Comparison of Digital Personal Data Protection Act, 2023 (DPDP Act) with GDPR, PDPA and HIPAA

The Digital Personal Data Protection Act, 2023 (DPDP Act) is an Indian law that regulates the governance of personal data collected by organizations, with the objective of providing standards for handling digital personal data in a way that respects both people's rights to privacy protection and the need to handle personal data legally. The DPDP Act prescribes penalties for non-compliance with its provisions, ranging from up to INR 10,000 to up to INR 250 Crores for different offences, depending on the nature and severity of the breach. The DPDP Act also prescribes duties for data principals, such as not impersonating another person, not suppressing material information, furnishing only verifiably authentic information and not making frivolous complaints. The DPDP Act lays down principles for data processing, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, accountability and security.

The General Data Protection Regulation 2018 (GDPR) is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR imposes administrative fines up to EUR 20 million or 4% of global annual turnover (whichever is higher) for non-compliance with its provisions. The GDPR prescribes rights for data subjects, such as the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability and right to object. The GDPR lays down principles for data processing, such as lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

The Personal Data Protection Act 2012 (PDPA) is a Singaporean law that establishes a baseline standard of data protection in Singapore for the private sector. The PDPA prescribes financial penalties up to SGD 1 million for non-compliance with its provisions. The PDPA prescribes rights for individuals, such as right of access, right to correction and right to withdraw consent. The PDPA lays down principles for data protection obligations of organizations: consent; purpose limitation; notification; access and correction; accuracy; protection; retention limitation; transfer limitation; openness; accountability; do not call registry.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA imposes civil monetary penalties up to USD 1.5 million per violation per year for non-compliance with its provisions. HIPAA prescribes rights for individuals, such as right of access, right to request amendment and right to an accounting of disclosures. HIPAA lays down standards for privacy of individually identifiable health information: notice of privacy practices; individual access; uses and disclosures with an opportunity to agree or object; uses and disclosures for which an authorization is required; uses and disclosures requiring an opportunity for the individual to agree or object; other requirements relating to uses and disclosures of protected health information.

Comparison of DPDP Act with GDPR, PDPA and HIPAA

Scope

DPDP Act: Applies to digital personal data collected online or offline and later digitized within or outside India, if it involves providing goods or services to data principals in India or profiling of such data principals.

GDPR: Applies to personal data processed by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not, and to personal data of data subjects who are in the EU processed by a controller or processor not established in the EU, where the processing activities are related to offering goods or services to EU citizens or monitoring their behavior within the EU.

PDPA: Applies to personal data collected, used or disclosed by organizations in Singapore, unless exempted by the PDPA or any other written law, and to personal data transferred outside Singapore, subject to certain conditions.

HIPAA: Applies to protected health information transmitted or maintained by covered entities and their business associates in the United States, unless exempted by HIPAA or any other federal law.

Data Protection Obligations

DPDP Act: The DPDP Act imposes nine data protection obligations on data fiduciaries (i.e., entities that determine the purpose and means of processing digital personal data): (1) fair and reasonable processing; (2) purpose limitation; (3) collection limitation; (4) lawfulness of processing; (5) notice; (6) data quality; (7) data storage limitation; (8) accountability; and (9) security safeguards.

GDPR: The GDPR imposes six data protection principles on controllers (i.e., entities that determine the purposes and means of processing personal data) and processors (i.e., entities that process personal data on behalf of controllers): (1) lawfulness, fairness and transparency; (2) purpose limitation; (3) data minimization; (4) accuracy; (5) storage limitation; and (6) integrity and confidentiality. In addition, controllers and processors must also comply with the principle of accountability.

PDPA: The PDPA imposes nine data protection obligations on organizations: (1) consent; (2) purpose limitation; (3) notification; (4) access and correction; (5) accuracy; (6) protection; (7) retention limitation; (8) transfer limitation; and (9) openness.

HIPAA: HIPAA imposes two sets of rules on covered entities and business associates. The Privacy Rule establishes standards for protecting individuals' medical records and other identifiable health information. It requires appropriate safeguards to ensure the privacy of personal health information and sets limits on how such information may be used or disclosed without patient authorization.

Principles

DPDP Act: Lays down principles for data processing, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, accountability and security.

GDPR: Lays down principles for data processing, such as lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

PDPA: Lays down principles for data protection obligations of organisations: consent; purpose limitation; notification; access and correction; accuracy; protection; retention limitation; transfer limitation; openness; accountability; do not call registry.

HIPAA: Lays down standards for privacy of individually identifiable health information: notice of privacy practices; individual access; uses and disclosures with an opportunity to agree or object; uses and disclosures for which an authorization is required; uses and disclosures requiring an opportunity for the individual to agree or object; other requirements relating to uses and disclosures of protected health information.

Duties and Rights

DPDP Act: Prescribes duties for data principals, such as not impersonating another person, not suppressing material information, furnishing only verifiably authentic information and not making frivolous complaints.

GDPR: Prescribes rights for data subjects, such as the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability and right to object.

PDPA: Prescribes rights for individuals, such as the right of access, right to correction and right to withdraw consent.

HIPAA: Prescribes rights for individuals, such as the right of access, right to request amendment and right to an accounting of disclosures.

Cross-border transfer of personal data

DPDP Act: Requires data fiduciaries to ensure that any transfer of personal data outside India is subject to adequate safeguards, such as standard contractual clauses, binding corporate rules, or other mechanisms approved by the Government of India. The DPDP Act also requires data fiduciaries to obtain explicit consent from data principals before transferring their sensitive personal data outside India.

GDPR: Prohibits the transfer of personal data outside the EU or EEA unless the recipient country ensures an adequate level of protection for personal data, or appropriate safeguards are in place, such as standard contractual clauses, binding corporate rules, or other mechanisms approved by the European Commission. The GDPR also prescribes rights for data subjects to obtain a copy of their personal data being transferred outside the EU or EEA.

PDPA: Requires organizations to ensure that any transfer of personal data outside Singapore is subject to appropriate safeguards, such as standard contractual clauses, binding corporate rules, or other mechanisms approved by the Personal Data Protection Commission. The PDPA also requires organizations to obtain consent from individuals before transferring their personal data outside Singapore.

HIPAA: Permits covered entities and business associates to transfer protected health information outside the United States if certain conditions are met, such as obtaining written assurances from the recipient that it will safeguard the information and complying with other requirements under HIPAA. HIPAA also prescribes rights for individuals to obtain a copy of their protected health information being transferred outside the United States.

Consent & Notice

DPDP Act: Requires data fiduciaries to obtain consent from data principals before processing their personal data. The DPDP Act also requires data fiduciaries to provide notice to data principals about the purpose, nature and categories of personal data being collected, the sources of such personal data, the recipients of such personal data, and the rights of data principals.

GDPR: Requires controllers to obtain freely given, specific, informed and unambiguous consent from data subjects before processing their personal data. The GDPR also requires controllers to provide notice to data subjects about the purpose, nature and categories of personal data being collected, the sources of such personal data, the recipients of such personal data, and the rights of data subjects. The GDPR also prescribes rights for data subjects to withdraw their consent at any time.

PDPA: Requires organizations to obtain consent from individuals before collecting, using or disclosing their personal data. The PDPA also requires organizations to provide notice to individuals about the purpose, nature and extent of personal data being collected, used or disclosed by them. The PDPA also prescribes rights for individuals to withdraw their consent at any time.

HIPAA: Requires covered entities to obtain written authorization from individuals before using or disclosing their protected health information for purposes other than treatment, payment or health care operations. HIPAA also requires covered entities to provide notice to individuals about their privacy practices and their rights under HIPAA. HIPAA also prescribes rights for individuals to request restrictions on uses and disclosures of their protected health information.

Data Protection Authority

DPDP Act: The DPDP Act contemplates the establishment of a Data Protection Board ("DPB") as an enforcement body, which will have powers, inter alia, to direct any urgent remedial or mitigation measures on receipt of intimation regarding a personal data breach, inquire into such a breach, impose penalties for non-compliance, inspect any document, and summon and enforce the attendance of any person.

GDPR: The European Data Protection Board (EDPB) is established under the GDPR as an independent European body composed of representatives of the national data protection authorities and the European Data Protection Supervisor. The EDPB ensures the consistent application of the GDPR throughout the EU and promotes cooperation among the national data protection authorities. The EDPB has powers to issue guidelines, recommendations and best practices, adopt binding decisions on disputes between national data protection authorities, and advise the European Commission on any matter related to the protection of personal data.

PDPA: The Personal Data Protection Commission (PDPC) is established under the PDPA as an independent statutory body responsible for administering and enforcing the PDPA. The PDPC has powers to issue directions, guidelines and codes of practice, conduct reviews and investigations, impose financial penalties and directions, and take any other action as may be necessary.

HIPAA: The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA’s Privacy Rule and Security Rule. The OCR has powers to investigate complaints, conduct compliance reviews, provide technical assistance and guidance, impose civil monetary penalties and corrective actions, and refer criminal cases to the Department of Justice.

Penalties

DPDP Act: Prescribes penalties for non-compliance with its provisions, ranging from up to INR 10,000 to up to INR 250 Crores for different offences, depending on the nature and severity of the breach.

GDPR: Prescribes administrative fines up to EUR 20 million or 4% of global annual turnover (whichever is higher) for non-compliance with its provisions.

PDPA: Prescribes financial penalties up to SGD 1 million for non-compliance with its provisions.

HIPAA: Prescribes civil monetary penalties up to USD 1.5 million per violation per year for non-compliance with its provisions.

Exemptions

DPDP Act: Exempts certain categories of data processing from its provisions, such as processing for national security, legal proceedings, research and archiving, journalistic purposes, and manual processing by small entities. The DPDP Act also does not apply to the processing of data for personal or domestic purposes, or to publicly available data.

GDPR: Does not apply to the processing of personal data by individuals for purely personal or household activities. The GDPR also exempts certain categories of data processing from its provisions, such as processing for national security, law enforcement, public health, scientific research and archiving.

PDPA: Exempts certain categories of data processing from its provisions, such as processing for personal or domestic purposes, journalistic purposes, artistic purposes, research and archiving. The PDPA also provides for certain exceptions to the consent requirement for specific purposes.

HIPAA: Does not apply to certain categories of entities that handle health information, such as life insurers, employers, workers' compensation carriers and most schools and school districts. HIPAA also provides for certain exceptions to the Privacy Rule for specific purposes.