INTRODUCTION
The European Union’s General Data Protection Regulation (GDPR) and India’s Digital Personal Data Protection Act, 2023 (DPDPA) are two major milestones in data protection and privacy legislation. The GDPR, which became applicable on 25 May 2018, is a single, cross-border data protection framework that applies across all member states of the EU and the European Economic Area. It is not only about safeguarding personal data but also about letting that data flow, including transfers beyond the EU’s borders, under defined conditions. Its primary objective is to give EU citizens and residents control over their personal data, while harmonising the rules across member states so that one high standard of protection also simplifies international trade. The DPDPA, enacted in India in August 2023 and, at the time of writing, expected to take effect in early 2024 on dates notified by the central government, is a comparable step to protect the personal data of the country’s citizens. Like the GDPR, the DPDPA sets up a comprehensive data protection regime, but one tailored to India’s own socio-legal conditions.
WHO IS A DATA SUBJECT?
1. GDPR
Under the General Data Protection Regulation (Article 4(1)), a data subject is an identified or identifiable natural person whose personal data is being processed. This covers any individual within the European Union or the European Economic Area whose personal information is collected, used or stored by an organisation subject to the GDPR, regardless of the individual’s nationality. An “identifiable natural person” is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.
2. DPDPA
A Data Principal is the individual to whom the personal data relates (Section 2(j) of the DPDPA). This covers individuals of all ages, with two extensions:
- For a child, the term also includes the child’s parents or lawful guardian.
- For a person with disability, it includes the lawful guardian acting on that person’s behalf.
KEY PRINCIPLES OF DATA PROTECTION (GDPR, ARTICLE 5)
1. Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly, and transparently. This means that data processing must have a legal basis, be conducted fairly and individuals must be informed about how their data is being processed.
2. Purpose limitation
Personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
3. Data minimization
Personal data collected should be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
4. Accuracy
Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data is rectified or erased without delay.
5. Storage limitation
Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
6. Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
7. Accountability
Data controllers are responsible for ensuring compliance with the GDPR’s principles and must be able to demonstrate compliance with these principles.
RIGHTS UNDER GDPR
1. Right to Information (Articles 13 and 14)
Data subjects have the right to be informed about the collection and processing of their personal data. This includes information such as the identity of the data controller, the purposes of processing, and the rights of the data subject.
2. Right to Access (Article 15)
Data subjects have the right to obtain confirmation from the data controller whether their personal data is being processed and if so, to access that data and receive additional information about how it is being processed.
3. Right to Rectification (Article 16)
Data subjects can request the correction of inaccurate or incomplete personal data held by data controllers.
4. Right to Erasure (Right to be Forgotten) (Article 17)
Data subjects have the right to request the deletion of their personal data under certain circumstances, such as when the data is no longer necessary for its original purpose or when the data subject withdraws consent.
5. Right to Restriction of Processing (Article 18)
Data subjects can request the restriction of processing of their personal data in certain situations such as when the accuracy of the data is contested or when the processing is unlawful.
6. Right to Data Portability (Article 20)
Data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit that data to another data controller.
7. Right to Object (Article 21)
Data subjects can object to the processing of their personal data in certain circumstances, such as for direct marketing purposes or when the processing is based on legitimate interests.
8. Rights Related to Automated Decision Making and Profiling (Article 22)
Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
RIGHTS UNDER DPDPA
1. Right to Access Information (Section 11)
Data Principals have the right to obtain from a Data Fiduciary, on request:
- A summary of the personal data being processed and of the related processing activities.
- The identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, together with a description of the data shared.
- Any other information prescribed under the Act.
The second and third items do not apply where the data was shared with another Data Fiduciary that is authorised by law to obtain it for the prevention, detection or investigation of offences or cyber incidents, or for the prosecution or punishment of offences (Section 11(2)).
2. Right to Correction and Erasure of Personal Data (Section 12)
On a request from a Data Principal, a Data Fiduciary must:
- Correct inaccurate or misleading personal data.
- Complete incomplete personal data.
- Update personal data so that it stays accurate.
- Erase personal data, unless retaining it is necessary for the specified purpose or for compliance with any law in force (Section 12(3)).
3. Right to Grievance Redressal (Section 13)
Section 13 requires every Data Fiduciary and Consent Manager to provide a readily available means of grievance redressal and to respond within the prescribed period. A Data Principal must exhaust this mechanism before approaching the Data Protection Board of India. Any person aggrieved by an order of the Board, whether a Data Fiduciary or a Data Principal, may appeal to the Telecom Disputes Settlement and Appellate Tribunal within sixty days (Section 29).
4. Right to Nominate (Section 14)
Section 14 allows a Data Principal to nominate another individual to exercise the Data Principal’s rights in the event of the Data Principal’s death or incapacity.
WHEN ARE A DATA SUBJECT’S RIGHTS INFRINGED?
A data subject’s rights are infringed whenever any of the protections granted by a data protection law such as the GDPR or the DPDPA is violated. Typical cases:
- Personal data is processed without a lawful basis (for example, without the data subject’s consent where consent is the basis relied on) or for purposes other than those for which it was collected.
- A security breach leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- The data controller fails to give the data subject access to their personal data on request, or refuses to rectify inaccurate or incomplete data.
- The data controller fails to respond to a request by the data subject to exercise any of their other rights.
- The organisation fails to give clear and transparent information about how the personal data is being processed, defeating the data subject’s right to be informed.
LIABILITY
1. UNDER GDPR
- Data Controller
The data controller determines the purposes and means of processing personal data. They have primary responsibility for ensuring compliance with the GDPR’s principles and obligations. If a data controller infringes upon data subject rights, they are directly liable for the violation.
- Data Processor
A data processor processes personal data on behalf of, and on the documented instructions of, the data controller. Processors have their own obligations under the GDPR, such as implementing appropriate security measures and acting only on the controller’s instructions, but their liability is narrower than a controller’s: under Article 82(2) a processor is liable for damage caused by processing only where it has failed to comply with obligations directed specifically at processors or has acted outside or contrary to the controller’s lawful instructions. Supervisory authorities can also fine processors directly under Article 83, and the processing contract required by Article 28 typically allocates further liability between controller and processor.
- Joint Controllers
In some cases, two or more entities jointly determine the purposes and means of processing personal data. These entities are considered joint controllers and share responsibility for compliance with the GDPR’s requirements. Each joint controller may be held liable for infringements of data subject rights.
- Data Protection Officers
DPOs are responsible for advising and monitoring compliance with the GDPR within organizations. While DPOs themselves may not be directly liable for infringements, they play a crucial role in ensuring organizations' adherence to data protection requirements.
2. UNDER DPDPA
- Data Fiduciaries
These entities, which include businesses and organizations, are responsible for ensuring compliance with the DPDPA. They must adhere to various obligations, including ensuring the accuracy and completeness of data, implementing security safeguards, reporting data breaches, and erasing personal data when necessary. If a data fiduciary fails to fulfill these obligations or infringes upon data subject rights, they will be liable for the violation.
- Government Entities
The State and its instrumentalities are Data Fiduciaries under the DPDPA, but with exemptions. In particular, the storage limitation duty (Section 8(7)) and the right to erasure (Section 12(3)) do not apply to processing by the State or its instrumentalities (Section 17(4)), and the central government may exempt notified instrumentalities from the Act altogether on grounds such as sovereignty, security and public order (Section 17(2)).
- Data Protection Board of India
The Board, established by the central government, adjudicates complaints, directs remedial measures in the event of a personal data breach, and imposes penalties for non-compliance. The Board itself is not liable for infringements of Data Principals’ rights.
OTHER LEGISLATION GOVERNING DATA PROTECTION
1. Indian Constitution
- Article 21 (Right to Life and Personal Liberty)
The Supreme Court has interpreted the right to privacy as implicit in the right to life and personal liberty under Article 21.
2. Information Technology Act, 2000
- Section 43A (Compensation for failure to protect data)
This section makes a body corporate that possesses, deals with or handles sensitive personal data or information liable to pay compensation where it is negligent in implementing and maintaining reasonable security practices and procedures and that negligence causes wrongful loss or wrongful gain to any person.
- Section 72A (Disclosure of information in breach of lawful contract)
This section deals with the punishment for disclosure of information in breach of a lawful contract. It imposes penalties for disclosure of personal information in breach of a contract or without the consent of the person concerned.
- Section 79 (Intermediaries not to be liable in certain cases)
This section provides safe harbor to intermediaries, such as internet service providers and social media platforms for third-party content hosted on their platforms, subject to certain conditions.
3. Indian Penal Code, 1860 (replaced with effect from 1 July 2024 by the Bharatiya Nyaya Sanhita, 2023, which carries these offences forward under new section numbers)
- Section 378 (Theft)
According to this section, a person is guilty of theft if they dishonestly take movable property out of the possession of any person without that person’s consent.
- Section 403 (Dishonest Misappropriation of Property)
It states that anyone who dishonestly misappropriates or converts to their own use any movable property, intending to take wrongful gain or cause wrongful loss to another person, commits an offense of dishonest misappropriation.
- Section 405 (Criminal Breach of Trust)
It outlines that when a person entrusted with property dishonestly misappropriates or converts that property for their own use in violation of any direction of law or any legal contract, they commit the offense of criminal breach of trust.
- Section 409 (Criminal Breach of Trust by Public Servant or by Banker, Merchant or Agent)
It states that if any of these individuals, while in a position of trust, dishonestly misappropriate or convert to their own use any property entrusted to them, they commit the offense of criminal breach of trust.
PENALTIES
1. GDPR
Infringements of certain provisions of the GDPR can result in administrative fines of up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For less severe infringements, the maximum fine can be €10 million or 2% of the total worldwide annual turnover, whichever is higher.
2. DPDPA
The Schedule to the DPDPA fixes the maximum penalty by type of breach, and the Board sets the actual amount within that ceiling.
- Breach of Data Principal Duties
Fines of up to INR 10,000 for a Data Principal who breaches the duties in Section 15, for example impersonating another person, suppressing material information when supplying personal data for a State-issued document, registering a false or frivolous grievance, or furnishing unverifiable information when seeking correction or erasure. Data Principals are the individuals whose data is processed, not the entities that control it.
- Violations without a Specific Penalty
Fines of up to INR 50 crore for breach of any provision of the Act or its rules for which no specific penalty is listed. This residual category covers, among other things, notice and consent failures, such as not giving the required notice before seeking consent (a cookie notice on a website being a common example).
- Security and Data Breach Violations
The most severe penalties apply to security failures: up to INR 250 crore for failing to take reasonable security safeguards to prevent a personal data breach (Section 8(5)), and up to INR 200 crore for failing to notify the Board and the affected Data Principals of a breach (Section 8(6)). Breaches of the additional obligations towards children (Section 9) carry up to INR 200 crore and those of Significant Data Fiduciaries (Section 10) up to INR 150 crore. The ceilings reflect the weight the Act places on robust security measures against breaches and unauthorised access.
COMPARISON BETWEEN GDPR AND DPDPA
| Criteria | GDPR | DPDPA |
| --- | --- | --- |
| Scope | Processing of personal data of data subjects, by automated means or as part of a filing system (Article 2). | Processing of digital personal data, i.e. data collected in digital form or collected offline and later digitised (Section 3). |
| Purpose | To give citizens and residents control over their personal data and to harmonise the regulatory environment for business across the EU/EEA. | To protect the personal data of individuals in India and to establish a comprehensive data protection framework for the country. |
| Enforcement | Supervisory authorities in each EU member state, coordinated through the European Data Protection Board. | The Data Protection Board of India (DPBI), once established. |
| Rights of the Data Subject | Information, access, rectification, erasure, restriction, data portability, objection, and rights relating to automated decision-making. | A narrower set: access to information, correction and erasure, grievance redressal, and nomination. No data portability, objection, restriction or automated-decision rights. |
| Penalties | Up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements; up to €10 million or 2% for others. | Tiered by type of breach, from INR 10,000 (Data Principal duties) to INR 250 crore (failure to take reasonable security safeguards). |
| Exemptions | No blanket exemption for public authorities; Article 23 allows member-state law to restrict rights for specific purposes such as national security and law enforcement. | The State and its instrumentalities are exempt from certain provisions, such as storage limitation and the right to erasure, and notified instrumentalities may be exempted entirely. |
| Territorial Application | Controllers and processors established in the EU/EEA, wherever the processing takes place, and those outside it that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA (Article 3). | Processing within India, and processing outside India in connection with offering goods or services to Data Principals within India (Section 3). |
RELEVANT CASE LAWS
1. Google LLC v. CNIL (C-507/17, 2019)
The Court of Justice of the European Union held that EU law does not require a search engine operator that grants a de-referencing (right to be forgotten) request to remove the links from all versions of its search engine worldwide. The operator must de-reference on the versions corresponding to all EU member states and take measures that effectively prevent or seriously discourage users in the EU from reaching the links through non-EU versions; the Court left member-state authorities free to order wider de-referencing under national law.
2. Facebook, Inc. v. Duguid
In this 2021 decision the U.S. Supreme Court clarified the definition of an “automatic telephone dialing system” under the Telephone Consumer Protection Act, holding that the device must have the capacity to use a random or sequential number generator to store or produce telephone numbers. The decision bears on data privacy because it narrows which automated communication and marketing systems fall under the TCPA’s consent requirements.
3. K.S. Puttaswamy v. Union of India
In this landmark 2017 decision a nine-judge bench of the Supreme Court of India recognised the right to privacy as a fundamental right under Article 21 of the Constitution. The judgment laid the foundation for data privacy law in India and influenced the drafting of the Personal Data Protection Bill, 2019, the predecessor of the DPDPA.
CONCLUSION
The law of data privacy is in a state of rapid change, both globally and in India. Key court decisions and legislation such as the GDPR in the European Union and the DPDPA in India reflect a determination to strengthen individuals’ privacy, and the new Indian statute marks a significant phase in building a culture that values and protects personal data. How well we cope with the challenges and opportunities that fast-moving technology brings will depend on constant vigilance, responsive regulation, effective enforcement and greater public awareness. Only with these in place can citizens own and control their data and trust reign in the digital domain. The path to data privacy will bear results only when the State, businesses, civil society and individuals look beyond today’s challenges and work together to protect citizens.