Monday, September 30, 2024

The juxtaposition of Indian and European Union data protection laws

  • Territorial Realm

    The DPDPA applies not only to the processing of digital personal data that takes place within India but also to processing outside India; the latter, however, is limited to processing connected with offering goods or services to data principals in India. The GDPR, in addition to the above, applies to every entity outside the territory of the EU that specifically targets the EU market, establishing a commercial interconnect between global entities and member states. An intent to offer goods and services shown through the use of the language or currency of a member state, personalised advertising, or even the mere monitoring of EU data subjects falls within the threshold of such a commercial interconnect. This illustrates the broader sphere of the GDPR: every entity keen on entering the EU market has no alternative but to comply with it, which extends the scope of cross-border transactions in goods and services.

  • Scope of Personal Data

    While the DPDPA defines personal data as “any digital data about an individual”, the GDPR defines it as “any information relating to an identified or identifiable natural person.” The GDPR is therefore wider in scope, covering non-digitised data as well as data that is already publicly available, including sensitive personal data. The DPDPA is confined to private digital data and excludes all publicly available data.

  • Data Principal/Subject: Rights and Relief

    Both the DPDPA and the GDPR give data principals/subjects the right to access information about their personal data, to be informed in the event of a data breach, and to have the data they supplied erased or rectified. Each, however, also contains provisions unique to itself. The DPDPA adds a right to grievance redressal and a right of nomination in the event of the data principal’s death; the nominated individual may then exercise rights over the deceased principal’s data. The GDPR, meanwhile, provides for data portability, which enables the data subject to move their personal data across different IT platforms, along with the right to object to automated data processing and profiling.

  • Data Fiduciary/Controller

    The DPDPA introduces the new concept of a Significant Data Fiduciary (SDF), a specific class of data fiduciary designated by the Indian government. SDFs are identified on the basis of the volume and sensitivity of the data they process and possess and the risk associated with it, and they are classified separately because of their potential impact on security and public order. An SDF is required to appoint a Data Protection Officer and an Independent Data Auditor for periodic audit and compliance checks, and must also carry out periodic Data Protection Impact Assessments. The GDPR has no equivalent of the SDF; it does, however, recognise joint data controllers simpliciter, meaning two or more data controllers who share controllership and are bound by the general obligations of controllers.

  • Processing of data on children

    Unlike the DPDPA, the GDPR lacks additional safeguard obligations for the processing of children’s data, providing only two: parental consent and transparency of information concerning children. Although the DPDPA places unique responsibilities on data fiduciaries, the obligation to refuse processing solely on the basis of their own prediction or discretion that the processing may harm the well-being of the child is an unfeasible and superficial provision. A further difference is the age of majority, which is 18 years under the DPDPA; under the GDPR it varies by member state, although most set it at 16 years.

  • Cross-border data transfer: A conundrum

    Since the DPDPA is not yet in force, the Indian government has not yet notified any definitive transfer mechanisms under the much-awaited procedural rules and regulations. At present, the Act permits the transfer of personal data to any country in the world unless the Central government, by notification, restricts transfers to specified countries. The GDPR, by contrast, enforces stringent data transfer rules. The first is the execution of a transfer impact assessment (TIA) to ensure an adequate level of protection for personal data in the third country. In addition, the general corporate rules and international cooperation mechanisms bind the entity situated in the third country, which bears the onus of including the standard contractual clauses applied in the EU for data protection.

  • Consent manager: The unique proposition

    The DPDPA introduces the unique concept of the consent manager, who acts as a mediator and aggregator between the data principal and the data fiduciary. A consent manager is a person registered with the Data Protection Board of India (DPBI) and is empowered to manage the data principal’s consent in every respect through an interoperable platform. Further responsibilities are to be notified in the rules and regulations under the DPDPA. The GDPR has no concept of a consent manager. However, the DPDPA at present does not address (i) the contractual relationship and arrangements between data fiduciaries and consent managers; (ii) the roles, responsibilities and obligations of consent managers; or (iii) their capacity within the grievance redressal mechanism.

  • Data breach notification: Data fiduciary/controller

    The two components of data breach notification that differ between the obligations of a data fiduciary under the DPDPA and a data controller under the GDPR are (i) the severity threshold for a breach and (ii) the time frame stipulated for notification. Under the DPDPA, the fiduciary must inform the DPBI and the affected data principal of the breach, but the Act stops short of specifying a time frame for doing so. Under the GDPR, the data controller has 72 hours to inform the supervisory authority and the data subject of the breach; a low-risk breach that does not affect the rights and freedoms of a natural person, however, need not be reported.

  • Data breach complaint

    Both the DPDPA and the GDPR grant the right to lodge a complaint with the DPBI/supervisory authority when the data principal/subject demonstrates non-performance of obligations. Over and above this, the data principal under the DPDPA has the avenue of grievance redressal, which must be exhausted before the right to approach the DPBI is exercised. The grievance redressal mechanism is exclusive to the DPDPA, which requires every data fiduciary to set one up.

  • Penalty: Distinct methodology

    The penalties under the DPDPA and the GDPR follow fundamentally contrasting methodologies that depend on differing circumstances. Under the DPDPA, penalties of up to ₹250 crore are listed in a fixed schedule that varies according to the particular obligation infringed. Under the GDPR, an administrative fine of €10 million or €20 million may be imposed for an infringement, or the company must pay 2% or 4% of its global annual turnover for the preceding fiscal year, whichever is higher. The GDPR additionally mandates compensation for the data subject regardless of the nature of the damage, whereas the DPDPA will assess compensation according to the nature and gravity of the damage. Lastly, under the GDPR, infringements not subject to administrative fines are left to each member state to deal with individually. This is an unparalleled distinction between the DPDPA and the GDPR.

Source: Barandbench
