreign organisations fall within the scope of India’s Personal Data Protection Bill as long as the data fiduciary or processor processes that data or conducts business operations in India, even if the processing itself takes place wholly overseas. The Bill also applies extraterritorially: foreign companies that handle the personal information of people residing in India, for instance by selling goods or products to Indians or simply by tracking them, fall within its remit. Like the extraterritorial reach of the GDPR, this ensures that a multinational firm dealing with the personal data of Indian residents is not beyond the Bill’s bounds.

Key Principles of Data Processing

Consent

A key tenet of data processing under both the GDPR and India’s PDPB is consent. The GDPR requires consent to be explicit, unambiguous, freely given, and informed. To guarantee control over personal data, consent must be as easy to revoke as it is to give. Organisations must keep records of consent to prove compliance, and the GDPR also mandates that consent be given through a clear affirmative action. The PDPB similarly requires consent before personal data is processed, with some additional clauses. Notably, the PDPB sets a higher bar by requiring “explicit” consent for sensitive personal data, such as financial or biometric information. People must also be informed of their ability to revoke consent at any time, which can stop further data processing. Both regulations emphasise the value of informed, voluntary agreement in data processing and seek to give people more control over their personal information.

Data Subject Rights

Both the GDPR and the PDPB give precedence to individuals’ rights over their data, guaranteeing them authority over how it is handled. These include the right to rectification, which enables people to correct incomplete or inaccurate data; the right to erasure (also known as the “right to be forgotten”), which gives people the ability to have their data deleted under certain circumstances; and the right to access, which enables people to request access to their data and details of its processing. Although these rights are essentially the same under both regimes, the GDPR requires that they be honoured within stringent timeframes, such as replying to access and rectification requests within a month. The PDPB has less strict deadlines but is comparable in that it seeks to give people significant control over their data. Both regulations emphasise the significance of individual autonomy and consent in data processing.

Data Minimization and Purpose Limitation

To ensure that personal data is processed responsibly, both the GDPR and the PDPB are built on the principles of data minimisation and purpose limitation. Data minimisation requires that personal information be collected only to the extent necessary for the purposes for which it is collected, and not retained for longer than necessary. This is complemented by purpose limitation, under which information may be used only for the specific, justified reasons for which it was first collected, and not in a manner inconsistent with those purposes. Data must therefore be processed in a way that does not gather superfluous or excessive data, and the processing must be both necessary and proportionate to the original purpose. The PDPB takes the same approach, requiring data fiduciaries to collect personal information for specific purposes and to retain it only for as long as necessary. Both regulations strive to create a better, safer, and more privacy-sensitive environment by preventing the misuse and over-collection of personal information.

Compliance Needs and Obligations

Both the PDPB and the GDPR set out key duties and requirements that organisations handling personal information must follow in their activities, notably the role of the Data Protection Officer (DPO), impact assessments, and full record-keeping.

The GDPR mandates that some organisations appoint a DPO, especially those that process large volumes of sensitive data or whose core operations require regular and systematic monitoring of data subjects. A DPO advises the organisation on its obligations, acts as a point of contact between supervisory authorities and data subjects, and is responsible for ensuring compliance with data protection law. The PDPB indicates that certain types of data fiduciaries must appoint a DPO but does not prescribe the details; it is envisaged that the Data Protection Authority (DPA) will issue general guidance on when a DPO must be appointed and what the role entails. Data protection impact assessments (DPIAs), which both the PDPB and the GDPR require, apply to any organisation carrying out high-risk processing activities. The GDPR requires DPIAs for operations likely to affect data subjects, such as processing large volumes of personal data or making use of new technology. The PDPB likewise calls for DPIAs for certain types of data processing, with the DPA expected to make regulations specifying their nature and extent. Beyond that, both legal systems promote record-keeping as a rule of transparency and accountability. Under the GDPR, an organisation must keep records of its data processing activities, including the categories of data processed, the purposes of processing, and any categories of third-party recipients. Similarly, the PDPB requires data fiduciaries to keep records that guarantee transparency in data processing, with further details to be provided by the DPA. These compliance requirements are crucial to establishing responsibility, promoting proper handling of data, and securing public trust in how companies deal with personal data.

Enforcement Mechanisms and Penalties

Both the GDPR and India’s PDPB provide procedures for enforcing compliance and imposing penalties, so that strict adherence to data protection law is ensured.

The European Data Protection Board (EDPB) oversees the national supervisory authorities of each member state that implement the GDPR. Severe penalties are meted out for non-compliance: grave infringements incur fines of up to €20 million or 4% of annual global turnover, whichever is greater. Apart from monetary fines, organisations can also be issued warnings, reprimands, or orders to cease certain data processing operations. These fines are intended to ensure accountability and encourage companies to adopt stringent data protection policies. Similarly, under the PDPB the Data Protection Authority is responsible for monitoring compliance, investigating violations, and enforcing the law. The PDPB proposes major penalties for non-compliance: for grave violations, up to ₹15 crores or 4 per cent of worldwide revenue. To further the aim of holding organisations liable for any contravention of data protection requirements, administrative measures such as warnings, reprimands, or orders to stop processing or delete personal data are envisaged. Both frameworks take a proactive approach to data protection, using financial penalties and corrective measures to deter future non-compliance.

Conclusion

Although both share common data protection principles, including consent, data minimisation, and transparency, the GDPR and India’s PDPB differ in their implementation in several respects. The PDPB is still at the development stage and may be changed later, whereas the GDPR is more mature and developed, with a stronger and more stringent enforcement mechanism. International business operators therefore need to understand these differences in order to comply with both legal systems. As the digital economy continues to expand, the GDPR and the PDPB remain important benchmarks in the development of data protection regulation across the globe.
