How does India’s new privacy law compare to GDPR?
India is now one-month into its grand experiment with data privacy regulation, having replaced a decade-old set of data security rules with a bespoke Digital Personal Data Protection Act, 2023. This new law has had an interesting journey that warrants examination, to see how it compares to the global ‘gold standard’ on data regulation, the European Union’s General Data Protection Regulation, 2016.
The Journey So Far
The erstwhile regulatory framework governing data protection in India was fairly archaic, with laws primarily outlining basic data security requirements. This was governed by the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 formulated under the IT Act.
In 2017 the Indian Supreme Court issued a landmark judgement that established the right to informational privacy as a fundamental right of all persons. The Court also directed the Indian Government to enact a data protection law. An expert committee was set up for this purpose by the Ministry of Electronics and Information Technology, and after some deliberations it drafted the Personal Data Protection Bill, 2018 along with its report. A revised version of the 2018 bill was tabled in the lower house of the Indian Parliament on December 11, 2019. It is instructive to note that both the 2018 and 2019 versions were quite similar to the GDPR: they borrowed concepts such as privacy by design and legitimate purposes for data processing.
So, at least at the start, the intent in Indian law-making was to closely follow the global data protection standard, the GDPR. This would have the added benefit of (theoretically) making India a candidate for ‘adequacy’ rulings, something that its IT and BPO industry has craved for years. But this was not the only response the earlier 2018 and 2019 versions received.
The Backlash, and Backtrack
In early August 2022, almost exactly a year ago, news broke that the 2019 privacy bill had been formally withdrawn from Parliament by the Indian Government. It transpired that the bill was withdrawn due to opposition from digital business majors, civil society, and also from the Government’s own experts.
Data-driven businesses in India were alarmed by restrictions on the use and export of Indian persons’ data in the 2019 draft law. Provisions that required compulsory localisation of undefined ‘critical data’, and provided for jail terms for certain breaches, proved predictably unpopular. The law went through a series of public consultations and was referred to the Indian Parliament’s joint expert committee for its views. After extensive stakeholder consultations, in 2021 the committee recommended an overhaul of the draft bill, asking for 81 changes in a total of 99 provisions!
In the authors’ view, the 2018 and 2019 bills were likely unnecessarily complex and not a good fit for Indian regulatory aims, which are to promote business activity and economic growth. Concepts such as ‘privacy by design’, while laudable, are difficult to communicate and implement in a jurisdiction that is coming from a fairly low level of data regulation. In particular, the almost 100-section-long draft law did not fit into India’s stated aim of providing “ease of doing business” to companies.
The 2023 Act vs. GDPR
In November 2022 a much-simplified version of the privacy law was proposed, with comparatively simpler requirements pertaining to data localisation, cross-border data transfers, and the rights of data subjects. It was received much more positively by industry, for one. After a few tweaks based on public consultations, the Digital Personal Data Protection Act (DPDP) was officially passed by the Indian Parliament in August 2023.
Here are seven (7) areas of difference between the GDPR and the DPDP:
1. The DPDP has wider scope: While the GDPR applies primarily to processing of EU data subjects’ data, the DPDP applies to processing of any data within India, or even abroad that has a connect to business activities in India. That said, a useful exemption has been provided to data of foreign subjects brought into India for processing as part of a contract, i.e., for BPO or IT outsourcing purposes.
2. For ‘Controller’, read ‘Fiduciary’: Obligations under the DPDP apply primarily to ‘Data Fiduciaries’, who are in fact defined very similarly to ‘Data Controllers’. A Data Fiduciary, alone or in conjunction with others, determines the purpose and means of processing of personal data. (On a similar note, for Data Subject, read Data Principal.)
3. Legitimate Purposes vs. Legitimate Uses: The GDPR lists six (6) grounds for processing data: consent, performing a contract, compliance with laws, legitimate interests, protecting life, and public interest. The DPDP’s legitimate uses are similar but differ in significant ways; while they match in matters such as court proceedings, they also allow processing for employment purposes or where data has been voluntarily provided.
4. No Special Categories of Data: Unlike earlier iterations of the bill, the final DPDP does not differentiate among data types based on sensitivity, criticality, etc. All data is protected in the same way as per the same procedures. The GDPR, of course, provides for protections for certain special categories of personal data, including racial or ethnic origins, trade union status, genetic and biometric data, etc.
5. Defining ‘Children’: Keep in mind that under the DPDP, and Indian law in general, anyone below the age of 18 (eighteen) years is a child. The age varies among the EU member states applying the GDPR, and can be lower than this. This is important since the processing of children’s data is dealt with more strictly under the DPDP, with prohibitions around profiling and advertising.
6. Simpler Cross Border Transfers: GDPR allows transfer of EU subjects’ data overseas in fairly limited circumstances, including to jurisdictions holding the adequacy ruling as alluded to earlier, or SCCs. In theory, the DPDP places very few restrictions on transfers (data principal’s consent permitting); though this may change in the future as data transfer rules are framed.
7. Data Subjects’ Rights: Finally, it is useful to keep in mind that the DPDP does not provide its data principals every right that is available to data subjects under the GDPR; for example, a right against automated processing, or portability. In addition, certain rights under the DPDP can be exercised only with the help of the (forthcoming) Indian Data Protection Board.
How this affects Businesses:
The new DPDP is much more akin (in our view) to Singapore’s Personal Data Protection Act, 2012. That said, it is not completely alien to the GDPR either: a number of concepts, such as processing under a legitimate interest (use) ground and data subjects’ (principals’) rights related to erasure, are echoes of the GDPR. At the same time, there are a few important distinctions to be kept in mind. These are useful at a practice level as well, since they provide a good indication of the ‘delta’ change that one needs to carry out on GDPR policies and documents to make them match the Indian DPDP.
Article provided by INPLP members: Vikram Jeet Singh and Prashant Mara (BTG Advaya, India)