The Digital Personal Data Protection Act 2023 (DPDP) is India’s flagship personal data protection legislation, and it is widely expected to impact India in the same manner that was seen when the General Data Protection Regulation (GDPR) was legislated in 2016.

Several corporates and organisations have headquarters in the European Union and subsidiaries or joint ventures in India. One aspect they need to evaluate is whether their current processes and systems are enough to comply with the DPDP, or whether they need to adopt additional safeguards. In this context, it is critical to analyse certain areas where the DPDP introduces stricter compliance requirements than the GDPR.

Category of personal data: The DPDP does not provide a special category of data, or distinguish between personal data and sensitive personal data, unlike the GDPR and even the DPDP’s predecessor, the SPDI Rules, 2011 (under the Information Technology Act). This means that the same security measures are required for every category of data, irrespective of whether it contains personal information (such as names, addresses, etc.) and/or sensitive personal information (such as passwords, biometrics, financial data, etc.).

Processor’s role and penalties: Under the GDPR, a processor is responsible for its own actions, i.e. should any action by the processor result in a breach of personal data, the processor is held liable and subject to monetary penalties. However, under the DPDP, only the data fiduciary is liable to the regulator (the Data Protection Board), and any bilateral claims between the data fiduciary and the data processor are to be addressed under the data processing contractual agreement. This implies that the data fiduciary’s compliance burden and liability for fines are higher than the data processor’s under the DPDP. Consequently, the data fiduciary will need to ensure that the contractual terms safeguard the fiduciary in the event of a failure or lapse at the processor’s end.

Data transfer: Under the GDPR, data transfer outside Europe can be completed on the basis of an EU Adequacy Decision, Binding Corporate Rules, or Standard Contractual Clauses. Under the DPDP, cross-border transfer is permitted except where it is to a restricted country, or where the entity is regulated by a sectoral law that restricts data transfer. This means entities will need to evaluate the sectoral laws impacting their business, and standard contractual clauses are not a basis for transferring data overseas.

Child data: Under the GDPR, a child is defined as an individual between 13 and 16 years of age. However, under the DPDP, an individual below the age of 18 years is defined as a child. The DPDP prescribes a higher degree of compliance: data fiduciaries are prohibited from processing child data for behavioural monitoring or targeted advertising, and from undertaking any processing that may have a detrimental effect on the child’s well-being. Further, when processing child data, data fiduciaries need to obtain verifiable guardian or parental consent.

Breach notification period: The GDPR requires that the relevant businesses notify a data breach without undue delay, and in no case later than 72 hours after becoming aware of it. Section 70B of the Information Technology Act mandates that information security incidents be reported within six hours of the entity noticing the incident or being informed of it. One will need to wait for the rules to see whether they prescribe a different timeline.

Penalties: Depending on the nature of the breach, the GDPR prescribes penalty slabs, i.e., €10-20 million or 2-4 per cent of a company’s turnover, whichever is higher. The DPDP provides a maximum penalty amount for each breach under the law. These slabs are maximum amounts; depending on factors such as the nature, gravity and duration of the breach, the nature of the personal data affected, and whether actions were taken to mitigate the impact of the breach, the penalty imposed can be lower than the maximum prescribed.

When implemented along with its rules, the DPDP is expected to trigger significant changes in the existing privacy practices adopted by businesses operating in India. Given the differences between the GDPR and the DPDP, entities that are GDPR compliant need to evaluate their policies, processes and systems to comply with the provisions of the DPDP.

Dhama is Partner and Kaushal is Manager, Deloitte Touche Tohmatsu India LLP