PrivacyEngine Podcast
The PrivacyEngine Podcast is your practical briefing on modern privacy and data protection. Each episode turns complex requirements into clear actions across GDPR, CCPA, HIPAA, India’s DPDPA, ISO standards, and emerging AI governance. Join privacy, security, legal, and product leaders as we unpack global regulations, real-world compliance challenges, and the controls that build trust at scale.
Understanding India's Digital Personal Data Protection Act of 2023
The Digital Personal Data Protection Act of 2023 is India's first comprehensive data protection law, balancing individual privacy rights with the needs of governments and businesses. It introduces new terminology, such as 'data fiduciaries,' and stems from a 2017 Supreme Court ruling on privacy. Key provisions include consent rules, individual rights, and data breach protocols, with a focus on digital personal data and protections for children.
Hello, everybody, and welcome to the first episode of our series on global data protection regulations. I'm Dr. Maria Maloney, and I'm head of research here at PrivacyEngine. Myself and Katie are talking to you today about the Digital Personal Data Protection Act 2023 in India. And the reason why we've started with this for our first episode is because a lot of the act has come into effect in November 2025. So we thought it appropriate that we would start our series on international data protection law with the Indian data protection law. So as I said, I'm Dr. Maria Maloney and I'm head of research here at PrivacyEngine. And my colleague Katie is just going to introduce herself now and then we can get started. So over to you, Katie.
SPEAKER_01: So I'm Katie Barch. I'm a data protection consultant at PrivacyEngine. My title is Data Protection Legal Specialist. So outside of consultancy, I also do bits and pieces of research into global privacy laws.
SPEAKER_02: Yeah, great. So we'll get started. We have about 12 questions, and so I'm gonna start and then we'll alternate the questions between myself and Katie. So the Digital Personal Data Protection Act, or what we call the DPDP Act, which is a bit of a tongue twister, is India's first comprehensive data protection law. It regulates how digital personal data is processed about individuals in India and how personal data or digital personal data is collected, used, shared, and stored. The act tries to balance two things, which I think it does quite well. And considering that we have the digital omnibus coming out of Europe recently, I think, you know, with the GDPR we're kind of going back to the drawing board, whereas with this DPDP Act they seem to have almost gotten the balance right initially, at the beginning. So it tries to balance two things. On the one hand, it tries to balance an individual's right to privacy, and on the other hand, the need for governments and businesses to be able to process data legitimately and without too much burden. So I think it creates a good balance there, and we'll go into that in more detail as we go through the questions. So it looks to balance those two things. The terminology is quite different to the GDPR that myself and Katie are used to, because we're based in Ireland, and so we've done a lot of work in the GDPR, but now we're looking into international data protection laws. So we understand a data controller would be an organization that processes personal data, but in the Indian law, or in the DPDP Act, these data controllers are actually called data fiduciaries, but they have similar obligations under the act. Also, if you know the GDPR, you are familiar with the term data processors, and they're actually called the same thing under the DPDP Act.
It covers digital personal data, as opposed to just personal data that the GDPR would cover. So the GDPR would cover paper-based personal data, whereas the Indian Act just handles digitized personal data. Okay, so if your organization is doing business with India and you're processing personal data of Indian citizens, then this is a data protection law that you need to understand. At a high level, the act sets out rules about how you can process data. So there's the idea of consent, just like the GDPR, but what's different is that it sets out certain legitimate uses, and it also has individual rights like the GDPR, and security safeguards are also required. We also will be looking at data breaches because that's also part of the act, just like the GDPR. So that's kind of a broad overview of the similarities and the differences between the DPDP Act and the GDPR. And now, Katie, if it's okay with you, would you be able to give us a brief history of where the DPDP Act came from?
SPEAKER_01: Yeah, so the act kind of has its roots in a case that started in 2014 after Facebook acquired WhatsApp, where WhatsApp's data sharing policy was challenged by the Supreme Court. So the case, Puttaswamy, was decided in 2017, and it actually found that in India there is a fundamental right to privacy under the Indian constitution. So then they were kind of like, well, people have this fundamental right, how are we gonna facilitate that? So following this, the government set up a committee of experts to design a data protection framework, which ended up in the act we have today, but it went through three different drafts. The first draft came out a year after the decision in that case, in 2018. It talked about conditions like data localization. And at the time, technology firms actually weren't really for it. They were quite lobbying against it. But the official bill came out actually the same year it was finalized, which was 2023. It was introduced in August as a bill, and it was passed the same month by presidential assent. So the 2023 law is the product of about eight years of legal, political, and technical debate following this judgment that took three years to come to the final conclusion on. The latest version of the act strips out a lot of the things that were seen in the original draft, but as Maria said, it kind of struck that balance that people are looking for. It was a lot better received among both Indian and global tech firms because I suppose they're the ones facing the requirements at the end of the day, so it has to go down well with the people who are going to be working with it in their day-to-day work. So NASSCOM represents the main IT and technology firms in India. They said in a statement issued through their Data Security Council of India initiative that they welcomed the new legislation.
They had a couple of problems that they raised around things like parental consent and the deadlines for breaches and stuff. But I mean, that's almost stuff that you hear no matter what law, no matter what country it passes through. So I would still say that's quite a success; to have that level of acceptance with the technology firms is kind of rare.
SPEAKER_02: I agree totally, yeah. You're never gonna get them 100% happy, and even if you do get them 100% happy, then that might be a problem in itself. Do you know what I mean? It might be too lenient, then, you know.
SPEAKER_01: Yeah, and like things like parental consent, you know, there's no point having a data protection law if you're not gonna include things like that anyway.
SPEAKER_02: Absolutely, yeah. What's it all for if you don't protect children? Do you know what I mean?
SPEAKER_01: Exactly.
SPEAKER_02: Yeah. And you mentioned there that they weren't happy back in 2018 about the data localization parts of the act. Data localization means, in this context and not every context, data sovereignty. I think it was about, oh right, the Indian government wanted the data to be kept within the Indian boundaries, regulatory boundaries.
SPEAKER_01: Yeah, so Maria, who does the act apply to, and what are data principals and data fiduciaries?
SPEAKER_02: Okay, so I kind of highlighted, I kind of explained what they were, the data fiduciaries and the data principals, at the beginning in my first question. But basically the act applies to, largely, data principals, and what we understand by data principals, if you know the GDPR again, they would be data subjects under the act. So data principals are the individuals to whom the personal data pertains. So I think it applies to anybody within India and how their personal data is getting processed. We will be looking at children under the age of 18, which I think is a really good thing. You know, with the GDPR, it kind of leaves it up to the member states to decide what is the legal age of consent, whereas the DPDP Act is very, very clear. A child is anybody under the age of 18, which is good. I think we're going to be talking about that later on in other questions. But so you have the data principal, and then you have data fiduciaries, which, like I said before, is very similar to the data controller under the GDPR. And we have the same kind of terminology for data processors. So in the Indian Act, you have a data processor which would take the personal data from the data fiduciary and process it in some way for the data fiduciary, but the data fiduciary, like the controller under the GDPR, is still responsible for the personal data that the data processor processes. The act also creates a concept of what they have called significant data fiduciaries, and these are large or high-risk organizations that must meet extra obligations under the act. And these obligations would be things like appointing a data protection officer or conducting data protection impact assessments, and maybe also having to undergo periodic audits and so on.
The scope of the act applies, like I said before, where the personal data is digital or is going to be digital, and as well the processing, it applies where the processing of the personal data is within India, or it relates to offering goods or services to data principals in India. So when you think about it from the perspective of the GDPR, it's quite similar in that respect, with the narrower focus because it looks more primarily at digital data as opposed to the personal data that could also be paper-based under the GDPR. So question four, then, Katie, for you would be: when does the DPDP Act actually come into force, and what is its current status?
SPEAKER_01: I'll just start off answering that question with a bit more to do with the history again, but the act itself actually replaces the Information Technology Act of 2000. So that regime under that act remains in force until the end of the final implementation of the DPA, which is in different phases, so it's not all at once, basically. So the act itself, as I said, was passed in August 2023, but, I mean, like a lot of legislation, that wasn't an overnight deadline for all these companies. The key structural provisions, including the definitions, the territorial scope, as you were saying previously, the creation and powers of the Data Protection Board of India, that is what went into force this November, which is what we were saying earlier, alongside the personal data protection rules. So the law requires firms to safeguard the data of Indian citizens. Obviously, there are exceptions for kind of official state, what they call it as instrumentality. And they do actually enforce penalties for firms that breach those obligations. So they are gonna have to, you know, basically nothing is stopping firms from sharing information that kind of helps the state, you know, similar to GDPR, like investigation of crime, your tax, financial regulations and stuff, employment regulations. The enforcement timeline itself is scheduled to kick in fully in 2026 and 2027. So for instance, data fiduciaries who collect and use personal data have until November 2026 to comply with a number of provisions, including hiring and integrating a DPO, a data protection officer, into their organization, which is something we're quite well versed in. So I mean that's not new, that's something that there's going to be a lot of resources out there to help Indian companies kind of adopt.
The same month, they are gonna need to bring in a consent manager framework, which allows firms to exercise data removal and amendment rights on behalf of data principals. And then the 2027 phase is for large technology firms to be subject to the full force of the act. So that's also when the Data Protection Board of India are going to have the ability to exercise their full powers. So basically, it starts this last December or November, it started last month and it's gonna be going on for two years to basically have full compliance with the act. So they've set the number of members of the Data Protection Board, which is basically the Indian enforcement authority for this piece of legislation, to four. They're gonna be able to hold inquiries in response to complaints, they're gonna be able to impose penalties in cases of data breaches. As of yet, they haven't chosen the board members, but they're gonna be appointed by the Ministry of Electronics and Information Technology. So basically, this is the first kind of window where organizations holding Indian digital personal data can kind of take a look at it and evaluate where they stand in relation to this legislation. And it's better to start early than never. You know, you have a year to kind of get your DPO in order, but that year is not going to be long creeping up.
SPEAKER_02: Absolutely, yeah. But it's good that they give them time to kind of get their ducks in order before it actually comes into effect.
SPEAKER_00: That is true.
SPEAKER_02: We had something similar with the GDPR, so we had two years, do you remember, from before, like, the GDPR came into effect in 2016? No, sorry, the GDPR was passed in 2016, but the organizations in Europe had two years to become compliant before the 25th of May, which was 2018. So it was something similar. We have something similar with the EU data protection or the EU AI Act as well. So that's a phased implementation.
SPEAKER_01: What are the core components of the act, would you say, Maria? Like, how would you compartmentalize it?
SPEAKER_02: Okay, so I think we have kind of covered a lot, but I think, I mean, again, there's various different layers. You can go into a lot of detail or you can give a kind of high-level overview of the act. You could break the act down into kind of five sections. And these five sections, for people that have already worked with the GDPR, I've broken it down into five sections that would be kind of familiar to people that have worked with the GDPR. So the first section would be the lawful grounds for processing, the second would be notices and consent, the third would be data principal rights, and the fourth would be then the obligations of the data fiduciaries, and then we'll talk about the enforcement and the penalties of the act. So the first one, like I said, was lawful grounds for processing. So there's a few differences here between the GDPR. So processing must be for a lawful purpose and based either on consent or specific legitimate uses that are listed in the act. Okay, so you don't have Article 6 like you do in the GDPR. Consent is kind of primary apart from specific use cases within the act. Legitimate uses that would be listed in the act include things like the provision of state benefits and subsidies to individuals, so the state would have to process their personal data, compliance with other laws, and you mentioned, you know, law enforcement there would be something to consider. And then you have things like public emergencies, you may have to process people's information if there's an emergency or if there's a personal emergency for the individual. So they would be taken into consideration, and then of course, certain employment purposes as well, where you can actually process somebody's information without the requirement for specific consent.
I think what's important here, and a kind of significant divergence between the GDPR and the Indian Act, is they don't create a special category for sensitive data. So there's no special category data under the Indian Act, as opposed to the GDPR, so there's no Article 9. So the whole theory behind that would be that personal data is personal data and it requires the highest protection, regardless of what type of personal data it is.
SPEAKER_01: So can I just ask you a question on the lawful grounds of processing? Those legitimate uses, is that an exhaustive list?
SPEAKER_02: I think so. I think that they're broad, so there's a list within the act, and they seem to be broad enough to actually include whatever's needed. I don't think, and I could be wrong now, but I don't think you're allowed, they're quite specific and they're quite contained in that, you know, there's a list there and you have to abide by the list, from what I understand. So, like, because of Article 6 under the GDPR, there's a lot of room for interpretation under the GDPR, whereas I don't think that's there in the Indian Act. So you either have to get the individual to consent or you have to find a way to fit it into the legitimate uses. If you can't fit them into the legitimate uses, my understanding is then you have to get consent, otherwise, you just can't process the data. Notices and consent. And I think it's quite similar to the GDPR in this area. So data fiduciaries must give a clear notice describing what data will be collected, for what purpose it's going to be collected, and how the individual can exercise their rights, and the means for complaining to the Data Protection Board as well, if they're not happy with the treatment and so on. Also, if the organization that's collecting the data has a DPO, they have to provide access or how to be able to contact the DPO of the organization. Or if they don't have a DPO, then they have to give access details to the grievance officer or the grievance contact in that organization. So if the individuals or the data principals have grievances, they know how they can contact the organisation. Notices must be in English and any official Indian languages that are necessary for providing to the individual. There's 22 Indian languages in total, so that could be quite a bit of work.
And consent must be free, specific, informed, unambiguous, and signalled by a clear affirmative action. So it's very similar, in my opinion, to the GDPR. The data subject, or data principal, rights. So I won't get into too much detail here because I think we have a full question on this coming up, but the data principals' rights are slightly more specific than the rights under the GDPR. I think there's four of them there. So the individual has the right to obtain a summary of the personal information that's being processed by the data fiduciary, and that's called the right to information. They have the right to seek the correction, completion, or updating of personal data, and the right to request erasure of data when the purpose has been met, or if they withdraw their consent, and that's called the right to correction and erasure. They have the right to have grievances addressed by the data fiduciary and to approach the Data Protection Board if unsatisfied by the actions of the data fiduciary, and that's called the right to grievance redressal. Data principals also have the right to nominate another person to exercise rights in the event of death or incapacity, which is a really interesting right, and we'll get into that in more detail when we have the specific question on data principal rights. It doesn't exist in the GDPR, but if you have awareness that you're going to die or if you're going to be incapacitated, you can actually nominate another individual to assume your rights, your data protection rights. And I'll go into that in more detail in the next questions. The obligations of data fiduciaries: they remain responsible for compliance, including any processing carried out by their data processors.
They must ensure data accuracy where it affects decisions, put in place appropriate technical and organizational measures, again like the GDPR, to protect the data with reasonable security safeguards, and they must notify the board, the Data Protection Board, and affected individuals in the event of a personal data breach. Then the fifth area, the fifth category I kind of specified, would be enforcement and penalties. And again, this is very similar to the GDPR in that they're quite onerous, they're quite heavy fines for data fiduciaries if they are found guilty of negligence. So the Data Protection Board of India can investigate breaches and impose monetary penalties. The fines can range from 50 crore up to 250 crore per violation, and an example of a violation would be failing to take security measures or violating children's data obligations, which is taken very seriously under the act. So if you're talking about 250 crore, you're talking about millions of euro, like tens of millions of euro. So again, like the GDPR, the fines would be so heavy that it would encourage organizations not to breach the data, or to ensure that they're compliant with the act.
SPEAKER_00: It's a deterrent.
SPEAKER_02: It's a deterrent. Absolutely, yeah. Yeah. And like I said, we'll get into more detail about the data subject rights in the next few questions. But question six, Katie: what rights do individuals get under the DPDP Act, and how do they differ from the GDPR? This is kind of more specific, so I kind of touched on the data subject rights or the data principal rights, but again, now we're getting more specific into the rights.
SPEAKER_01: So I think for this question, I might kind of present it in a way that's more focused on the actual data principals rather than the companies. So under the DPDP Act, individuals have the right to ask what personal data is being processed and get access to that information. They can request correction, completion, and the updating and erasure of their data. So I suppose equivalent to erasure and rectification. You can raise grievances and escalate those grievances to the Data Protection Board if you're not satisfied with the company that you raised that grievance with. I think that you do have to raise the grievance with the organization first, and then at that point where you're not satisfied with how they dealt with it, then you escalate it to the Data Protection Board. And as Maria was saying, something quite interesting and unique to India is the ability to nominate someone to exercise those rights on your behalf in the case of death or incapacity. And I suppose, of course, you can, in a sense, nominate someone, as in a family member or a solicitor, to exercise your rights under the GDPR, but the main difference here is that it doesn't apply in the case of death. So in the Indian context, these laws still apply to a deceased individual's information, which is quite an interesting distinction because the GDPR applies explicitly to living individuals, and so when an individual might become deceased, and if the relatives are kind of trying to make that process easier for them, trying to get their information back to make their own arrangements, it can result in a bit of a block to that. So that's not going to be the case in India once this act comes into full force, which is kind of a nice thing for the families, to be honest. It's a nice distinction to have made.
SPEAKER_02: You can consider the fact that, you know, this often causes family feuds, disagreements in families. The data controller doesn't really know under the GDPR what they have to do or who they give the information to, and so on. So it just makes a very clear procedure for the data fiduciary and it eliminates all that kind of stress around illness and around death, you know, for the family. So I think it's a really good one.
SPEAKER_01: And I suppose the fact that the data principal nominates someone, you know, there's kind of a transfer of authority there, so that the data fiduciary can be sure that, whether they're family or not, they're not just releasing someone's personal data to someone who might not have the data principal's best interests at heart, because they're the ones who made the nomination as well.
SPEAKER_03: Yeah, yeah, I agree. Yeah, yeah. That's very, it's a good one, yeah. Yeah, for sure.
SPEAKER_01: So yeah, I suppose the other two biggest differences: the GDPR does have a more extensive catalog of rights. Like, in the Indian Act, we don't see the right to data portability, we don't see the right to object to processing, and there aren't those specific provisions in relation to automated decision making and profiling that you do see in the GDPR. So there's no explicit obligation for data portability. So yeah, data portability, automated decision making, and objection, they're the three main GDPR rights that we don't see emerge in the Indian DPDP. And another interesting one is that individuals actually have a duty, they have a duty not to file false complaints or provide false information, and there are penalties for breach of those duties, which the GDPR doesn't have, which I think is quite interesting. And personally, I quite like this, because I know that you have the provision in the GDPR to be able to deny a vexatious or manifestly unfounded data subject access request, but it's quite a high burden of proof for that. And you know, sometimes you take it on a case-by-case basis. So sometimes you're kind of, you know, wrestling with whether it is or not, whereas here the individual has the duty not to. I don't know, I feel like it's kind of a bit of a parallel in that sense, and it's actually saying, you know, don't waste people's time, don't abuse these rights that you have in relation to your data, which I quite like.
SPEAKER_02: I totally agree, because under the GDPR, again, there's no kind of deterrent for people. So, as you know, Katie, you can have quite a lot of vexatious requests, data subject requests, and they can go on for years sometimes. And, god, yeah. You know, so to avoid that for organizations, I think, is a massive thing. And the data principal in India will definitely think twice if they feel like there could be consequences for them, you know, after one or two or three requests. Do you know what I mean? They may actually, you know, and it'll be easier for the organization as well to kind of push back and say, look, you know, you have obligations as well to not waste our time and so on. So I think it's a really good thing. I totally agree with you. I think that's one of the weaknesses of the GDPR, in that it's very vague what vexatious requests are, you know. Although the omnibus is dealing with that, you know, we don't know the final wording, but it does touch on the fact that I think across Europe now everybody is aware that there's quite a lot of vexatious data subject access requests.
SPEAKER_01: It is true, yeah. And it's quite frustrating when you're spending multiple working days fulfilling a DSAR where you know the person actually, they don't actually want their data. You know, when you're doing all this work to get it ready and to send it out to them, and you know it's almost for nothing because they didn't kind of submit it in good faith.
SPEAKER_02: Yeah, and it's for another reason. It's not actually because they want to access their data, like you say, but it's another reason why they're doing it. So yeah.
SPEAKER_01: You can't just throw it around willy-nilly either.
SPEAKER_02: Yeah, yeah, absolutely. There has to be a balance there again. Yeah, and that's why I said in the first question, I think this act, the Indian Act, does get that balance well. It does get it right. And that's evidenced by the fact that, you know, there are obligations on the data principals, like we've just said, but as well, it's evidenced by the fact that now in Europe they're coming out with the digital omnibus and they're making changes to the GDPR because there has been feedback at a European level that the GDPR can be quite onerous for SMEs and so on. So yeah, so that's interesting.
SPEAKER_01: I suppose the GDPR is kind of like the first child of the family.
SPEAKER_02: Absolutely.
SPEAKER_01: Yeah, and the other acts are like learning from the eldest sibling.
SPEAKER_02: Yeah, it's great. Yeah, absolutely. They see what's going on in Europe and they can avoid those pitfalls for sure, yeah. Yeah.
SPEAKER_01: But yeah, so I think we'll move on now to: how does the DPDP Act handle consent, and how does that compare with consent under the GDPR?
SPEAKER_02: Okay, great. Thanks, Katie. So consent under the DPDP Act looks quite familiar if you've already worked with the GDPR. So it must be free, specific, informed, unambiguous, and indicated through a clear affirmative action. So that would be like a tick mark or something like that. Explicit consent under the GDPR. So the act goes a step further by explicitly calling consent unconditional, which is not in the definition in the GDPR. The idea being that access to essential services shouldn't be tied to unnecessary data collection. The act requires a concise, clear notice at or before the time of collection, explaining what data will be processed, for which purposes, how rights can be exercised, and how to complain to the Data Protection Board. Very similar to the GDPR transparency requirements. Where the difference emerges between the DPDP and the GDPR is that the Indian Act leans heavily on legitimate uses. So these are what we call statutory carve-outs, a specific list where consent isn't needed at all, and that relates to, you know, the state processing individuals' personal data. So, like I said before in one of the other questions, when you're dealing with state subsidies, legal claims, employment-related processing, and so on. The GDPR has multiple legal bases, but the Indian list is drafted more as a set of legislative exemptions. And another important difference between the Indian Act and the GDPR is that there's no legitimate interests within the consent in the Indian Act. So we have legitimate interest as one of the six legal bases under Article 6 of the GDPR, and that doesn't exist under the Indian Act. So, like I said before, consent is much more specific. I have a table here as well, so I can go through that and kind of outline the differences.
So the definition of consent under the Indian Act is the words would be free, specific, informed, unconditional, and unambiguous. Whereas with the GDPR, it's consent must be freely given, specific, informed, and unambiguous. Um, the legal basis, so you have legitimate uses under the Indian Act, whereas you have the six alternative legal basis in the GDPR. Um, legitimate interest does not exist in the Indian Act, and it does exist um under the um the GDPR. Children's data as well, that's a significant difference in that children have to are defined as being under 18, whereas with um the GDPR, member states get to decide what is the legal age. So you sometimes you have it as low as 13, the age of you know, the age of consent is 13, and sometimes it's 16, and then 18 as well. So, in my opinion, I think that's better because it protects children more. There's no special category data under the Indian Act, whereas there is in in um the GDPR. Um, yeah, so that I think that's basically it. So, in terms of the differences and so on, yeah, I would say legitimate uses would be the main difference, and the fact that there's no special category data and there's no legitimate interests um under the Indian Act would be the three main things, I think. So, Katie, how are children's how is children's data you uh processed or handled under the Indian Act? And uh and can you talk to us a little bit about the sensitive use cases that would be referred to in the Indian Act?
SPEAKER_01: So I suppose you touched on that a bit by saying that a child is defined as under 18, which is a stricter approach than the GDPR has explicitly taken, whether or not an individual member state has chosen 18; I think in Ireland it is 18. But basically, 18 is the hard and fast rule for a child as far as Indian data protection goes. Section 9 of the Act imposes strict and mandatory obligations on data fiduciaries when they deal with children's data. They need to obtain verifiable parental or guardian consent before processing their personal data. And I know that there were no general data subject rights when it came to profiling, but it is a bit of a different case when it comes to children, because the Act does prohibit tracking, behavioural monitoring, targeted advertising directed at children, and any processing that's likely to cause a detrimental effect on a child's well-being. In today's day and age that's quite important, and it could be interpreted quite broadly. This is also one of the aspects of the Act that the tech companies had issue with, and I think it says a lot that anyone would have issue with these safeguards being put in place for children. So there's another table here that outlines more specifically the obligations on data fiduciaries. For consent, it needs to be verifiable parental consent, and it's mandatory before processing any data. They're also going to need to make a reasonable effort to verify the age of the child. Processing without this consent is strictly prohibited, so if they try to find a way around that, then the processing is illegal.
SPEAKER_02: And I think there are some significant fines as well if it's judged that they have breached children's rights, so again, that's a deterrent.
SPEAKER_01: Yeah, which, I mean, rightfully so. Again, this is the kind of stuff that needs to be in place. Otherwise, what's the point? If you're not putting safeguards for children in place, then what's the point of having a digital data protection regulation in the first place, in my opinion.
SPEAKER_02: I agree. They're the most vulnerable in society, so they need protection. Yeah.
SPEAKER_01: So, targeted uses: data fiduciaries must not process personal data of a child in a manner that is likely to cause a detrimental effect on the child's well-being. You could argue that covers things like social media, where there are a lot of studies out there saying that it affects grown adults' mental health, never mind children's. So that's an objective detrimental effect on their well-being.
SPEAKER_03: Absolutely.
SPEAKER_01: I'm interested to see how that will actually translate into practice.
SPEAKER_02: Absolutely.
SPEAKER_01: Any changes, I don't know, but yeah.
SPEAKER_02: Can I just say one thing as well? The GDPR came in in 2018, and, like you say, Europe has suffered from being the first mover in this area, so they didn't really put those laws into place to protect children. But then the Digital Services Act came in in 2024, and if you look at that, a lot of the same protections that you see in the Indian Act are in place now in the Digital Services Act. So yeah, again, we suffered from our own first-mover position there, in that all the rest of the legislation across the globe saw what was happening in Europe, and then they could have one act that covers everything, whereas Europe has to bring in another act because the GDPR didn't really cover protection of children. Again, I think at the time, in 2016 and even back in 2014 when they were writing the GDPR, it wasn't half as much of an issue as it is nowadays. So those protections are there, but it's not the GDPR, it's more the Digital Services Act.
SPEAKER_01: Yeah, I think the drafters couldn't have known, and I suppose it's not all bad, because it has served as an example internationally, and I feel like that's a win at the same time, that these provisions are in the DPDP at the end of the day.
SPEAKER_03: Absolutely, yeah, yeah.
SPEAKER_01: They have also banned targeted advertising for children. I think that's quite a good thing.
SPEAKER_03: Yeah, and I agree.
SPEAKER_01: I think they do have certain narrow exceptions. Certain classes of data fiduciaries, like clinics and educational institutions, are exempt from certain obligations, like parental consent for processing every little piece of data, when processing is necessary for specified purposes. A couple of the specified purposes are providing health services, child safeguarding, or essential services, which is necessary at the end of the day, because there's always that question with kids, schools and sports clubs: we need to do this for a child, or we're worried about this child, but we don't know what our data protection obligations are in relation to that. So hopefully that avoids that situation.
SPEAKER_03: Yeah, absolutely.
SPEAKER_01: So there are penalties: violations of the obligations relating to the data of children can attract penalties of up to 200 crore. So I guess in the millions, so it's a significant deterrent there. In comparison to the GDPR, they are comparable, obviously, that's what we're doing here, but the GDPR says that the age threshold can be as low as 13, and member states have the authority to decide where they're going to draw the line with children. India has chosen a uniform 18-year threshold. And as you said, Maria, some of these provisions aren't in the GDPR, but they're still in Europe, because it's a bit of trial and error. So it's quite nice that they are all in the same piece of legislation, so people aren't running over their tails as much, I suppose. And aside from children, they do also have sensitive use cases in the DPDP. This is not special category data; it basically applies the same high standard of data protection to all personal data, and where the distinction is drawn is the use case of the data. So it's not the data itself; the data becomes sensitive when it's being used in a certain way. Organizations are going to need to figure out if they qualify as a significant data fiduciary, because it's at this point that the classification imposes stricter compliance obligations on them. It basically comes down to: are you a significant data fiduciary or an ordinary data fiduciary? It's not the data itself, it's the volume of data and what you're actually doing with the data that will impose the more stringent obligations.
SPEAKER_03: Very good.
SPEAKER_01: So I think we're going to move on now to cross-border data transfers, which could be quite interesting, considering the GDPR is European and we have our own distinctions between data processing nationally, within the EU, or outside the EU. So, where does it differ?
SPEAKER_02: Oh, it differs quite a lot, actually. This is where I think the Indian Act is completely different to the GDPR. Again, if you're familiar with the GDPR, then you know that when you process personal data and have to transfer it outside of Europe, you have to have standard contractual clauses, or you have to make sure that the country that you're sending the data to has an adequacy agreement. So you have to ensure that the data being sent outside of Europe will have the same level of protection as it would have if it were stored within Europe. That's an adequacy model that the GDPR follows. Here, with the DPDP Act, it's a blacklist model. You can actually transfer data across borders to different countries outside of India unless the Indian government has blacklisted the country that you want to send it to. If the country has been blacklisted by the Indian government, then you cannot send personal data to that country. So, as opposed to seeking adequacy and ensuring that the country you're sending the data to has adequacy with the Act, they are basing their transfer requirements on blacklisting certain countries. If you're not on the blacklist, then there are no other requirements that the DPDP Act puts on data fiduciaries when transferring personal data. And so far, and again, this is early days, the blacklist hasn't been published by the Indian government, so at the moment you can transfer data outside of India to countries without having to check any list to ensure that they haven't been blacklisted, because the list hasn't been published yet.
But what I would say to people who are looking at this Act and wanting to comply with it is that you would make sure that you have some sort of contract in place to ensure that the personal data gets protected to the same level as the Act requires, because again, if you have a breach, the data fiduciaries are responsible for the data anyway. So if you transfer your data to data processors outside of India, make sure that you have some sort of contract in place to reduce the likelihood of breaches and ensure compliance. So, yeah, that's an interesting thing, that it has moved away completely from the way Europe and the GDPR transfer data. So that's something interesting.
SPEAKER_00: Merriamage.
SPEAKER_02: Yeah, yeah, absolutely. So I think we're now at question 10, and we're hopefully coming close to the end of the podcast. So Katie, can you talk to us a little bit about the penalties and the enforcement compared to the GDPR? We've discussed this throughout the podcast, but can you be more specific about what the penalties are under the DPDP Act?
SPEAKER_01: Yeah, so as we have touched on before, it is focused on enforcement, because at the end of the day it needs a bit of teeth. There was pushback from the technology companies in the end, so there needs to be something to make them clean up their data and treat it properly. So the Data Protection Board of India is, as I said previously, the central enforcement authority, and they have powers similar to a civil court: they can call for evidence, they can examine witnesses, they can impose monetary penalties. The penalties for data fiduciaries can go up to 250 crore per violation, so that can be stacked depending on how many violations an organization has committed or neglected. So it can equate to roughly tens of millions of euro, with a minimum of 50 crore for significant violations under the schedule. So there's a floor and there's no ceiling for the fines, basically. Children's data breaches and failure to notify breaches are explicitly called out. They do have a ceiling of around 200 crore, but again, this is per violation. So if someone has a violation related to children's data and a violation related to breaches, it's going to stack up quickly. I'm going to move on to the next question. If an organization is already GDPR compliant, what do they need to do to be DPDP compliant?
SPEAKER_02: That's a really good question. So again, the GDPR is the gold standard of data protection legislation, do you know what I mean? So you think, if you're compliant with the GDPR, then oh, we should be okay. No, there are certain things that you really need to take into consideration in order to be compliant with this Indian Act. If you're compliant with the GDPR, you're probably about 60 to 70 percent covered for the Indian Act. If you're compliant, we're talking about you'd have your ROPAs in place, you'd have your data protection policies in place, you'd have your DPIAs done, you'd have your data protection agreements in place, and so on. So you're already in a very good place. You'd have your security protections in place and so on. But there are a number of DPDP-specific gaps that should be anticipated. Organizations must assess digital-only scope. So again, it's not about paper-based personal data with the DPDP, it's digital personal data. So you'd have to look at that, you'd have to look at the territorial relationship of their processing activities, make sure that you have contracts in place and so on, and keep an eye on that blacklist, even though the blacklist hasn't been published yet. So if you're sending personal data outside of India, you would have to know exactly where you're sending that data. That would have to be done to ensure that if a blacklist is created, then you can very quickly either bring your data back into India or rest assured that your data is not in any of the countries that are blacklisted. So that would be something that you'd have to take into account. Again, looking at lawful bases, there's quite a significant difference there.
You can't rely on legitimate interest, so you'd have to look at your legal bases. The primary basis for data collection would be consent, so you no longer would have those six legal bases under Article 6, so you'd have to revise how you collect data and under what lawful basis you collect it. So that's another significant change. In terms of data protection rights, or data principal rights, I should say, the DPDP Act provides a more limited set of statutory rights than the GDPR, so existing GDPR-based procedures will often exceed the minimal legal threshold. So you have to decide: are we going to keep these rights, or are we going to have rights specific to the DPDP? You'd have to create a policy around that and decide what you're going to do in terms of data principal rights. Another thing you'd have to do is actually decide whether you are a significant data fiduciary. Again, that doesn't exist under the GDPR, but it's important to be able to identify whether you are or are not one of these, and then if you are, you'd have to look into what your obligations are under the DPDP Act to ensure compliance. So I think the main thing you should do, even if you are GDPR compliant, the first thing you should do is a gap analysis. Look at what you have in place for the GDPR, identify the gaps, get a plan in place and, like with the GDPR, start rolling it out and making sure that you're filling those gaps as you go forward. But rest assured that you're 60-70% there, so you're in a good place if you're already compliant with the GDPR. So we're finally at the last question, and this took a little bit longer than we anticipated. I thought it would take about 20 minutes, but it's taking a bit longer.
So, Katie, for the last question, what is the big takeaway for you regarding the difference between the DPDP Act of 2025, or 2023, sorry, and the GDPR?
SPEAKER_01: Okay, so I'd say in a nutshell, the GDPR is principle-based and rights-driven, with detailed obligations, strong independent DPAs and a long list of individual rights, and it's noteworthy that those DPAs are also in each individual member state within Europe. Whereas the DPDP Act is a more centralized legal framework, and it applies to a lot more individuals than the GDPR at the end of the day. It focuses on digital personal data. It does give a smaller bundle of rights, but I think that those rights are really meaningful, as we were saying earlier; they've just given a couple of tweaks here and there that we really like, like the nominations and in relation to children's rights. I think that just because there are fewer rights doesn't mean it has less protection for the individual. It leans hard on consent and legitimate uses, the central board is quite powerful, and it is enforcement focused, because the fines are not something to just be brushed off your shoulder.
SPEAKER_03: Absolutely, yeah.
SPEAKER_01: So basically, although you said you're 60 to 70 percent there, I still wouldn't treat them as the same thing at the end of the day. It has its own model; it's only inspired to a certain extent by the GDPR, it's not completely based off it.
SPEAKER_02: Yeah, I agree. And as well, I think a big takeaway that we have discussed throughout the podcast is that it has benefited from the fact that it is later than the GDPR. And, like you say, with those eight years of legal discussions and so on, it's quite a thoughtful Act, and there are a lot of good protections in there, not only for the data principals, but also for the data fiduciaries. So I think the balance is very, very good between obligations and rights, which is maybe where the GDPR needs to be revised slightly. Yeah.
SPEAKER_01: Yeah, there definitely are a few things we could take back today.
SPEAKER_02: Yeah, yeah, absolutely. Great. So I just want to wrap up here then. This completes our discussion, and it's the first in a series of podcasts that we'll be doing, looking at international data protection rights. So I hope you enjoyed the podcast, and hopefully very soon you'll see myself and Katie back again with the second episode in the series. So thank you very much for joining us, and have a great day.
SPEAKER_03: Bye.