In 2016, the United Nations Conference on Trade and Development published a report titled “Data”. The report ultimately found that, while there is significant diversity in data protection laws around the world, there is also a remarkable degree of harmonization and coherence around the core data protection principles in international and regional guidelines; the only real differences lie in the diverse implementation procedures. The Digital Personal Data Protection Act (DPDPA) represents a crucial legal framework established to protect individuals’ personal data and privacy rights in an increasingly digital and interconnected world, with provisions that govern data handling, storage, and privacy practices.
The report further argues that there are eight core principles of data protection: openness, collection limitation, purpose specification, use limitation, security, data quality, access and correction, and accountability. These core principles appear in some form in all of the key international and national data protection regulations.
Reflecting this observation, on 11 August 2023 the Indian Digital Personal Data Protection Act 2023 received presidential assent and was published in the official gazette. The date of enforcement is yet to be announced. Reading the provisions of this act, it is evident that it has been formulated to achieve a harmonized and uniform approach to data protection compliance. This article dives deep into the provisions of the DPDPA 2023 and explains how the act aligns with other internationally reputed privacy legislations such as the GDPR and the CCPA.
Consonance in connotations:
According to Thomas Cottier, harmonization is defined as the adoption of single and uniform norms for all participating jurisdictions concerned. This in turn creates a level playing field and removes barriers to trade. In the case of the DPDPA 2023, the key definitions of the act are likewise harmonized with the GDPR and the CCPA, and in most cases even the wording used in the act replicates the tone and intention of the other two regulations.
For instance, under the DPDPA 2023 the term personal data is defined as any data about an individual who is identifiable by or in relation to such data. Put simply: any data which identifies a person amounts to personal data. The same core idea is reflected in the GDPR, where Article 4(1) defines personal data as any information relating to an identified or identifiable natural person. It is also reflected in the CCPA, which additionally describes information that identifies, relates to, describes, or is reasonably capable of being associated with or linked to a particular consumer as personal information.
Apart from personal information, the other common terms, including data processor, data breach, processing, etc., have been drafted in the same manner, and in certain cases the use of identical wording makes compliance with the DPDPA 2023 easier for entities already familiar with the other regulations.
Uniform compliance requirements:
In Justice B.N. Srikrishna’s committee report titled “Protecting Privacy, Empowering Indians”, the honorable justice advocates that nation-states should strive towards harmonization of rules in order to create an enforcement regime that provides for effective information sharing.
In line with this suggestion, the new DPDPA 2023 has practically abolished the concept of data localization in most cases and ensures the free flow of data transfers subject to proper compliance requirements. This attitude of ensuring free-flowing data transfer is adopted from the GDPR. The ultimate intention of the GDPR is to enable the free transfer of personal data among EU countries, and mechanisms such as adequacy decisions ensure that data is transferred without procedural barriers, on the precondition that the data is protected as if it remained within the European Union.
In the Indian act, this concept is taken further: entities are free to transfer personal data without any restrictions (subject to other sector-specific laws), with the single exception that transfers to blacklisted countries are restricted.
According to Article 32 of the GDPR, in cases of large-scale processing of sensitive data, high-risk processing affecting large populations, etc., conducting a proper DPIA is paramount.
The provisions of the CCPA likewise mandate a risk assessment when processing sensitive personal data or in similar circumstances.
In the case of the DPDPA 2023, even though the act does not provide a separate category for sensitive personal data, section 10 of the act designates certain data fiduciaries as significant data fiduciaries. The factors that determine such designation include similar conditions: the sensitivity of the personal data, its volume, etc.
So rather than mandating a DPIA for every entity, the DPDPA categorizes a class of data fiduciaries as significant and subjects them to additional compliance requirements, including appointing a DPO, conducting DPIAs, periodic audits, etc.
Rights of Data Principals:
Chapter III of the DPDPA empowers data principals with four rights:
- Right to access
- Right to erasure and correction
- Right to grievance redressal
- Right to nominate
Apart from the right to nominate, the other three rights originate from existing regulations such as the GDPR and CCPA. This is evident from the Justice Srikrishna report, which carries out a comparative analysis of all such rights and meticulously explains their origin and the existing issues in exercising them.
Incorporation of core data protection principles:
The table below maps the interconnection and harmonized inheritance of the 8 core principles into the provisions of the DPDPA 2023, showing how the uniformity of these principles has been inspired by existing regulations such as the GDPR and CCPA.
| No. | Principle | DPDPA 2023 | GDPR | CCPA |
|---|---|---|---|---|
| 1. | Openness | Data fiduciaries shall provide proper notice about their data processing activities. | Transparency is one of the principles relating to the processing of personal data. | Not explicitly mentioned in the act, but business entities are obliged to provide adequate information about all the personal information collected. |
| 2. | Collection limitation | Data shall be collected through consent or for legitimate uses. | Personal data shall be collected by consent or on another basis such as legitimate interest, vital interest, contractual obligation, public interest, etc. | Mandatory notice shall be provided before the collection of consumer data, and the notice must list all the categories of personal information collected. |
| 3. | Purpose specification | The notice under section 5 states the purpose for which personal data is collected. | Art. 5(2) stipulates that personal data shall be collected for a specified, explicit and legitimate purpose. | Notice shall be provided at the point of collection describing how the information will be used. |
| 4. | Use limitation | A data fiduciary is obliged to process personal data for the specified purpose, and once that purpose is fulfilled the personal data shall be deleted (see illustration II of section 7(a)). | Article 5 requires that processing of personal data shall not be incompatible with the specified purposes. | A business entity shall not collect additional categories of personal information or use personal information for additional purposes that are incompatible with the disclosed purpose for which it was collected. |
| 5. | Security | The data fiduciary shall implement appropriate security safeguards to prevent a personal data breach. | Article 32 mandates that the level of security measures implemented shall be appropriate to the anticipated risk and suggests measures including pseudonymization. | Security and integrity are key principles under the CCPA, denoting the ability of the business to detect security incidents. |
| 6. | Data quality | Section 12 empowers data principals to update and complete incomplete data. | Under Article 16 data subjects can complete incomplete data by filing a supplementary statement. Further, accuracy is a key principle under Article 5. | Upholds accuracy by enabling consumers to correct inaccurate personal information. |
| 7. | Access and correction | The right to access and the right to correction are enshrined in Chapter III of the act. | Article 15 and Article 16 ensure the right to access and the right to rectification. | Consumers have the right to correct inaccurate personal information and the right to access personal information. |
| 8. | Accountability | Under the general obligations, the data fiduciary is obliged to comply with the provisions of the DPDPA. | Article 24 mandates appropriate technical and organizational measures to demonstrate compliance with the GDPR. | Under the general duties, the business shall implement reasonable security procedures and practices to ensure compliance. |
In a recent interview, the Indian information technology minister Rajeev Chandrasekhar mentioned that large technology firms such as Netflix, Dell, Amazon, etc., which already comply with global privacy laws such as the GDPR, will be given only 6 months to comply with the DPDPA 2023, whereas every other entity will be given a minimum 12-month grace period. The substantial difference in grace periods showcases the intention of the legislation’s creators. It is therefore safe to assume that complying with the DPDPA 2023 is inherently easier for an entity that already complies with international privacy laws such as the GDPR.