00:06
Adam Stofsky
Hey, I'm here with Probir and Yajas from JSA India, and we're here talking about India's new privacy law, the DPD. And what I want to ask you guys is what are some key differences between the DPD and the privacy laws we all know and love at this point, particularly the GDPR, but also the CCPA and other major privacy laws? What are some key differences that make this law unique?
00:34
Probir Choudhury
Thanks, Adam. Thanks for having us on the platform. I think the first, and there is really a laundry list, but the first is data categorization. The DPD, which is India's law, it applies uniformly to all personal data. You know, the only exclusion is publicly available data. So that's. There is no special category of data, unlike GDPR, which, you know, recognizes special categories of data, such as race, ethnicity, political views, biometrics. So it really recognizes categories of data and gives that protection, whereas India's law doesn't really have that categorization. That would be the biggest sort of exception. And that's why it's important for companies operating in India to realize that this law is unique and different in that aspect. Because just because you are not collecting someone's race or biometric information, it doesn't mean the law doesn't apply to you.
01:32
Probir Choudhury
It applies to anything and all information collected about citizens of India.
01:37
Adam Stofsky
So does this mean that, like, all data gets, like, a heightened level of scrutiny or all data kind of gets a lower level of scrutiny, or is it. Or am I kind of misunderstanding how it works?
01:47
Probir Choudhury
No, it is that all data gets scrutinized irrespective of whether it's, you know, biometrics or whether it's something as simple as a residential address.
01:56
Adam Stofsky
Right.
01:57
Probir Choudhury
It could be your telephone number, it could be your email ID, it could be a birth date. So that's like the first. That's the first most important, and you just can sort of fill in on.
02:06
Yajas Setlur
Yeah, I think the second thing is definitely the sort of grounds for processing. GDPR has sort of very clearly established the. So has sort of gives companies broader and I guess, a wider range of legal basis or grounds to process data, you know, contractual necessity, legitimate interest. These are all things, I think, that we've all sort of now gotten used to hearing. But the Indian law has taken a slightly different approach. Our list is a lot narrower. It's a sort of consent-based framework. So the Indian lawmakers, in their wisdom, have felt that a data subject's consent is. Should be the most relevant consideration. And that sort of forms the lawful sort of basis for almost, I would say, 95% of all data processing that the government is trying to regulate.
02:59
Yajas Setlur
So it's a heavily consent-based framework, and there are only a few limited exceptions, which most companies in their general day-to-day operations are unlikely to be able to rely on.
03:13
Adam Stofsky
What's the, what's next? What's the third? What's the third?
03:17
Probir Choudhury
The types of actors, which is basically, in India, we call the controllers fiduciaries. And it's a very interesting concept because, you know, when you're supposed to be a fiduciary, you have the fiduciary obligation to take care of the data that you collect. So you have data fiduciaries who are basically data controllers and you have processors. And interestingly, the government has also come up with a category known as significant data fiduciaries, which would basically be any organization who is processing any specific type of data, which is sensitive, which is critical, which could have an impact on the economy, and what those criteria is or are, is going to be notified by the government subsequently. Now, in the GDPR, of course, you just have two simple concepts. You have the controller and the processor. And also very interesting that in India, the processor actually has no direct obligations.
04:16
Probir Choudhury
The primary focus and the obligation on how data is processed, collected, retained, everything is on the data fiduciary. So that's why it's important for an organization to realize what role they are playing in the ecosystem of this whole data collection and processing.
04:36
Adam Stofsky
I think that's, I kind of like fiduciary as a way of explaining what a sort of data controller is. I think it's interesting that three laws have three different concepts. You have fiduciary in India, you have controller in Europe, and you have company in the US, and under the CCPA, company versus service provider. I don't know. It's a cool way of thinking about it. Yeah, cool in a kind of nerdy way, I guess, if you know what I mean.
05:04
Probir Choudhury
Or some may actually say it's a bit dated because companies don't really look at it as a fiduciary obligation and duty to protect. But that's what the government's intention is. You have an obligation to protect my data. You know, that's why you're a fiduciary language.
05:21
Adam Stofsky
Yeah.
05:21
Probir Choudhury
You're safeguarding my data.
05:23
Adam Stofsky
I think it's very interesting.
05:25
Probir Choudhury
Yeah. I think safeguarding would probably lead to the next most important point, which is just on children's data.
05:30
Yajas Setlur
Exactly. Yeah. Which is how Indian law deals with children's data. And a couple of important sort of differences here is that one, in India, a child, under our law, a child is anybody who is below 18 years of age. And this sort of stems from our sort of British, the legacy that we have of the British Empire. So all our contract law, all our essentially common law principles treat anybody under 18 as a child. And so we're sort of continuing that trend with our data privacy laws. And I think your viewers know that under the GDPR, a child is essentially somebody below 13. So there's a huge gap there which companies need to think about. Companies that work outside India and process information belonging to teenagers will really have to rethink how they operate in India.
06:22
Adam Stofsky
Under COPPA as well in the US, if I recall.
06:26
Yajas Setlur
Absolutely. Absolutely, exactly. Absolutely. And the second thing is, what do they need to do with that data or how do they need to process it? In India, the collection and processing of any child's information requires the company to get verifiable parental consent. So again, you can see that consent is the sort of, is the fountain of all sort of rights and obligations. You need to be able to get parental or guardian consent. And not only do you need to get that consent, you have this higher threshold of that consent needing to be from the parent, and you need to be able to justify or verify that it is from the parent.
07:07
Adam Stofsky
And it's not just the kid and the faking the signature, but you're actually getting a verifiable parental consent for collection of data.
07:15
Yajas Setlur
That's right. And this is probably one of the aspects of our law which is the most contentious right now.
07:22
Adam Stofsky
Any other major differences if we hit the main ones?
07:25
Probir Choudhury
Yeah, I think just three more. One is on retention timeline. So unlike the GDPR, where the controller actually determines how long they are going to retain the data and they have to justify the period which they're retaining data. In India, the law says that the government or the lawmakers will come up with specific timelines and you can only retain data for that, you know, to be, again, waiting for the rules to be enacted. But again, you don't have the endless possibility of retaining data. It will be specified and you have to purge the data from there. I think the next two are really. You can talk about breach notification. That would be interesting.
08:08
Yajas Setlur
Sure. Yeah. Happy to. So breach notification requirements are another major sort of difference between the two. GDPR, of course, has, while it does require breaches, data breaches to be notified, there are thresholds, so trivial, non-significant breaches don't need to be reported and for the most part, reporting only needs to be made to the regulator. But under our Indian law, what the lawmakers have tried to do is to, in their effort to sort of simplify matters and keep the language very simple and light, they may have sort of gone overboard and undone some of the sort of good that GDPR did, which is under our law currently, any data breach needs to be reported to both the regulator as well as the data, each impacted data subject. There's no threshold for what a data breach is.
08:59
Yajas Setlur
So strictly speaking, even a trivial or insignificant data breach would need to be reported to the regulator and to the data subject. So lots of questions about how the regulator is going to be dealing with that many notifications and sort of reports. But this is not without precedent. India has had laws previously which have been drafted in a similar manner, so it's not surprising.
09:24
Adam Stofsky
Interesting. And there was one more. You said, right?
09:28
Yajas Setlur
That's right. The last one, I think, is cross border data flows, and I think, like Probir sort of hinted towards in the beginning of this conversation, cross border data is something that the Indian lawmakers have been grappling with. There have been rumors about data localization and what sort of the scope and extent of localization. It's really been a cause for concern for a lot of multinational companies. Well, the good news is we don't have localization anymore in the law. Sort of personal data can be freely transferred outside India generally, but the law says that the government is empowered to come up with a blacklist, which means that they can publish or notify a list of countries to which personal data cannot be transferred. And it seems to be a much simpler approach.
10:21
Yajas Setlur
The government is looking at this to try and simplify the rules around this. We'll have to see on what basis the government decides which jurisdictions are blacklisted, whether it's going to be a decision based purely on political tensions and geo sort of politics, or is it going to be some. Is it going to be a decision based on actual data protection, adequacy and in the interest of consumers, we'll really have to wait to tell.
10:47
Adam Stofsky
Wow, interesting. So Europe offers a standard for determining when you can just freely transfer data to a country, an adequacy decision, right?
10:57
Yajas Setlur
That's right. That's right. You have adequacy decisions and you have sort of the instruments through which you can transfer data to certain territory, to certain jurisdictions. You have your standard contractual flow clauses, you have other measures through which you can transfer data to certain countries. India doesn't seem to want to take that sort of an approach, and they're looking at this far more simplistic blacklist approach.
11:20
Adam Stofsky
Interesting sanction.
11:22
Probir Choudhury
Let's call it sanction.
11:23
Adam Stofsky
Sanction. Sorry, the data sanctions list. Yeah.
11:27
Yajas Setlur
Good.
11:27
Adam Stofsky
I like that. Wow. Thank you, guys. That was really substantive and interesting. You're going to be useful to a lot of people who are intending to or doing business in India. Thanks so much.
11:39
Probir Choudhury
Thanks for having us over.