How do the GDPR and India's DPDP differ? With the introduction of India's DPDP, multinationals are keen to see how it compares with Europe's GDPR.
While they share the common goal of protecting the data of people, there are some differences between the two rules.
This presentation discusses the 5 key differences between India's Digital Personal Data Protection Act 2023 and EU/EEA's GDPR.
2. The Indian Parliament passed the Digital
Personal Data Protection (DPDP) Bill, 2023 in
August 2023.
It has now become the Digital Personal Data
Protection Act, 2023, which makes it legally
enforceable.
3. The GDPR was introduced a few years earlier:
May 2018.
4. At their core, both regulations are similar in that
both laws aim to shield the privacy of their
users by protecting their data.
Yet there are significant differences between
the two.
5. This presentation takes you through 5 key
areas where Europe’s GDPR and India’s
DPDP are different.
7. 1. The enshrined principles
GDPR:
Seven principles lie behind the GDPR: lawfulness, fairness, and transparency;
purpose limitation; data minimization; accuracy; storage limitation; integrity
and confidentiality; and accountability.
DPDP:
No principles are listed out explicitly. However, the Justice B N Srikrishna
Committee mentions two guiding factors: Directive Principles of State and
idea of a self-disciplinary state that says to;; “prone to excess”.
9. 2. How the data is processed
GDPR:
Any piece of data that’s part of a database / filing system, if personal in nature,
needs to be protected and processed appropriately. That’s because the GDPR
applies to all types of data, not just data processed by machines.
DPDP:
The DPDP applies only to data that is processed using automation: “wholly or
partly automated operation…” This is likely because India already has tons of
data, so the government is moving in stages.
11. 3. Data Protection Boards and enforcement
GDPR:
Member-states have their own supervisory authorities. If the data crosses
borders within the EU, the European Data Protection Board (EDPB) will step in
for consistent compliance with the regulations.
DPDP:
The Data Protection Board of India (DPBI) may pass orders, not laws. If you’re
not happy with the DPBI, you may appeal to the Telecom Disputes Settlement
Authority of India (TDSAI), and then to the Supreme Court.
13. 4. Consent and responsibility
GDPR:
The GDPR requires that you display a notice at the time of collecting the
personal data. Data controllers as well as the data processors may share the
responsibility of compliance.
DPDP:
Unlike the GDPR, the DPDP expects only the data fiduciary to be responsible for
everything, including their data processors. That’s because the data fiduciary,
in almost all cases, is the only one who gains from the data.
15. 5. Children’s data
GDPR:
Up to the age of 16, people are defined as children by the GDPR. Parental
consent is a must to process children’s data, except when providing
“preventive or counseling services directly to a child”.
DPDP:
People below 18 are defined as children. People with disabilities have been
placed in the same category as children when it comes to guardian / parental
consent. Data fiduciaries may not serve targeted ads to this category.
16. Summing up
Both the GDPR and the DPDP aim to protect people’s data.
Owing to several differences in geographies, precedents, and law structures,
the two laws are similar but not identical.
Compliance with one will make compliance with the other easier. But you
can’t take it for granted.