India has drafted a new Digital Personal Data Protection (DPDP) Bill, which, once passed, would legislate greater personal data protections for individuals while providing organizations with rules for how to lawfully process personal data. Public comments closed in early 2023, and we expect it to be approved without significant changes from the final draft.
Tucows supports Indian resellers and registrants, as well as global service providers who offer services in India. Any time a new policy has the potential to impact our services, we make sure we’re prepared. In this case, we’ve carefully reviewed the current draft of the DPDP Bill, and we’re confident that our existing GDPR-compliant data minimization and processing procedures will comply with the DPDP. We’ll also be tracking any changes to the proposed DPDP.
We want to share with you a comparison of India’s DPDP and the EU’s GDPR. While they do differ in a few ways (outlined below), you’ll see how their important similarities leave us confident in our existing data processing practices.
Note that, in some cases, GDPR terms are different from their DPDP equivalents (e.g. GDPR’s data controller is DPDP’s data fiduciary); we’ve stuck with the terms that we hope will be most familiar to readers.
GDPR vs. DPDP: similarities and differences
Scope of applicability
Both laws apply to personal data processing that takes place within the jurisdiction (the EU or India, respectively). Both also reach processing that occurs outside the jurisdiction, though the trigger differs slightly: the GDPR applies to processing by organizations outside the EU when they offer goods or services to, or monitor the behaviour of, people who are in the EU (the test is the person’s location, not their citizenship), while the DPDP applies to processing outside India that is connected with offering goods or services to people within India, again without reference to citizenship.
Legal basis for processing data
Both laws require that a legal basis for processing be determined before processing begins and, though they are laid out differently, the bases they allow are very similar: the commonly used “consent” and “performance of a contract” (“provision of any service or benefit” under the DPDP), as well as bases that are less relevant to our industry, such as public health and safety.
Disclosures to data subjects
Both laws require that data subjects (“data principals” in the DPDP) be informed about processing activities before or at the time of processing, and each specifies what must be disclosed, including contact details for a data protection officer where one is required.
Data protection requirements
Both laws require the data controller to take technical and organizational measures that protect personal data at a level appropriate to the risk, and both impose breach notification obligations. The details differ: the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals) and to the affected individuals only where the breach is likely to result in a high risk, whereas the draft DPDP requires notification of both the Data Protection Board and each affected data principal, with the form and timing left to rules yet to be prescribed.
Right to access, correction, and erasure
Under both laws, the data subject must be able to access their data, and inaccurate data must be corrected on verified request. Data must be erased when it is no longer needed for the purpose for which it was collected and the legal basis for processing it no longer applies.
Data retention obligations
Both laws require that data be kept only as long as necessary to provide the service, and retained beyond that only where a legal obligation requires it. This is the corollary of erasure: we may keep data only as long as we need it, and where a legal obligation requires retention, we must keep it for that long.
Data Protection Board/right of grievance redressal
Under both laws, data controllers must give data subjects a way to raise complaints and must respond promptly; data subjects who are not satisfied can escalate, under the GDPR to their national supervisory authority and under the DPDP to the Data Protection Board of India.
The GDPR and the DPDP define “consent” in the same way, while the DPDP has a broader set of cases where consent applies. The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes…” and the only change the DPDP has made to this definition is using “data principal” instead of “data subject.”
Under both laws, consent must be as easy to withdraw as it was to give, and a service cannot be made conditional on consent to processing that is not necessary to provide it.
Despite these similarities, however, there is an interesting difference in how the two laws use the term consent. Under the GDPR, consent is a specific legal basis that applies in limited circumstances: when the processing is not necessary for a purpose that another legal basis would cover, but the subject nevertheless wishes to allow it. The DPDP, on the other hand, allows for the broadly applicable “deemed consent” legal basis, which covers situations that each have their own legal basis under the GDPR. This is where we find things like provision of a service or benefit (similar to the GDPR’s “necessary for the performance of a contract”), compliance with a judgment or legal order (GDPR’s “compliance with a legal obligation”), public health and safety, and “any fair and reasonable purpose” that balances the legitimate interests of the controller against the rights and expectations of the data subject (GDPR’s “legitimate interests” basis).
In addition to the inclusion of “deemed consent,” there are other interesting differences between the two laws, none of which are expected to affect our business or our resellers’ ability to provide domain registration services in India or to people in India. Of specific interest are differences in terminology and in how the two laws limit the transfer of personal data to other jurisdictions.
Terminology & definitions
| Under the GDPR | Under the DPDP |
|---|---|
| The party that determines the purposes and means of processing personal information is called the “data controller.” | The party that determines the purposes and means of processing personal information is called the “data fiduciary.” |
| An individual whose personal information is processed and who is therefore protected by the law is called a “data subject.” | An individual whose personal information is processed and who is therefore protected by the law is called a “data principal.” |
| The GDPR does not define “child” as such; for consent to online services, the age of digital consent is 16, which member state law may lower to no less than 13. | A child is defined as any individual under 18. |
Extra-territorial data transfer & adequacy
Under the GDPR, personal data may be transferred (a) to countries that have adequacy status, (b) if the controller or processor provides appropriate, enforceable safeguards (such as Standard Contractual Clauses included in a Data Processing Agreement), or (c) if the transfer fits within a specific derogation for specific circumstances.
The DPDP only speaks to this issue briefly, in §17, “Transfer of personal data outside India,” saying that the Government may designate certain countries to which data may be transferred. There is no consideration of contractual protections or other mechanisms to transfer data.
That last piece is the biggest one, not just for Tucows or the domain industry but for any business that’s working on compliance with the DPDP. We assume that India will mirror current adequacy rulings by the European Commission and allow transfer of data to those approved jurisdictions, including Canada. Although the United States does not currently have adequacy status, work to resolve that is progressing, and we expect that to be in place before the DPDP takes effect. This will hopefully prompt India to include the US on their adequacy list.
We understand this is primarily of interest to reseller partners in India, but we want to reassure everyone who uses our platform that we’re staying on top of evolving privacy law, everywhere it impacts our resellers’ business.