
Global Relevance of DPDP Act, 2023 in the light of GDPR.

Jun. 26, 2025   •   Harshita Pande

Student's Pen  

Introduction

In this age of advancing technology, data has become omnipresent in our lives. Naturally, it became an unregulated territory. Data has become an umbrella term which includes all forms and types of information present in the digital realm. With data becoming so important, there naturally came those who sought to infringe upon this information, raising the crucial concern of data privacy. This concern was directly addressed by the honourable Supreme Court in Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors. (2017), wherein it recognised the “Right to Privacy”. In light of this case, and to regulate this area of our lives like any other, the need arose for targeted legislation. As a result of this need, the central legislature in India enacted the Digital Personal Data Protection (DPDP) Act, 2023. However, it is widely accepted that the DPDP Act is heavily influenced by the European Union’s General Data Protection Regulation (GDPR). Yet it remains debatable whether the DPDP Act stands the test of global standards, which is essential considering that data is not bound by territory.

Similarities between DPDP Act and GDPR

It is often joked that the DPDP Act is a replica of the European GDPR. Beyond the good humour, there is some truth in it. Many provisions of the DPDP Act seem influenced by the GDPR.

  • Consent of data owner – Both DPDPA and GDPR consider the consent of the data owner essential for the use or other processing of personal data. Section 6 of DPDPA provides that the consent must be free, specific, informed, unconditional, and unambiguous. Similarly, Article 4(11) of the GDPR defines it as freely given, specific, informed, and unambiguous. From this, we can observe the extent to which the consent provisions of the former are influenced by the latter.
  • Rights of Data Principals – The role of data principals is crucial in data governance. Therefore, both DPDPA and GDPR have tried to enshrine the rights of these data principals against the Data Fiduciaries and to hold the latter accountable. The rights so protected by them include those regarding access, correction, erasure of data and consent, as well as of grievance redressal.
  • Accountability of Data Fiduciary – The Data Fiduciary, as the holder and processor of data, is a crucial element in ensuring data transparency, and has therefore been held to high compliance standards. Section 8 of the DPDPA lists the obligations of these data fiduciaries, including security safeguards and transparency. On a similar note, Article 24 of the GDPR sets out the responsibility of data controllers, which includes conducting assessments and implementing protection measures.
  • Mandated Notification in case of Breach – Since data privacy is recognised as the right of individuals, when this data is breached there ought to be a quick-response process that involves notifying those concerned of the breach, for it is their right. Both GDPR and DPDPA have such provisions. DPDPA mandates reporting it to both the affected person and the Data Protection Board, while GDPR requires notification to the Supervisory Authority within 72 hours.

Differences between DPDPA and GDPR

While the skeleton of DPDPA follows the GDPR, there exist some major omissions, making the former fall short of global standards.

  • Consent – While both DPDPA and GDPR require the consent of the data principals, the nature of this consent is different in both. The former introduces the concept of “deemed consent”, implied through its provision under Section 7. While it is provided that this provision concerns matters involving emergencies, public interest, employment, etc., the most significant bypassing of consent is under clause (a) of the section, which allows data fiduciaries to process the data when an individual has not denied consent. Moreover, no limit has been defined for the subject-matter to which this section may apply. This provision seems to skilfully bypass the most significant principle of consent. Such a provision is far from the requirement of explicit consent and the well-defined limitations provided in GDPR.
  • Exemptions by the Government – Both DPDPA and GDPR specify exemptions to their provisions, yet these exemptions differ vastly in their degree. DPDPA under Section 17 allows greater exemptions to be made by the government through notification. These exemptions carry no explicit requirement of proportionality. The section confers upon the government wide discretionary powers to make temporary exemptions, including exemptions beyond matters of national importance, such as for start-ups, debt recovery, corporate restructuring, etc. Moreover, the safeguarding obligations provided for such cases are next to none. This varies significantly from the provision regarding exemption under Article 23 of GDPR, which mandates that exemptions be introduced through legislative means, be limited to those necessary for public interest, and stand the test of proportionality. Further, it also provides for detailed safeguards, such as informing affected persons, specifying the purpose and the specific category of data, etc.
  • Independent Oversight – Sections 18 and 19 of the DPDPA provide for the establishment of the Data Protection Board, established and constituted by the Central Government. While the Board is recognised to be a body corporate, there is no explicit provision ensuring its independence. This raises a major concern regarding its regulatory independence. By contrast, the GDPR mandates the formation of the Supervisory Authority with specific provisions of independence set out in its Article 52, giving it total independence from political bodies.
  • Procedural time-limits – Most of the laws in the country and around the world have prescribed time limits in procedure to ensure proper and just grievance redressal. However, DPDPA does not specify or set any time limit for grievance redressal or related requests and procedures. This is in stark contrast with GDPR, which sets out clear procedural deadlines under Articles 12 and 33.
  • Cross-border Transfers – DPDPA under Section 16 gives the Central Government discretionary power, exercised through notification, to restrict or otherwise regulate cross-border data transfers. It does not specify any mandatory safeguards or assessments. Meanwhile, GDPR permits such data transfers only when adequate safeguards such as Standard Contractual Clauses, etc., are in place, providing a layered protection.

The Need for Global Adequacy

While it is true that the DPDPA is a landmark step towards regulated data, it surely isn’t the final destination. Even though legislators have managed to incorporate a considerable number of globally relevant principles in the sector, it is still far from the relevance we ought to achieve. Many substantive provisions, including compliance procedures, mandatory explicit consent, and an independent data supervising authority, have been omitted. As such, our Indian model could very well be subject to misuse of data due to reduced user control. Moreover, it is crucial to note that India has limited involvement in the international frameworks related to data privacy and processing. This risks isolation as well as inadequate implementation.

Therefore, it is necessary that we make appropriate amendments to our laws regarding data protection and also increase global engagement in the sector, to ensure that our regulations are relevant and adequate globally.

Conclusion

India might have taken a step towards an internationally relevant data protection regulation, but many more changes are yet to come. We need to recognise our shortcomings and introduce fallbacks in case of data breaches. We ought to make amendments to ensure that the aim of the Act so introduced is truly served. While there exist numerous drawbacks procedurally, we have also incorporated quite a few major principles creating a substantive framework to work on, and therefore, all we need to do is understand our weak points and make them stronger.

References:

  1. The Digital Personal Data Protection Act, 2023, No. 30, Acts of Parliament, 2023 (India), https://www.meity.gov.in/content/digital-personal-data-protection-act-2023.
  2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (GDPR), 2016 O.J. (L 119) 1, https://eur-lex.europa.eu/eli/reg/2016/679/oj.
  3. Sumit Panchal, Cross-Border Data Protection Laws in India and European Union: A Critical Analysis of the Complexities and the Legal Challenges (July 5, 2024), https://ssrn.com/abstract=4970259 or http://dx.doi.org/10.2139/ssrn.4970259.
  4. Viraj Thakur & Ritika Agrawal, Efficacy, Inhibition, Facilitation: Comparative Perspectives on Digital Personal Data Protection Act, 2023, in Emerging Jurisprudence of Digital Transformation of Law (Integrity Educ. India 2024), ISBN 978-81-976436-1-3, https://ssrn.com/abstract=5214828 or http://dx.doi.org/10.2139/ssrn.5214828.

Note:

The author affirms that this article is an entirely original work, never before submitted for publication at any journal, blog or other publication avenue. Any unintentional resemblance to previously published material is purely coincidental. This article is intended solely for academic and scholarly discussion. The author takes personal responsibility for any potential infringement of intellectual property rights belonging to any individuals, organizations, governments, or institutions.

