We are back today to conclude the analysis of the DPDPB, 2022. This piece presents a comparative analysis of India's proposed data protection law against its international counterparts, principally the EU's General Data Protection Regulation (GDPR) and Australia's Privacy Act 1988. Before calling out the differences, let's look at the similarities that place the Bill on an equal footing with the data protection laws in force in those jurisdictions.
- Rights of the individual: All three laws give individuals (data subjects under the GDPR, data principals under the Bill) rights over their personal data, centred on access to information about the processing and correction of the data. The GDPR's catalogue is the widest, adding erasure, restriction of processing and data portability; the Bill provides erasure but no portability right.
- Responsibilities of controllers and processors: All three also place obligations on data controllers (data fiduciaries, in the Bill's terminology) and processors: secure personal data through appropriate technical and organisational measures, obtain valid consent where consent is the basis for processing, and notify data breaches to the relevant authority and, in defined circumstances, to the affected individuals.
- Privacy by design and default: All three reflect the principle of privacy by design and by default, under which data protection considerations are built into new systems and processes that handle personal data from the design stage rather than bolted on afterwards.
- Cross-border data transfers: All three regulate international transfers and require organisations to ensure that personal data remains adequately protected when it leaves the jurisdiction; transfer is permitted only under specified conditions, not freely.
In summary, the DPDPB shares several features with its international counterparts: individual rights, controller and processor responsibilities, privacy by design and default, and regulated international transfers. These similarities reflect a global convergence on data protection regulation aimed at safeguarding personal data and privacy. The differences are where the Bill's own choices show.
- Scope: The GDPR applies to any organisation established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals located in the EU; it protects data subjects in the Union, not EU citizens as such. The DPDPB similarly covers the processing of digital personal data within India and extends to processing outside India that is connected with profiling of, or offering goods or services to, data principals in India. The DPDPB applies to both government and private entities; the Privacy Act 1988 applies to Australian Government agencies and private sector organisations, but exempts most small businesses (annual turnover under AUD 3 million).
- Data localization: The GDPR does not require data localization; data may be stored outside the EU provided one of the Chapter V transfer mechanisms applies (an adequacy decision, standard contractual clauses, binding corporate rules or one of the narrow derogations). The DPDPB does not mandate local storage either: the requirement of the withdrawn 2019 bill to keep a copy of sensitive personal data in India and to process critical personal data only in India has been dropped, and the 2022 Bill instead allows transfer only to countries or territories notified by the Central Government. Functionally this is a whitelist-based transfer restriction rather than a localization mandate. It also squares with the next point: a law that mandates local storage of "sensitive" data needs a definition of it, and the Bill has none.
- Personal data: The DPDPB does not carve personal data into sensitive or critical categories; there is one definition, one set of obligations and one standard of reasonable security safeguards for all of it, so there is no statutory requirement to run separate compliance regimes for different classes of data. The GDPR, by contrast, defines special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data used for identification, health data, and data concerning sex life or sexual orientation), whose processing is prohibited unless one of the specific Article 9 conditions applies, which narrows the legal bases available. The Privacy Act 1988 likewise defines "sensitive information" and attaches stricter collection and use rules to it, including a requirement of consent to collect it.
- Penalties: The GDPR sets administrative fines of up to €20 million or 4% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is higher. The Privacy Act 1988 long capped penalties at AUD 2.1 million for corporations and AUD 420,000 for individuals; amendments passed in late 2022 raised the corporate maximum to the greater of AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover in the relevant period. The DPDPB takes a different route: its Schedule lists fixed ceilings per instance of contravention (up to Rs. 250 crore for failing to take reasonable security safeguards, Rs. 200 crore for failing to notify a personal data breach, and Rs. 50 crore as the default for other contraventions), subject to an overall cap of Rs. 500 crore per instance. The turnover-linked formula of the withdrawn 2019 bill (Rs. 15 crore or 4% of total worldwide turnover, whichever is higher) has not been retained, so the Bill's penalties, unlike the GDPR's, do not scale with the size of the organisation.
- Consent: A difference small in drafting but significant in effect: the Bill provides that a data principal is deemed to have given consent where they voluntarily provide personal data to the data fiduciary and it is reasonably expected that they would provide it. The Bill's own illustration makes this concrete: a person reserving a table at a restaurant and giving the details the restaurant asks for is deemed to have consented to their processing for that purpose. The GDPR has no such concept. Consent there must be a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or a clear affirmative action, so it cannot be implied from conduct; a controller in the restaurant's position would instead rely on another lawful basis, such as performance of a contract, rather than on consent.
Overall, the GDPR is the more prescriptive instrument, whereas the Indian Bill lays down fundamental principles and leaves many implementation details to subordinate legislation, rules and regulations to be issued after enactment. The two therefore differ in scope, definitions, enforcement and penalties, reflecting the contexts and needs of the jurisdictions they belong to.