Data Privacy Laws: Comparing GDPR and Indian Data Protection Regulations

Authored By: Amarja Santosh Salokhe
Shahaji Law College, Shivaji University

Introduction

Data privacy is the ability of an individual to control when, how, and to what extent their personal data is shared with third parties. Such data can include their name, contact details, and online and offline habits. Just as someone may choose to keep certain conversations private, many internet users want to restrict or stop the collection of specific kinds of personal data. The need to protect data privacy has grown in relevance as internet usage has increased. Websites, apps, and social media platforms frequently depend on personal information in order to provide their services. Some of these platforms, however, may collect and use more information than users anticipate, which ultimately compromises their privacy. Platforms that do not safeguard the data they gather may also suffer breaches.

Many jurisdictions regard privacy as a fundamental human right, which is why data protection regulations exist to preserve it. Data privacy is also critical because people must trust that their personal information will be handled appropriately before they engage online. Companies use data protection measures to reassure users and clients that their personal information is safe.[1]

Historical background

Before delving into the concept of Indian Data Protection Regulations, let us understand the need for such laws in the country. Indian Data Protection Regulations are essential to safeguard personal and non-personal information, protect individuals’ privacy, and build trust. They help manage the growing digital footprints left on social media platforms, foster innovation and economic growth, and prevent problems such as identity theft, data breaches and fraud.[2] Globally, the EU’s data protection regulations are widely considered to be the best. Those rules needed to be reassessed because technology has changed our lives over the past 25 years in ways that no one could have predicted. The EU’s most significant recent accomplishment was the adoption of the General Data Protection Regulation (GDPR) in 2016. It replaced the 1995 Data Protection Directive, which dated from a period when the internet was only getting started. The EU has now ratified the GDPR as law, and member states were given two years, until the end of May 2018, to ensure it was fully implementable in their countries.[3]

In India, the concept of data protection has evolved significantly over the past decade. Initially, the Information Technology Act 2000, along with its amendment in 2008, laid the groundwork by addressing information security rather than comprehensive data protection. The concept of data protection and privacy was also debated in the courts, with some treating it as a fundamental right while others did not recognize it as a right under Article 21 of the Indian Constitution. The landmark judgment of the top Court in Justice K.S. Puttaswamy (Retd.) & Ors. v. Union of India in 2017, recognizing the right to privacy as a fundamental right, accelerated legislative efforts. This led to the drafting of the data protection bill, resulting in the introduction of the Digital Personal Data Protection Act of 2023. The Digital Personal Data Protection Act, 2023 (DPDPA), marks a significant milestone as India’s first comprehensive legislation on data protection. This Act regulates the collection, use, and disclosure of personal data. Until this Act is fully operational, the Information Technology Act, 2000 (IT Act), and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, continue to govern the Indian data protection framework.[4]

Overview of GDPR

The General Data Protection Regulation (GDPR) is the strictest privacy and security law in the world. Although it was written and approved by the European Union (EU), it imposes duties on businesses worldwide as long as they target or gather information on EU citizens. The regulation became operative on May 25, 2018. Those who violate its privacy and security requirements face severe penalties, which can amount to tens of millions of euros. With the GDPR, Europe is demonstrating its strong commitment to data security and privacy at a time when more people are entrusting cloud services with their personal information and security breaches are happening on a regular basis. Because of the scope, breadth, and relative lack of detail in the regulation, GDPR compliance is a daunting prospect, especially for small and medium-sized enterprises (SMEs).[5]

Key Principles of GDPR

  1. Personal data shall be:
    1. Lawfulness, Fairness and Transparency: Personal data must be handled in a lawful, fair, and transparent manner with respect to the data subject.
    2. Purpose Limitation: Data should be gathered only for clear, specific, and legitimate purposes and should not be processed further in ways that conflict with those purposes. Additional processing for public interest, scientific, historical, or statistical reasons is permissible, provided it aligns with the stipulations in Article 89(1).
    3. Data Minimization: Personal data must be relevant, adequate, and confined to what is necessary for the intended processing goals.
    4. Accuracy: The data needs to be accurate and updated whenever necessary. Every reasonable effort should be made to rectify or erase inaccurate information promptly, keeping in mind the purposes for which the data is processed.
    5. Storage Limitation: Data should be kept in a manner that allows for the identification of individuals only for the time required for its processing objectives. It may be stored for extended periods if used solely for research purposes in the public interest, scientific, historical, or statistical contexts, as long as appropriate measures are in place to protect individuals’ rights and freedoms as outlined in Article 89(1).
    6. Integrity and Confidentiality: Personal data must be processed in a secure manner, ensuring protection against unauthorized or unlawful processing as well as accidental loss, destruction, or damage. This necessitates employing appropriate technical and organizational measures to safeguard the data.[6]

Rights of Individuals: GDPR gives several rights, including:

  • Right of Access: The right to request copies of their personal data.
  • Right to Rectification: The right to have inaccurate or incomplete data corrected.
  • Right to Erasure: The right to request the deletion of their data.
  • Right to Data Portability: The right to receive their personal data and transfer it to another service or entity.
  • Right to Object: The right to refuse certain types of data processing, such as for direct marketing purposes.[7]

Enforcement & Penalties:

Breaches of the GDPR can result in a penalty of up to €20 million, or 4% of the company’s worldwide annual revenue from the prior fiscal year, whichever is higher.[8]

Indian Data Protection Regulations

The Digital Personal Data Protection Act (DPDPA) is a major regulation that safeguards people’s privacy in the digital age. This law, which went into effect on September 1, 2023, applies to all enterprises in India that manage people’s personal data. According to the DPDPA, “personal data” means “any information that relates to a natural person who can be identified, whether directly or indirectly, through an identifier such as a name, identification number, location information, or an online identifier.” This broad definition covers, but is not limited to, name, address, contact details, date of birth, gender, financial information (such as bank account and credit card numbers), online browsing activity, search histories, social media posts and messages, and geographic data (e.g., GPS coordinates). The DPDPA protects personal data handled in India, whether it was obtained domestically or internationally. It also covers the processing of personal data of Indian citizens, even if it is processed outside of India.[9]

Key Provisions of the Digital Personal Data Protection Act 2023

  1. Scope and Applicability: The Act governs the processing of digital personal data within India and abroad, having an extra-territorial application with no restriction on international data transfers, provided the data pertains to offering goods or services within India. This includes data collected both online and offline that is subsequently digitized. DPDPA applies universally to all entities handling the personal data of Indian residents, irrespective of the entity’s geographical location.
  2. Rights of Data Principals: Section 2(j) of the DPDPA defines ‘Data Principal’ as the person whose personal data is being processed, including parents or legal guardians in the case of minors, and legal guardians in the case of persons with disabilities.
  3. Obligations of Data Fiduciaries: Section 2(i) of the DPDPA defines a data fiduciary as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. Data fiduciaries must implement robust security measures to prevent breaches and must inform the Data Protection Board of India and the affected individuals in the event of a data breach. They must also delete personal data when its retention is no longer justified for legal purposes.[10]

Key Principles of the Digital Personal Data Protection Act 2023

The Digital Personal Data Protection Act 2023 is based on six key principles:

  1. Lawfulness: Personal data must be handled in a legitimate, fair, and clear manner.
  2. Purpose Limitation: Personal data must only be gathered for particular, explicit, and legitimate reasons, and cannot be used for purposes that are inconsistent with the original goal.
  3. Data Minimization: Only the personal data essential for the intended purpose may be collected and processed, and it must be relevant and appropriate.
  4. Accuracy: Personal data must be kept correct and updated as needed.
  5. Storage Limitation: Personal data should be retained in a way that permits data subjects to be identified only for the time necessary to accomplish the purpose for which it was obtained.
  6. Integrity and Confidentiality: Personal data must be handled in a secure manner, safeguarding it from unlawful or unauthorized processing, as well as accidental destruction, loss, or damage, using suitable technical and organizational methods.[11]

Rights of data principals

  • The right to access and receive a copy of their personal data.
  • The right to correct incorrect or insufficient personal information.
  • The right to request the deletion of their personal information.
  • The right to restrict how their personal information is processed.
  • The right to transfer personal information to another service or entity.
  • The right to object to the processing of their personal data.[12]

Enforcement & Penalties: The DPDPA is enforced by the Data Protection Authority of India (DPA), an independent body tasked with regulating the Act’s implementation. The DPA has the authority to inquire into grievances, impose penalties, and require organizations to comply with the Act. The PDPB prescribes penalties for non-compliance, with fines of up to ₹15 crore (approximately €1.8 million) or 4% of global turnover, whichever is higher.[13]

GDPR Case law

  1. Google Inc. v. Vidal-Hall and others (2015)

This case, which dealt with compensation for distress caused by violations of data protection regulations, was important even though it predated the full implementation of the GDPR. The claimants contended that Google had secretly tracked their browsing history via cookies, in violation of the Data Protection Act 1998 (the forerunner of the GDPR). The UK Court of Appeal decided that people could claim compensation for emotional distress even if they had not suffered monetary loss as a result of a violation of data protection regulations. This decision established the foundation for the idea of non-material damages under data protection law, which is further supported by the GDPR’s compensation clauses.[14]

Case for Digital Personal Data Protection

  1. Justice K.S. Puttaswamy v. Union of India (2017)

This historic case examined whether the Indian Constitution’s guarantee of privacy extends to the Aadhaar (biometric identification) system and its possible abuse. The Indian Supreme Court held that, under Article 21 of the Constitution, the right to privacy is an inalienable component of the fundamental right to life and liberty. This decision established that personal data must be protected from arbitrary state interference, with major implications for data privacy in India. It paved the way for the drafting of the Personal Data Protection Bill (PDPB), which was later replaced by the DPDP Act.[15]

Comparing GDPR and Indian data protection regulations

  1. Lawfulness, Fairness, and Transparency: One of the main distinctions between the GDPR and the DPDP is their commitment to fairness and transparency. The GDPR explicitly states that fairness and transparency must be evaluated from the standpoint of the data subject, ensuring that the data processing meets the person’s reasonable expectations. In contrast, the DPDP does not overtly emphasize this subject-centered approach, suggesting that it places less emphasis on the data subject’s perspective. This distinction strengthens the GDPR’s ability to protect individuals’ rights and expectations during data processing.
  2. Purpose Limitation: In terms of purpose limitation, both statutes mandate that data be acquired for specific, explicit, and legitimate purposes. However, the GDPR allows exceptions for further processing for reasons such as scientific research, historical archiving, or the public interest, provided that safeguards are in place. In comparison, the DPDP is more limited, focusing solely on the initial purpose and making no allowance for additional processing for research or archiving.
  3. Data Minimization: The two regulations do not differ much in terms of data minimization. Both underline that the data gathered must be adequate, relevant, and limited to what is required for the processing purposes. The emphasis is on gathering only the most essential information.
  4. Accuracy: The principle of accuracy distinguishes the GDPR from the DPDP. The GDPR requires not only accurate data but also the prompt rectification or erasure of any inaccurate data. This makes the concept of accuracy more enforceable under the GDPR, with explicit duties of rectification and erasure. While the DPDP emphasizes the need for accurate data, it does not expressly state a requirement to rectify or delete faulty information, which leaves this commitment less clearly defined.
  5. Storage Limitation: As long as safeguards (such as anonymization) are put in place, the GDPR permits prolonged data retention for purposes such as research, archiving, or the public interest. This flexibility makes longer data retention possible in some situations. The DPDP is more stringent: it considers only how long storage is required in relation to the processing purpose, and it does not allow long-term retention for public interest or research purposes.
  6. Integrity and confidentiality: With a focus on integrity and confidentiality, both regulations demand that data be protected from loss, damage, and unauthorized access by means of suitable organizational and technical safeguards. There is no discernible difference between DPDP and GDPR in this regard.

Comparing Rights of GDPR and DPDP (Digital Personal Data Protection act 2023)

The main distinctions between the rights provided by the DPDP (Digital Personal Data Protection) Act and the GDPR (General Data Protection Regulation) lie in the scope and particulars of certain rights. Both laws provide similar fundamental rights, including the rights to access, rectification, erasure, portability, and objection to processing. The DPDP Act introduces a “right to restrict processing,” which is not specifically mentioned in the GDPR. The GDPR strongly emphasizes the right to object, especially to direct marketing, and also includes more extensive requirements for automated decision-making and profiling. The DPDP Act, on the other hand, is more concerned with restricting processing than with objecting to specific types of processing. Furthermore, the DPDP Act defines “data fiduciaries” and provides avenues for individuals to directly address data breaches.

Conclusion:

In conclusion, the shifting landscape of data privacy and protection emphasizes the growing need to safeguard personal information in the digital age. The General Data Protection Regulation (GDPR) established a global standard by providing strong privacy protections within the EU and influencing laws around the world. India has also made considerable strides in data privacy with the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA), which represents a major step forward in protecting its citizens’ personal data. Although lawfulness, data minimization, and purpose limitation are among the fundamental principles shared by the GDPR and the DPDPA, there are significant distinctions in how they are applied, especially with regard to storage limitation and the range of rights afforded to individuals. The DPDP Act takes a stricter approach, limiting data storage to the specified purpose of processing, whereas the GDPR allows more flexibility in long-term data retention under certain conditions. As the digital economy expands, these laws play an increasingly important role in fostering trust, protecting privacy, and maintaining accountability. A comparison of the two frameworks reveals that both are critical for protecting individuals’ rights in an increasingly interconnected society.

References

[1] ‘What Is Data Privacy? | Privacy Definition’ (Cloudflare) <https://www.cloudflare.com/learning/privacy/what-is-data-privacy/> accessed 16 November 2024

[2] ‘Data Protection Laws in India: Current Scenario and Future Prospects, DPDPA 2023.’ (Free Law: Get Free Headnotes & Judgments, 19 June 2024) <https://www.freelaw.in/legalarticles/Data-Protection-Laws-in-India-Current-Scenario-and-Future-Prospects-> accessed 16 November 2024

[3] ‘The History of the General Data Protection Regulation’ (European Data Protection Supervisor) <https://www.edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en> accessed 16 November 2024

[4] ‘Data Protection Laws in India: Current Scenario and Future Prospects, DPDPA 2023.’ (Free Law: Get Free Headnotes & Judgments, 19 June 2024) <https://www.freelaw.in/legalarticles/Data-Protection-Laws-in-India-Current-Scenario-and-Future-Prospects-> accessed 16 November 2024

[5] Wolford B, ‘What Is GDPR, the EU’s New Data Protection Law?’ (GDPR.eu, 29 August 2024) <https://gdpr.eu/what-is-gdpr/> accessed 16 November 2024

[6] Ibid

[7] ‘Chapter 3 (Art. 12-23) Archives’ (GDPR.eu) <https://gdpr.eu/tag/chapter-3/> accessed 16 November 2024

[8] ‘What Are the GDPR Fines?’ (GDPR.eu, 14 September 2023) <https://gdpr.eu/fines/> accessed 17 November 2024

[9] ‘What Data Does the India Digital Personal Data Protection Act 2023 Safeguard? Data Protection in India’ (secureprivacy.ai) <https://secureprivacy.ai/blog/india-digital-personal-data-protection-act-2023-guide-protected-data> accessed 17 November 2024

[10] ‘Data Protection Laws in India: Current Scenario and Future Prospects, DPDPA 2023.’ (Free Law: Get Free Headnotes & Judgments, 19 June 2024) <https://www.freelaw.in/legalarticles/Data-Protection-Laws-in-India-Current-Scenario-and-Future-Prospects-> accessed 17 November 2024

[11] ‘What Data Does the India Digital Personal Data Protection Act 2023 Safeguard? Data Protection in India’ (secureprivacy.ai) <https://secureprivacy.ai/blog/india-digital-personal-data-protection-act-2023-guide-protected-data> accessed 17 November 2024

[12] Ibid

[13] Ibid

[14] ‘Vidal-Hall v Google’ (5RB Barristers, 29 March 2015) <https://www.5rb.com/case/vidal-hall-v-google-inc/> accessed 18 November 2024

[15] ‘Justice K.S. Puttaswamy (Retd) vs Union of India on 26 September, 2018’ (Indian Kanoon) <https://indiankanoon.org/doc/127517806/> accessed 19 November 2024
