THE MYTH OF MYSTIKÓTITA: A Comparative Analysis of the GDPR and the DPDPA

Published on 14th April 2025

Authored By: Himasikta Tanaya Singh
Bangalore Institute of Legal Studies, Karnataka State Law University

INTRODUCTION

A little Greek in a title never hurt anyone, though it may have confused a few. ‘Mystikótita’ is Greek for privacy, a concept widely believed to be a myth yet recognised as an integral part of people’s rights, and therefore regulated by legislation. The sheer volume of data being generated, combined with gaps in the effectiveness of regulatory measures and in the awareness of the average internet user, only aggravates the difficulty of protecting people’s privacy across domains, safeguarding them from cybercrime, and remedying cases where those safeguards have been breached, not only by cybercriminals but by corporations and governments as well.

The European Union’s General Data Protection Regulation (GDPR) is widely hailed as the strongest data protection law in the world today.[1] The reasons are discussed in detail below, but they essentially lie in its foundational principles and the high priority it accords to individual rights. Any discussion of data privacy would be remiss in not critically analyzing the Indian State’s approach to data protection, given that the country is one of the strongest proponents of digitization today. India has made considerable strides in data privacy and protection, from enacting the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules) and, most recently, the Digital Personal Data Protection Act, 2023 (the DPDP Act), to landmark judgments such as Shreya Singhal[2] and K. S. Puttaswamy[3]. It is therefore constructive to compare and contrast the latest data protection law that India has to offer against the strongest one in the world.

This comparison will not only cover the provisions of each law but will also help gauge whether the latest Indian data protection law is adequate to address the risks to which India’s enormous volume of personal data is exposed, and whether the GDPR can serve as a suitable blueprint for the Indian legislature to follow and adapt to the Indian context.

THE GENERAL DATA PROTECTION REGULATION – AN OVERVIEW 

The Origin

On 24 October 1995, Directive 95/46/EC, also known as the Data Protection Directive, was adopted by the European Parliament and the Council to protect natural persons (referred to as ‘data subjects’) within the territory of the European Union, both as regards the processing of their personal data and the free movement of such data within the Union, with the larger goal of not compromising people’s fundamental rights.[4] The directive was issued at a time when the internet was nascent. While the internet showed great promise, it was also clear that regulating it would only become more challenging in future.

The challenges eventually materialised, not only because of technological advances but also because the member states of the European Union had transposed the directive with varying degrees of rigour, which made data protection inconsistent across the Union.

The rectification of the directive’s drawbacks was set in motion in January 2012, when the European Commission proposed that the 1995 directive undergo a thorough reform in the interest of people’s right to privacy online, as well as Europe’s “digital economy”.

Following several years of deliberation, the European Parliament, the Council and the European Commission reached agreement on the General Data Protection Regulation on 15 December 2015. The Regulation was formally adopted on 27 April 2016 and became applicable from 25 May 2018, replacing the Data Protection Directive of 1995.

Key Principles

Article 5 of the General Data Protection Regulation lays down the principles that controllers must abide by when collecting and processing personal data[5]. Article 5(1) sets out six of them and Article 5(2) adds accountability, for seven in all, listed in brief as follows:

  1. Lawfulness, Fairness, and Transparency: Processing must rest on one of the legal bases recognized by the GDPR (Article 6) and must otherwise comply with its requirements. It must also be fair to the individuals concerned, who must be given concise and comprehensible information by the controller about how their data is processed.
  2. Purpose Limitation: Personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes. Further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not treated as incompatible.
  3. Data Minimization: Along the lines of purpose limitation, the data collected must be adequate, relevant and limited to what is necessary for the controller’s purposes.
  4. Accuracy: Controllers must keep personal data accurate and, where necessary, up to date, and must rectify or erase inaccurate data without delay.
  5. Storage Limitation: Personal data must not be kept in a form that permits identification of data subjects for longer than is necessary for the purposes of processing; longer retention is again permitted for archiving, research and statistical purposes, subject to appropriate safeguards.
  6. Integrity and Confidentiality: Controllers are legally required to process personal data in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.
  7. Accountability: A principle newly made explicit in Article 5(2), it states that controllers are not only bound to comply with the above principles but must also be able to demonstrate such compliance by having appropriate codes, policies, processes and records in place.

Rights of Data Subjects

Chapter 3 of the General Data Protection Regulation is dedicated to the rights of data subjects, set out under five sections. The first four deal with the rights themselves and the last with the restrictions that may be placed on them.

  1. Transparency and modalities: Article 12 requires controllers to communicate with data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and to act on requests to exercise the rights below without undue delay and in any event within one month, extendable where requests are complex or numerous.
  2. Information and access to personal data: In the interest of transparency, data subjects are entitled to be told, among other things, the identity of the controller and of any data protection officer, the purposes and legal basis of processing, the recipients of the data and the retention period (Articles 13 and 14), and to obtain access to the personal data held about them (Article 15).
  3. Rectification and erasure: Data subjects may obtain rectification of inaccurate personal data (Article 16) and erasure of personal data where, for instance, it is no longer necessary for the purpose for which it was collected, consent has been withdrawn, or the processing was unlawful (Article 17, the ‘right to be forgotten’). This section also provides the rights to restriction of processing (Article 18) and to data portability (Article 20).
  4. Objection: Data subjects may object, on grounds relating to their particular situation, to processing based on public interest or legitimate interests, and the controller must then stop unless it demonstrates compelling legitimate grounds that override the interests and rights of the data subject (Article 21). An objection to processing for direct marketing must always be honoured. The same section gives data subjects the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22).
  5. Restrictions: Article 23 permits Union or member-state law to restrict the scope of the rights and obligations above, provided that the restriction respects the essence of the fundamental rights and is a necessary and proportionate measure to safeguard interests such as national security, defence, public security, or the prevention and prosecution of criminal offences.

Remedies and Penalties

Chapter 8 of the GDPR, titled “Remedies, liability and penalties”, gives data subjects the right to lodge a complaint with a supervisory authority (Article 77) and the right to an effective judicial remedy both against a supervisory authority (Article 78) and against a controller or processor (Article 79). Article 82 entitles any person who has suffered material or non-material damage from an infringement to compensation from the controller or processor. Article 83 sets out harmonized administrative fines, and Article 84 leaves member states free to lay down additional penalties for infringements not already subject to those fines.

THE DIGITAL PERSONAL DATA PROTECTION ACT – AN OVERVIEW

Evolution of data protection laws in India

India made its first attempt at data protection with the Information Technology Act, 2000, enacted at a time when a boom in digital transactions was accompanied by a rise in cyber threats. Its ambit is wide, ranging from giving legal recognition to electronic documents and electronic signatures to penalizing breach of confidentiality and privacy (Section 72), among various other things.

However, that wide ambit remained largely within the boundaries of cybercrime, which left the Act far from comprehensive as a data protection law. Thus, in a bid to further data protection, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules were notified in 2011 under Section 43A of the Act. These rules impose security requirements on body corporates that collect, retain and deal with sensitive personal information of users; data such as passwords, financial details, health records, biometric information and sexual orientation is deemed “sensitive personal data or information” under them.[6] Consent is a key feature of the rules, since information providers (those who provide data to body corporates) have the right to refuse or withdraw consent to the collection of sensitive personal information.

Strides followed in the judicial realm when the right to privacy was recognized as a fundamental right under Article 21 of the Indian Constitution[7]. Around the same time the government constituted a committee of experts under Justice B.N. Srikrishna to draft a dedicated data protection framework. The Committee recommended, among other things, extending data protection to all personal data rather than only sensitive personal data, and those recommendations found their way into the draft Personal Data Protection Bill, 2018, which also proposed a Data Protection Authority to enforce the law.

That Bill, reintroduced in Parliament in 2019, was subject to several years of scrutiny and deliberation before being withdrawn in 2022. It paved the way for a fresh Bill, the Digital Personal Data Protection Bill, 2023, which was enacted in August of that year.

Key Principles[8]

The Digital Personal Data Protection Act embodies the principles of purpose limitation and collection limitation: personal data may be processed only for a lawful purpose for which the data principal (the counterpart of the GDPR’s data subject) has given consent or which the Act lists as a legitimate use, and that consent extends only to such personal data as is necessary for the specified purpose. The entity that determines the purpose and means of processing is termed the data fiduciary, the counterpart of the GDPR’s controller.

Key Highlights

  1. Treatment of personal data: The DPDP Act applies to personal data that is either collected in digital form or collected in non-digital form and digitized subsequently. It extends its protection to all such personal data, rectifying the limitation of the SPDI Rules, 2011, which covered only sensitive personal data.
  2. Consent and Notice: The data principal’s consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, before processing can begin. Consent may be withdrawn at any time with ease comparable to that with which it was given, and such withdrawal does not affect the legality of processing carried out before it. The data principal is also entitled to a notice stating what personal data is being processed and for what purpose, how they may exercise their rights and withdraw consent, and how they may complain to the Data Protection Board.
  3. Significant Data Fiduciary (SDF): Every data fiduciary must comply with the DPDP Act in dealing with data principals’ personal data, but the Central Government may additionally notify a data fiduciary, or a class of them, as a Significant Data Fiduciary after assessing factors such as the volume and sensitivity of the personal data processed and the risk to data principals, the security of the State and public order.[9] SDFs bear added obligations, including appointing a Data Protection Officer based in India, engaging an independent data auditor and carrying out periodic data protection impact assessments.
  4. Data of Children and Persons with Disability: Processing the personal data of a child, or of a person with disability who has a lawful guardian, requires the verifiable consent of the parent or lawful guardian, as the case may be. The Act itself prohibits tracking or behavioral monitoring of children and targeted advertising directed at children, while empowering the Central Government to exempt notified classes of data fiduciaries from these restrictions.
  5. Data Protection Board of India: The DPDP Act provides for a Data Protection Board which enforces the Act, receives intimations of personal data breaches, inquires into them, directs remedial measures and imposes penalties. Orders of the Board may be appealed before the Telecom Disputes Settlement and Appellate Tribunal.

Rights of Data Principals

It is evident that the DPDP Act has been modelled on the GDPR, since it affords data principals rights similar to those the GDPR affords data subjects: the right to obtain a summary of the personal data being processed and clear, understandable information about how it is processed, the right to have inaccuracies corrected, the right to have personal data erased once it is no longer necessary for the specified purpose, and the right to grievance redressal.

The DPDP Act also provides a right to nominate, under which data principals may nominate another individual to exercise the aforementioned rights on their behalf in the event of death or incapacity.

Penalties and Compensation

The Data Protection Board is statutorily empowered to impose monetary penalties of up to INR 250 crore, the ceiling applying to failure to take reasonable security safeguards to prevent a personal data breach, with the amount in each case depending on the nature, gravity and duration of the breach and other pertinent factors.

A significant departure from the IT Act, 2000 is that the DPDP Act provides no compensation to data principals whose personal data has been compromised; indeed, it omits Section 43A of the IT Act, under which body corporates were liable to compensate persons harmed by negligence in implementing reasonable security practices. The Act also imposes duties on data principals themselves, a breach of which may be penalized by up to INR 10,000.

A TABULATED COMPARISON OF THE GDPR AND THE DPDP ACT

Jurisdiction and Scope
  GDPR: Applies to controllers and processors established in the EU, and to those outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the Union (extraterritorial).
  DPDP Act: Applies to digital personal data processed within India, and to processing outside India in connection with offering goods or services to data principals within India.

Regulatory Authority
  GDPR: Independent supervisory authorities (Data Protection Authorities, DPAs) in each member state, with consistency ensured by the European Data Protection Board (EDPB).
  DPDP Act: Data Protection Board of India (DPBI) oversees compliance and enforcement.

Types of Data Covered
  GDPR: Covers all personal data and singles out special categories (health, biometrics, racial or ethnic origin, religion, etc.) for stricter treatment.
  DPDP Act: Covers only digital personal data (including digitized offline data), with no separate category of sensitive personal data.

Legal Basis for Processing
  GDPR: Requires one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
  DPDP Act: Processing is mainly consent-based, with “certain legitimate uses” permitted without consent, such as voluntarily provided data, State functions and benefits, legal compliance, medical emergencies and employment.

User Rights
  GDPR: Extensive rights: access, rectification, erasure (right to be forgotten), restriction, portability, objection, and the right not to be subject to solely automated decision-making.
  DPDP Act: Basic rights: access to information, correction, erasure, grievance redressal, and nomination. No explicit right to portability, restriction or objection.

Obligations on Companies
  GDPR: Data Protection Officers in specified cases, data protection impact assessments for high-risk processing, records of processing, and security measures, applicable to all controllers.
  DPDP Act: Reasonable security safeguards and breach notification for all data fiduciaries; only Significant Data Fiduciaries must additionally appoint a Data Protection Officer and an independent data auditor and conduct impact assessments.

Penalties for Non-Compliance
  GDPR: Administrative fines up to €20 million or 4% of worldwide annual turnover, whichever is higher.
  DPDP Act: Penalties up to INR 250 crore per instance of non-compliance.

Government and State Exemptions
  GDPR: Public authorities must comply, though national security lies outside the Regulation’s scope and member-state law may restrict rights where necessary and proportionate.
  DPDP Act: Broad exemptions for notified State instrumentalities in the interests of sovereignty, security of the State, public order and law enforcement.

Overall Approach
  GDPR: Comprehensive, strict, and principle-based, emphasizing user rights and accountability.
  DPDP Act: Business-friendly, flexible, and compliance-light, but with potential for government overreach.

CONCLUSION

As mentioned earlier, it is evident that the DPDP Act has been modelled on the GDPR in various respects. In spite of that, the two laws clearly differ in their priorities: the GDPR prioritizes the fundamental rights of data subjects, whereas the DPDP Act prioritizes ease of implementation, compliance and grievance redressal. This contrast points towards a need for global alignment on data protection, which does not necessarily mean every country modelling its law on the GDPR, but the GDPR would not be a weak starting point.


REFERENCES

[1] Ben Wolford, What is GDPR, the EU’s new data protection law?, GDPR.EU, https://gdpr.eu/what-is-gdpr/.

[2] Shreya Singhal v. Union of India, AIR 2015 SC 1523.

[3] Justice K S Puttaswamy (Retd.) and Anr. v. Union of India and Ors., AIR 2017 SC 4161.

[4] EUROPEAN DATA PROTECTION SUPERVISOR, https://www.edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en (last visited Feb. 14, 2025).

[5] INTERSOFT CONSULTING, https://gdpr-info.eu/ (last visited Feb. 15, 2025).

[6] Ravi Singhania, SPDI Rules 2011: Taking a step towards securing Data, SINGHANIA & PARTNERS, https://singhania.in/admin/blogimages/doc-4114474.pdf

[7] See supra note 3.

[8] AZB & PARTNERS, https://www.azbpartners.com/bank/digital-personal-data-protection-act-2023-key-highlights/ (last visited Feb. 19, 2025).

[9] Lalit Kalra, Decoding the Digital Personal Data Protection Act, 2023, EY (Aug. 23, 2023), https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023
