Digital Law News

Discover the first newsletter dedicated to digital law authored by Elise Dufour, Partner, Joséphine Lenglart Frémont, Lawyer, and Valentin Mottelay, Lawyer at Bignon Lebray and Sangeeta Jhunjhunwala, Partner at Kgaitan Legal Associates.

Topic n°1: Main differences between Indian Digital Personal Data Protection Act and European GDPR:

Sangeeta Jhunjhunwala , Partner at Khaitan Legal and Associates summarized for us the main differences between  Indian Digital Personal Data Protection Act and European GDPR

On August 11, 2023, India notified the Digital Personal Data Protection Act, 2023 (“DPDP Act”).  After undergoing a development process from 2018, the DPDP Act incorporates several modifications in comparison to its preceding iterations and diverges from the European General Data Protection Regulation (“GDPR”) in specific facets. In this update, we analyze the key differences between the two landmark legislations.

 1. Territorial scope

The DPDP Act focuses on the processing of digital data within the territory India. If the processing carried out is in connection with any activity of offering goods or services to individuals within the territory of India, then the DPDP Act will apply even when the processing of digital personal data is done outside the territory of India.

Meanwhile, the GDPR covers people living in the EU and companies located outside the EU that provide products or services to EU citizens or observe their behavior. It also applies to the processing of personal data within the EU.

2.      No concept of special category personal data

While GDPR applies to any offline data which is part of a filing system, the DPDP Act restricts its applicability only to digital or digitized data. Moreover, unlike the GDPR, there are no special categories of personal data (in relation to racial/ethnic origin, political opinions, religious beliefs, sexual orientation, health data) in the DPDP Act…

3.      Data principals’ rights

Both frameworks recognize the need to give individuals control over their personal data. The GDPR grants the right to access by the data subject (individuals), the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability and the right to object. While the DPDP Act provides individuals a narrower set of rights, which includes the right to access information, the right to correction and erasure of personal data, and right of grievance redressal. The DPDP Act also expressly empowers individuals to nominate another person to exercise their rights on their behalf in the event of death or incapacity of the individual.

Another significantly distinctive aspect of the DPDP Act is the set of duties to be performed by individuals. These include compliance with all applicable laws when exercising their rights under the DPDP Act and refraining from registering false or frivolous grievances.

4.      Obligations of the data controller

In the GDPR, the data controller holds a detailed record of processing operations, shall take technical and organizational measures to ensure the security of processing, such as pseudonymization or encryption of data. He also shall notify the competent supervisory authority of any breach that may pose a risk to the rights and freedoms of individuals. He nominates a Data Protection Officer and shall respect and handle data subjects’ rights.

On the other hand, the DPDP Act not only requires data fiduciaries (regarded as data controllers under GDPR) to implement security safeguards to protect personal data in their possession or control, but also in respect of any processing carried out on their behalf by a data processor. The DPDP Act prescribes stricter breach reporting requirements, where a data fiduciary is obligated to notify all personal data breaches to the Data Protection Board and each affected individual.

Further, the DPDP Act creates a class of “significant data fiduciaries” based on the volume and sensitivity of personal data processed by the data fiduciary and tasks them will additional obligations to enable greater scrutiny of their practices, such as appointment of a Data Protection Officer and independent data auditor.  

5.      Transfer of data to other jurisdictions

The DPDP Act empowers the Indian Central Government to restrict the transfer of personal data to a country or territory outside India.

Under the GDPR however, permissibility of transfer of personal data ranges from free transferability to a country or an international organization covered by an adequacy decision, and conditional transfers (such as adopting standard contractual clauses), to limited permission to transfer under certain circumstances. While the GDPR contains broader and specific restrictions on cross-border transfer, as compared to the DPDP Act, supplementary rules may provide details on the cross-border data transfers under the DPDPA Act

6.      Consent of minors

The DPDP Act relies on the absolute age of 18 to give valid permission and must consider the graded approach used widely worldwide. Moreover, before an organization processes the personal data of a child, the organization must obtain “verifiable consent” of a child’s parent or lawful guardian.

The GDPR has chosen the graded approach too. The minimum age for legal consent in such circumstances ranges from 13 to 16 years, depending on the Member State.

7.      Data Protection Authorities

The DPDP Act provides for the creation of a Data Protection Board of India, which will be responsible for enforcing regulations and sanctions, and resolving complaints.

In contrast, the GDPR creates supervisory authorities in each EU member state, and the European Data Protection Board (EDPB) ensures that these authorities work together and are uniformly implemented.

8.      Penalties

The penalties for breaches and non-compliance under the DPDP Act do not take turnover into account, with the maximum penalty for various specified breaches by data fiduciaries ranging from INR 50 crores to INR 250 crores (approximately €5 million to €25 million). The DPDP Act does not provide for a maximum penalty that can be imposed on a data fiduciary in the event of multiple violations and instead provides penalties for each offense, which can then be aggregated to determine the maximum applicable penalty. The DPDP Act also prescribes a penalty of up to INR 10,000 (approximately €113) on individuals (data principals) for non-performance of their duties under the DPDP Act.

In summary, although the DPDP Act, in its current state, may not have the comprehensive scope of the GDPR, it does introduce significant deviations from the European regulation in specific areas. Consequently, organizations currently in compliance with the GDPR will need to carefully assess these deviations and establish a data protection framework that aligns with the rigorous provisions set forth in the DPDP Act.

Topic n°2: 25 million users ‘data stolen after LastPass breach


November 30, 2022: LastPass has informed its customers of another, far more serious security incident, which the company claims exploited data stolen in the August breach. The LastPass password management service revealed a breach in which hackers stole password vaults containing both encrypted and plaintext data for over 25 million users. Since then, a series of six-figure crypto-currency thefts targeting security-conscious individuals in the tech industry has led some security experts to conclude that crooks probably managed to open some of the stolen LastPass vaults

Investigation and revelations

Taylor Monahan, Senior Product Manager at MetaMask, a popular software crypto-currency wallet used to interact with the Ethereum blockchain, and other researchers have identified a set of highly reliable clues that they believe link the recent thefts suffered by over 150 people. Collectively, these people were robbed of crypto currencies worth over $35 million.

According to Mr. Bax, Director of Analytics at Unciphered, the only obvious commonality between the victims who agreed to be interviewed was that they had stored the boot phrases of their cryptocurrency wallets in LastPass.

Since 2018, LastPass has required a minimum of twelve characters for master passwords, which the company says,”significantly minimizes the possibility of brute-force password guessing”.

But Wladimir Palant, security researcher and developer behind the Adblock Plus browser plugin, said that while LastPass did improve its default master passwords in 2018, it didn’t force all existing customers with shorter master passwords to choose new credentials that would meet the 12-character minimum.

Palant believes that LastPass has also failed to upgrade many of its original customers to the more secure encryption protections that have been offered to new customers over the years. One of LastPass’ important parameters is the number of “iterations”, the number of times your master password is subjected to the company’s encryption routines. The higher the number of iterations, the longer it takes for an offline hacker to decipher your master password.

 Class action engaged!

A class action lawsuit was filed in the first week of January 2023 against LastPass following two breaches suffered by the software publisher in 2022. The case currently has over 100 members!

You know everything. 

See you soon! 🚀

⭐️ To access our content, you can join us on our Sharepoint: Our news Digital Law