Digital Personal Data Protection Act 2023 vs GDPR: A Comprehensive Comparison
1. Introduction to DPDP Act 2023 and GDPR
The Digital Personal Data Protection Act (DPDP Act) 2023 establishes a new data protection framework in India. It replaces certain sections of the Information Technology Act, 2000, and aims to enhance data protection and privacy. The General Data Protection Regulation (GDPR), by comparison, is a pivotal regulation in the EU that focuses on protecting personal data and privacy rights. This article provides a detailed comparison of these two significant data protection laws.
2. Scope and Application
Both the GDPR and DPDP Act 2023 have broad scopes but differ in their approach to data protection. The GDPR focuses on protecting natural persons regarding the processing of personal data and the free movement of such data. The DPDP Act aims to regulate the processing of digital personal data while protecting individual privacy.
3. Data Processing and Stakeholders
The DPDP Act extends its reach to all personal data, unlike the GDPR, which differentiates between personal and sensitive data. The Act introduces terms like ‘Data Principal’ and ‘Data Fiduciary’, similar to GDPR’s ‘data subject’ and ‘data controller’, respectively.
4. Exemptions and Cross Border Data Transfers
The DPDP Act emphasizes supporting startups with specific exemptions and has a significant impact on cross-border data transfers. Unlike the GDPR, it allows international data transfers with minimal restrictions, pending governmental directives.
5. Consent and Data Processing Principles
Consent remains a crucial basis for data processing under both laws. The DPDP Act mandates stringent requirements for valid consent, mirroring the GDPR’s emphasis on informed and clear consent. However, the GDPR offers more legal bases for data processing than the DPDP Act, which is limited to “strictly defined consent” and “legitimate use.”
6. Children’s Data and Rights of Data Principals
Both regulations address children’s data processing, with the GDPR adopting a tiered approach based on member state regulations. The DPDP Act sets the age of consent at 18. Regarding data principal rights, both laws provide for access, rectification, erasure, and objection, but with differing conditions and extents.
7. Penalties and Enforcement
The DPDP Act and GDPR outline substantial penalties for non-compliance. The DPDP Act specifies a maximum fine of INR 250 crore, while the GDPR sets its highest fine at €20 million or 4% of global annual turnover. Both acts establish criteria for determining fines and offer various remedies for non-compliance.
8. Significant Data Fiduciaries and Appellate Authorities
The DPDP Act grants the government authority to designate ‘significant data fiduciaries’ with additional obligations. It also establishes the Data Protection Board of India for adjudication, in contrast to the GDPR’s European Data Protection Board.
The Digital Personal Data Protection Act 2023 marks a significant step in India’s data protection regime, though it differs from the GDPR in several aspects. The complete implications of the DPDP Act will become clearer once the Data Protection Board of India is established and further rules are defined.