DPDP Act of India and GDPR of European Union – A Comparative outline

The Digital Personal Data Protection Act, 2023 (DPDP Act) in India and the General Data Protection Regulation (GDPR) in the European Union share several similarities in their goals and principles but also have key differences.

While the GDPR is well established and regarded as a gold standard among data privacy laws within the European Union, India's Digital Personal Data Protection Act was established only recently, in 2023. The DPDP Act will take some time to be implemented well across the nation and to evolve gradually into a robust framework.

Here’s a comparison highlighting the main differences between DPDP and GDPR:

1. Scope and Applicability

GDPR: Applies to all organizations processing personal data of individuals within the EU, regardless of where the organization is located.

DPDP Act: Applies to the processing of digital personal data within India and covers data fiduciaries and processors within the country. It also applies to data collected offline but digitized for processing.

2. Data Protection Authorities

GDPR: Establishes independent supervisory authorities in each EU member state, collectively forming the European Data Protection Board (EDPB).

DPDP Act: Establishes the Data Protection Board of India to oversee and enforce the Act’s provisions.

3. Consent

GDPR: Requires explicit, specific, informed, and unambiguous consent for data processing. Consent must be freely given.

DPDP Act: Also requires explicit consent but places a significant emphasis on the need for specific and clear consent. Consent withdrawal mechanisms are emphasized.

4. Data Principal Rights

GDPR: Grants extensive rights to data subjects, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object.

DPDP Act: Provides similar rights, including access, correction, erasure, data portability, and grievance redressal. However, the specific implementations and procedures for exercising these rights may differ.

5. Data Protection Officers (DPO)

GDPR: Requires the appointment of a DPO for public authorities and for organizations engaged in large-scale systematic monitoring or processing of sensitive data.

DPDP Act: Requires significant data fiduciaries (determined based on criteria such as volume and sensitivity of data processed) to appoint a Data Protection Officer.

6. Cross-Border Data Transfers

GDPR: Allows data transfer to countries outside the EU that have been deemed to provide adequate protection by the European Commission. It also allows transfers using appropriate safeguards, such as standard contractual clauses or binding corporate rules.

DPDP Act: Permits cross-border data transfers to countries with adequate protection as recognized by the Indian government and requires appropriate safeguards for transfers to other countries.

7. Penalties and Enforcement

GDPR: Imposes significant penalties for non-compliance, up to 4% of global annual turnover or €20 million, whichever is higher.

DPDP Act: Also includes penalties for non-compliance, but the specific amounts and enforcement mechanisms differ from the GDPR.

8. Exemptions

GDPR: Allows exemptions for data processing for national security, law enforcement, and certain other public interest purposes but under strict conditions.

DPDP Act: Provides exemptions for national security, law enforcement, and public

9. Grievance Redressal

GDPR: Allows individuals to lodge complaints with supervisory authorities and provides a structured process for redressal.

DPDP Act: Establishes a grievance redressal mechanism through the Data Protection Board of India, ensuring timely resolution of complaints.

10. Amendments to Existing Laws

GDPR: Is integrated within the broader legal framework of the EU and requires alignment with member states’ national laws.

DPDP Act: May lead to amendments in existing Indian laws to ensure comprehensive data protection.

While both GDPR and the DPDP Act share common principles of data protection and privacy, they differ in their regulatory approaches, enforcement mechanisms, and specific provisions tailored to their respective jurisdictions.