
International: A comparative analysis of the GDPR and India's DPDPA

In this article, Arun Babu and Gayathri Poti, from Kochhar & Co., delineate the primary disparities between the Digital Personal Data Protection Act (DPDPA) and the General Data Protection Regulation (GDPR) from a business perspective, analyzing the rationale behind these distinctions and their practical implications.


Introduction

India marked a significant milestone in its data protection journey with the enactment of the DPDPA on August 11, 2023. The provisions of the DPDPA are yet to be enforced, and the Indian Government is expected to notify rules to enable implementation of the law in the coming months. The law, once it comes into force, will supersede the current data protection regulations prescribed under the Information Technology Act, 2000, which govern the processing of sensitive personal data such as financial information and health records. The DPDPA marks the inception of India's data protection framework, addressing a long-standing need in the country.

In contrast, Europe has been a frontrunner in championing data privacy regulations since the 1960s, with several European nations enacting laws to restrict the indiscriminate use of individuals' personal information. Notable initiatives by the Council of Europe in this regard include Resolutions 73/22 and 74/29, the Organisation for Economic Co-operation and Development (OECD) Guidelines on the protection of privacy and transborder flows of personal data, and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108). In May 2016, the European Parliament further solidified these efforts by enacting the GDPR to regulate the processing of personal data across the EU, with limited room for deviation among Member States.

While the GDPR prioritizes the absolute protection of individual privacy, the DPDPA seeks to strike a balance between the rights of data subjects and ease of compliance for businesses.


The comparison below is organized by category. For each category, the two laws are first compared and the practical implications are then analyzed.

Applicability

The GDPR is technology agnostic and applies to both digital personal data and non-digital personal data that is processed as part of a filing system. On the other hand, the DPDPA only applies to personal data in digital form or personal data that is initially non-digital but later digitized.

While the GDPR extends its reach to manual records such as hospital files, the processing of personal data in paper format is unregulated under the DPDPA. However, the DPDPA becomes applicable when paper-based records containing personal data are digitized.

Territorial scope

The GDPR applies to organizations in the EU if personal data is processed in the context of their activities, irrespective of whether the actual processing takes place in the EU. The GDPR also extends to organizations outside the EU if they process data in connection with the sale of goods or services to persons in the EU or where they monitor the behavior of persons located in the EU.

The DPDPA applies to: (i) organizations that process personal data in India; and (ii) organizations that process personal data outside India where the processing is connected to offering goods and services to persons in India. However, most provisions of the DPDPA are exempted if personal data of persons outside India is processed by an Indian data processor under a contract with a foreign controller or processor.

The territorial scope of the DPDPA is comparatively narrower than that of the GDPR. Unlike the GDPR, the DPDPA does not apply if data is processed outside India in the context of activities of an organization in India. Even where processing takes place in India, most provisions of the DPDPA are exempted if personal data of foreign individuals is processed by an Indian data processor under a contract with a foreign controller or processor. This exemption aims to reduce the compliance burden for India's offshore IT services industry. Conversely, the GDPR makes no such exemption and imposes obligations on controllers and processors within the EU, even when they process the personal data of individuals outside the EU.

Furthermore, unlike the GDPR, the DPDPA does not explicitly cover situations where foreign organizations monitor the behavior of individuals in India.

However, both the GDPR and the DPDPA are similar in so far as they are applicable to organizations that offer goods and services to persons in the EU and India respectively. It has been clarified that for the GDPR to apply in such instances, there must be a deliberate intent to offer goods and services to persons in the EU. Though further clarity is awaited from the Indian Government in this regard, it can be reasonably concluded that the DPDPA is likely to follow a similar approach and will only be applicable if there is a targeted offering of goods and services to persons in India.

Lawful basis for processing

Both the GDPR and the DPDPA permit processing based on consent, fulfillment of legal obligations and response to medical emergencies. However, there are divergent grounds present in each law. For instance, the DPDPA does not recognize 'legitimate interest' and 'performance of contract' as legal bases for processing but does permit processing for 'employment purposes' or where the data subject has voluntarily provided their personal data for a specified purpose (referred to as 'Voluntary Provision').

The omission of 'legitimate interest' as a processing ground under the DPDPA has sparked controversy. In the absence of legitimate interest, 'consent' would be the most suitable legal basis to process personal data. This could pose a challenge for many organizations given the stringent criteria for valid consent outlined in the DPDPA. Moreover, over-reliance on consent could potentially dilute consent conditions over time, thereby raising concerns about the erosion of privacy standards.

Consent

Consent requirements under the GDPR and the DPDPA are almost identical as both laws require consent to be free, specific, informed, and unambiguous with a clear affirmative action. Additionally, the DPDPA also requires consent to be 'unconditional.' The ease of granting and withdrawing consent must be the same under both laws and both laws require data controllers to be able to demonstrate that the consent granted is valid.

Where possible, organizations in the EU often opt to avoid relying on consent under the GDPR due to its stringent conditions. With India's consent criteria mirroring those of the EU and considering that the alternate grounds for processing are largely not relevant for businesses, navigating the consent requirements under the DPDPA would be quite a challenge for organizations. In fact, the DPDPA appears to go a step further by mandating that consent be unconditional. There is currently no clarity on what is meant by 'unconditional' consent and how it differs from the other characteristics of consent.

Notice

The GDPR upholds the principle of fairness and transparency by mandating controllers to provide data subjects with information regarding the processing of personal data, regardless of the legal basis for processing or the source from where personal data is collected. In contrast, the DPDPA relaxes this principle by stipulating that the provision of information to data subjects is only required if personal data is processed on the grounds of consent. In such cases, a notice for consent must be presented before or alongside a request for consent. Additionally, under the DPDPA, data subjects should have the option to access the notice and request for consent in English or any of the 22 languages specified in the 8th Schedule of the Constitution of India.

Both the GDPR and the DPDPA necessitate that notice should include information regarding the personal data collected and the purpose for processing. However, there are divergences in the additional information required by each law. For instance, the DPDPA requires notices to disclose information such as the way the data subject can withdraw their consent, the manner in which the data subject can raise a grievance before the data controller, and the manner in which the data subject can raise a complaint before the Data Protection Board of India (DPBI). However, the DPDPA does not expect data controllers to disclose in their notice certain categories of GDPR-mandated information such as information on the recipients of personal data and cross-border data transfers.

Unlike the GDPR, the DPDPA does not expect entities that process personal data on grounds other than consent to provide a notice to data subjects. Furthermore, a GDPR notice is more comprehensive, aiming for transparency and thoroughness in informing data subjects, while a DPDPA notice serves as a basic overview of processing activities, prioritizing awareness of data subject rights and enforcement procedures.

The leniency in notice requirements under the DPDPA contrasts sharply with the obligation to provide the notice in 22 languages (apart from English), which can be quite onerous, particularly for smaller entities. Moreover, this obligation might not be of much help to data subjects unfamiliar with English if the rest of the contents on the relevant website or digital application are made available only in English.

Personal data breach

Under the GDPR, only personal data breaches that are likely to pose a risk to individuals' rights have to be reported to the supervisory authority and such breaches have to be notified to data subjects only if they present a high risk to the rights and freedoms of individuals. On the other hand, the DPDPA mandates reporting of all personal data breaches, regardless of the severity of the breach, to both the DPBI and the affected data subjects.

The GDPR employs a risk-based approach to breach notification, with varying thresholds for notifying the supervisory authority and the data subjects. Minor breaches of low risk are not required to be reported under the GDPR. In contrast, the DPDPA lacks a risk assessment framework for breach notifications and imposes stricter requirements compared to the GDPR. The DPDPA's insistence on notifying data subjects of all breaches, including inconsequential breaches, could run the risk of breach fatigue where data subjects become indifferent to breach notifications.

Rights of the data subject

The GDPR grants data subjects a comprehensive set of rights, including the right to access, rectify, erase, port, restrict, or object to the processing of their data, irrespective of the lawful basis for processing. In contrast, data subject rights under the DPDPA are limited to the right of grievance redressal and the right to access, correct, complete, update, and erase personal data. The said rights are only available if data is processed on the grounds of consent or Voluntary Provision. However, the DPDPA does afford data subjects the universal right to nominate another individual to exercise their rights in case of: (i) their death; or (ii) their inability to exercise their rights as a result of mental or physical illness.

Unlike the GDPR, data subjects under the DPDPA possess a narrower array of rights and the availability of such rights is contingent upon consent or Voluntary Provision being the lawful basis for processing. Specifically, the DPDPA does not provide data subjects with the right to data portability or the right to object to the processing of their personal data. However, an additional right present in the DPDPA and absent in the GDPR is the data subject's right to nominate representatives to act on their behalf in the event of their death or if they are unable to exercise the rights themselves due to illness. Unlike other rights under the DPDPA, the right to nominate is available even when data is processed on grounds other than consent.

International data transfers

The GDPR permits international data transfers through the following mechanisms: (i) an adequacy decision in favor of the importing country; (ii) appropriate safeguards such as Standard Contractual Clauses and Binding Corporate Rules; or (iii) specified derogations such as grant of explicit consent from the data subject.

The DPDPA does not prescribe any specific restrictions or compliance requirements for international data transfer. However, the DPDPA permits the Government to restrict transfers to specific countries via notification, leaving data controllers free to transfer data to all other non-blacklisted nations.

The two laws adopt distinct approaches in determining the permissibility of cross-border data transfers. Under the GDPR, in the absence of an adequacy decision, organizations can justify cross-border data transfers only on the basis of appropriate safeguards or if the transfer falls under any of the specified derogations. The DPDPA, on the other hand, permits unrestricted data transfers to all countries except the blacklisted countries. The Government has, however, not issued any notification in this regard as of now.

Sensitive personal data

The GDPR identifies specific categories of data, such as racial origin, political opinions, and religious beliefs, as sensitive personal data. Processing such data is prohibited except under specified circumstances, such as explicit consent from the data subject or where processing is necessary for the data controller to establish or defend legal claims. In contrast, the DPDPA does not incorporate the notion of sensitive personal data. Without this distinction, there are no separate legal bases for processing potentially sensitive personal data under the DPDPA.

The absence of the concept of 'sensitive personal data' under the DPDPA alleviates the heightened requirements typically associated with the handling of sensitive personal data. The primary objective of this absence is to ease the compliance burden on smaller Indian controllers who process such data. Instead, the DPDPA empowers the Indian Government to designate certain classes of data controllers as 'significant data fiduciaries' if, amongst others, they handle sensitive personal data on a large scale. These significant data fiduciaries are subject to more stringent obligations. Therefore, while the DPDPA does not explicitly define or acknowledge sensitive personal data, the Indian Government can still ensure that larger companies extensively dealing with such data undertake additional measures to safeguard it. Apart from this, India also has sector-specific regulations that impose additional restrictions on the processing and storage of certain categories of data such as financial and insurance-related personal data.

Accountability requirements


The GDPR requires a controller or processor to appoint a data protection officer (DPO) and undertake a Data Protection Impact Assessment (DPIA) if, amongst others, their core activities consist of processing sensitive personal data or if they monitor data subjects on a large scale.

Under the DPDPA, only a 'significant data fiduciary' is required to appoint a DPO or undertake a DPIA. A 'significant data fiduciary' is a category of data controller notified by the Indian Government on the basis of an assessment of factors such as volume and sensitivity of personal data processed, risk to the rights of the data subject, and risk to public order as a result of the processing activities. A significant data fiduciary is also subject to other additional obligations which include the appointment of a data auditor to carry out data audits.

The concept of 'significant data fiduciary' is unique to the DPDPA. While the GDPR directly prescribes the conditions under which a controller has to appoint a DPO or undertake a DPIA, the DPDPA reserves the said obligations for data controllers designated as significant data fiduciaries. Essentially, the GDPR compels all entities, irrespective of their size, to appoint a DPO or conduct a DPIA if their processing activity meets the specified conditions, whereas the DPDPA expects an entity to appoint a DPO or conduct a DPIA only if it has been specifically designated as a 'significant data fiduciary' by the Indian Government.

Reportedly, one of the primary motives behind the introduction of the concept of a 'significant data fiduciary' is to impose additional obligations only on notified businesses, thereby easing compliance levels for smaller unnotified businesses involved in processing sensitive or large volumes of data.

It is also important to note that, unlike the GDPR, the duty to appoint a DPO or conduct a DPIA under the DPDPA does not extend to data processors.

Accuracy

The GDPR requires data controllers to ensure the accuracy of personal data at all times. In contrast, the DPDPA requires data controllers to ensure that personal data is accurate, complete, and consistent only if it is utilized to influence decisions that affect the data subject or if the data is disclosed to another controller.

The obligation to maintain the accuracy of personal data is significantly relaxed under the DPDPA. It is likely that the accuracy provisions have been made flexible to decrease the compliance burden on entities falling within the ambit of the DPDPA.

Automated decision making

The GDPR provides data subjects with the right not to be subject to a decision based solely on automated processing, including profiling, if it has a legal or significant effect on the data subjects. Although the DPDPA does not include a similar right, as stated above, it obligates a data controller to ensure the completeness, accuracy, and consistency of personal data if it is used to make a decision that affects the data subject.

Given the absence of any prohibition on automated processing under the DPDPA, organizations developing or utilizing artificial intelligence (AI) systems for automated decision-making are likely to find India to be a more conducive environment than the EU.


Security safeguards

Both the GDPR and the DPDPA contain similar provisions regarding the security measures to be adopted by entities processing personal data. Both laws mandate entities to implement technical and organizational measures and adopt reasonable security safeguards to prevent personal data breaches. However, while the GDPR extends this obligation to both data controllers and data processors, the DPDPA confines the obligation to data controllers. Nonetheless, the DPDPA explicitly requires data controllers to ensure that their data processors implement security safeguards to prevent the breach of personal data processed by such processors.

Under the GDPR, both the controller and the processor can be independently held accountable for failure to implement appropriate security safeguards. In contrast, the DPDPA holds the data controller responsible for the data processor's failure to implement security safeguards. Therefore, it is recommended that data controllers under the DPDPA be cautious while engaging data processors and obtain indemnity from processors in case of the processors' negligence in implementing reasonable security safeguards to protect the personal data processed by them.

Storage limitation

The GDPR imposes strict limitations on the storage of personal data, allowing it to be retained only for as long as is necessary for the purpose for which it was processed. This restriction is not applicable where personal data is processed for archiving, scientific, historical, or statistical purposes.

The storage limitation provisions of the DPDPA, however, only apply if the lawful basis for processing is consent. In such instances, the controller must erase personal data upon: (i) withdrawal of consent by the data subject; or (ii) if the data subject fails to contact the controller for the performance of the purpose for which their data is processed and fails to exercise their rights within a timeframe notified by the Indian Government (note that the specific timeframe has not been published as on the date of writing this article). However, erasure is not required if retention is mandated by other existing Indian laws.

While the GDPR's storage limitation principle is universally applicable without exception, the DPDPA reserves the retention mandate to situations where personal data is processed on the grounds of consent. Furthermore, the GDPR allows data controllers to subjectively determine the period for fulfilling the purpose for which data was processed. In contrast, under the DPDPA, where data is processed on the basis of consent, the purpose for processing data is deemed to be expired if the data subject does not contact the data controller for the performance of the purpose and exercise their rights within the timeframe notified by the Indian Government.

Penalties

The GDPR and the DPDPA empower their respective supervisory authorities to impose penalties or fines on entities that violate the said laws. Both laws require the authorities to consider factors such as the nature, gravity, and duration of the offense, the category of personal data affected, and the infringer's past record while determining the penalty amount. Additionally, the quantum of penalties under both laws depends on the nature of the offense.

For instance, under the GDPR, failure to undertake reasonable security safeguards may result in fines of up to 2% of the total worldwide annual turnover of the preceding financial year, while failure to comply with cross-border data transfer requirements could lead to fines of up to 4% of the total worldwide annual turnover. Similarly, the DPDPA specifies penalties of up to INR 2 billion (approx. $24 million) for failure to notify a personal data breach to the DPBI or affected data subjects and penalties of up to INR 2.5 billion (approx. $30 million) for failing to observe security safeguards.

Unlike the DPDPA, the GDPR grants affected individuals the right to seek compensation from the infringer for any material or non-material damage suffered due to the infringement.

In contrast to the GDPR, the DPDPA allows infringers to submit voluntary undertakings to the DPBI under which they agree to perform or refrain from performing certain actions, provided that such undertakings are made public. If a voluntary undertaking is accepted by the DPBI, no further proceedings will be initiated against the infringer.

While both laws impose substantial penalties to discourage violations, the DPDPA lacks a compensation framework for affected data subjects. The absence of the same could potentially discourage individuals from reporting violations to the DPBI, as they have no avenue for compensation.

Given the early stages of data protection compliance in India, the provisions enabling voluntary undertakings under the DPDPA could be useful for companies struggling with compliance and unintentional errors.

Processing children's personal data

Both the GDPR and the DPDPA mandate controllers to secure verifiable parental consent before processing the personal data of children. However, there are notable distinctions in the threshold for classification as a child. Under the DPDPA, a child is defined as any individual below the age of 18, while the GDPR classifies children as individuals below the age of 13 to 16, depending on member state discretion. Furthermore, the DPDPA grants the Indian Government the authority to exempt certain controllers from obtaining parental consent, while the GDPR does not contain any such exemption.

Additionally, unlike the GDPR, the DPDPA explicitly prohibits data controllers from engaging in processing activities that could potentially harm the well-being of a child and also prevents tracking, behavioral monitoring, or targeted advertising directed at children, unless exempted by the Indian Government.

Given that many countries, including EU member states, typically set a lower age threshold for defining children, multinational corporations may need to implement additional precautions and compliance measures while offering products and services to children in India.

Data processors

Both the GDPR and the DPDPA stipulate that controllers can engage processors only by way of valid contracts. While the DPDPA is silent on the contents of the contracts, the GDPR provides comprehensive guidelines on the information to be covered in such contracts.

Additionally, the GDPR imposes several obligations directly on processors, including the obligation to implement appropriate technical and organizational measures, notify the controller regarding personal data breaches, and, in certain cases, appoint a DPO. In contrast, the DPDPA does not impose any direct obligations on data processors. Instead, it holds controllers accountable for their processors' actions.

The absence of direct accountability for data processors under the DPDPA means that controllers must exercise extra caution while engaging processors. Any violation of the DPDPA by a processor could result in penalties for the controller. Therefore, it is advisable for controllers to conduct thorough due diligence on their processors and ensure that their data processing agreements are robust. These agreements should include detailed indemnity clauses, wherein the processor agrees to indemnify the controller for any penalties imposed on the controller due to the processor's actions.


Conclusion

While the GDPR and the DPDPA share some commonalities, they also exhibit significant differences. Understanding these distinctions requires delving into the underlying objectives of each regulation. The GDPR is primarily geared towards safeguarding individual privacy and prioritizing individual interests over corporate concerns. Consequently, businesses under the GDPR are expected to prioritize the protection of individual data, even if it entails considerable effort and costs. The EU's longstanding commitment to privacy compliance further facilitates the implementation of the GDPR, as many businesses were already familiar with data protection obligations prior to the enactment of the GDPR. Moreover, the GDPR's meticulous provisions leave little room for member states to exercise discretion in its interpretation and application.

In contrast, data protection obligations have been relatively unfamiliar to businesses in India, given the country's historical lack of robust privacy laws and low privacy standards in general. Consequently, the introduction of the DPDPA will mark a significant shift in attention towards privacy law compliance for businesses servicing Indian customers. Recognizing the potential impact on businesses, the DPDPA contains minimal compliance requirements in comparison to the GDPR. However, there are occasions where the DPDPA is stricter than the GDPR. For instance, the prerequisites for obtaining valid consent and the breach notification requirements are more rigorous under the DPDPA.

Notably, the DPDPA adopts a principle-based approach, delegating the finer nuances of its implementation to the Indian Government. While the Indian Government has the authority to establish rules on over 26 subject matters, including the manner to notify breaches and obtain verifiable parental consent, as of the time of writing this article, such rules have not been notified. Consequently, the practical implications of the DPDPA are yet to be fully realized.

Arun Babu Partner
Gayathri Poti Associate
Kochhar & Co., Bangalore
