The General Data Protection Regulation (GDPR), introduced by the European Union in 2018, has not only set a new benchmark for data privacy but has also significantly impacted global data protection frameworks. Its comprehensive and stringent requirements have prompted countries worldwide, such as India, to reevaluate and enhance their data protection laws.
In recent years, India has been actively working on strengthening its data protection regulations, drawing considerable influence from the GDPR. This blog explores the existing data protection laws in India and how the GDPR has shaped India's data protection regulations.
Understanding the GDPR
The General Data Protection Regulation (GDPR) is a comprehensive legislative package that unifies data protection laws across European Union member states and enhances individuals' privacy rights. The GDPR became effective in 2018, replacing the Data Protection Directive 95/46/EC, which was originally adopted in 1995. The Directive set basic standards for data protection, but its implementation varied across member states, leading to inconsistencies.
In 2012, the European Commission proposed the GDPR, leading to extensive negotiations and consultations with stakeholders such as businesses, privacy advocates, and government bodies. The regulation was adopted in April 2016, and organizations were given a two-year transition period to comply.
The GDPR is a significant milestone in data protection regulation, establishing strict standards for data privacy and personal data processing. Its comprehensive framework gives individuals more control over how their data is collected and used, while placing strong obligations on organizations to safeguard the data they hold.
Key components
The GDPR introduced several significant changes and new requirements to strengthen data protection and ensure that personal data is processed only for legitimate purposes. Key components of the GDPR include:
- Data subject rights: Access, rectify, erase, restrict, port, and object to personal data
- Data protection principles: Lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, adequacy, integrity, and confidentiality
- Legal obligations for controllers and processors: Data protection by design and default, conduct DPIAs, notify breaches within 72 hours, appoint data protection officers for large-scale sensitive data processing and decision-making
- Extraterritorial scope: Applies to non-EU businesses offering goods/services to, or monitoring, EU residents
- Penalties: Fines up to €20 million or 4% of global turnover for non-compliance
The global influence of the GDPR has led governments worldwide, including India's, to adopt stronger privacy protections in their data protection laws.
Indian data protection before the GDPR
Before the influence of the General Data Protection Regulation (GDPR), India's data protection regime consisted of limited provisions within existing law, specifically the IT Act and the SPDI Rules.
These laws aimed to address data protection and privacy concerns but had significant limitations and gaps, including narrow definitions, a lack of comprehensive coverage, and no identified point of contact for implementation and oversight.
Information Technology Act, 2000 (IT Act)
The Information Technology Act, 2000 (IT Act) is India's primary law governing cyber activities. It aims to promote e-commerce and safeguard electronic transactions. Key components include provisions for giving legal recognition to electronic records and digital signatures, which make online transactions secure. Section 43A of the Act requires compensation for failure to protect personal data, and Section 72A penalizes unauthorized disclosure of information obtained legally.
Despite having a broad scope, the IT Act has significant limitations in terms of data protection. These limitations include:
- Section 43A and Section 72A do not cover all unauthorized disclosures or negligent data handling
- Penalties for non-compliance are too low to be a strong deterrent
- Data breach notifications are not mandated
- The Act does not provide comprehensive rights for individuals over their data
- No clear guidelines for cross-border data transfers
- There is no dedicated data protection authority, leading to fragmented oversight
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules)
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, commonly known as the SPDI Rules, were established under the IT Act to enhance data protection in India. The rules mandate that organizations obtain consent from individuals before collecting sensitive personal data and implement reasonable security practices and procedures to protect this data. The rules also require organizations to formulate and publicly disclose their privacy policies and restrict the disclosure of sensitive personal data without the individual's consent.
Despite their contributions to data protection, the SPDI Rules have notable limitations and gaps, which include:
- A narrow definition of sensitive data that excludes broader personal information
- Reliance on self-assessment which leads to inconsistent security standards
- Weak enforcement mechanisms with limited oversight and accountability
- Lack of comprehensive rights for individuals over their data
- Inadequate data breach notification requirements
- No clear guidelines for cross-border data transfers
- Absence of a dedicated data protection authority results in fragmented oversight
GDPR’s influence on Indian legislation
The GDPR is a major regulation that sets strict standards for data privacy and protection and has become a global benchmark for governing personal data. In India, the GDPR's influence is clear in the formulation of the Digital Personal Data Protection Act (DPDPA), signifying a significant shift towards robust data privacy measures.
The Digital Personal Data Protection Act (DPDP)
The Digital Personal Data Protection Act (DPDP) represents a significant milestone in India’s journey towards comprehensive data protection. Following extensive consultations and recommendations by the Justice B.N. Srikrishna Committee, a new data protection law was formulated to address the growing need for robust data privacy measures in the digital age. Designed to align with global standards like the GDPR, the DPDP aims to ensure that personal data is protected and processed only for legitimate purposes.
The Act was introduced to the Indian Parliament, underwent various stages of scrutiny and revision, and was finally enacted to provide a cohesive framework for data protection in the country. The Indian government has nominated the Data Protection Board of India as the regulatory authority to implement the provisions of the DPDP Act. Key components of the DPDP include:
- Definition and classification of personal data: Clearly defines categories of personal data, sensitive personal data, and critical personal data
- Data principal rights: Right to access, correction, data portability, erasure, and restrict processing
- Obligations of data fiduciaries: Conduct data processing lawfully, fairly, and transparently; process data for specific, clear, and specified purposes; collect and process only necessary data; implement appropriate security measures; provide clear information about data processing activities
- Data Protection Impact Assessments (DPIAs): Assessments and periodic audits for processing activities that involve significant risks to individuals’ rights and freedoms
- Data breach notifications: Organizations must notify the Data Protection Authority and affected individuals in the event of a data breach
- Cross-border data transfers: Only permits transfers of personal data outside India to approved countries or entities
- Establishment of a Data Protection Authority (DPA): Enforces the provisions of the DPDP Act, monitors data processing activities, and addresses grievances related to data protection
- Penalties for non-compliance: Substantial fines and penalties for violations to ensure adherence to data protection norms
The DPDP has a few exemptions, including financial institutions and government bodies. By providing a robust framework for data protection, the DPDP aims to foster trust in the digital ecosystem and safeguard the privacy of Indian citizens.
GDPR versus DPDP
The General Data Protection Regulation (GDPR) has set a global benchmark for data protection and privacy, influencing many countries to enhance their data protection frameworks. India’s Digital Personal Data Protection Act (DPDP) reflects the significant influence of the GDPR. Here’s a comparative analysis highlighting the key areas of influence and alignment:
Definition and classification of personal data
- GDPR: Defines personal data as any data relating to an identifiable person and includes special categories for sensitive data such as racial or ethnic origin, political opinions, religious beliefs, health data, and biometric data.
- DPDP: Similarly, the DPDP defines personal data and includes categories for sensitive personal data, such as financial data, health data, biometric data, and sexual orientation. Additionally, the DPDP introduces the concept of critical personal data, which is data deemed crucial to national security or public interest.
Data subject rights
- GDPR: Grants extensive fundamental rights to individuals, including the right to access, rectify, erase (right to be forgotten), restrict processing, data portability, and object to processing.
- DPDP: Adopts similar provisions, granting individuals the rights to access, correct, erase, and restrict processing, as well as data portability. These rights reflect the GDPR’s influence, aiming to empower individuals with greater control over their data.
Obligations of data controllers and data processors
- GDPR: Mandates that data controllers and processors ensure lawful, fair, and transparent processing, data minimization, purpose limitation, accuracy, storage limitation, and integrity and confidentiality of personal data.
- DPDP: Mirrors these obligations, requiring data fiduciaries to process data lawfully, fairly, and transparently, adhere to purpose limitation and data minimization, obtain explicit consent (or parental consent), ensure data accuracy, and implement appropriate security measures.
Data Protection Impact Assessments (DPIAs)
- GDPR: Requires DPIAs for processing activities that are likely to result in high risks to individuals’ rights and freedoms.
- DPDP: Incorporates similar obligations, mandating DPIAs for high-risk processing activities (e.g., those that threaten electoral democracy) to assess and mitigate potential privacy risks, reflecting the GDPR’s proactive approach to risk management.
Data breach notification
- GDPR: Requires data controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach and, in some cases, to inform affected individuals.
- DPDP: Includes similar provisions requiring data fiduciaries or consent managers to notify the DPA and affected individuals in the event of a data breach, emphasizing transparency, public order, and prompt response to data breaches as influenced by the GDPR.
Cross-border data transfers
- GDPR: Allows data transfers to countries with adequate data protection standards or under specific safeguards such as Binding Corporate Rules or Standard Contractual Clauses.
- DPDP: Aligns with this approach, permitting cross-border data transfers to approved countries or entities, ensuring that transferred data remains protected internationally, mirroring the GDPR’s framework for international data flows.
Establishment of a Data Protection Authority (DPA)
- GDPR: Establishes independent supervisory authorities in each member state to oversee compliance, handle complaints, and enforce the regulation.
- DPDP: Establishes a Data Protection Authority to enforce the Act’s provisions, monitor data processing activities, and address grievances. This authority's creation is directly inspired by the GDPR’s model of independent regulatory oversight.
Penalties for non-compliance
- GDPR: Imposes severe penalties for non-compliance, with fines up to €20 million or 4% of the annual global turnover, whichever is higher.
- DPDP: Introduces significant penalties for violations, reflecting the GDPR’s stringent approach to enforcement and ensuring serious compliance. Significant data fiduciaries that suffer a data breach after failing to implement security safeguards face the most severe penalties, up to a maximum of 250 crore rupees (2.5 billion rupees).
The future of data protection in India
The anticipated implementation of the Digital Personal Data Protection Act will transform data protection in India. This new legislation aims to provide a comprehensive framework for safeguarding personal data, drawing inspiration from global standards like the GDPR. It will enhance individual rights, mandate stringent data protection measures for organizations, and establish a robust enforcement mechanism through a dedicated Data Protection Authority.
As India continues to embrace digital innovation, the Act is poised to create a secure and transparent data ecosystem, fostering trust among citizens and businesses while positioning India as a global data privacy and protection leader.
Upgrade your organization’s data protection practices with UpGuard
UpGuard’s comprehensive cybersecurity management tools make monitoring your cybersecurity posture and vendors simple—all in one centralized dashboard.
UpGuard BreachSight illuminates your organization’s external attack surface, allowing you to discover and remediate risks ten times faster with continuous monitoring capabilities. Additional features include:
- Real-time scanning: Don’t accept an incomplete or lagging picture of your attack surface. Protect your domains, IP, and external assets with real-time scans.
- Instant alerts: Be alerted the moment a vulnerability is detected. Receive notifications where your team works, whether Jira, ServiceNow, or another platform like Slack.
- Detect stolen credentials: Know when your data or credentials are circulating online or at risk of unauthorized access. UpGuard combines proprietary sources and dark web scanning to spot leaked data faster.
UpGuard Vendor Risk provides comprehensive visibility of your third-party risk, helping you identify vendor risks sooner and complete risk assessments twice as fast. Additional Vendor Risk features include:
- Constant vendor monitoring: You'll be alerted whenever a third or fourth party's security posture changes. Continuous monitoring ensures you’re always the first to know.
- 360° risk assessments: See your vendor risks from all angles. Automated scanning, evidence analysis, and insights from industry questionnaires (NIST, GDPR, ISO 27001) give you the complete picture of your service providers.
- End-to-end workflows: Forget spreadsheets and stale data. Transform your processes with a single platform for identifying and managing risk mitigation.