5 Ways India’s Digital Personal Data Protection Act 2023 differs from Europe’s GDPR


By Mayank Batavia

Mayank Batavia takes a deep dive into data protection mechanisms in India and Europe


In August 2023, the Digital Personal Data Protection Bill, 2023 was passed by both houses of the Indian Parliament and received Presidential assent, becoming the Digital Personal Data Protection Act, 2023. One caveat for anyone planning compliance: under section 1(2), the Act's provisions come into force only on dates notified by the Central Government, so enactment and enforceability are not the same thing.

Elsewhere, data privacy laws of varying complexity have been introduced in different countries over time. Among them, the European Union’s General Data Protection Regulation (GDPR) is considered both the most comprehensive and the strictest.

Before comparing India’s Digital Personal Data Protection Act, 2023 and the GDPR, let’s take a moment to understand why data privacy is both important and complex.

The complexity of data explosion

Less than a century ago, important data was printed on paper and stored in books and bound documents. You needed physical space, so if you wanted to store five books instead of one, you’d need five times the space.

Digital data storage changed everything.

Dropbox estimates that about 6.5 million pages of documents can be stored on a 1TB hard disk, a device roughly one and a half times the size of your palm. By the same measure, even a standard smartphone can store over 25 movies in HD.

And because such data storage is easily available to everyone, from governments to organizations and institutions to individuals, it becomes very difficult for a legal body to regulate data protection, storage and sharing.

About GDPR

The European Union brought the GDPR into effect in May 2018. It applies to organisations established in the European Economic Area (the 27 EU member states plus Iceland, Liechtenstein and Norway) and, under Article 3, also to organisations outside the EEA that offer goods or services to, or monitor the behaviour of, individuals in the EEA. Where the data is physically stored or processed does not change that.

It is a forerunner to many privacy regulations, including India’s DPDP and the CCPA (California Consumer Privacy Act). The GDPR requirements are stringent and the cost of non-compliance is stiff. For such reasons, the GDPR has become a model for other countries.

About India’s DPDP

India’s Digital Personal Data Protection Act (DPDP) was enacted five years after the GDPR took effect. This gave the drafters of the DPDP the advantage of studying the GDPR and other regulations.

Two key terms

It will help to keep in mind what the below two terms mean for these two regulations:

Data Controller: The natural or legal person that decides why and how personal data should be processed. The DPDP uses the term Data Fiduciary instead of Data Controller (and calls the individual the data relates to a Data Principal, where the GDPR says Data Subject).

Data Processor: The natural or legal person that processes personal data on behalf of the Data Controller (or, in DPDP terms, the Data Fiduciary).

How is India’s DPDP different from the GDPR?

The EEA and India operate under very different social, political, historical, and even commercial parameters. So, it’s only natural that their privacy laws have some differences.

For example, Article 9 of the GDPR sets out special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning a person’s sex life or sexual orientation). Processing such data is prohibited unless one of the specific exceptions in Article 9(2), such as explicit consent, applies. The DPDP has no equivalent category of sensitive personal data and no heightened rules for processing it.

Here are the key differences between the Digital Personal Data Protection Act and the GDPR.

1. The enshrined principles

GDPR: The GDPR takes a defined route to establishing what data privacy is and what its guiding principles are. The seven principles that lie behind the GDPR are lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

DPDP: The Act does not explicitly list principles the way the GDPR does. However, the report of the Justice B N Srikrishna Committee, appointed to examine the requirements, validity, scope, and other aspects of a data protection framework for India, mentions two guiding factors that informed the thinking behind the current law.

The first emerges from the Directive Principles of State Policy, which says that the state must act as a facilitator of human progress. Hence, the DPDP is drafted in a way to encourage the growth of the private enterprise without compromising an individual’s right to privacy.

The second is a self-disciplinary idea for the state: it admits that the state is “prone to excess”. Therefore, it’s important to empower individuals with fundamental rights, which they may use against the state if the state begins to border on the excess. They may also be used if private enterprises attempt to abuse the freedom the state grants these enterprises.

The data protection framework has been built so that the right to privacy, now a fundamental right in India, gets legal endorsement. This framework offers protection to the individual against both state and non-state actors.

2. How the data is processed

GDPR: Under Article 2(1), the GDPR applies to any processing of personal data that is wholly or partly automated, and also to manual processing if the data forms, or is intended to form, part of a filing system. In practice, whether a record is handled mechanically, manually, or electronically is immaterial; what matters is that it is personal data and is either processed by automated means or organised in a structured filing system.

DPDP: Against that, the DPDP is narrower and very specific. It defines processing as a “wholly or partly automated operation or set of operations” performed on digital personal data, and applies only to personal data that is collected in digital form or is collected offline and subsequently digitised. Purely manual records that are never digitised fall outside it.

There could be several reasons why the DPDP limits the definition of processing in this way. One explanation is that if the scope had included all sorts of processing, the law would have been too complex and mammoth to enforce, thereby defeating its purpose.

The Indian government is pushing for digitalization and alongside that, Indian consumers are also showing a clear change in the way they share their personal information. So, in the next five years or so, a large chunk of data is set to be digitized anyway.

3. Data Protection Boards and enforcement

As technology lets us collect an increasingly wider variety of data, what is personal data isn’t always easy to define. That adds another level of complexity in enforcement of data privacy regulations.

For instance, role email addresses (the ones like sales@, admin@, or billing@) are rarely used to sign up for newsletters, because they are team addresses, and they are often publicly displayed on websites. Because they belong to a function rather than an identifiable person, it is not even clear that they are personal data at all. And yet marketers indiscriminately spamming role addresses still need to be kept in check.

The GDPR and the DPDP have built elaborate mechanisms to ensure that they protect the privacy of people without making things unduly difficult for businesses.

GDPR: The GDPR brought into existence the European Data Protection Board (EDPB). Each EU member state designates one or more independent supervisory authorities (often called Data Protection Authorities, or DPAs), which investigate complaints, impose fines and work with the national courts to enforce the GDPR. These authorities are the point of contact for controllers and processors established in their member state. The EDPB’s role is to ensure that the GDPR is applied consistently across the EEA.

Where processing spans more than one member state, the “one-stop-shop” mechanism designates a lead supervisory authority (normally the authority of the controller’s main establishment) to handle the case, in cooperation with the other authorities concerned. If those authorities disagree, the EDPB resolves the dispute through a binding decision. The EDPB itself does not investigate or fine organisations; that remains the job of the national authorities.

DPDP: The DPDP Act establishes a body called the Data Protection Board of India (DPBI). (As of 27 November 2023, the DPBI had not yet been constituted.) The DPBI will consist of a chairperson and members appointed by the Central Government, supported by officers and employees.

Among other things, the DPBI differs from the EDPB in that it has no rule-making or guidance role at all. Rules under the DPDP Act are made by the Central Government, and the DPBI is purely an adjudicating body. The EDPB, by contrast, issues guidelines, recommendations and binding decisions on how the GDPR is to be interpreted and applied.

The DPBI receives complaints, decides whether a complaint merits inquiry, conducts the inquiry, and passes interim and final orders, including monetary penalties. It may seek the assistance of other government agencies and officers if required. Appeals from DPBI orders go to the Appellate Tribunal, which under the Act is the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and orders of the TDSAT may in turn be appealed to the Supreme Court.

4. Consent and responsibility

GDPR: Article 6 of the GDPR sets out six lawful bases for processing personal data: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and legitimate interests. Consent is only one of these, and where it is relied on it must be freely given, specific, informed and unambiguous, which is why GDPR consent is granular and detailed. Articles 13 and 14 require a privacy notice to be provided at the time personal data is collected (or, where it is obtained from a third party, within a reasonable period).

The onus of compliance is on the data controllers as well as the data processors, depending upon the nature of compliance or breach.

DPDP: The DPDP is consent-centric. Processing is lawful either with the Data Principal’s consent or for a closed list of “certain legitimate uses” set out in section 7 (for example, where the individual has voluntarily provided the data for a specified purpose, or for compliance with a legal obligation). There is no equivalent of the GDPR’s open-ended legitimate-interests basis. The contents of the DPDP notice are also relatively limited: the personal data being collected, the purpose of processing, the manner in which the Data Principal can exercise their rights and withdraw consent, and how to complain to the Board. The GDPR notice is considerably more detailed.

Unlike the GDPR, which places direct statutory obligations on processors as well as controllers, the DPDP makes the Data Fiduciary responsible for compliance even in respect of the Data Processors it engages, irrespective of any agreement to the contrary. A Data Fiduciary may engage a processor only under a valid contract, and in case of a breach of compliance by that processor the DPDP would still hold the Data Fiduciary responsible.

There are two likely reasons why the DPDP made this stipulation, instead of allowing a joint-and-several form of liability. One, it was the Data Fiduciary that defined the purpose of collecting and processing the data, and it will likely remain the sole beneficiary of the processed data. (The Data Processor typically offers a service to process the data, but is unlikely to gain anything beyond the processing fees.) Hence, the onus must lie with the Data Fiduciary.

Two, because of this stipulation, the Data Fiduciary has every incentive to ensure that the security measures it has in place are proportionately reflected in the measures its processors take, and to write those requirements into the processing contract. That keeps the Data Fiduciary alert to the standards of every entity in its supply chain.

5. Children’s data

While both the EU and India actively seek to protect their children, there are some divergences in how this is approached.

Culturally, people in India look at family – and not the individual – as a unit of the society. As a result, some western conventions of privacy don’t apply. For instance, many children aren’t assigned a separate room for themselves. Even when a child has a separate room for themselves, they seldom keep it locked, and members of the family freely move around in and out of rooms of one another.

The average Indian parent engages their children in a way that’s different from the way an average European or American parent will. The Indian parent is more hands-on and involved: they believe sharing important information within the family is key to bonding, well-being, and even overall safety.

With all this context, it’s not unusual to routinely share account passwords within the family. That blurs the lines of privacy in the familial context. In the European Union, this would be extremely rare.

Finally, the legislature and the judiciary in India take cognizance of the unique relationship between parents and their offspring (e.g. Maintenance and Welfare of Parents and Senior Citizens Act, 2007). All this, in a small way, might partially account for some of the differences between the GDPR and the DPDP.

GDPR: The Article 57 specifically requires the supervisory authorities of member nations to pay attention to “activities addressed specifically to children” while promoting public awareness and understanding.

Article 8 of the GDPR sets the default age of digital consent at 16 years, while allowing member states to lower it to as low as 13. Below that age, where an information society service (such as a social network or an app) is offered directly to a child and relies on consent as its lawful basis, the consent of the holder of parental responsibility is required. Note that this parental-consent rule is tied to consent-based processing by online services; it is not a general rule for every kind of processing of a child’s data.

There is, however, an interesting exception mentioned in Recital 38. It clearly states that when providing “preventive or counseling services directly to a child”, the consent from the guardian or parent is not necessary.

DPDP: A person who has not attained the age of 18 years is defined as a child under the DPDP. Before processing the personal data of a child, a Data Fiduciary must obtain the verifiable consent of the child’s parent or lawful guardian. This applies to all processing of a child’s data, not only to consent-based online services as under the GDPR.

One thing that’s not entirely clear is why, for the purpose of consent, the DPDP has clubbed persons with disabilities together with children. Strictly, the provision covers only a person with disability who has a lawful guardian, in which case the guardian’s verifiable consent is required. Among other reasons, the grouping may reflect the fact that both groups receive considerable support from parents or guardians.

Another interesting feature of the DPDP is that it clearly prohibits a Data Fiduciary from undertaking processing that is “likely to cause any detrimental effect on the well-being of a child”. The Data Fiduciary is also clearly prohibited from tracking or behaviourally monitoring children, and from serving targeted advertising directed at children. The Act does, however, allow the Central Government to exempt specified classes of Data Fiduciaries or purposes from these restrictions, and to lower the age threshold for a Data Fiduciary that processes children’s data in a manner that is verifiably safe, so the final shape of these rules depends on what is notified.

To some extent, this places a significant onus on the Data Fiduciary. Children are today among the heaviest users of social media and digital platforms, so an organisation may already be collecting their behavioural data and serving ads accordingly without reliably knowing their age. In case of a dispute or disagreement, it could be difficult to draw the lines.

Concluding remarks

Both the DPDP and the GDPR reflect a considered, mature, and yet a strict approach in protecting the privacy and the data of their people.

And yet it’s important to remember that the two sets of regulations aim at two different geographies and two different bodies. While compliance with one will make compliance with the other easier, there are some provisions unique to each of the two.

In a world where data is shared, stored, and processed more widely than ever before, organisations can still make productive use of data while remaining compliant with both regulations.

Mayank Batavia works in the tech industry within the email organisation space. 
