India’s much-anticipated data protection law, the Digital Personal Data Protection Act, 2023 (DPDP), received Presidential assent on August 11, 2023, after passing both Houses of Parliament earlier that month. This marks a substantial departure from India’s previous data protection regime, which rested on Section 43A of the Information Technology Act, 2000 and the 2011 SPDI Rules: a relatively narrow, consent-centric set of obligations with limited consequences for non-compliance. The DPDP is set to overhaul that framework.
The DPDP emerges from the ongoing tension between respecting individuals’ privacy and enabling data processing by business entities. The Indian government has long recognized the need for a comprehensive, globally aligned data protection regime. This article gives an overview of the DPDP and draws comparisons with the European Union’s General Data Protection Regulation (GDPR).
The GDPR, adopted in 2016 and applicable since May 25, 2018, is widely regarded as the “gold standard” for data protection compliance and regulation. It is a complex regulation, but organizations that process EU residents’ data must understand and comply with it: non-compliance can attract fines of up to €20 million or 4% of global annual turnover, whichever is higher. The DPDP likewise provides for significant monetary penalties, of up to ₹250 crore per instance of breach.
The GDPR has been a pioneering force in advocating for individual privacy rights in a globalized world, so it is no surprise that the DPDP closely resembles it in several respects.
1. Treatment of Anonymized Data: Both the GDPR and DPDP distinguish between personal data and anonymized data, excluding the latter from their respective regulatory scopes.
2. Legitimate Data Processing Without Consent: Both legislations permit data controllers to process personal data without explicit consent in specific circumstances, subject to certain obligations.
3. Quality of Consent: Consent is a foundational principle in both the GDPR and DPDP, emphasizing that it should be free, specific, and informed. Additionally, both legislations require a legitimate purpose for processing personal data.
4. Significant Data Fiduciary: The DPDP introduces the concept of a significant data fiduciary, imposing additional obligations (such as appointing a data protection officer and an independent data auditor, and conducting periodic impact assessments) on entities notified on the basis of factors such as the volume and sensitivity of data processed and the risk to data principals. This is broadly comparable to the GDPR’s obligations on controllers engaged in high-risk or large-scale processing, such as mandatory DPO appointment and data protection impact assessments.
While the DPDP shares common ground with the GDPR, it also charts its own distinctive course.
1. Absence of Data Categories: Unlike the GDPR, which categorizes personal data into subsets with specific compliance requirements, the DPDP does not differentiate based on data types, applying its provisions uniformly to all personal data.
2. Applicability to Offline Data: While the GDPR encompasses offline data that is part of a filing system, the DPDP confines its applicability to digital or digitized data.
3. Notice Requirements: The DPDP mandates notice only when consent forms the basis for data processing, whereas the GDPR’s notice requirements extend to data collection from data subjects, irrespective of consent.
4. Contents of Notice: The DPDP prescribes specific elements that must be included in consent notices, facilitating data principals’ informed decisions. In contrast, the GDPR outlines a broader set of details to be provided to data subjects, encompassing various aspects of data processing.
5. Children’s Data: The DPDP places explicit restrictions on behavioral monitoring and targeted advertising aimed at children, backed by stringent requirements for verifiable parental consent. In contrast, the GDPR does not expressly prohibit such practices.
6. Grievance Redressal: Unlike the DPDP, the GDPR does not mandate data subjects to seek redress from data controllers before lodging complaints with regulatory authorities or courts.
7. Cross-Border Data Transfer: The DPDP takes a “negative list” approach. Transfers of personal data outside India are permitted by default, and the Central Government may by notification restrict transfers to specific countries or territories. The GDPR takes the opposite approach, imposing broader and more detailed conditions on transfers outside the EEA (adequacy decisions, standard contractual clauses, binding corporate rules and so on).
8. Data Breach Notification: The DPDP requires data fiduciaries to promptly notify both the Data Protection Board and affected data principals in the event of a data breach. In contrast, the GDPR mandates data subject notification only when a high risk to individuals is identified.
9. Consent Managers: The DPDP introduces the novel concept of “consent managers” registered with the Data Protection Board, acting as intermediaries for data principals to manage consents through accessible platforms. This concept is absent in the GDPR.
10. Voluntary Undertakings: The DPDP empowers the Data Protection Board to accept voluntary undertakings from entities facing non-compliance allegations. These undertakings may involve specific commitments, akin to deferred prosecution agreements, and constitute a bar to legal proceedings under certain conditions.
The DPDP is inspired by global best practices but has its own Indian twist. For example, it uses the term “data fiduciary” rather than “data controller” to emphasize the duty of trust that the processing entity owes to the individual. While it is similar to the GDPR in some ways, it also takes its own approach to data protection. Some have praised this approach as balanced and nuanced; others have criticized it for not going far enough to protect privacy rights. Opposition parties and human rights organizations have raised concerns about cross-border data flows, data localization and the breadth of the exemptions available to the State.
Earlier drafts of the law, the Personal Data Protection Bills of 2018 and 2019, required data fiduciaries to store a copy of personal data in India, with stricter rules for data categorized as sensitive or “critical”. The enacted DPDP drops this mandate in favour of the negative-list model described above, but the Central Government retains the power under Section 16 to restrict transfers to notified countries. Industry critics argued that localization would make it harder and costlier for companies to move data to other jurisdictions, such as the United States, whose data protection laws are less stringent.
The Act also allows the Central Government to exempt its instrumentalities from most of its provisions on grounds such as sovereignty, security of the State and public order (Section 17), and exempts processing carried out for the prevention, detection, investigation or prosecution of offences. The Act itself provides no judicial oversight of such access, which has raised concerns about the potential for government surveillance.
The Indian government has defended the Act, saying that it is necessary to protect the privacy of Indian citizens and to promote the growth of the digital economy. The government has also said that it will work with industry to address any concerns that may arise.
It remains to be seen how the DPDP will be implemented and enforced. However, it is clear that the Act has the potential to have a significant impact on the way that data is collected, processed, and used in India.
Here are some of the specific concerns that have been raised about the DPDP:
- Any data localization requirement imposed under the government’s transfer-restriction powers could make it more difficult for companies to operate in India and could lead to higher costs.
- The government’s broad exemptions from the Act could be used to support surveillance.
- The lack of clear definitions (for example, of what constitutes a “significant” data fiduciary, or the grounds on which transfer restrictions will be notified) could lead to uncertainty and legal challenges.
The Indian government has said that it will address these concerns through rules and guidance issued under the Act. However, it remains to be seen how effective these measures will be.
The data localization provision of the earlier drafts was the most contentious element of the debate that led to the Act. The 2018 draft bill required every data fiduciary to maintain “at least one serving copy” of personal data on a server or data center located in India.
Under that draft, the government could grant exemptions for specific categories of personal data and could also designate certain categories as “critical”, mandating their exclusive storage within India. In practice, this could have compelled prominent foreign internet intermediaries and services, including Facebook, Uber, Google, Twitter, Airbnb, Telegram, WhatsApp, and Signal, to physically host user data within India. The primary impetus behind the requirement appeared to be streamlining access for law enforcement agencies. The 2023 Act replaces this with the negative-list model, although the government retains the power to notify restricted destinations, so the underlying concern has not entirely gone away.
The second major concern with the Act lies in its exemptions for processing by the State in the interests of national security and law enforcement, including the prevention, detection, investigation and prosecution of offences. This broad authority potentially opens the door for the government to access and amass personal data on a massive scale, without any form of judicial oversight.
This poses a significant threat to the right to privacy in India, particularly given the limited safeguards against state surveillance. Any future localization mandate would exacerbate this issue: data held on Indian soil is more readily accessible to the State, which could enable tracking, monitoring and intimidation of Facebook and other social media users.
In conclusion, the success of the DPDP depends on several factors. Effective implementation and enforcement require a well-resourced and independent Data Protection Board of India. Public awareness and engagement are equally vital, and will require a sustained government campaign to educate citizens and encourage them to exercise their rights under the Act. Industry collaboration is also essential, with businesses responsible for meeting DPDP requirements and implementing the necessary data protection measures. If these elements come together, the DPDP can become an effective safeguard for the privacy of individuals throughout India.
K. K. Mookhey (CISA, CISSP) is the Founder & CEO of Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the field of cybersecurity and privacy. He has published numerous articles, co-authored two books, and presented at Blackhat USA, OWASP Asia, ISACA, Interop, Nullcon and others.