Published on 21st March 2025
Authored By: Aseem Srivastava
United University
Abstract
Moment’s digitally connected world necessitates securing particular data to avoid sequestration breaches, unauthorized access, and non-compliance penalties. As individualities decreasingly partake their particular data with online platforms and services, governments and nonsupervisory bodies have legislated comprehensive data sequestration regulations to cover their particular data. Two foundational pieces of data sequestration legislation are the European Union’s General Data Protection Regulation( GDPR), approved by the European Parliament in 2016 and legislated in 2018, and the lately legislated India’s Digital Personal Data Protection Act, 2023( DPDP Act), passed by the Parliament on 9th August and gazetted on 12th August 2023. In this companion, we examine these two pivotal pieces of legislation in- depth, fastening on their crucial vittles and their counteraccusations for individualities, associations, and the global data frugality.
Essence of Privacy in Modern Global Era
The data are stored in computers and there is a connection between the internet and computer and this whole system is accessible throughout the globe as it exhibit all of the data and because of which the society is heavily relied on the Cyber Technology . Even though it ensures a set of convenience to the users there is still a great threat of being revealed to the whole world and despite the danger of discharge of confidential knowledge whether it may be mercantile or personal[1]. The only way out to counter this situation is to be in touch with the pace of this new evolving technology and no other as it makes every person in contact throughout the globe in respect to all the enhancements in this era of cut throat competition of trade and commercialisation it is impossible to survive without the existence of Internet and Computers.
The term Privacy of Internet constitutes , the rights or any kind of compulsion regarding the personal privacy of an individual in terms of the storage, accommodation, handing over it to third parties and exposing the information related to oneself by means of the internet privacy as it enshrine both Personal Identifying Information and Non-Personal Identifying Information[2]. Personal Identifying Information basically entails the information that can utilise to identify a person. Such as, Social Security Number, Zip Code and Age and Residential Address are adequate to identify the person without exposing their name, as these elements are uniquely adequate to specifically identify a person.[3]
The right of Privacy is a matter of concern of personal life or commercial expertise of a person making it a valuable asset and is not allowed to be infringed by any entity not concerning how strong it may be. Hence, the arrival of internet technology there was huge demand arise from different sections of the various industries for the promulgation of a well-furnished law as to regulate the act of cyber intrusion.[4]
The Rise of General Data Protection Regulation, 2016 in European
General Data Protection Regulation( GDPR), which came into effect on May 25, 2018, is a data protection legislation which lays down rules for processing, storing, managing data from people who are presently within the European Union( EU, 2016).[5] This new legislation strengthens EU’s data protection to meet the new sequestration challenges brought by the development of digital technologies. While the GDPR only protects EU citizens, its impact is bound to be global in nature, affecting any association that targets the European request or provides services and hold tête-à-tête identifiable information on EU resides. GDPR gives consumers a high degree of control, similar as the right to withdraw concurrence (Art. 7), to be forgotten (Art. 17). At the same time, high conditions are put forward for data regulators and processors, including data protection by design and by dereliction (Art. 25), recording all processing conditioning (Art. 30). GDPR says that associations should get stoner concurrence to collect data and “apply applicable specialized and organizational measures” to cover particular data of EU resides. Associations that process data related to EU resides will be held responsible for resistance with GDPR. In particular, GDPR poses both a new challenge and a implicit occasion for technology companies, pall service providers, data center providers and marketers which will have to borrow stricter security measures, norms and processes to cover, process and manage particular data to insure their compliance with GDPR. Else, they will probably to admit potentially large forfeitures from the EU. GDPR defines particular data as anything that can be used to identify an individual person. This includes tête-à-tête identifiable details similar as names, dispatch addresses, social security number, IP addresses, telephone figures, position data, birth dates as well as other information related to inheritable, profitable, artistic or social identity. Large technology companies like Google, Facebook, and Amazon have formerly streamlined their sequestration programs and practices to misbehave with the GDPR.[6] The associations which are biddable with GDPR will probably have a competitive advantage over their challengers who aren’t biddable. GDPR represents the most important change in data sequestration regulation in the last 20 times. As similar, it’s unnaturally reshaping the way particular data is reused in every sector, from healthcare to banking and beyond, not only in the EU, but around the world, depending on what data is reused and where it’s reused. Significance of the right to the protection of particular data (in relation to health) is also underscored by the case law of the European Court of Human Rights and the EU Court of Justice 2016.[7]
Brief Legal History and Necessity of Digital Personal Data Protection Act, 2023 in India
Previously India had been unsuccessful to include any statute or code which specifically recognises the right to privacy of an individual or any commercial entity. However, there were some judicial decisions by the Supreme Court of India which provide the elements for the requisite and standards of Right to Privacy. Which are as follows:
In the case of R. Rajgopal v. State of Tamil Nadu of 1994,[8] the Apex court observed that a person has the ultimate right to protect his own privacy, his marriage, ménage or family and its ancestry or parenting among other matters. And no one can publish anything regarding the matters just as given above without the consent of that specified person whether it is genuine or laudatory or for any other provided reason. And in case, if he does any act which would result into the violation of right to privacy of that specified person then such action would be taken as an offence and that person would be liable to punishment for violation of such right of that person.
In the case of People’s Union for Civil Liberties v. Union of India of 1997,[9] the court held that tapping of telephone would be taken as violation of right of privacy of that person which is guaranteed under Article 21 and also provided under Article 19(1)a of the Constitution of India.
In the case of Kharak Singh v. State of Uttar Pradesh of 1964,[10] the Supreme court observed that, the domestic visit at midnight of 236th Regulation of UP Police Regulations is an open violation of Article 21 and strike down the regulations as they were unconstitutional from the perspective of the essence of liberty under Article 21 of the Indian Constitution which enshrines right to privacy of a person as a fundamental right.
Later in the case of Justice K.S. Puttaswamy and Anr. V. Union of India and Ors,[11] the Court declared that right to privacy of a person is an inherent fundamental right enshrined under Article 21 of Constitution of India and the right to informational privacy is also a part of it. However, the judgement does not mentioned any specified provisions for the counter of such offence but directed the center to formulate the laws regarding the privacy of an individual as soon as possible.
And after this recommendation the Central government formulated Digital Personal Data Protection Act, 2023.The Digital Personal Data Protection Bill was firstly tabled in the year 2022 and was latterly got the assent of both the Houses of Parliament and the assent of President in August 2023 to become The Digital Personal Data Protection Act of 2023 (also known as DPDP Act) .[12] by this the law came into the effect on August 11, 2023 and had mostly covered and regulated personally collected data of a citizen in one of the most populous country in the world, which ultimately brings the need of accountability within the spheres of government and those large industries or sectors which contain the data of the people of the nation in a humongous amount, which basically includes those sectors who mainly operate and thrive through multimedia and mobile applications. The law applies to realities that collect and process digital particular data in India in the course of offering goods and services. It also applies to the processing of particular data outside of India if the processing is connected with an exertion relating to offering goods or services to Indian citizens.[13]
The term personal data basically state about those data which is sufficient to specify the individual by gaining the information from that personal data as that person was in relation with such data. Mainly, the personal data is been generated and accumulated in a digital format. The Digital Personal Data Protection Act, 2023, operates on the basis of the consent of the Data Principal.[14] The term Data Principal basically refers to a person in whose relation the data exists (Data Principal mainly referred as a minor or the parent or guardian of that minor) and he must freely specifically, unconditionally and unambiguously by clear affirmation shall indicate or signify his agreement to process his own personal data which will be only for the specified motive and must be within the limit of such purpose and it shall be clearly stated to the Data Principal.[15]
Major Differences between General Data Protection Regulation, 2016 and Digital Personal Data Protection Act, 2023
The GDPR applies to all associations that reuse particular data of individualities located in the EU, anyhow of whether the association is located in the EU or not. The DPDPA applies to all associations that reuse particular data of individualities located in India, anyhow of whether the association is located in India or not. [16]
The GDPR includes special orders of particular data that can only be reused for specified reasons. The DPDPA applies slightly to all types of digital particular data. There are no fresh controls on recycling sensitive particular data or critical particular data. The GDPR has stricter conditions for the transfer of particular data outside of the EU. The DPDPA has lower strict conditions for the transfer of particular data outside of India.
India’s DPDP Act and the EU’s GDPR are significant laws representing a large member of the world’s population. The DPDP Act is a testament to the country’s trouble to cover digital information and promote responsible data running practices. The DPDP Act outlines expansive vittles that solely cover an existent’s particular data and bear a legal base for recycling their data. It also empowers individualities ( data headliners) with the right to exercise how their data is being reused by assessing scores on data fiduciaries( data instructors regulators) and outlines the penalties for non-compliance. On the other hand, the EU’s GDPR has told laws worldwide with its comprehensive approach to data sequestration and data protection. It sets a transnational standard of regulations for handling particular data across EU member countries, giving individualities lesser control over their data while assessing stricter conditions on associations that reuse data. It also introduces data processing principles and has an extraterritorial reach.[17]
Conclusion
The GDPR and DPDP Act are both comprehensive data protection laws that partake a number of parallels, including the rights they grant to individualities and the scores they put on associations. still, there are also some crucial differences between the two laws, similar as the connection conditions and the conditions for concurrence and data transfers. Associations that process particular data of individualities located in the EU or India should precisely review the GDPR and DPDP Act to insure compliance. By doing so, they can help to cover the sequestration of individualities’ particular data and make trust with their guests and mates.
References
[1] S.R. Myneni, Information Technology Law (Cyber Laws) (4th ed. 2023
[2] Amisha Rerru Singh, Right to Privacy in Cyberspace, 1 Cyber Law Reporter 34
[3] Kumar N.H, A Study on Right to Privacy and Data Protection in the Cyberspace, 6 JCRT 34 (2010).
[4] Arpana Sharma, Navigating the Digital Frontier: Safeguarding the Right to Privacy in Cyberspace, 5 International Journal for Multidisciplinary Research 15 (2023).
[5] General Data Protection Regulation, Regulation (EU) 2016/679, 2016 O.J. (L 119) 1 (EU)
[6] Li, H., Yu, L., & He, W. (2019). The Impact of GDPR on Global Technology Development. Journal of Global Information Technology Management, 22(1), 1–6. https://doi.org/10.1080/1097198X.2019.1569186
[7] India’s Digital Personal Data Protection Act, 2023 (DPDP Act) vs GDPR, securiti (Jan. 24, 2024).
[8] R. Rajgopal v. State of Tamil Nadu, (1994) 6 SCC 632 (India)
[9] People’s Union for Civil Liberties v. Union of India, (2003) 4 SCC 399 (India)
[10] Kharak Singh v. State of U.P., AIR 1963 SC 1295 (India)
[11] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 (India)
[12] Digital Personal Data Protection Act, 2023, No. 13 of 2023 (India
[13] Charru Malhotra & Udbhav Malhotra, Putting Interests of Digital Nagriks First: Digital Personal Data Protection Act 2023 of India, 70 Indian Journal of Public Administration (2024).
[14] Khyati Anand & Melissa Cyrill, India’s Digital Personal Data Protection Act, 2023: Data Privacy Compliance, India Briefing (Sept. 18, 2023).
[15] CS Deshwal, Digital Personal Data Protection Act, 2023: Key Features and Implications for Data Privacy in India, Lexcomply (Oct. 17, 2024). https://lexcomply.com/blog/digital-personal-data-protection-act-2023-key-features-and-implications-for-data-privacy-in-india/
[16] Anahad Narain, Difference between GDPR and DPDP Act, Leegality (Dec. 19, 2023). https://www.leegality.com/consent-blog/gdpr-vs-dpdp
[17] Rachit Bahl et al., Indian Data Protection Law versus GDPR- A Comparison, AZB & PARTNERS Advocates and Solicitors (Aug. 18, 2023), https://www.azbpartners.com/bank/indian-data-protection-law-versus-gdpr-a-comparison/.
