
Global Competitiveness of Indian Data Privacy Laws: Evaluating the Digital Personal Data Protection Act, 2023, in the Context of GDPR and Cross-Border Data Flows


Author: Sanya Jain, Uttar Pradesh State Institute of Forensic Sciences.


Abstract

In recent times, use of the Internet has escalated remarkably. It delivers excellent services to individuals, Internet sites, and multimedia platforms, and conspicuously involves individuals' personal information, which includes name, contact information, and real-world behaviour. Data privacy matters because if data falls into malicious hands, it can ruin the reputation of an individual, business, or government agency. India has made a trend-setting move in the form of the Digital Personal Data Protection Act, 2023, which was approved by the President of India on 11th August 2023 and then gazetted. Although the DPDP Act, 2023, has been enacted, there remains doubt as to whether the law in India is consistent with the GDPR and facilitates cross-border transfers. Although the DPDPA is a landmark step towards giving legal status to digital privacy in India, it also shows major gaps when compared with the GDPR. Its new features, such as Consent Managers and Significant Data Fiduciaries, are very promising; however, they must be implemented in a robust manner. Closing these lacunae is important in order to meet international norms, facilitate global interoperability, and increase India's role as an engine of the digital economy.


Keywords

Data Privacy Laws, Digital Personal Data Protection Act (India), GDPR (General Data Protection Regulation), Cross-Border Data Flow.


Introduction

Data is defined as a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form or stored internally in the memory of the computer. Privacy, meanwhile, is defined as the right to be let alone; the right of a person to be free from any unwarranted publicity; the right to live without any unwarranted interference by the public in matters with which the public is not necessarily concerned.

By 2023, India had the biggest data market in the world, with more than 800 million internet users, and was fast developing into a global IT services outsourcing centre. The IT and BPM sector, which has a pivotal role in the global digital economy, is expected to grow to US $227 billion in 2025, NASSCOM estimated. Nevertheless, growing reliance on digital ecosystems has raised data privacy concerns, which have been intensified by a number of high-profile data breaches. For instance, the breach of Aadhaar in India in 2018 revealed the weaknesses in the Indian data protection mechanism.

Globally, regulatory standards such as the General Data Protection Regulation (GDPR) of the European Union have set the norms for privacy law. The regulation puts forward the principles of data minimization, purpose limitation, and strict penalties. Since cross-border data transfer is an integral part of cross-border trade and cooperation, a nation's ability to enforce legislation in line with international standards is of particular importance. India's newly enacted Digital Personal Data Protection Act, 2023 (DPDPA) is an important step forward, but its provisions need to be analyzed in terms of their capacity to meet global standards of competitiveness and adequacy for international partnerships.


How much does India's Digital Personal Data Protection Act, 2023, resemble international standards, e.g., GDPR; and what is missing in it to facilitate cross-border data flows?

This article compares the Digital Personal Data Protection Act of 2023 with the corresponding international guidelines, such as the GDPR. It examines the effectiveness of the law in realizing India's vision as a global leader in the digital space, driving the seamless exchange of data across borders.

Closing the loopholes in India's data privacy law will allow India to build trust as a secure and stable data storage centre, attract foreign capital, enhance economic collaboration, and guarantee compliance with international trade laws so as to enable adequacy decisions under European data protection laws such as the General Data Protection Regulation (GDPR).

Under the Srikrishna Committee's draft, the 'right to be forgotten' is defined differently, as the right to restrict or prevent continuing disclosure of personal data. In Justice K.S. Puttaswamy v. Union of India (2017), the Supreme Court of India acknowledged that privacy is a fundamental right. Subsequently, in the case of People's Union for Civil Liberties (PUCL) v Union of India, the Hon'ble Supreme Court clearly held: "We have, therefore, no hesitation in holding that right to privacy is a part of the right to 'life' and 'personal liberty' enshrined under Article 21 of the Constitution."


Literature review

The current state of the art is analyzed in order to clarify the effect of the DPDP Act, especially with respect to the balance between the DPDP Act and international standards, such as the GDPR, and its applicability to cross-border data transfers. The increasing reliance on big data analytics has raised substantial concerns regarding individual privacy and the legal frameworks that govern data protection. With the entry into force of the DPDP Act, those goals are brought into line, with protective measures similar to those implemented through the GDPR.

Comparative Analysis of Data Protection Laws: A significant body of research has focused on the enforcement of data protection laws across different jurisdictions. Houser and Voss (2018) highlight the weaknesses in US privacy statutes, especially in light of the Cambridge Analytica situation, and stress the imperative for US companies to reformulate their business strategies so as to conform with GDPR requirements. This adaptation is particularly important for India, since it has to implement the DPDP Act, raising issues about its compatibility with GDPR requirements and about how to apply the GDPR to cross-border use of data (Houser & Voss, 2018). Additionally, Harding et al. (2019) compare the California Consumer Privacy Act (CCPA) and the GDPR, implying that both regulatory frameworks are part of a broader movement toward more restrictive data privacy legislation. This trend is of importance to India in the process of drafting its data privacy laws and actively working to make sure they are in line with international best practice (Harding et al., 2019).

Cross-Border Data Flows: The background of the DPDP Act, however, is an issue of much discussion concerning the consequences for cross-border data flows. Recent work has pointed to both bottlenecks in data flow and economic effects due to data protection policies at a country level. These findings highlight the need for a decision that takes into account, on one side, economic and privacy consequences and, on the other side, the law's objective of international data transfers. Technological innovations have been proposed as solutions to enhance cross-border data privacy and accountability with respect to data sharing.

Work on consent and transparency in data processing also points out the necessity of legally compliant procedures for obtaining consent, an important component of the DPDP Act. This work also aids India's efforts to establish targeted consent frameworks that are centred on the right of the individual to privacy. Moreover, the ethical issues of data management in the health care setting as raised by Kirschner et al. (2014) are in tune with the DPDP Act principles. Data privacy law has always posed problems, both for professionals and for lawmakers. A comparative approach can guide India on how such data protection legislation should be structured with regard to health data management (Greenleaf, 2014).

A major knowledge gap concerns the detailed operationalization of the DPDP Act in real life. Empirical research is needed to explore the DPDP Act's capability in safeguarding personal data and its adherence to international best practices. Additionally, given that India is aiming to become a global digital economy powerhouse, there is a demand for further research on the implications of the cross-border provision of data, which includes artificial intelligence and machine learning. One of the key challenges in building an innovative, yet secure, datalink ecosystem will be figuring out how these technologies affect data privacy regulations.

The coming into effect of the DPDP Act, 2023 will be a pivotal step in India's evolution towards a strong data protection culture. By bringing its laws in line with global standards such as the GDPR, India can provide enhanced individual privacy safeguards and at the same time boost data transfer across national boundaries. Future research should address knowledge gaps, improve the understanding of compliance strategies and ensure protection of privacy in an evolving digital world.


Methodology

Research Design

The present study adopts a qualitative and comparative design to analyze how far the Digital Personal Data Protection Act of India, 2023, is consonant with international standards, for example the General Data Protection Regulation (GDPR). The article attempts to take stock of the presently applicable legal and regulatory frameworks, interdisciplinary critical writings, and policies so as to understand the possible effects of the Act on the internationalization of data flows (as restricted cross-border flows) into the Indian digital economy.


Research involves

Primary: Legislative framework, including the DPDPA 2023, and main legal instruments, namely the GDPR.

Secondary: Research articles; expert reports by think tanks such as Data Security Council of India (DSCI), Centre for Internet and Society (CIS), and privacy laws of EU and CCPA.


Data Collection

Data for the study was collected through:

Documentary Analysis: Legal texts, official documents and international conventions (e.g., GDPR, DPDPA).

Secondary Literature Review: Peer-reviewed journal articles, policy papers, and industry reports.

Case Studies: Significant data breaches from high-profile cases in India (e.g., Aadhaar) and GDPR-framing enforcement cases.


Tools used include

Legal databases such as SCC Online and Manupatra, used for Indian case law.

Online repositories for international legal texts and scholarly articles (e.g., JSTOR, HeinOnline).


Data Analysis

Thematic Analysis: Themes identified and characterized, e.g., individual's rights, state waivers, and enforcement procedures.

Comparative Analysis: Measured contrasts and commonalities between the DPDPA and the GDPR with respect to their effect on cross-border data transfers and regulatory standards.

Critique of Gaps: Highlighted deficiencies of DPDPA based on benchmarks defined by GDPR and other international regulatory frameworks.


Results

The following passages from the Digital Personal Data Protection Act, 2023 (DPDPA) show the role that the Act could play in elevating India's standing in the global digital economy, while also showing where the Act needs to be improved to bring India in line with global standards as exemplified by the General Data Protection Regulation (GDPR).


Extraterritorial Scope

Similarly to the GDPR, the DPDPA applies extraterritorially to the processing of digital personal data outside India when that processing relates to individuals in India. This extends India's regulatory reach globally. Although it illustrates India's will to protect the personal data of its citizens abroad, it may create practical difficulties in enforcing compliance across borders.


Legal Basis for Data Processing

The DPDPA relies mainly on consent as the basis for data processing, with supplementary provisions for certain justified data processing uses (e.g., legal compliance, employment and emergency).

Strengths: The consent requirement is rigorous, demanding that consent be informed, free and clear, which is commensurate with the GDPR's requirements.

Limitations: The absence of bases like “contractual necessity” or “legitimate interests” (provided under GDPR) restricts operational flexibility for businesses.


Data Principal Rights

The Act confers certain rights, such as data access, data correction and data erasure, along with special provisions such as grievance redressal and the nomination of representatives in case of death or incapacitation.

Strengths: These features enhance transparency and accountability.

Challenges: Key rights provided by the GDPR, like data portability and restriction of processing, are not available, thus restricting the capacity of individuals to assert control over their data.


Cross-Border Data Transfers

Data can be moved to most countries, except those which are specifically prohibited by the Government of India, under the DPDPA.

Strengths: This flexibility reduces bureaucratic barriers to international data flow.

Concerns: The government's power to impose limitations on specific countries risks creating unpredictability, which can affect global collaboration.

Significant Data Fiduciaries

The Government may categorize some entities as Significant Data Fiduciaries on the basis of the volume and sensitivity of the data they handle.

Advantages: This provision ensures greater scrutiny of high-risk entities.

Challenges: For startups and small businesses, it can be hard to scale up because of enhanced compliance requirements if they fall into this category.


| S. No | Issue | Does GDPR cover this? | Does DPDP cover this? | Gap |
|---|---|---|---|---|
| 1. | Personal Data | Yes | Yes | The DPDPA applies only to “digital personal data”, whereas the GDPR applies to personal data even if that data is non-digital. In addition, personal data that is made publicly available is exempt from DPDPA obligations. |
| 2. | Sensitive / Special Category Data | Yes | No | No additional compliance obligations will need to be undertaken to comply with the DPDPA. GDPR-compliant controllers are likely to meet the requirements under the DPDPA, as a higher degree of protection is offered to “special categories of personal data” under the GDPR. |
| 3. | Data Controller | Yes | Yes | Minimal difference |
| 4. | Significant Data Fiduciary (SDF) | No | Yes | The DPDPA identifies a class of data fiduciaries as SDFs based on the aforesaid parameters, and applies additional obligations to those SDFs. There is no equivalent concept under the GDPR. |
| 5. | Data Processor | Yes | Yes | Minimal difference |
| 6. | Consent Manager | No | Yes | There is no equivalent concept under the GDPR. (Consent managers are entities registered with the Data Protection Board under the DPDPA and act on behalf of data principals to review, provide, manage, and withdraw consent.) |
| 7. | Processing Children’s Data | Yes | Yes | The DPDPA prescribes additional obligations with respect to processing children’s data. It is also pertinent that the relevant age of the child varies under the GDPR and national EU Member State law and UK law implementations (i.e., 16 years or less) and the DPDPA (18 years). |
| 8. | Privacy Policy Disclosures | Yes | Yes | The GDPR provides a more detailed set of requirements regarding notice. |
| 9. | Consent | Yes | Yes | Minimal difference |
| 10. | Legal Obligation | Yes | Yes | Minimal difference |
| 11. | Public Health Emergency | Yes | Yes | Minimal difference |
| 12. | Public Interest | Yes | Yes | Minimal difference |
| 19. | Legitimate Interest | Yes | No | The DPDPA does not recognise the equivalent exemption for legitimate interests for processing without consent. |
| 20. | Employment | No | Yes | The GDPR does not have the equivalent “employment” legal basis for processing. |
| 21. | Transfer Mechanism | Yes | No | Subject to additional guidance in the form of rules from the Indian government, the DPDPA does not provide for specific transfer mechanisms. |
| 22. | Right to Be Informed | Yes | Yes | The disclosures provided under the DPDPA need to be made according to and upon the request of the data principal, while under the GDPR, specific information must be disclosed before the collection of personal data or within a specific time frame in case of indirect data collection. |
| 23. | Right of Access | Yes | Yes | Minimal difference |
| 24. | Right to Erasure | Yes | Yes | Minimal difference |
| 25. | Right to Object to and Restrict Processing | Yes | No | The DPDPA does not provide specific instances in which data principals may object to, or restrict, the processing of personal data. |
| 26. | Right to Data Portability | Yes | No | Not provided for in the DPDPA |
| 27. | Right to Withdraw Consent | Yes | Yes | Minimal difference |
| 28. | Right to Grievance Redressal | No | Yes | Under the DPDPA, data fiduciaries will need to have in place a grievance redressal mechanism and redress grievances as per the guidelines issued thereunder. |
| 29. | Right to Nominate | No | Yes | The GDPR applies only to living individuals; there is no ability for data subjects to authorise another person to make data subject requests on their behalf after the data subject’s death. |


Analysis

The contrast between the GDPR and the DPDPA illustrates India's changing awareness of data protection and reveals important gaps that must be closed for India to be globally interoperable.

Scope and Applicability

Although the GDPR covers all personal data, the DPDPA is limited to digital personal data, and excludes publicly available and non-digital data. This narrower scope limits comprehensive data protection.

Special Categories of Data

The DPDPA does not set out separate classes of sensitive data, in contrast with the GDPR, which provides a stronger level of protection for them. This gap diminishes the security of the most sensitive information, including health and biometrics.

Innovative Provisions

The DPDPA introduces concepts, such as Significant Data Fiduciaries (SDFs), and Consent Managers, which are pertinent to the Indian digital ecosystem. However, their effectiveness depends on robust implementation.

Children’s Data and Privacy Policies

The higher age limit for children's data in India (18 years) is inconsistent with the 16 years in the GDPR, which adds further complexity to compliance.

Individual Rights

Fundamental GDPR rights, including data portability, objection, and restriction of processing, are not available in the DPDPA, which constrains user control. On the other hand, the DPDPA introduces new rights such as grievance redress mechanism and nomination to cater to local requirements.

Cross-Border Data Transfers

The GDPR offers unambiguous transfer mechanisms, whereas the DPDPA is based on "government approved jurisdictions", an approach that risks blocking international data flows.

Practical Impacts

The unavailability of a "legitimate interests" provision in the DPDPA limits flexibility for business, while the inclusion of "employment" as a legal basis accommodates India's employment-oriented economy.


Implications for India

The DPDPA's light compliance burden may promote domestic implementation, while falling short of the GDPR's full protections. Closing these deficits is critical to India's vision as a global digital power.

1. Interpretation

India's Digital Personal Data Protection Act, 2023 (DPDPA) is a step towards the regulation of digital data privacy, which is a result of growing digital rights awareness. Nevertheless, its narrower scope compared with the GDPR, as well as the dependence of enforcement on governmental discretion, weakens its strength. The exclusion of publicly available data and the absence of rights such as portability and objection render it less comprehensive.

2. Comparison

Numerous countries, Japan and South Korea among them, have put in place data protection frameworks that match the adequacy standard and are now recognized under the GDPR. This makes the international transfer of data much smoother for these countries. The DPDPA as it stands, with no provision for cross-border transfer and no legal basis of legitimate interest, will only serve to drive foreign investment away from India.

3. Implications for India

Alignment with the GDPR is needed for India to remain competitive in the IT and outsourcing sectors. In particular, provisions on cross-border data flow are of great importance because they underlie global partnerships and global trade. Furthermore, filling the gaps can improve India's reputation as a safe and trustworthy data hub, supporting the ambitions for Digital India.

4. Limitations

It is not known how far the DPDPA in its entirety can accommodate new technologies emerging on the ground (e.g., artificial intelligence or the Internet of Things). Moreover, since the law was only recently promulgated, there is a scarcity of empirical evidence regarding its enforcement and effectiveness, which makes it very difficult for us to make long-term predictions with empirically grounded confidence.


Conclusion

India's DPDPA is a worthwhile contribution toward more comprehensive data privacy regulation, for example by providing rules for Significant Data Fiduciaries and Consent Managers. Nevertheless, the legal framework does not meet global standards such as the GDPR, especially with respect to broad safeguards and cross-border data transfer mechanisms.


Recommendations

Amend the DPDPA to scale back state waivers and enhance scrutiny.

Develop bilateral or multilateral agreements for the uncontested and secure cross-border transfer of international data.

Extend coverage to include legitimate interest, sensitive data, and all categories of personal data for comprehensive protection.

Future Research

Examine the industry-specific impact of the law, particularly in e-commerce and fintech, where data is relevant.


References 
  1. Arjun Goswami, Varun Mehta & Yashika Sachdeva, Data Protection, Cyril Amarchand Blogs, https://corporate.cyrilamarchandblogs.com/category/data-protection/

  2. Linklaters, India: The Digital Personal Data Protection Act, DigiLinks Blog, https://www.linklaters.com/en/insights/blogs/digilinks/2023/august/india-the-digital-personal-data-protection-act

  3. India: Key Features of the Digital Personal Data Protection Act, DataGuidance, https://www.dataguidance.com/opinion/india-key-features-digital-personal-data-protection

  4. Latham & Watkins LLP, India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison (Dec. 2023)

  5. Economic Laws Practice, Data Protection & Privacy Issues in India (Sept. 2023)

  6. Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India)

  7. Information Technology Act, 2000, No. 21 of 2000, § 2(1)(o) (India)

  8. Garner, B. A. (Ed.). (2014). Black's law dictionary (10th ed.). Thomson Reuters.

  9. NASSCOM. (2019). IT-BPM sector in India 2019: Decoding digital

  10. Aadhaar data leak | Personal data of 81.5 crore Indians on sale on dark web: report. (2023, October 31). The Economic Times.

  11. European Union. (2016). General Data Protection Regulation (GDPR). Official Journal of the European Union

  12. Puttaswamy v. Union of India, (2017). Supreme Court of India. 10 SCC 1

  13. People’s Union for Civil Liberties (PUCL) v Union of India (2015) 8 SCC 735 

