
How is the DPDP Act similar and different from that of GDPR?



The GDPR is a data protection law that applies in the European Union (EU) and some nearby areas. It protects people's personal data and privacy. Its main aims are to give individuals more say in what happens to their personal information and to make it easier for businesses in the EU to follow a single set of rules. It took effect on May 25, 2018, replacing an older data protection law from 1995.


In contrast, the Digital Personal Data Protection Act (DPDP) is India's first comprehensive data protection law and is expected to become effective in early 2024. It is designed to safeguard the personal data privacy of Indian citizens. Both the DPDP Act of India and the GDPR of the EU grant individuals control over their personal data and impose data protection obligations on organizations. However, they differ in their specific provisions and regulations. 


Key Provisions and Regulations of GDPR

The following are the essential provisions of the GDPR:


  • Data Subject Rights

The GDPR gives individuals certain rights. They can ask to see their data, request its deletion, and object to how their data is used.


  • Responsibilities of Data Controllers and Processors

The GDPR also sets out obligations for the people and companies that handle data. They must keep the data secure and notify the supervisory authority if a data breach occurs.


  • Penalties for Not Following the Rules

Organizations that do not comply with the GDPR can be fined heavily – up to 4% of their annual revenue or €20 million, whichever is higher.


Key Provisions and Regulations of DPDP

The DPDP's key provisions include:


  • Data principal rights

Under the DPDP, data principals have several rights, including the right to view their personal data, the right to have their personal data erased, and the right to object to data processing.


  • Obligations of data fiduciaries and data processors

The DPDP imposes several obligations on data fiduciaries and data processors, including implementing appropriate security measures to protect personal data and reporting data breaches to the Data Protection Authority of India (DPAI).


  • Penalties and enforcement

The DPAI has the authority to conduct investigations and enforce the DPDP. Organizations that fail to comply with the DPDP may face fines of up to 5% of their yearly revenue or Rs 500 crore, whichever is greater. 


Similarities Between GDPR and DPDP

Both the GDPR and the DPDP are comprehensive data protection legislation with some commonalities, including:


  • They both give individuals certain rights over their personal data, including the ability to access, erase, and object to processing their personal data.


  • Both require enterprises that process personal data to establish proper security measures and report data breaches to the competent supervisory authority.


  • Both contain measures for enforcement as well as consequences for noncompliance. 


Dissimilarities Between GDPR and DPDP

Despite their similarities, the GDPR and the DPDP have several significant differences, including:


  • The GDPR applies to all organizations that process personal data of EU residents, regardless of whether the firm is based in the EU. The DPDP applies to all organizations that process the personal data of individuals in India, irrespective of whether the organization is based in India.


  • Special categories of personal data are included in the GDPR and can only be handled for specific purposes. The DPDP applies to all sorts of digital personal data similarly. No additional safeguards are in place to protect sensitive or essential personal data.


  • The GDPR imposes strict regulations on transferring personal data outside the EU, while the DPDP imposes fewer restrictions on transferring personal data outside India.


Individuals' Rights

Both the DPDP Bill and the GDPR aim to give people control over their personal data. Under both, individuals can access their data, ask for their information to be corrected or removed, nominate someone to represent their data interests, and file complaints.


Under the GDPR, people have additional rights, such as data portability (moving their data to another provider), correction, deletion, and protection from decisions made solely by automated means. The GDPR also provides strong safeguards where automated decisions could harm people.


The DPDP Bill, on the other hand, provides fewer rights to object to automated decisions, except in the case of minors. The GDPR is more detailed and requires that people be informed of their right to object to automated decisions, especially for marketing purposes.


Penalties


Penalties Under GDPR

  • Data controllers and processors collaborate with Data Protection Officers (DPOs) to address complaints.

  • Data subjects can directly contact DPOs to exercise their GDPR-guaranteed rights.

  • Sometimes, data subjects can immediately approach the Supervisory Authority for legal remedies.


Penalties Under the DPDP Bill

  • Data fiduciaries are responsible for maintaining effective grievance redressal procedures.

  • Data subjects with concerns can contact the appointed officer, and issues must be resolved within 30 days.

  • An appeal panel handles grievances resulting from decisions made by adjudicating authorities.


Specifics of Penalties

  • The DPDP Bill outlines fines of up to Rs 500 crore for various offenses, to be determined by the Indian Data Protection Board.

  • GDPR prescribes penalties of up to 20 million Euros or 4% of global revenue (whichever is higher) for severe violations as per Article 83(5).

  • GDPR also lists fines of up to 10 million Euros or 2% of global revenue (whichever is higher) for less serious offenses as per Article 83(4).

  • The DPDP Bill does not specify compensation to data principals.


Conclusion

The GDPR and the DPDP are comprehensive data protection laws with several similarities, including the rights they grant to individuals and the obligations they impose on organizations. However, the two laws have some significant differences, such as their applicability requirements and their consent and data transfer requirements.


Organizations that process personal data of EU or Indian residents should carefully review the GDPR and DPDP to ensure compliance. By doing so, they can help protect the privacy of individuals' personal data while also building trust with their customers and partners.
