INDIA'S DPDP ACT, 2023 VS. EU'S GDPR: KEY DIFFERENCES & SIMILARITIES

RAHUL Y – FINAL YEAR OF B.C.A LLB (HONS)

THE TAMIL NADU DR AMBEDKAR LAW UNIVERSITY

1. ABSTRACT

The European Union’s General Data Protection Regulation (GDPR), adopted in 2016 and applicable since May 2018, has long stood as the global benchmark for personal data governance, influencing regulatory frameworks far beyond European borders. In 2023, India joined this evolving global landscape with the Digital Personal Data Protection Act (DPDP Act), a comprehensive attempt to balance individual rights with business compliance and state sovereignty. While both laws are grounded in shared privacy principles such as purpose limitation, accountability, transparency, and the protection of individual rights, the DPDP Act reflects India’s specific socio-political context and digital-first economy. Unlike the GDPR, which reaches personal data held in any medium, the DPDP Act restricts itself to digital personal data and excludes data that the individual has made publicly available, marking a narrower ambit of regulation. Another crucial difference lies in the legal bases for processing: the GDPR allows multiple justifications such as legitimate interest, contractual necessity, and legal obligation, whereas the DPDP Act is markedly consent-centric, pushing organizations to adopt stricter user consent models. Rights of individuals also diverge: the GDPR grants broad powers such as data portability, objection to processing, and protection against solely automated decision-making, while the DPDP Act prioritizes grievance redressal, nomination rights, and simplified consent withdrawal, aligning more with the realities of India’s governance structure. Cross-border transfer frameworks further reflect the contrasting philosophies: the GDPR’s adequacy-based system is rigorous and assessment-heavy, while India permits transfers by default unless the Central Government restricts a particular jurisdiction. Enforcement mechanisms are another area of divergence: GDPR fines can reach 4% of global annual turnover, while the DPDP Act caps penalties at ₹250 crore per contravention and, unusually, imposes duties on individuals themselves.
For multinational corporations, the DPDP presents new compliance challenges in age gating, language localization, and the absence of legitimate interest as a processing ground. Overall, the GDPR emphasizes harmonization and private-sector accountability, while the DPDP underscores sovereign control, accessibility, and digital governance. The trajectory of both laws highlights a growing convergence of global privacy standards, yet their divergences illuminate how cultural, political, and economic factors shape the architecture of data protection regimes.

Keywords

  1. Consent-Centric Regulation – Refers to India’s DPDP Act prioritizing user consent as the main legal basis for data processing, unlike GDPR’s broader bases that include legitimate interest and contractual necessity.
  2. Digital-Only Scope – The DPDP applies only to digital personal data, marking a narrower scope than GDPR which also covers offline and non-digital records.
  3. Significant Data Fiduciary (SDF) – A category under the DPDP Act for data fiduciaries (the DPDP equivalent of GDPR controllers) notified by the Central Government on the basis of the volume and sensitivity of data processed and the risk their processing poses; SDFs must meet enhanced obligations such as appointing a Data Protection Officer, undergoing independent audits, and conducting Data Protection Impact Assessments.
  4. Cross-Border Data Transfers – The frameworks for moving data across national boundaries, where GDPR requires adequacy or safeguards, while DPDP allows transfers by default unless restricted by the government.

2. INTRODUCTION

Data protection has emerged as one of the defining policy debates of the 21st century, balancing the imperatives of innovation, governance, and individual autonomy. The European Union’s GDPR, which became applicable on 25 May 2018, built on the EU Charter of Fundamental Rights’ recognition of data protection as a fundamental right and replaced the 1995 Data Protection Directive with a single, directly applicable regulation enforced in harmonized fashion across member states. It has since served as the global reference point for designing privacy regimes. India, with its massive digital population and growing technological ecosystem, entered this field in August 2023 with the Digital Personal Data Protection Act (DPDP Act), whose provisions take effect on dates notified by the Central Government. The Indian law signifies both convergence with global norms and departures reflecting national priorities. A comparative analysis of the GDPR and the DPDP Act offers insight into how jurisdictions adapt data governance to their own contexts while aligning with a broader global movement toward protecting personal information.

3. SCOPE AND APPLICABILITY

The GDPR casts a wide net. It covers personal data processed by automated means and, for non-digital data, any personal data that forms part of a structured filing system, so paper records and forms fall within its reach as long as they are organized for retrieval. The GDPR’s extraterritorial scope is among its most influential aspects: it applies to controllers and processors outside the EU whenever they offer goods or services to data subjects in the Union or monitor their behaviour there. India’s DPDP Act, while also extraterritorial (it reaches processing outside India connected with offering goods or services to data principals within India), is more limited in scope. It applies only to digital personal data, including data collected offline and subsequently digitized. Personal data that the data principal has made publicly available, or that any other person has made publicly available under a legal obligation, is expressly excluded, reflecting an approach tailored to India’s social and administrative realities. This narrower scope reduces compliance obligations in certain areas but raises the question of whether purely offline records, still significant in India’s governance landscape, receive sufficient protection. The difference in scope underscores the DPDP Act’s emphasis on regulating India’s growing digital economy, while the GDPR seeks comprehensive coverage of personal information regardless of medium.

4. DEFINITIONS AND CATEGORIZATION OF DATA

One of the GDPR’s distinctive features is its categorization of data. It distinguishes general personal data from special categories that require heightened protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, and data concerning sex life or sexual orientation. The GDPR also subjects the processing of criminal conviction and offence data to specific safeguards. By contrast, the DPDP Act adopts a uniform approach: all digital personal data is treated alike, with no separate category of sensitive personal data. (Sensitivity is not entirely absent from the Act; the volume and sensitivity of data processed are among the factors the Central Government may consider when designating a Significant Data Fiduciary, but this raises obligations on the organization rather than on the data itself.) The uniform approach may simplify compliance, since organizations need not implement graduated safeguards by data type. However, the absence of special categories may also reduce protection for information that is inherently more vulnerable to misuse, such as health or biometric data. This reflects a policy trade-off between regulatory simplicity and substantive protection, setting the GDPR’s granular approach against the DPDP Act’s streamlined model.

5. LEGAL BASES FOR PROCESSING

The foundation of any data protection regime lies in determining the conditions under which personal data can be processed. The GDPR provides six lawful bases: consent, contractual necessity, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest or in the exercise of official authority, and the legitimate interests of the controller or a third party (balanced against the data subject’s rights). This menu allows organizations significant flexibility in justifying processing while still maintaining accountability to data subjects. By contrast, the DPDP Act is primarily consent-driven. Consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose, a high standard for organizations to meet. While the Act recognizes certain legitimate uses that do not require consent, such as data voluntarily provided by the individual for a specified purpose, performance of State functions, compliance with law or court orders, medical emergencies and epidemics, and employment-related purposes, it notably omits contractual necessity and legitimate interest as standalone bases. This omission has profound implications: processing that a business might lawfully justify under the GDPR’s legitimate interest basis must in India either be discontinued, fitted within one of the enumerated legitimate uses, or restructured around consent. Thus the DPDP Act represents a more restrictive, individual-empowering regime, while the GDPR balances individual control with organizational flexibility.

6. RIGHTS OF INDIVIDUALS

Individual rights stand at the heart of both the GDPR and the DPDP Act, but they diverge in scope and emphasis. The GDPR grants a wide range of rights, including access, rectification, erasure, restriction of processing, portability, objection to processing, and the right not to be subject to decisions based solely on automated processing. Portability and objection in particular empower individuals to control how their information is shared and used in digital ecosystems. The DPDP Act grants core rights of access, correction, erasure, and withdrawal of consent, with the access and correction rights framed around data processed on the basis of consent or voluntary provision; it does not provide for portability, objection, or protection against automated decision-making. Instead, it emphasizes practical grievance redressal, mandating that data fiduciaries establish timely complaint mechanisms, which a data principal must exhaust before approaching the Data Protection Board. Distinctively, it gives individuals the right to nominate another person to exercise their rights in the event of death or incapacity. This approach reflects India’s prioritization of accessible remedies and pragmatic governance over expansive but complex entitlements. The GDPR’s rights framework is broader and future-proofed for digital autonomy, while the DPDP Act focuses on usability and alignment with Indian socio-legal contexts.

7. CHILDREN’S DATA

The treatment of children’s data is another area where the two frameworks diverge significantly. Under the GDPR, where consent is the legal basis for offering information society services directly to a child, the child must be at least 16, though member states may lower the threshold to no less than 13; below that age, consent must be given or authorized by the holder of parental responsibility. The GDPR’s recitals caution against profiling and marketing directed at children, and children are singled out for specific protection, but the Regulation contains no categorical ban on such practices. The DPDP Act takes a stricter position: it sets the threshold uniformly at 18 years and mandates verifiable parental consent before processing any child’s personal data. Moreover, it prohibits tracking, behavioural monitoring, and targeted advertising directed at children, as well as any processing likely to cause a detrimental effect on a child’s well-being, subject to exemptions the Central Government may notify for particular classes of fiduciaries or purposes. This creates a much higher compliance burden for organizations operating in India, requiring stricter parental verification mechanisms and the avoidance of entire categories of digital marketing practice. India’s higher threshold reflects its protective stance toward minors but may also restrict innovation in youth-oriented services compared to the EU’s more flexible regime.

8. DATA FIDUCIARIES, PROCESSORS, AND THE CONCEPT OF SDFS

The GDPR distinguishes between controllers, who determine the purposes and means of processing, and processors, who process on behalf of controllers. Both bear direct statutory obligations and can be fined. Public authorities, and organizations whose core activities involve large-scale regular monitoring or large-scale processing of special categories of data, must appoint a Data Protection Officer, and high-risk processing triggers a Data Protection Impact Assessment. The DPDP Act mirrors the distinction with data fiduciaries and data processors, but places obligations almost entirely on the fiduciary, who remains responsible for compliance and governs processors by contract. It then introduces the category of Significant Data Fiduciaries (SDFs), which the Central Government may notify on the basis of factors such as the volume and sensitivity of data processed, the risk to data principals’ rights, and potential impact on the sovereignty, security, or electoral democracy of India. SDFs must comply with enhanced responsibilities, including appointing a Data Protection Officer based in India, appointing an independent data auditor, and carrying out periodic audits and Data Protection Impact Assessments. This categorization reflects India’s risk-based approach, in which heavier obligations attach to the size and influence of a fiduciary rather than being imposed uniformly on all entities.

9. CONSENT MANAGERS: A DISTINCTIVE INDIAN FEATURE

One of the most novel contributions of the DPDP Act is the creation of Consent Managers. These are entities registered with the Data Protection Board that act as a single point of contact, enabling individuals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform, while being accountable to the data principal. This mechanism reflects India’s emphasis on accessibility and digital inclusivity, particularly given its multilingual and diverse population. The GDPR, while rigorous in its consent framework, does not institutionalize such intermediaries. Consent Managers represent a distinctively Indian attempt to make privacy rights operational and practical, especially for populations with varying levels of digital literacy.

10. TRANSPARENCY AND NOTICE OBLIGATIONS

Transparency is a cornerstone of both laws, but their requirements differ in scope. The GDPR mandates detailed notices at or before the point of collection, covering the controller’s identity, processing purposes and legal bases, data categories, recipients, retention periods, transfer mechanisms, data subject rights, and the existence of automated decision-making. The DPDP Act simplifies the notice to three essentials (the personal data and the purpose of processing, how to exercise rights and withdraw consent, and how to complain to the Data Protection Board) but requires that the data principal be able to access it in English or any of the 22 languages listed in the Eighth Schedule to the Constitution. The multilingual requirement reflects India’s linguistic diversity and ensures that privacy information is not confined to English-speaking populations. While the GDPR’s model maximizes comprehensiveness, the DPDP Act prioritizes inclusivity and accessibility, embodying two different strategies for ensuring transparency.

11. DATA BREACH NOTIFICATIONS

Under the GDPR, a controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; affected individuals must be informed without undue delay only where the breach is likely to result in a high risk. Notification is therefore risk-based and proportionate. In contrast, the DPDP Act requires a data fiduciary to notify both the Data Protection Board and each affected data principal of any personal data breach, regardless of its magnitude or risk level. The Act itself sets no timeline, leaving the form and timing of notification to rules made under it. This creates a stricter but less precise framework, requiring organizations to prepare for blanket disclosure obligations while tracking the rules for the applicable deadline.

12. CROSS-BORDER DATA TRANSFERS

Perhaps the most striking difference lies in cross-border transfer frameworks. The GDPR permits transfers outside the EEA only to countries the European Commission has deemed “adequate”, or under appropriate safeguards such as Standard Contractual Clauses and Binding Corporate Rules, with narrow derogations for specific situations such as explicit consent or contractual necessity. This creates a heavily scrutinized and harmonized system, though it is often criticized as rigid and bureaucratic. India’s DPDP Act, on the other hand, adopts a default-permissive approach: transfers are allowed to any jurisdiction except those the Central Government restricts by notification. The Act also preserves any stricter localization or transfer restriction imposed by other Indian law, so sector-specific rules continue to apply. This reflects India’s sovereign and flexible approach, giving the state discretion to shape data flows according to national interest rather than pre-established adequacy criteria. While this may ease business operations in the short term, it also creates uncertainty, since a jurisdiction that is open today could be restricted by a future notification.

13. PRIVACY-BY-DESIGN AND IMPACT ASSESSMENTS

Both the GDPR and the DPDP Act recognize the importance of embedding privacy considerations into the design of systems and processes. The GDPR imposes data protection by design and by default on all controllers, requiring data protection principles to be considered at every stage of processing, and mandates Data Protection Impact Assessments for high-risk processing. The DPDP Act requires every data fiduciary to implement reasonable security safeguards to prevent personal data breaches and to erase data once its purpose is served, but mandates DPIAs and audits only for Significant Data Fiduciaries. This tiered approach reduces compliance burdens on smaller entities but may leave gaps in broader privacy integration compared to the GDPR’s universal standard.

14. ENFORCEMENT AND PENALTIES

Enforcement under the GDPR is decentralized but coordinated: national supervisory authorities oversee compliance in their member states, with the European Data Protection Board ensuring consistency. Penalties are significant, reaching €20 million or 4% of annual global turnover, whichever is higher, for the most serious infringements. The DPDP Act creates a single adjudicatory body, the Data Protection Board of India, with appeals lying to the Telecom Disputes Settlement and Appellate Tribunal; penalties are set out in the Act’s Schedule, with a maximum of ₹250 crore (roughly €28 million) for failure to implement reasonable security safeguards. Unlike the GDPR, whose fines are directed at controllers and processors, the DPDP Act also imposes duties on data principals, including a prohibition on false or frivolous complaints, breach of which attracts a penalty of up to ₹10,000. The inclusion of data principal duties reflects India’s concern with regulatory efficiency and with preventing misuse of grievance mechanisms. While the GDPR enforces with greater financial stakes, the DPDP Act blends organizational accountability with citizen duties, embodying a distinctive governance philosophy.

15. INTEROPERABILITY AND COMPLIANCE CHALLENGES FOR BUSINESSES

For global corporations, the divergence between the GDPR and the DPDP Act introduces significant compliance challenges. Systems designed for the GDPR may require re-engineering to align with the DPDP Act’s consent-centric model, its lack of a legitimate interest basis, its higher age threshold for children’s consent, and its risk-agnostic breach notification duty. Privacy notices will need localization into Indian languages, and grievance redressal mechanisms must meet the DPDP Act’s standards for timely response. At the same time, businesses can build on their GDPR compliance infrastructure, given the shared emphasis on accountability, data minimization, purpose limitation, and privacy-by-design. The interplay of convergence and divergence calls for adaptive compliance strategies in multinational operations.

16. INTERGOVERNMENTAL COOPERATION AND FUTURE PROSPECTS

The global convergence of data protection principles has spurred discussions of interoperability between frameworks. The EU–India Trade & Technology Council has indicated the possibility of “partial adequacy” for simplifying data transfers between the two regions. While not yet operational, such moves suggest a future trajectory of greater alignment. The challenge will lie in reconciling GDPR’s harmonized adequacy system with DPDP’s government-driven approach to cross-border transfers.

17. CONCLUSION

The GDPR and DPDP Act share a common philosophical foundation: protecting individuals by regulating how organizations process personal data. Both emphasize principles of purpose limitation, accuracy, accountability, and transparency. Yet, their divergences reflect the socio-political contexts in which they operate. GDPR is expansive, harmonized, and flexible in its legal bases, reflecting Europe’s emphasis on individual rights balanced with business viability. DPDP, in contrast, is narrower in scope but stricter in consent requirements, more protective of children, more accessible in language, and more sovereign in its approach to data flows. It is also unique in creating Consent Managers and imposing duties on individuals. For global businesses, GDPR may offer more operational flexibility, while DPDP demands adaptation to India’s regulatory and cultural landscape. As data protection regimes continue to evolve globally, these two models demonstrate how common principles can produce distinct frameworks shaped by local priorities.

