HYDERABAD: When it comes to user data protection in India, there exists only the IT Act 2000 that provides any semblance of data protection. A brief comparison of the General Data Protection Regulation (GDPR) and India’s IT Act shows that though both laws are intended to govern data transfer for electronic commerce, the Indian IT law is in need of a dire upgrade.
The objective of both the laws is similar. However, GDPR specifically provides protection to users’ rights upon data processing, finds a study titled “GDPR and India” by Aditi Chaturvedi for The Centre for Internet and Society-India under creative commons. The laws are meant to ensure collection of data by anyone for lawful purposes and only necessary data should be collected for the specified purpose. The IT Act, however, does not have any regulations meant for data processing. The principles given in GDPR are more detailed as it gives the user control over their data. Both laws require companies to take user consent as a prerequisite for data collection and processing, but the IT Act does not have a provision that deals with the lawfulness of data processing in India.
The GDPR lists five additional conditions on the necessity of processing data and also confers upon fellow EU members the power to introduce specific requirements for processing. Similar conditions are not mandated under the IT Act. The IT Act does not define consent nor does it take into account the consent of children using the internet.
When it comes to rights of users, the IT Act has some rules that are loosely similar to rights granted under GDPR. But it has no reference to other user rights. GDPR has detailed the user rights under these sections.GDPR aims to bring more accountability among firms handling user data by appointing a data security officer, conducting privacy impact assessment and maintenance of records.