Digital Personal Data Protection Act 2023 (DPDP)

Digital Personal Data Protection Act 2023 (DPDP)

Subject : Polity

Section: Legislation in news

The DPDP Act is India’s comprehensive legislation for personal data protection. Enacted in 2023, it regulates the processing of personal data and establishes the rights of individuals over their data.

Key features include:

1. Scope:
   • Applies to organizations processing personal data of individuals in India.
   • Applicable to entities both within and outside India, if they process data of individuals in India.
2. Consent:
   • Allows data processing without explicit consent in specific cases, such as contractual obligations or public interest.
   • Emphasizes the right to be forgotten and the right to erasure.
3. Data Localization:
   • Does not mandate the storage of personal data within India.
   • Provides for the cross-border transfer of data, subject to certain conditions.
4. Data Breaches:
   • Requires organizations to notify the Data Protection Board and affected individuals within 72 hours of becoming aware of a data breach.
   • Establishes obligations for data fiduciaries to implement security safeguards.
5. Penalties:
   • Imposes fines up to INR 250 crores for violations.
   • Includes penalties for failure to conduct a data impact assessment or follow breach notification procedures.

General Data Protection Regulation (GDPR):

GDPR is the European Union’s data protection regulation implemented in 2018.

It sets out rules for the processing of personal data and the rights of individuals.

Key aspects include:

1. Scope:
   • Applies to organizations processing personal data of individuals in the European Union.
   • Extraterritorial application, impacting organizations worldwide.
2. Consent:
   • Requires explicit consent for processing personal data.
   • Individuals have the right to withdraw consent.
3. Data Localization:
   • Generally, requires the storage of personal data within the EU.
   • Permits data transfers based on adequacy decisions, binding corporate rules, or standard contractual clauses.
4. Data Breaches:
   • Mandates notifying the relevant data protection authority within 72 hours of a data breach.
   • Emphasizes the principles of data protection by design and by default.
5. Penalties:
   • Imposes fines up to €20 million or 4% of the global annual turnover for serious violations.
   • Focuses on accountability, transparency, and data protection impact assessments.

Both DPDP and GDPR aim to safeguard individuals’ privacy but differ in certain approaches, such as consent requirements, data localization, and penalty structures.