- Introduction
India is undergoing significant transformation with the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA). To comprehensively gauge the significance of the DPDPA, it is essential to compare it against two influential global counterparts: the European Union General Data Protection Regulation (EUGDPR), which came into effect in 2018, and Singapore’s Personal Data Protection Act, 2012 (PDPA). While these regulations share common objectives, they also carry distinctive features borne from their respective socio-economic contexts, making such a comparative analysis indispensable for understanding the dynamics of data protection in an increasingly interconnected world.
To better understand the implications of India’s Digital Personal Data Protection Act, 2023 (DPDPA) in a global context, this article begins by examining the concept of voluntary provision and deemed consent, followed by the significance of business contact information. The article then addresses the pressing issue of illegal data scraping and its impact on data protection. Further, it explores the right to erasure as a crucial aspect of data privacy rights. Lastly, the article delves into the concept of the specific-purpose-based consent provision.
It is important to note that this article does not delve into the DPDPA Rules 2025, as they remain in draft form and are yet to be finalised.
- Voluntary Provision/ Deemed Consent
Under India’s DPDPA, a Data Fiduciary is permitted to process the personal data of a Data Principal only for the specific purpose for which the Data Principal has voluntarily provided consent and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data[1].
This notion of “voluntarily” providing one’s personal data can be compared with the concept of “deemed consent by conduct” found in the Singapore Personal Data Protection Act (“the Singapore PDPA”). In Singapore, an individual is considered to have consented to the use or disclosure of their personal data if they voluntarily provide their personal data[2].
- Business Contact Information
India’s DPDPA[3] requires that a Data Fiduciary must publish the business contact information of a Data Processor. However, the phrase “business contact information” remains undefined.
Singapore’s PDPA defines “business contact information” as an individual’s name, title, business telephone number, business electronic address or fax number and any other similar information about the individual not provided solely for personal purposes[4].
The Indian legislature can choose to fill this gap by referring to the wider definition provided in the Singapore PDPA.
- Illegal Data Scraping/ Publicly Available Data
The DPDPA does not apply to personal data that is made public. However, it includes an illustration concerning publication of personal data on social media platforms. It is essential to note that data available on social media platforms is often prone to data scraping, a technique used by software to extract publicly available information from online sources.
To combat this issue, on August 24th, 2023, twelve (12) international data protection and privacy regulators issued a joint statement[5] regarding their “global expectations for social media platforms and other sites to safeguard unlawful data scraping”. The statement serves as a call to action for Social Media Companies (SMCs) to address this rising concern and sets out standards that SMCs should adhere to.
The joint statement recommends establishing teams to detect, monitor and address data scraping activities while blocking suspicious IP addresses.
- Right to erasure/ Right to be Forgotten
Under India’s DPDPA, a Data Principal has rights regarding correction, completion, updating, and erasure of her personal data for which she has previously given consent[6].
In the year 2019, the Delhi High Court, in Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Ltd.[7], ordered the Defendants to remove the articles written against the Plaintiff on their website (www.quint.com). These articles were based on harassment complaints levelled during the MeToo movement. Here, the court recognized that the “Right to be Forgotten” is an inherent aspect of the fundamental right to privacy.
The “Right to be Forgotten” is deeply rooted in the principles of the EUGDPR[8]. In 1995, the European Council enacted a directive aimed at protecting individuals concerning the processing of personal data and ensuring the free movement of such data. This foundational directive laid the groundwork for subsequent legal interpretations.
A pivotal case in this context is Google Spain SL v. Agencia Española de Protección de Datos[9], in which the EU Court of Justice (CJEU) interpreted the directive as establishing a presumption requiring internet search engines to delete hyperlinks to personal information upon request from a data subject[10]. This case originated when a Spanish citizen, Mario Costeja González, filed a complaint with the Spanish Data Protection Agency against Google Spain (SL) and Google Inc. He argued that searching for his name on Google revealed information about a foreclosure auction of his home, even though the legal proceedings had been resolved. He requested removal of his name from Google’s search results.
During the stage of appeal, several questions were referred to the CJEU for interpretation of this directive. The Court concluded that internet search engines primarily act as Data Controllers, because they determine how the personal data is processed, including how it is collected, organised and displayed in search results. While they may also perform functions typical of Data Processors when handling data on behalf of other entities, their key role in this context is that of Data Controller[11]. As a result, the Court directed Google to comply with this Directive[12]. Thus, by establishing Google as a Data Controller, the ruling holds the company accountable for its handling of personal data. This means that individuals have the right to request the removal of links to their personal information, reinforcing the concept of the “Right to be Forgotten.” This legal accountability is vital for protecting individuals’ privacy rights in the digital age.
This ruling emphasises the responsibilities of search engine operators under EU data protection laws, particularly regarding their role in processing personal data responsibly and adhering to requests for data removal from individuals.
- Purpose Based Consent/ Specific Consent
India’s DPDPA stipulates that consent provided by a Data Principal is limited only to that specific purpose for which it is sought by the Data Fiduciary[13].
A similar concept of specific consent is found in the EUGDPR, where the CJEU, in one of its judgments[14], declared that consent “must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes[15]”. In the context of this judgment, the CJEU concluded that if a user selects the participation button for promotional activities, it does not imply consent for the sharing of their data with commercial partners or for other marketing purposes.
In other words, every consent sought from users should only be used for that specific purpose for which it is sought and not for any other purpose.
- Conclusion
India’s Digital Personal Data Protection Act, 2023 (DPDPA) is poised to significantly impact the data privacy landscape within the country. As demonstrated in this comparative analysis with the European Union’s GDPR and Singapore’s PDPA, the DPDPA shares common principles with these global counterparts, such as voluntary consent and specific consent for data processing, while also featuring distinct nuances, like undefined terms such as “business contact information” and its approach toward publicly available data.
One notable aspect is the DPDPA’s stance on data scraping, a growing concern in today’s digital age. While it currently excludes publicly available data from its purview, it is expected that incoming rules and regulations will address this issue more comprehensively.
Furthermore, the DPDPA recognizes the “Right to be Forgotten,” drawing parallels with EUGDPR principles that safeguard individuals’ privacy rights.
Lastly, the emphasis on specific consent underscores transparent and ethical practices for businesses handling personal data. This principle resonates with the EUGDPR’s requirement for consent to be specific, ensuring that data is used only for its intended purpose.
With the draft rules for India’s DPDPA now released, though not yet final, the regulatory landscape is beginning to take shape. It will be important to observe how the framework continues to evolve and address these key nuances, particularly in light of global benchmarks in data protection such as the EUGDPR and Singapore’s PDPA.
[1] See, Section 7(a) of DPDPA.
[2] See, Section 15(1) of Singapore PDPA.
[3] See, Section 8(9) of DPDPA.
[4] See, Section 2 of the Singapore PDPA.
[5] https://ico.org.uk/media/about-the-ico/documents/4026232/joint-statement-data-scraping-202308.pdf
[6] Section 12 of India’s DPDPA.
[7] 2019 SCC OnLine Del 8494
[8] See, Article 17.
[9] Case C-131/12.
[10] Data Subject is a person to whom the data relates. Under India’s DPDPA, Data Fiduciary has the same meaning as a Data Subject.
[11] Data Controller is equivalent to a Data Fiduciary under India’s DPDPA.
[12] For a critical analysis of this judgment refer to, https://harvardlawreview.org/print/vol-128/google-spain-sl-v-agencia-espanola-de-proteccion-de-datos/
[13] Section 6(1) of India’s DPDPA.
[14] Case C-673/17 Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.
[15] See, Para 58.