The world is changing its pace in the blink of an eye. The digital landscape is rapidly evolving, and undoubtedly, one thing that has caught everyone’s attention in the past few years is data. Personal information has transformed into an irreplaceable treasure, now taking top priority in the realm of safeguarding. But do we have a solution to safeguard our data?

While global leaders have initiated discussions and made pivotal decisions to protect our information, India has stepped up to join this collective effort. The Indian parliament passed the Digital Personal Data Protection Act in August 2023. The Act outlines a framework for handling digital personal data that respects both individuals’ rights to safeguard their information and the necessity to process such data for legitimate purposes, along with related or incidental matters.

India earlier had the Personal Data Protection Bill, 2019 (PDPB), but it was withdrawn for several reasons. The initial bill seemed to favor commercial concerns at the expense of national security: it lacked directives for localizing data, offered no clear framework for managing sensitive information during international transfers and omitted essential criteria for social media platforms.

Additionally, Forbes India reported, “There are concerns that the Bill, now being tabled in Parliament, gives the government blanket powers to access citizens’ data.” These issues resulted in the new DPDPA.

DPDPA Vs. GDPR

The DPDPA in India and the General Data Protection Regulation (GDPR) in the European Union stand as paramount pillars in the global mission to ensure the security of personal data. While both regulations share the objective of safeguarding data, a closer look reveals both similarities and distinctive features that define each framework. Let’s look at both of them in detail.

The DPDPA has introduced a new concept called “deemed consent,” which has since been narrowed down to what Section 7 of the Act calls “certain legitimate uses.”

In simpler terms, this means that companies or data custodians may process an individual’s personal information for the explicit purpose for which the individual willingly shared it, unless the individual has expressly withheld consent for such use. Because companies might misinterpret this term, it is necessary to spell out what it covers.

Let’s understand this with examples.

1. Consent Requirements

• DPDPA: An e-commerce platform can acquire users’ consent for marketing emails through an opt-out model.

• GDPR: A social media network must secure explicit and affirmative consent before collecting and processing user data for targeted advertising purposes.

2. Children’s Data Protection

• DPDPA: A gaming app tailored to minors must establish robust age verification mechanisms to prevent unauthorized access.

• GDPR: A video streaming service is obligated to obtain parental consent for users under the age of 16 prior to processing their data.

3. Data Breach Notification

• DPDPA: A financial institution must promptly notify the digital protection authority and affected individuals within 72 hours of a data breach.

• GDPR: In the event of a breach, an online marketplace is required to expeditiously notify the relevant data protection authority within the same time frame.

4. Cross-Border Data Transfers

• DPDPA: A tech company operating in India is mandated to store and process sensitive data of Indian users within the geographical confines of the country.

• GDPR: A multinational corporation transferring personal data across EU member states must ensure adherence to standard contractual clauses to guarantee data protection during transfers.

5. Scope

• DPDPA: Covers digital data and specific sensitive data categories. It’s important to understand the difference between data and sensitive data to make sure you follow and implement regulations carefully.

• GDPR: Encompasses all forms of personal data across the spectrum.

6. Penalties

• DPDPA: Imposes penalties of up to INR 250 crore for breaches.

• GDPR: Applies fines up to €20 million or 4% of the annual turnover for GDPR violations.

Conclusion

Tailored to their respective jurisdictions, these mandates echo the foundational tenets of user consent, data safeguarding and responsibility. By embracing and upholding the unique yet harmonizing principles of these regulations, both entities and individuals can collaboratively foster a more secure, accountable and conscientious digital realm.

Not to be forgotten, the concept of endorsing “legitimate uses” and reinforcing consent withdrawal rights not only streamlines processes and enhances transparency, but also necessitates a steadfast commitment to upholding data protection standards.

This holds significance not only for businesses but also for employees, granting them greater authority over their personal information. This underscores the imperative for organizations to cultivate an environment of trust and openness.

While some businesses may find it challenging to keep pace with these rapidly changing developments and tech leaders may offer critiques, it remains equally important to safeguard sensitive information in order to operate ethically and at the highest standards of integrity.

Source: https://www.forbes.com/sites/forbestechcouncil/2023/11/15/indias-digital-personal-data-protection-act-dpdpa-demystified
