How does India’s new privacy law compare to GDPR?
The Journey So Far
The erstwhile regulatory framework governing data protection in India was fairly archaic, with laws primarily outlining basic data security requirements. This was governed by the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 formulated under the IT Act.
In 2017 the Indian Supreme Court issued a landmark judgement that established the right to informational privacy as a fundamental right of all persons. The Court also directed the Indian Government to enact a data protection law. An expert committee set up for this purpose by the Ministry of Electronics and Information Technology, and after some deliberations drafted the Personal Data Protection Bill, 2018 along with its report. A revised version of the 2018 bill was tabled in the lower house of the Indian Parliament on December 11, 2019. It is instructive to note that both the 2018 and 2019 versions were quite similar to GDPR – they borrowed concepts such as privacy by design, and legitimate purposes for data processing.
So, at least at the start, the intent in Indian law-making was to closely follow the global data protection standard, the GDPR. This would have the added benefit of (theoretically) making India a candidate for ‘adequacy’ rulings, something that its IT and BPO industry has craved for years. But this was not the only response the earlier 2018 and 2019 versions received.
The Backlash, and Backtrack
In early August 2022, almost exactly a year ago, news broke that the 2019 privacy bill had been formally withdrawn from Parliament by the Indian Government. It transpired that the bill was withdrawn due to opposition from digital business majors, civil society, and also from the Government’s own experts.
Data driven businesses in India were alarmed by restrictions on the use and export of Indian persons’ data in the 2019 draft law. Provisions that required compulsory localisation of undefined ‘critical data’, and provided for jail terms for certain breaches, proved predictably unpopular. The law went through a series of public consultation, and was referred to the Indian Parliament’s joint expert committee for their views. After extensive stakeholder consultations, in 2021 the committee recommended an overhaul of the draft bill – asking for 81 changes in a total of 99 provisions!
In the authors’ view, the 2018 and 2019 bills were likely unnecessarily complex and not a good fit for Indian regulatory aims; which are to promote business activity and economic growth. Concepts such as ‘privacy by design’, while laudable, are difficult to communicate and implement in a jurisdiction that is coming from a fairly low level of data regulation. In particular, the almost 100-sections long draft law did not fit into India’s stated aim of providing “ease of doing business” to companies.
The 2023 Act vs. GDPR
In November 2022 a much-simplified version of the privacy law was proposed, with comparatively simpler requirements pertaining to data localization, cross-border data transfers, and rights of data subjects. It was received much more positively by industry, for one. After a few tweaks based on public consultations, the DPDP was officially passed by the Indian Parliament in August 2023.
Here are seven (7) such areas of difference among the GDPR and DPDP:
1. The DPDP has wider scope: While the GDPR applies primarily to processing of EU data subjects’ data, the DPDP applies to processing of any data within India, or even abroad that has a connect to business activities in India. That said, a useful exemption has been provided to data of foreign subjects brought into India for processing as part of a contract, i.e., for BPO or IT outsourcing purposes.
2. For ‘Controller’, read ‘Fiduciary’: Obligations under the DPDP apply primarily to ‘Data Fiduciaries’, who are in fact defined very similarly to ‘Data Controllers’. ‘Data Fiduciaries’ alone or in conjunction with others determines the purpose and means of processing of personal data. (On a similar note, for Data Subject, read Data Principal.)
3. Legitimate Purposes vs. Legitimate Uses: The GDPR lists six (6) grounds for processing data, including consent, performing a contract, compliance with laws, legitimate interests, protecting life, and public interest. The DPDP’s legitimate uses are similar, but differ in significant ways; while similar in matters such as court proceedings, etc., they also allow processing for employment purposes or where data has been voluntarily provided.
4. No Special Categories of Data: Unlike earlier iterations of the bill, the final DPDP does not differentiate among data types based on sensitivity, criticality, etc. All data is protected in the same way as per the same procedures. The GDPR, of course, provides for protections for certain special categories of personal data, including racial or ethnic origins, trade union status, genetic and biometric data, etc.
5. Defining ‘Children’: Keep in mind that under the DPDP and Indian law in general, anyone below the age of 18 (eighteen) years is a child. The age varies among member countries who apply GDPR, but can be lower than this. This is important since processing children’s’ data is dealt with more strictly under the DPDP, with prohibitions around profiling and advertising.
6. Simpler Cross Border Transfers: GDPR allows transfer of EU subjects’ data overseas in fairly limited circumstances, including to jurisdictions holding the adequacy ruling as alluded to earlier, or SCCs. In theory, the DPDP places very few restrictions on transfers (data principal’s consent permitting); though this may change in the future as data transfer rules are framed.
7. Data Subjects’ Rights: Finally, it’s useful to keep in mind that the DPDP does not provide every right to its data principals, as is available to data subjects under GDPR; for example, a right against automated processing, or portability. In addition, certain rights under the DPDP can be exercised only with the help of the (forthcoming) Indian Data Protection Board.
How this affects Businesses:
The new DPDP is much more akin (in our view) to Singapore’s Personal Data Protection Act, 2012. That said, it is not completely alien to the GDPR either – a number of concepts such as processing under a legitimate interest (use) ground, data subjects’ (principals’) rights related to erasure, etc., are echoes of GDPR. But at the same time, there are a few important distinctions that are to be kept in mind. These are useful on a practice level as well, since they provide a good indication of the ‘delta’ change that one needs to carry out on GDPR policies and documents to make them match Indian DPDP.
Article provided by INPLP members: Vikram Jeet Singh and Prashant Mara (BTG Advaya, India)
Dr. Tobias Höllwarth (Managing Director INPLP)