ABSTRACT:
The digital age is now inevitable and brings incomparable benefits to private individuals and businesses alike. The Internet has evolved into a medium that delivers services and online resources to users, and it stores data and personal information. The moment such information begins to be stored, the threat to data protection and privacy begins. Information held online becomes highly sensitive and valuable, and with that comes the risk of data theft and fraud. This matters because such data can affect the freedoms and rights that individuals possess; data protection and privacy law is the response. Since 1970 data protection laws have progressed across the globe, and at present cyber security and data protection laws exist in Europe, Asia, America, Africa, almost every continent. India in particular is evolving rapidly in this field with the enactment of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘DPDP Act’). Correspondingly, the General Data Protection Regulation of the European Union (hereinafter referred to as ‘GDPR’) has been a pioneering policy on privacy and data protection. This paper primarily aims at a comparative analysis of the DPDP Act of India and the GDPR of the European Union, covering both similarities and differences. It further sheds light on other legislation, namely the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The paper also proposes some measures to bridge the gap between the data protection and privacy laws of India and the GDPR of the European Union, and touches on the issues raised by AI and some recent trends in this arena.
KEYWORDS: Data Protection, Privacy, DPDP Act, GDPR, IT Act, IT and SPDI Rules, 2011, Artificial Intelligence.
INTRODUCTION:
The notion of data protection and privacy began in 1890 with the recognition of “the right to be let alone”, when technology was identified as a root cause of intrusion into private and domestic life and the need for protection was articulated[1]. The focus then shifted to safeguarding personal information and preventing misuse of personal data. The ambit of data protection was extended by the General Data Protection Regulation, a European Union law that became applicable on May 25, 2018 to safeguard personal data and uphold privacy[2]. It replaced the Data Protection Directive of 1995 (Directive 95/46/EC). The regulation sets out seven principles of data protection and confers eight distinct privacy rights[3]. GDPR is considered the toughest privacy and security law in the world[4] and has been a landmark piece of data protection legislation in the European Union. Similarly, the DPDP Act, 2023 of India has come a long way since 2017, when the right to privacy was recognised as a fundamental right (Justice K.S. Puttaswamy v. Union of India) and the Justice B. N. Srikrishna committee was constituted. The committee submitted a draft Personal Data Protection Bill in 2018, and the Personal Data Protection Bill, 2019 was introduced in Parliament. The 2019 bill was referred to a Joint Parliamentary Committee, which reported in 2021, and was withdrawn in 2022; the fresh Digital Personal Data Protection Bill, 2023 was passed by the Lok Sabha on 7 August and the Rajya Sabha on 9 August 2023, and was published in the official gazette after the President’s assent on 11 August 2023. The ultimate motive behind these legislations is to protect personal data and to ensure its legitimate use. The two regulations have different protection mechanisms but share key features alongside their differences.
COMPARISON BETWEEN DPDP ACT AND GDPR:
I. KEY DIFFERENCES:
a. Objectives
DPDP Act: Aims to regulate the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such data for lawful purposes.
GDPR: Aims at the protection of natural persons with regard to the processing of personal data, their fundamental rights and freedoms, and in particular their right to the protection of personal data. It further guarantees the free movement of such data within the Union[5].
b. Definition of personal data:
DPDP Act: Section 2(t) defines personal data as any data about an individual who is identifiable by or in relation to such data[6]. This definition is brief and flexible rather than enumerative, which has its own advantages and disadvantages.
GDPR: Article 4(1) provides a comparatively exhaustive and broad definition of “personal data”: any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[7].
Additionally, the DPDP Act applies only to personal data in digital form (including data collected offline and subsequently digitised), whereas the GDPR also applies to non-digital data that forms part of a structured filing system.
c. Exemptions:
DPDP Act: The Act excludes from its scope personal data that the data principal has made publicly available or that is made public under a legal obligation. Besides, Section 17 of the Act specifies the grounds on which Chapter II (obligations of data fiduciary), Chapter III (rights and duties of data principal) and Section 16 (processing of personal data outside India) shall not apply, namely: enforcing legal rights or claims; performance of judicial, quasi-judicial, regulatory or supervisory functions; and the prevention, detection, investigation or prosecution of offences, among others[8].
GDPR: The exemptions under the GDPR are framed differently. Member states are required to provide exemptions or derogations for processing carried out for journalistic purposes and for academic, artistic or literary expression, where necessary to reconcile the right to data protection with freedom of expression and information[9].
d. Classification of data:
DPDP Act: The Act does not categorise personal data into tiers as the GDPR does.
GDPR: The regulation recognises special categories of personal data (commonly called sensitive personal data) under Article 9: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used for identification, and data concerning health, sex life or sexual orientation[10]. This differentiation exists to impose stricter compliance and protection measures on the special categories.
e. Stakeholders and classification:
The terminology for the stakeholders differs between the two statutes, as set out below.
DPDP Act: The individual to whom the personal data relates is referred to as the “data principal”, and the person or entity that determines the purpose and means of processing the personal data is the “data fiduciary”. Any person who processes personal data on behalf of the data fiduciary is a “data processor”.
GDPR: The individual to whom the personal data relates is referred to as the “data subject”, and the person or entity that determines the purpose and means of processing the personal data is the “data controller”. Any person who processes personal data on behalf of the controller is a “processor”.
Over and above this, the DPDP Act allows the central government to designate a class of data fiduciaries as “significant data fiduciaries”, subject to additional obligations; the GDPR has no equivalent classification. Likewise, the GDPR has no equivalent to the consent manager provided for in the DPDP Act.
f. Processing:
Both the GDPR and the DPDP Act have their own definitions of the term “processing”. These definitions are broad and exhaustive in their own right, covering operations performed on personal data such as collection, recording, structuring, storage, and so on.
Nevertheless, the treatment of children’s data differs. The DPDP Act imposes additional obligations for processing children’s data.
DPDP Act: A child is a person below 18 years, the age of majority under Indian law[11]. The data fiduciary must obtain verifiable parental consent before processing a child’s data, such processing must not have a detrimental effect on the well-being of the child, and the fiduciary must not undertake tracking, behavioural monitoring or targeted advertising directed at children[12].
GDPR: The position in the EU differs. The regulation sets the age of consent for information society services at 16 years (member states may lower it to no less than 13), and the obligations are more basic: transparency in the information provided to children and the requirement to obtain the consent of the holder of parental responsibility[13].
g. Transparency
DPDP Act: The notice issued to the data principal when seeking consent must state the personal data sought and the purpose of processing, the manner in which the data principal may exercise their rights, and the manner of making a complaint to the Data Protection Board[14]. The data principal must be given the option to access the notice and consent request in English or any language specified in the Eighth Schedule (22 languages) of the Constitution of India[15].
GDPR: The information provided to data subjects is largely the same as under the DPDP Act, with additional requirements such as the identity and contact details of the controller and, where applicable, its data protection officer. The information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
h. Restriction on transfer of data outside the territory:
DPDP Act: Transfer of personal data by a data fiduciary to a country or territory outside India is permitted unless the central government restricts such transfer by notification[16].
GDPR: Chapter V imposes stringent conditions on transfers of personal data outside the EU: transfers are permitted to countries covered by an adequacy decision, or otherwise only subject to appropriate safeguards such as standard contractual clauses or binding corporate rules, with limited derogations.
i. Rights of Data Principal / Data Subjects:
Both the DPDP Act and the GDPR guarantee rights to data principals and data subjects respectively, with minor variation in the rights listed.
DPDP Act: The rights guaranteed to data principals are the right to be informed, the right to access, the right to correction and erasure, the right to withdraw consent, the right to grievance redressal, and the right to nominate.
GDPR: Some rights found in the DPDP Act (the right to nominate, and grievance redressal as a standalone right) are absent, while others are added. The rights guaranteed to data subjects are the right to be informed, the right to access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, the right not to be subject to solely automated decision-making, and the right to withdraw consent.
j. Notification of breach:
Both statutes require notification of personal data breaches, but the DPDP Act, unlike the GDPR, sets no risk threshold or statutory timeline: a data fiduciary must intimate the Data Protection Board and each affected data principal of any breach in the form and manner to be prescribed by rules. The GDPR requires notification to the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals, and notification to the data subjects themselves where the risk is high.
k. Legal grounds for processing Personal data:
Contract: Under the GDPR, processing is lawful where it is necessary for the performance of a contract with the data subject or to take steps at the data subject’s request prior to entering into one. The DPDP Act has no such legal basis.
Voluntary disclosure: Under the DPDP Act, a data fiduciary may process personal data for a specified purpose where the data principal has voluntarily provided it and has not indicated that they do not consent to its use. The GDPR has no such specific legal basis.
Legitimate interests: The DPDP Act provides only for “certain legitimate uses” and not for “legitimate interests”, which is a distinct legal basis for processing under the GDPR[17].
The above sets out the detailed differences between the DPDP Act and the GDPR in various aspects. The author also emphasises that there are not only differences but also similarities in their mechanisms.
II. KEY SIMILARITIES:
Notwithstanding the key differences, much of the scope of these data protection laws lies in the similar concepts and mechanisms they possess. For ease of understanding, the author groups these similarities into two categories:
- Same scope, different terms
- Same scope and terms
- Same scope, different terms: The stakeholders of the respective statutes come under this category. The scope and definition of the data principal (DPDP Act) are equivalent to those of the data subject (GDPR). A data fiduciary (DPDP Act) is equivalent to a data controller (GDPR).
- Same scope and terms:
i) The scope, definition and term of the data processor are the same in both statutes: any person who processes personal data on behalf of the data fiduciary is a data processor (DPDP Act), and any person who processes personal data on behalf of the controller is a processor (GDPR).
ii) Consent, compliance with a legal obligation of the state, the protection of public health or response to a medical emergency, and the public interest are recognised as common grounds for processing personal data under both the DPDP Act and the GDPR.
iii) The rights guaranteed to data principals and data subjects that are identical in the DPDP Act and the GDPR are the right to access, the right to rectification (correction), the right to erasure, and the right to withdraw consent.
iv) The notion of data processing agreements is akin in both statutes. Data processing agreements establish the contractual relationship between the data fiduciary/data controller and the data processor. The data fiduciary/data controller is obliged to ensure the processor’s compliance and to take reasonable security safeguards to prevent data breaches.
These common principles, though expressed in different statutes, make navigating the nuances of the data protection regime easier and aid compliance. The similarities are remarkable in that they provide a common framework that transcends differences of religion, territory, culture and jurisprudence.
COMPARISON BETWEEN GDPR AND IT ACT, 2000
The law preceding the DPDP Act that governs online data is the Information Technology Act, 2000 (IT Act), together with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Act was enacted to give legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication[18]. In comparison with the DPDP Act the scope of the IT Act is narrower; however, the Act provides both civil and criminal liability for unauthorised access. This section aims at bringing out the key differences and similarities between the IT Act and the GDPR.
I. KEY DIFFERENCES:
a. Objectives:
The GDPR aims at the protection of natural persons’ personal data and the free movement of such data. The IT Act has no such objective.
b. Principles: Lawful processing is the central principle of the GDPR, whereas information collection and usage are the only principles addressed by the IT Act. Principles such as integrity and confidentiality, protection from unlawful processing, accountability, fairness and transparency are peculiar to the GDPR and absent from the IT Act[19].
c. Processing data: The GDPR specifies the conditions (lawful bases) under which controllers may process personal data, including bases other than consent. The IT Act has no equivalent framework for lawful processing.
d. Consent: The IT Act has no specific provision defining consent, nor special requirements for a child’s consent. The GDPR, on the other hand, is built around a detailed definition of consent and its key nuances.
e. Sensitive data: The GDPR defines special categories of personal data and attaches specific conditions to their processing; the IT Act itself is silent on them, leaving sensitive personal data to be defined in the SPDI Rules, 2011.
f. Rights guaranteed: The IT Act provides only a vague description of the rights guaranteed, whereas the GDPR furnishes a detailed description of the rights conferred.
g. Security measures: The GDPR is known for its measures on protecting personal data and data processing, such as the appointment of a data protection officer and the maintenance of records of processing activities, which the IT Act lacks.
h. Redressal mechanism: The IT Act provides redressal for the infringement of rights, but there is ambiguity regarding the forum to be approached. The GDPR treats redressal as a matter of right (the right to lodge a complaint with a supervisory authority and to an effective judicial remedy). The two thus differ in how the redressal mechanism is approached.
i. Nature of liability: The GDPR relies on administrative fines and civil liability for data breaches, whereas the IT Act, besides civil compensation under Section 43A, attaches criminal liability under Section 72A for disclosure of personal information in breach of a lawful contract.
j. Damages: The GDPR formulates a compensation mechanism for the aggrieved individual, whereas the IT Act formulates a penalty mechanism.
II. KEY SIMILARITIES:
i) Both statutes deal with data processing by electronic means and mandate the lawful collection and storage of data.
ii) Both laws mandate consent before data processing and categorise sensitive data within their own frameworks (the SPDI Rules, 2011 in the case of the IT Act).
iii) The right to rectification, the right to be informed and the right to withdraw consent are guaranteed to data subjects under both laws.
iv) Both the IT Act and the GDPR guarantee a redressal mechanism and award compensation for damage caused by infringement.
The study of key differences reveals that the IT Act is less competent than the GDPR in dealing with matters of privacy and data protection. Fortunately, we now have specific legislation, the DPDP Act, governing these matters, which builds on the foundation laid by the IT Act, 2000.
BRIDGING THE KEY GAPS – DPDP ACT’S COMPLIANCES:
As we observe material gaps between the GDPR and the DPDP Act, these gaps have to be bridged by significant additional compliance measures. Such bridging can take data protection law into another dimension.
i) The GDPR could adopt a classification equivalent to the DPDP Act’s significant data fiduciary, with additional obligations such as appointing a data protection officer to carry out effective risk mitigation measures, as under the DPDP Act.
ii) A body such as the consent manager, acting on the nomination of the data principal and guided by rules framed by the state, could be introduced into the GDPR.
iii) In the matter of processing a child’s data, additional obligations could be prescribed in the GDPR to restrict processing detrimental to the child and to prevent inadvertent processing, mandating verifiable parental consent to process such data.
iv) The DPDP Act could extend its scope by permitting processing necessary for the performance of a contract, as the GDPR does.
v) The concept of “legitimate interest” as a basis for processing could be introduced into the DPDP Act.
vi) The restriction on data transfer to countries notified by the Indian Government should be backed by a specific mechanism and an adequacy determination by the central government.
vii) A statutory time frame for data fiduciaries to address the grievances of data principals should be implemented, as in the GDPR (one month, extendable where necessary).
viii) The right to nominate, exercised by the data principal and given effect by data fiduciaries under the DPDP Act, could be implemented in the GDPR.
CONSIDERATION OF DATA PROTECTION IN THE ERA OF ARTIFICIAL INTELLIGENCE:
Artificial intelligence services employ large language models in their operations. The operation involves a two-stage process: the first stage, training, analyses the input data; the second stage produces output from what was learnt in the first. The concern arises when personal data is included in the training input of a large language model. The model cannot reliably identify the source data from which a given output has been drawn. This weakens basic principles of data protection such as lawfulness, fairness, transparency, accountability, confidentiality and accuracy[20]. The common challenges in bringing artificial intelligence into compliance with data protection laws, specifically the GDPR, are:
- The “black box” nature of AI algorithms is at odds with the transparency guaranteed in decision making.
- AI systems can complicate the exercise of guaranteed rights such as the right to access, rectify or erase data, leading to practical difficulties for data subjects and data principals.
- Decisions made by AI (automated decision making) are directly subject to the restrictions of the data protection laws, notably the GDPR’s right not to be subject to solely automated decisions.
- Another significant risk is that data controllers and data fiduciaries themselves deploy AI, which can erode the privacy of individuals.
- AI can facilitate cross-border data transfers, which may be restricted in India (DPDP Act) and are subject to stringent regulation in the EU (GDPR)[21].
Therefore, the advent of artificial intelligence strains the foundational objectives of personal data protection mechanisms across the globe. Considering these risks, the UK government published a white paper in March 2023, “A pro-innovation approach to AI regulation”, which relies on existing regulators and legislation rather than a new AI statute[22]. The focus has now shifted to AI regulation.
CONCLUSION:
With all this attention, data protection has been at the top of mind, with evolving legislation in terms of best practice, awareness and risk. The United Kingdom has introduced the Data Protection and Digital Information Bill with the intent of promoting accountability and clarity in protecting consumers’ privacy and data. Throughout 2024 we expect various data protection laws to come into force across the globe, namely the Montana Consumer Data Privacy Act, the Texas Data Privacy and Security Act, the Florida Digital Bill of Rights, and others. The spotlight is now on treating data privacy as an environmental, social and governance (ESG) factor. These are some of the recent trends in data protection. The data protection regime is still expanding, and more amendments are expected to fill the gaps, specifically on AI regulation.
[1] Bhavika Lohiya, Evolution of Data Protection Laws across the Globe, AMLEGALS (June 21, 2024, 11.22 AM), https://amlegals.com/evolution-of-data-protection-laws-across-the-globe/#
[2] EU General Data Protection Regulation (GDPR), https://ec.europa.eu/info/law/law-topic/data-protection/reform/rulesbusiness-and-organisations (last visited June 21, 2024, 11.30 AM)
[3] Dr. Brijesh Kumar Gupta, General Data Protection Regulation and Its Impact on Indian Enterprises, AJAY KUMAR GARG COLLEGE, https://www.akgec.ac.in/wp-content/uploads/2020/10/4-Dr_Brijesh_Kumar.pdf
[4]GDPR.EU, https://gdpr.eu/what-is-gdpr/ (last visited on June 21, 2024 at 11.50 AM)
[5] General Data Protection Regulation, Regulation (EU) 2016/679, art. 1.
[6] Digital Personal Data Protection Act, 2023, § 2(t), No. 22, Acts of Parliament, 2023 (India).
[7] supra note 5, art. 4(1)
[8] supra note 6, § 17
[9] supra note 5, art. 85(2)
[10] Id., art. 9
[11] The Majority Act, 1875, § 3(1), No. 9, Acts of Parliament, 1875 (India).
[12] supra note 6, § 9
[13] supra note 5, art. 8
[14] supra note 6, § 5(1)
[15] Id., § 5(3)
[16] Id., § 16
[17] India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison, Latham & Watkins, (last visited on June 22,2024), https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf
[18] The Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).
[19] Supra note 3
[20] Martin Brazier, Data Protection Considerations for Artificial Intelligence (AI),URM blogs, (June 26, 2024, 10.45 AM), https://www.urmconsulting.com/blog/data-protection-considerations-for-artificial-intelligence-ai
[21] Basanta Kumar Sethi, Decoding the GDPR’s influence on AI: Balancing innovation with data protection, KELLTON BLOGS (June 26, 2024, 11:00 AM), https://www.kellton.com/kellton-tech-blog/decoding-the-gdpr-influence-on-ai
[22] Id.
Author :- Srimathi S
II YEAR B.A.LL.B., CHENNAI Dr. AMBEDKAR GOVERNMENT LAW COLLEGE, PUDUPAKKAM