DATA PRIVACY LAWS: COMPARING GENERAL DATA PROTECTION REGULATION AND INDIAN DATA PROTECTION REGULATION

Published on 7th April 2025

Authored By: Harini Sri B
The Central Law College, Salem

INTRODUCTION

Data, used both online and offline, is information collected as numbers and facts; it is examined and considered to help in decision making, and can be stored on a computer[1]. The General Data Protection Regulation and India’s Digital Personal Data Protection Act are two distinct regulations that govern data and its protection. Understanding and differentiating them is needed to survive in the modern era. Let us study them in detail.

GENERAL DATA PROTECTION REGULATION

Data is stored, transferred and collected worldwide. To protect this data, countries have started to make laws known as “Data Privacy Laws”.

Among these, the European Union Data Protection Act stands as the gold standard for all others. By 2016, the European Union adopted the “General Data Protection Regulation”, one of the greatest achievements of those years, which replaced the “Data Protection Directive”. The Data Protection Directive helped other countries to make their own privacy laws, which made the laws difficult to use, because multiple sets of privacy requirements had to be consulted and complying with them was mandatory. To overcome this issue, the “General Data Protection Regulation” was introduced[2].

The General Data Protection Regulation focuses on the principles of data protection, accountability and data security. Article 5.1-2 says that the processing of data must be lawful, fair and transparent. Data that is collected should be used only for legitimate purposes that are specified, and the accuracy of the data should be ensured.

The General Data Protection Regulation also comes with a certain scope, responsibilities and penalties. It is our responsibility to know the General Data Protection Regulation if we are offering goods and services to the European Union. The penalties for violating the General Data Protection Regulation are high, which would be 4% of global revenue, and data subjects have the right to seek compensation for damages.

GENERAL DATA PROTECTION REGULATION – ARTICLE 6

1. The data subject should have given unambiguous consent to the processing of their data.

2. The legitimate interest of the person should be used wisely if you process their data, such as a child’s data.

3. Processing is necessary to perform a task in the public interest or to carry out official functions.

4. Processing is necessary to enter into a contract or to execute it.

GENERAL DATA PROTECTION REGULATION – RIGHTS

The privacy law aims to give data subjects several rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing and the right to data portability[3].

DIGITAL PERSONAL DATA PROTECTION ACT – HISTORY

In the early 2000s, the DPDP came into effect along with the Information Technology Act 2000 to protect the data and cyber security laws of India. After technology started to flourish, the need for data privacy was widely observed.

In the landmark judgement in the “PUTTASWAMY CASE”, the importance of privacy was emphasized and it was declared a Fundamental Right under the Constitution[4].

KEY FEATURES OF THE DIGITAL PERSONAL DATA PROTECTION ACT

The law seeks to protect individuals’ personal data and gives them the rights to access, erase and correct it. The Digital Personal Data Protection Act has introduced concepts such as the “data principal” and the “data fiduciary” to ensure data security, the reporting of data breaches, etc. Both the data principal and the data fiduciary have a duty to ensure the protection of the data they handle. Fiduciaries focus on the processing of personal data and on the data processor.

IMPACTS OF THE DIGITAL PERSONAL DATA PROTECTION ACT

The greatest impact of the Digital Personal Data Protection Act is “data literacy”, especially in the fields of human resources, law, information technology, sales and marketing, finance, procurement and information security, because of the types of personal data that are collected, stored, retained and disposed of in India.

PROVISIONS OF THE DIGITAL PERSONAL DATA PROTECTION ACT

  1. CONSENT: The ‘personal data’ of an individual can be processed only after obtaining their consent. A notice must be given before seeking their consent.
  2. RIGHT OF DATA PRINCIPAL: The data principal has the right of access from the data fiduciary, which includes obtaining a summary of the data processed and information on that data. However, the right does not extend to data that is shared legally among fiduciaries and for investigative purposes.
  3. RIGHT TO GRIEVANCE AND REDRESSAL: The right to grievance and redressal allows data principals to seek resolution from the data fiduciary or consent managers within a prescribed time.
  4. RIGHT TO NOMINATE: The right to nominate gives data principals the right to have their data transferred and accessed in case of the death or incapacity of the data principal.

To monitor the data protection act and resolve disputes, the central government has established the “DATA PROTECTION BOARD OF INDIA”, which aims to monitor compliance and impose penalties. In case of a data breach, it directs the data fiduciary to take the necessary steps and measures. The term of a board member is two years, and members are eligible for re-appointment. The board can impose penalties of up to $24M USD or INR 200 crore for non-fulfilment of obligations relating to children, and $30M USD or INR 250 crore for failure to take security measures to prevent data breaches[5].

COMPARISON BETWEEN “DIGITAL PERSONAL DATA PROTECTION ACT (DPDP)” AND “GENERAL DATA PROTECTION REGULATION (GDPR)”

The GDPR applies globally to European Union residents and their organizations, whereas the DPDP can expand its territorial scope and the organizations it covers to gain better global recognition. The GDPR focuses on legitimate interests and contractual necessity, and requires consent to be free, unambiguous, specific, informed and unconditional, which is similar to the DPDP. The DPDP provides that the data fiduciary can process data only with the consent of the data principal, or for certain specified “legitimate uses”. Data voluntarily shared by the data principal can be used for legitimate purposes, such as medical emergencies, employment purposes or compliance with a court order.

The DPDP requires data breach notification: the data fiduciary must report data breaches to the newly created Data Protection Board regardless of their magnitude or the risk of harm to the data subjects. The Indian government has the power to classify certain data fiduciaries as significant, based on factors such as the impact of processing on data principals, the sensitivity and volume of the data processed, and the impact on the security, sovereignty and integrity of India. These data fiduciaries also have additional obligations, such as appointing an independent data auditor and undertaking data impact assessments. Other than for the data mentioned in the jurisdiction, the DPDP allows cross-border transfer outside India for all specific purposes, and the Indian government identifies the countries to which data transfer is restricted; otherwise, the DPDP does not require the implementation of a transfer mechanism.

The right of access, the right to correction and the right to erasure are rights held by GDPR data subjects that are similar under the DPDP, whereas data principals also benefit from a number of new rights, such as the right to readily available and effective means of grievance redressal, that are unique to the DPDP. They also have the right to nominate an individual who can exercise the rights of the data principal in case of the death or incapacity of that data principal[6].

The DPDP applies only to digital personal data, and personal data that is made publicly available is exempt from its application, whereas the GDPR also applies to non-digital data. The DPDP does not differentiate between special, personal and sensitive data, whereas the GDPR separately identifies data that reveals the subject’s political opinions, religious or ethnic origin, religious and philosophical beliefs, genetic and biometric data used to uniquely identify a person, data concerning sex life or sexual orientation, and trade union membership. Under the GDPR, the data subject is the identified or identifiable person to whom the personal data relates, but under the DPDP, if the natural person is a child, the data relates to the parents and lawful guardians of the child, and for a disabled person, to the lawful guardian acting on their behalf. The DPDP protects all data, including the data of children, who fall within the category of vulnerable groups. To maintain accountability and compliance, India maintains strict data management, whereas the GDPR requires separate organizations to maintain the data and handle grievances[7].

Under the GDPR, contracts are made with the prior permission of the data subject who is a party to the contract, or in order to take steps at the request of the data subject. Under the DPDP, processing personal data for the performance of a contract is not considered a legal basis for processing. Uses such as compliance with the law, ensuring the safety of an individual, and the performance of statutory duties, functions and employment purposes are known as legitimate uses. If the data subjects stay outside the country and their personal data is also processed pursuant to a contract entered into with any person not inside the territory of India, by any person of India.

Under the DPDP, a data fiduciary is permitted to process personal data without the data principal’s explicit consent where the data is required to comply with any decree, judgement or order issued under Indian law. Processing is necessary to protect the vital interests of the data subject or of another natural person. Under the DPDP, a data fiduciary is permitted to process personal data without the data principal’s consent where this is required to respond to a medical emergency involving a threat to life or an immediate threat to the health of the data principal or any other individual. In the public interest, under the GDPR, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, whereas under the DPDP a data fiduciary is permitted to access personal data without the explicit consent of the data principal where the data is required to provide safety or assistance to a person during any disaster or breakdown of public order.

In the employment context, the GDPR does not require a specific legal basis for processing personal data; instead it relies on the non-specific categories that apply in the employment context, including necessity to comply with a legal obligation, performance of a contract or legitimate interests. Under the DPDP, data may be needed for employment or for something related to safeguarding the employer from loss or liability, for the maintenance of confidential secrets, intellectual property and classified information, or for any benefit or profit sought by a data principal who is an employee. In the case of data processing agreements, under the GDPR the processor can process the data for agreed purposes, return or destroy the personal data upon termination, obtain consent before contracting with a sub-processor, submit to audits and inspections, and contact the controller as soon as possible when a breach is found. Under the DPDP, where there is a contractual relationship with the data processor, they should ensure compliance with the rules, erase all data where consent is withdrawn and take reasonable security measures.

CONCLUSION

Both the GDPR and the DPDP stand as unique tools for protecting and managing personal data. However, the Digital Personal Data Protection Act stands out as the most prominent in the digital ecosystem and is also evolving as a balancing rod between reach outside the territory and local necessity. Understanding both regulations is mandatory to maintain an efficient, fostering and innovative modern data world.

 

REFERENCES

[1] Data – English Meaning (Cambridge Academic Content Dictionary) (https://dictionary.cambridge.org/dictionary/english/data) accessed 18 February 2025

[2] VIPRE | A Brief History of General Data Protection Regulation (Inspired e-learning) (https://inspiredelearning.com/blog/a-brief-history-of-the-General Data Protection Regulation/) accessed 18 February 2025

[3] What is GDPR, the EU’s new data protection law? (2020) | GDPR.EU (https://gdpr.eu/what-is-gdpr/) accessed 18 February 2025

[4] Justice K.S. Puttaswamy vs. Union of India (2017) 10 SCC 1

[5] Harsh Sahu | A Definitive Guide to DPDP: India’s Digital Personal Data Protection Act (March 2024) (https://www.optiq.ai/blog-post/a-definitive-guide-to-dpdp-indias-digital-personal-data-protection-act) accessed 19 February 2025

[6] Latham & Watkins | India’s Digital Data Protection Act 2023 vs the GDPR: comparison (December 2023) (https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf) accessed 19 February 2025

[7] Pameela George Puthenvetti | DPDPA2023 vs GDPR: A comparative Analysis of India’s & EU’s data Privacy laws (2024) (https://emildai.eu/dpdpa-2023-vs-gdpr-a-comparative-analysis-of-indias-eus-data-privacy-laws/) accessed 19 February
