“India’s Digital Personal Data Protection Act, 2023 vs. the GDPR: Divergence, Convergence, and the Future of Cross-Border Data Regulation”



ABSTRACT

The Digital Personal Data Protection Act, 2023 (DPDPA) is a vital recent advancement in India’s data security landscape, meant to safeguard personal data while furthering innovation and ease of doing business. This research paper compares the DPDPA with the EU General Data Protection Regulation (GDPR), looking at areas of convergence (user consent, obligations on data holders, and rights of individuals) as well as differences in scope, enforcement mechanisms, and data localization requirements. By identifying these similarities and differences, the study evaluates the implications for cross-border data flows, regulatory interoperability and international cooperation. The research further assesses how the Indian framework aligns with trends in the global data regime and which challenges arise for multinational organizations operating across jurisdictions. Ultimately, it provides insight into the future trajectory of data regulation across different countries and the potential to harmonize digital privacy standards at the global level.

KEYWORDS: 

Digital Personal Data Protection Act, General Data Protection Regulation, Data Privacy, Data Processing, Restrictions

INTRODUCTION 

Facebook collects a wide range of personal information, including personal photos and videos, personal preferences and much else, as well as the profiles of the individuals we follow. Such platforms should apply stringent data safety measures, give users options to manage their data preferences and erase unnecessary user information. Data privacy is a global concern, as it is necessary to ensure that organizations handle and process user data in a transparent manner. Data privacy protects the interest of individuals in keeping their information private and protected.

This Act was drafted and passed by the Indian Parliament. Its main objective is to protect individuals’ personal information and to allow data to be processed for a valid and related purpose in a way that does not leak the user’s personal data. This applies to all regions of India and has been collected recently or recently. Meanwhile, the GDPR applies wherever data is collected from people in the European Union. Those who break the rules face strict penalties. The main objective of this research paper is to find out where India’s law and the GDPR align, where they differ, and what this means for the global data regime and cross-border data flows.

RESEARCH METHODOLOGY 

The study is a comparative one, and the research draws on secondary sources, aiming at a thorough analysis of India’s Digital Personal Data Protection Act, 2023 vis-à-vis the General Data Protection Regulation (GDPR) of the European Union. Journals, articles, and websites are among the secondary sources used for the research.

OVERVIEW OF THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

The Act protects digital data provided by individuals for a specific purpose (i.e. data by which a person may be identified) by providing for:

  • The responsibilities of data custodians (such as individuals, organizations, or government bodies) for data handling (such as gathering, storing, or any other activity involving personal information).
  • The obligations and rights of Data Principals (i.e., the individual to whom the data pertains)
  • Monetary sanctions for infringement of rights, obligations, and duties.
  • Creation of the Data Protection Board of India.

What is Data?

“As stated in Section 2(h) of the Digital Personal Data Protection Act, 2023, the term ‘data’ encompasses a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.” 

What is Personal Data?

 “According to Section 2(t) of the Digital Personal Data Protection Act, 2023 “personal data” means any data about an individual who is identifiable by or in relation to such data.”

What is Injury to Personal Data or Personal Data Breach?

“Injury to Personal Data” means the fraudulent processing of personal data, or the accidental disclosure, recording, sharing, use, alteration, destruction, or loss of access to personal data, as inferred from Section 2(u) of the Digital Personal Data Protection Act, 2023.

Why do we need the ‘DPDP Act, 2023’?

The law aims to secure people’s personal data and information, prevent the misuse of personal data, and regulate cybercrime. The Act is intended to address the digital processing of personal data. It recognizes not only the right to secure one’s information but also the relevant legitimate purposes for processing it. The growth of India’s digital economy, together with the rise in cybercrime and data breaches, has made it clear that strict data protection regulation is urgently needed. Furthermore, the Supreme Court’s 2017 decision clearly shows the need for this law.

THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

The bill was passed by the Indian Parliament in 2023. Its purpose is to protect individuals’ personal data and regulate how companies and governments use it. The DPDP Act is a federal law in India that governs the processing of the digital personal data of its citizens. The law aims to strike a balance between the need to process personal data for various purposes and the right of individuals to control and protect it.

Like many data protection regulations around the world, the Digital Personal Data Protection Act, 2023 is extraterritorial in scope: it applies to organizations operating inside and outside India where goods or services are offered to people in India and personal data is processed as a result. The law provides a legal basis for data processing, but consent is required for many processing activities. The Digital Personal Data Protection Act of 2023 began as a draft. On January 18, 2023, the government released the Digital Personal Data Protection Bill, 2022 for public consultation, and it later approved a revised version of that draft, published as the Digital Personal Data Protection Bill, 2023.

KEY FEATURES:

1. Applicability: Applies to data collected online, or collected offline and later converted into digital form. It also applies to the processing of personal data outside India if the processing is for providing goods or services in India.

2. Consent: Personal data can only be processed for a valid reason after obtaining a person’s consent through a clear and transparent notice. The notice should provide information about the type of personal data to be collected and the purpose of its processing. For persons under 18 years of age, consent will be given by their parents or legal guardians.

3. Data Fiduciaries’ Obligation: A Data Fiduciary is any person or organization that determines the purpose and methods of processing personal data. Data custodians must:

• Put proper security safeguards in place to prevent a data breach.

• Inform the Data Protection Board of India and the affected persons in case of a breach.

• Erase personal data as soon as the purpose is met.

4. Data Protection Board of India: The Central Government established a body called the Data Protection Board to oversee and regulate data protection in the country.

Important functions:

• Monitoring of compliance and implementing punishment.

• Directing data fiduciaries to take necessary measures in the event of a data breach.

• Listening to complaints made by affected persons.

GENERAL DATA PROTECTION REGULATION (GDPR)

The General Data Protection Regulation (GDPR) took effect in the European Union in 2018.

As per Article 4 (1) of GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’), an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, online identifier or one or more specific physical, physiological, genetic, mental, economic, cultural or social identity-related factors of that natural person”. 

A “personal data breach” is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data which is transmitted, stored or otherwise processed (Article 4 (12) GDPR).

The goals of the GDPR are to:

 • Give control of citizens’ and residents’ data back to them.
• Streamline the regulatory climate for international business by having a uniform regulation in the EU
• Protect personal data from unapproved access, use, disclosure or destruction.

Geographical scope as per Article 3 of GDPR:-

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether or not the processing is carried out within the Union. The Regulation also applies to the processing of personal data of people who are in the Union by controllers or processors not established in the Union, where the processing relates to:

1. The supply of any goods or services, whether or not a charge is made, to such persons in the Union; or

2. The monitoring of their behaviour within the Union.

The Regulation further applies to the processing of personal data by a controller who is not based in the Union, but in a location where Member State law is applicable by virtue of public international law.

As stated in Article 6 the legitimate uses are:
• When the data subject has provided consent for processing his or her personal data,
• To satisfy a data controller’s contractual obligations, or for activities at the request of a data subject in the course of entering into a contract,
• To satisfy a data controller’s legal obligations,
• In order to safeguard the essential interests of a data subject or other individual,
• For the administration of justice or in the exercise of official authority,
• For the legitimate interests of a data controller or another, except where the interests of the data subject or her or his rights under the Charter of Fundamental Rights override them, particularly in the case of children.

KEY FEATURES:

  1. Lawfulness, fairness, and transparency: data must be processed in a lawful, fair, and transparent manner.
  2. Purpose limitation: the purpose of collecting data should be clearly defined and justified, ensuring that it serves a specific and legitimate objective.
  3. Data minimization: collect only the data essential for the purpose.
  4. Accuracy: data must be accurate and up to date.
  5. Storage limitation: data should be kept in a form that permits identification of individuals for no longer than is necessary for the purposes of processing.
  6. Integrity and confidentiality: ensure the data remains private and protected by security measures.
  7. Accountability: take full responsibility for all processing activities.

CONVERGENCE: Where the DPDP Act and GDPR are similar

The GDPR and the DPDP Act are both comprehensive data protection laws that share a few similarities as follows:

• Both provide individuals with various rights over their personal information, including the right to access, erase and object to the processing of their data.
• Organizations handling personal data are subject to certain obligations, including the need to implement adequate security measures and inform the appropriate supervisory authority in case of a data breach.
• Both have measures for enforcement and consequences for those who do not follow the rules.
• Both laws reach beyond national boundaries, i.e. regardless of its physical location, a company responsible for managing citizens’ data must ensure its safety.
• Both the European Union and India have their own independent data protection authority: the European Data Protection Board (EDPB) in the European Union and the National Data Protection Authority (NDPA) in India.
• Both laws offer specific safeguards for children’s data.
• Both laws prioritize the consent of the individual and limit the processing of data to only what is necessary.

DIVERGENCE: Where the DPDP Act and GDPR differ

The DPDP Act and the GDPR also have some major, clear differences, as follows:

• Territorial scope: The GDPR applies to all organizations that handle the data of individuals living in the European Union, whether the organization is based in the European Union or not. The DPDP Act applies to all organizations that handle the data of individuals living in India, whether the organization is based in India or not.
• Categories of data: The GDPR includes special categories of personal data that can only be processed for specified purposes, and so distinguishes between personal data and sensitive personal data. The DPDP Act applies uniformly to all forms of digital personal data and treats all personal data alike. There are no additional restrictions on handling sensitive personal data or important personal data.
• Transfers abroad: The GDPR imposes more stringent conditions on the transfer of personal data outside the European Union. The DPDP Act has more lenient requirements for the transfer of personal data outside India.
• Legal bases: The GDPR allows processing on the basis of legitimate interest, contractual agreements, legal obligations, etc. The DPDP Act places more emphasis on obtaining consent, with fewer alternative bases for processing.
• Government access: Indian law provides extensive exemptions to the government for national security, law enforcement and other matters, which raises concerns about civil liberties. The GDPR applies more rigorous procedures to government access.
• Regulators: The GDPR requires autonomous, adequately funded supervisory authorities. India’s Data Protection Board lacks autonomy and clarity on its enforcement powers.
• Penalties: The GDPR imposes substantial fines (up to €20 million or 4% of total revenue generated worldwide). India’s penalties are capped and more limited in scope.


Cross-Border Data Transfers

As per Article 4 (23) of the GDPR, ‘cross-border processing’ means either:

A. Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or

B. Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

The movement of personal information outside the European Union is governed by stringent rules set out in the GDPR. Transfers are permitted to countries considered to provide adequate data protection, or through mechanisms such as standard contractual clauses or binding corporate rules. In contrast, the DPDP Act allows the Central Government to restrict the transfer of personal data to specific countries or regions outside India. The Act’s approach is considered less rigid than the GDPR’s, emphasizing the government’s discretion in deciding which jurisdictions are considered safe for data transfers.

Although both laws prioritize consent and individual rights, the DPDP Act restricts these rights primarily to access and erasure, neglecting important aspects such as data portability and objection. Additionally, the GDPR guarantees a significant level of transparency and legal accountability, while India’s law gives the executive more sweeping powers, raising concerns about oversight and the possibility of misuse.

In terms of cross-border data flows, this difference in approach could undermine India’s chances of obtaining an adequacy decision from the European Union, which may have implications for Indian companies handling European data. However, India’s model may be attractive to developing countries that are looking for a balance between digital progress and privacy. In the future, the global data protection landscape is expected to become more fragmented unless a unified framework or bilateral agreements emerge. Legal experts and policymakers are grappling with important questions about sovereignty, digital rights and the future of the global data regime, especially in a world where geopolitical competition over digital intelligence and data flows is becoming more prominent.

What Are the Compliance Challenges for GDPR and Indian DPDP Act?

For businesses working in the European Union

This can be a challenge as the two laws have several different requirements.

For businesses working in India

This can be a challenge for businesses that are not familiar with Indian data protection laws.

THE GLOBAL FUTURE: Moving towards Convergence or Fragmentation

Both laws are built on a common foundation: obligations on data controllers or fiduciaries to ensure transparency and accountability, consent-based data processing, and user-centred rights such as access and erasure. Nevertheless, substantial differences persist. The GDPR takes a broader and more rights-oriented approach, including detailed provisions on lawful processing and data minimization, and strong institutional mechanisms such as the European Data Protection Board. In contrast, the DPDP Act prioritizes simplicity and ease of compliance, and provides extensive exemptions for government processing and fewer procedural safeguards. In addition, the GDPR imposes strict penalties and requires data localization only in some cases, while India’s DPDP Act involves more centralized executive oversight based on specific conditions and more flexibility on cross-border transfers. These variations suggest that although the principles overlap to some extent, actual implementation varies from one jurisdiction to another. As a result, the current global data protection landscape shows a trend towards fragmentation, although shared principles indicate the possibility of gradual harmonization in the future through international cooperation and mutual adequacy agreements.

SUGGESTIONS FOR STRENGTHENING DPDP ACT

1. Increase regulator autonomy: Convert the Board into an independent body akin to TRAI/SEBI.

2. Include more data rights: Add the rights to portability, objection and restriction of processing.

3. Clarify cross-border rules: Introduce adequacy-based assessments with public consultation.

4. Introduce a privacy-by-design mandate: Make DPIAs and DPOs mandatory for high-risk processing.

5. Build sectoral guidelines: Develop detailed sector-specific rules for finance, health, etc.

6. Ensure legal redress and deterrence: Strengthen the complaint system with timelines and penalties.

CONCLUSION

While the DPDP Act marks a significant milestone in India’s digital evolution, it remains less comprehensive and rights-focused than the GDPR. India must move towards a more robust data protection framework by embedding constitutional values, strengthening institutional safeguards, and harmonizing with global standards. The future lies in balancing innovation, ease of doing business, and individual privacy rights.

Submitted by Ananya Aggarwal

College: KCC Institute of Legal and Higher Education


