Why GDPR Compliance is not DPDPA 2023 compliance

While discussing DPDPA 2023 compliance in the industry, the standard response we receive is: “We are already GDPR compliant, which is the ‘Gold Standard’ for privacy, and hence the Indian data privacy law can only be a subset of GDPR and we should already be compliant with it”.

This is a myth and a risky assumption.

DPDPA 2023 applies to Digital Personal Data and not to other forms of Personal Data, and one has to look for additional provisions under the Constitution or other laws to understand certain aspects of an industry's responsibilities on Personal Data Protection in toto.

Though GDPR has the principles of “Consent”, the “Legitimate Interest” concept of GDPR and the non-consent based legal basis acceptable under GDPR are not the same as the “Legitimate Use” concept under DPDPA.

Similarly, the rights protected under GDPR for a Data Subject are not the same as the rights provided to Data Principals under DPDPA.

The Right of Grievance Redressal and Right of Nomination provided under DPDPA 2023 are not available under GDPR.

The “Duties” of Data Principal are not provided under GDPR.

The concept of “Data Fiduciary” under DPDPA is different from the concept of “Data Controller” under GDPR.

The recognition of minors and other persons with legal guardians is handled differently under DPDPA.

The powers of the DPB are different from the powers of the Supervisory authority under GDPR.

The penalties under DPDPA 2023 are different from penalties under GDPR.

The impact of GDPR on Data Processors is direct, whereas in DPDPA it is only through the contract with the Data Fiduciary, with direct liability under ITA 2000.

GDPR has strict Data Localization, whereas DPDPA 2023 is flexible.

DPDPA 2023 respects the sovereignty of different countries and recognizes the redundancy of making a Data Fiduciary/Controller/Processor liable under two different data protection laws. It has provisions to enable segregation of obligations. GDPR does not respect the sovereignty of the other countries and tries to extend its hegemony over other countries.

In view of these and other differences, compliance with GDPR cannot be considered compliance with DPDPA 2023. In fact, we can positively state that “Compliance to GDPR is non compliance of DPDPA 2023”.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.