2. Differences between GDPR and DPDP Act


1. Preface

The EU's General Data Protection Regulation (GDPR) is often referred to as the 'gold standard' of personal data protection and has been in effect for more than five years. In August 2023, India enacted the long-anticipated Digital Personal Data Protection Act, 2023 (DPDP Act). Although the DPDP Act is less detailed than the GDPR in many respects, it marks a key milestone in India's effort to regulate the processing of digital personal data. This article compares the GDPR and the DPDP Act in areas such as the obligations of processing entities, children's data, breach reporting, and cross-border data transfer. Two terminology notes: what this article calls a 'data trustee' is the DPDP Act's 'Data Fiduciary' (the counterpart of a GDPR controller), and the DPDP Act calls the individual a 'Data Principal' (the counterpart of a GDPR data subject).
With the new law on the books, organisations have begun preparing to comply with the DPDP Act. Multinational corporations that already comply with the GDPR are particularly interested in where the two regimes differ. One such difference is profiling: the DPDP Act neither defines profiling nor restricts it, except in the context of processing children's data, whereas the GDPR defines profiling and sets out a framework for it, including the obligation to inform the data subject that they are being profiled and, for decisions based solely on automated processing, the right not to be subject to such decisions.

2. Differences between GDPR and DPDP Act

2.1. Classification of Personal Data

According to the GDPR, one type of personal data is known as 'special categories of personal data', which includes sensitive information about individuals, such as data related to race or ethnic origin, political opinions, and religious or philosophical beliefs, among others.
Processing personal data of special categories requires additional compliance requirements, especially regarding the legal basis available for processing such special categories of personal data.
In contrast to the GDPR, the DPDP Act applies to all digital personal data without classifying any of it as sensitive or critical. Consequently, the DPDP Act has no separate compliance standards for different types of personal data, and a single, uniform standard applies to every category of personal data.

2.2. Classification of Data Trustees

The GDPR does not differentiate between categories of data controllers (its counterpart of the DPDP Act's data trustees, i.e. data fiduciaries) when setting out compliance obligations; the same obligations apply to every controller.
The DPDP Act, on the other hand, allows the central government to designate certain data trustees as 'Significant Data Fiduciaries' on the basis of prescribed factors, such as the volume and sensitivity of the personal data processed and the risk to the rights of data principals (the DPDP Act's counterpart of data subjects under the GDPR). Significant Data Fiduciaries carry additional obligations beyond those of ordinary data trustees, including appointing a Data Protection Officer (DPO) based in India, appointing an independent data auditor, and carrying out periodic data protection impact assessments and audits.

2.3. Obligations of Data Processors

Under the GDPR, data processors are subject to direct compliance requirements, such as implementing appropriate technical and organisational measures to protect the rights of data subjects. Fines can be imposed on processors as well as controllers, and the degree of responsibility of each is one of the factors taken into account when setting the fine.
The DPDP Act does not impose direct obligations on data processors. Responsibility rests with the data trustee, who must ensure compliance for any processing carried out by it or on its behalf by a data processor. That said, just as the GDPR requires controllers and processors to enter into a data processing agreement, the DPDP Act requires that a data trustee engage a data processor only under a valid contract.

2.4. Notification Requirements

The GDPR requires a more comprehensive privacy notice than the DPDP Act, to be provided to the data subject before or at the time their personal data is collected. The notice must cover, among other things, any transfer of personal data to third parties, the contact details of the data controller, and the retention period of the personal data.
The DPDP Act requires a notice to the data principal only when the legal basis for processing is consent. The notice must describe the personal data sought and the purposes of processing, the manner in which the data principal can exercise their rights (including withdrawal of consent) and seek grievance redressal, and the manner in which the data principal can complain to the Data Protection Board of India. In addition, the data principal must be given the option to access the notice and the consent request in English or any of the 22 languages listed in the Eighth Schedule to the Constitution of India. This translation obligation is intended to ensure that the data principal can readily understand what processing of their data entails and give genuinely 'informed' consent.

2.5. Consent Managers (new concept)

Although both the GDPR and the DPDP Act recognise the individual's consent as one of the legal bases for processing personal data, the DPDP Act introduces the new concept of a 'consent manager', for which the GDPR has no equivalent. A consent manager is an entity registered with the Data Protection Board that acts as a single point of contact enabling data principals to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.

2.6. Age of Children

Another significant difference between the DPDP Act and the GDPR is the age below which an individual is treated as a child. Under the GDPR, consent for information society services can be given only by individuals aged 16 or over (member states may lower this threshold, but not below 13). The DPDP Act, by contrast, defines a child as an individual under the age of 18, in line with the age of majority under Indian law generally. The DPDP Act further empowers the central government, where it is satisfied that a particular data trustee processes children's data in a verifiably safe manner, to notify a lower age above which that trustee is exempt from some of the child-specific obligations. This difference creates operational complexity, since different consent mechanisms, including verifiable parental consent, may be needed across jurisdictions.

2.7. Reporting Personal Data Breach

The GDPR takes a risk-based approach to personal data breach notification, whereas the DPDP Act sets no such threshold. Under the GDPR, a breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects, and affected data subjects must be informed only where the breach is likely to result in a high risk to their rights and freedoms.
The DPDP Act, by contrast, requires every personal data breach to be notified to the Data Protection Board and to each affected data principal, without any risk threshold. The form and manner of notification are left to be prescribed by rules, so further clarification on timelines and content is expected. This also raises operational challenges, because a breach reporting framework already exists in India under the directions issued by the Indian Computer Emergency Response Team (CERT-In) and by various sectoral regulators, and organisations will need to reconcile these parallel reporting obligations.

2.8. Right to be Forgotten and Right to Deletion

Under the GDPR, the right to erasure is also known as the right to be forgotten. Data subjects can exercise this right subject to certain exceptions, such as where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
The DPDP Act grants data principals the right to erasure of their personal data unless retention is necessary for the specified purpose or for compliance with the law. It is noteworthy, however, that the High Courts of various Indian states have taken divergent views on the right to be forgotten, with some, including the Delhi High Court, the Karnataka High Court, and the Orissa High Court, recognising it as part of the right to privacy.

2.9. Appointment of DPO

Both the GDPR and the DPDP Act regulate the appointment of DPOs. Under the GDPR, both the controller and the processor must appoint a DPO in certain situations, such as where the processing is carried out by a public authority (other than a court acting in its judicial capacity), or where the core activities of the controller or processor consist of large-scale processing of special categories of data or of regular and systematic monitoring of data subjects. The GDPR also specifies the qualifications the DPO must have.

By contrast, the DPDP Act requires only Significant Data Fiduciaries to appoint a DPO, and the Act in its current form says nothing about the qualifications the DPO must have.

2.10. Data Protection Impact Assessment

Under the GDPR, supervisory authorities may publish lists of processing operations that require a data protection impact assessment (DPIA). Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out a DPIA taking into account prescribed factors. A DPIA is in any case required for certain operations, such as systematic and extensive profiling that produces legal or similarly significant effects, or large-scale processing of special categories of data or of data relating to criminal convictions.
Under the DPDP Act, only Significant Data Fiduciaries must carry out a DPIA, and they must do so periodically. The DPIA is to cover the rights of data principals, the purposes of processing, an assessment and management of the risks to data principals, and such other matters as may be prescribed. The Act does not, however, specify which processing activities trigger a DPIA or how it is to be conducted, and until rules fill that gap this lack of detail, unlike the GDPR's more prescriptive regime, may increase the compliance burden.

2.11. Cross-border Transfer of Personal Data

The GDPR provides several mechanisms for cross-border transfer of personal data: transfers may be made on the basis of an adequacy decision, standard contractual clauses (SCCs), binding corporate rules (BCRs), or other specified safeguards and derogations. Subsequent judicial decisions, such as the Court of Justice of the EU's Schrems II judgment, have also been crucial in setting the standards these mechanisms must meet.
The DPDP Act takes the opposite approach: personal data may be transferred to any other jurisdiction unless the central government, by notification, restricts transfer to a particular country or territory on the basis of specified factors.
It must be emphasised, however, that where other laws, including sectoral laws, impose stricter requirements on cross-border transfers (for example, data localisation requirements), those laws continue to apply and must be observed. For entities regulated by sectoral regulators, the compliance burden for cross-border transfers therefore remains essentially unchanged.

2.12. Compensation for Affected Individuals

Under the GDPR, any individual who suffers material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor. The DPDP Act provides no such compensation for affected data principals. In the absence of a statutory compensation right, affected individuals in India will have to seek civil remedies under other existing laws for any harm caused to them by a personal data breach.

2.13. Penalties for Individuals

The GDPR imposes no penalties on data subjects; its penalties and sanctions apply to organisations (controllers and processors) that fail to comply with its provisions. The DPDP Act, by contrast, imposes certain duties on data principals, such as not impersonating another person, not suppressing material information when providing personal data, and not registering false or frivolous complaints or grievances. A data principal who breaches these duties may be fined up to 10,000 Indian rupees (approximately 120 USD).

2.14. Right to Data Portability

Unlike the GDPR, the DPDP Act does not provide for a right to data portability. Although this right was included in the Personal Data Protection Bill, 2019 (which was withdrawn in 2022), it does not appear in the DPDP Act as enacted.

2.15. Right to Opt-Out/Withdrawal

Under the GDPR, a data subject may withdraw consent at any time, and withdrawal must be as easy as giving consent; in addition, the GDPR grants a right to object to processing carried out on the basis of legitimate interests or a public task, and an unconditional right to object to processing for direct marketing. The DPDP Act likewise allows a data principal to withdraw consent at any time, with the ease of withdrawal required to be comparable to the ease with which consent was given, after which the data trustee must cease processing within a reasonable time unless retention is required by law; the consequences of withdrawal are borne by the data principal. The DPDP Act does not, however, provide a general right to object to processing that rests on the Act's non-consent grounds ('legitimate uses'), so entities relying on those grounds face no equivalent of the GDPR's right to object.

3. Summary

Although the GDPR and the DPDP Act share a common goal, the two laws take markedly different approaches. The GDPR is relatively prescriptive, whereas the DPDP Act sets out basic principles and leaves many implementation details to rules to be notified subsequently. This approach can provide flexibility and adaptability as the regime evolves, but it also means that several obligations (breach notification, DPIAs, children's data, cross-border restrictions) cannot be fully operationalised until those rules are issued.
Entities already required to comply with the GDPR will need to make adjustments to comply with the DPDP Act. As the law comes into force, companies should carefully assess the additional groundwork required and adapt their practices to align with the new Indian framework.
