DPDP Act, 2023 & EU GDPR Comparison
The Digital Personal Data Protection Act, 2023 (DPDP Bill), passed in August 2023, is intended to regulate the collection, processing, and use of personal data by both private and government entities in India.
The DPDP Act defines personal data as any information that can be used to identify an individual, directly or indirectly. This includes information such as name, address, email address, phone number, and financial information. The Act gives individuals certain rights over their personal data, including the right to:
- Access their personal data
- Correct their personal data
- Delete their personal data
- Object to the processing of their personal data
- Port their personal data to another organization
DPDP Act and GDPR Comparison
The DPDP Act of India and the General Data Protection Regulation (GDPR) of the European Union are two of the most comprehensive data protection laws in the world. Both laws give individuals control over their personal data and require organizations to protect that data. However, there are some key differences between the two laws.
Scope: The GDPR applies to all organizations that process the personal data of individuals located in the European Union, regardless of the organization’s location. The DPDP Act applies to all organizations that process the personal data of individuals located in India, regardless of the organization’s location.
Consent: The GDPR requires organizations to obtain explicit consent from individuals before processing their personal data. The DPDP Act allows organizations to process personal data without consent in certain cases, such as when the processing is necessary for the performance of a contract or when the processing is in the public interest.
Data Localization: The GDPR requires organizations to store the personal data of individuals in the European Union unless certain exemptions apply. The DPDP Act does not require organizations to store personal data in India.
Data Breaches: The GDPR requires organizations to notify the relevant data protection authority within 72 hours of becoming aware of a data breach. The DPDP Act requires organizations to notify the Data Protection Board and affected individuals within 72 hours of becoming aware of a data breach.
Penalties: The GDPR imposes fines of up to €20 million or 4% of global annual turnover, whichever is higher, for violations of the law. The DPDP Act imposes fines of up to INR 250 crores for violations of the law.
Overall: The GDPR is generally considered to be a more stringent data protection law than the DPDP Act. The GDPR has stricter requirements for consent, data localization, and data breach notification. The DPDP Act, on the other hand, allows organizations to process personal data without consent in certain cases and does not require organizations to store personal data in India.
For more information, refer to:
DPDP Act, 2023: https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf