Indian Data Protection Law vs. GDPR: Key Differences and Implications for International Businesses
On August 11, 2023, India enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”). In a rapidly expanding digital economy, the DPDPA matters to the many international businesses that operate in India, rely on Indian service providers, or are exploring opportunities in Indian markets.
The DPDPA replaces India’s fragmented patchwork of data protection and privacy provisions, which rested on a consent-centric approach backed by minimal penalties for non-compliance, and marks a pivotal shift in the country’s data protection landscape. Balancing the competing demands of safeguarding individual privacy and enabling data processing for legitimate business purposes had long been a pressing need; the DPDPA addresses it by establishing a comprehensive, globally aligned data protection regime. This article provides an overview of the DPDPA, compares it with the European Union’s General Data Protection Regulation (“GDPR”), and examines its implications for international businesses operating in India.
Background
Until 2023, data protection in India rested primarily on the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). These had notable limitations: the SPDI Rules bound only body corporates, covered only a narrow list of “sensitive personal data or information” (such as passwords, financial information, health records and biometrics), and offered only limited remedies. In an era of growing digital reliance, expanding international business and rising concern over personal data privacy, the enactment of the DPDPA is a much-needed development.
The foundation for a robust privacy framework was laid in 2017 by the landmark judgment in Justice K. S. Puttaswamy v. Union of India, AIR 2017 SC 4161, in which the Hon’ble Supreme Court of India recognized the right to privacy as a fundamental right flowing from the right to life and personal liberty under Article 21 of the Constitution. The decision underscored India’s need for a comprehensive data protection law.
Since 2018, the Indian government has worked toward a standalone data protection framework. Several drafts of the proposed bill were released over the years, culminating in the DPDPA. The Digital Personal Data Protection Bill, 2023 was passed by both the Lok Sabha and the Rajya Sabha, received the President’s assent, and was then published in the Gazette of India.
Similarities Between DPDPA and GDPR
The GDPR is one of the pioneering frameworks establishing the importance of individual privacy in an increasingly interconnected world. In the absence of a comparable comprehensive law in India, the DPDPA draws significant inspiration from the GDPR, leading to several parallels between the two regulations. The key similarities are set out below:
- Exclusion of Anonymized Data: Both laws exclude anonymized data from their scope. The GDPR states that it does not apply to data which no longer relates to an identifiable individual. The DPDPA’s definition of personal data likewise reaches only data about an individual who is identifiable by or in relation to that data, so data anonymized to the point that it no longer identifies anyone falls outside the Act.
- Processing data without consent in certain circumstances: The DPDPA allows data fiduciaries (the equivalent of data controllers) to process personal data without consent for a closed list of “legitimate uses,” such as employment-related purposes, responding to medical emergencies, compliance with law or court orders, and the delivery of state subsidies, benefits and services. The GDPR likewise permits processing on lawful bases other than consent, such as performance of a contract, compliance with a legal obligation, and the controller’s legitimate interests, subject to its other obligations.
- Quality of Consent: Consent remains a cornerstone of both frameworks. It must be free, specific, informed and unambiguous, given through a clear affirmative action, and limited to the stated purpose. Both laws place the burden of proving that valid consent was obtained on the data fiduciary/controller. The DPDPA goes further by requiring that the request for consent be made available in English or any of the languages listed in the Eighth Schedule to the Constitution, at the data principal’s option.
- Significant Data Fiduciary Designation: Like the GDPR, which attaches heavier obligations (such as appointing a Data Protection Officer) to controllers whose core activities involve large-scale or high-risk processing, the DPDPA lets the Central Government notify a data fiduciary as a “Significant Data Fiduciary” based on factors including the volume and sensitivity of the data it processes and the risk to data principals. That designation brings additional requirements: appointing a Data Protection Officer based in India, engaging an independent data auditor, and conducting periodic data protection impact assessments and audits.
Key differences between DPDPA and GDPR
While the DPDPA shares several foundational principles with the GDPR, it also presents distinct differences that reflect India’s unique regulatory approach.
| Aspect | DPDPA | GDPR |
|---|---|---|
| Data categorisation | Applies uniformly to all digital personal data, with no special categories; excludes personal data made publicly available by the data principal or under a legal obligation. | Applies to publicly available personal data and recognizes special categories of sensitive data (e.g., racial or ethnic origin, political opinions, health and biometric data) that are subject to stricter conditions. |
| Grounds for processing | Consent, or a closed list of “legitimate uses” (e.g., employment, medical emergencies, legal compliance, state benefits); there is no general “legitimate interests” ground. | Six lawful bases, including contract, legal obligation and the controller’s legitimate interests, alongside consent. |
| Types of actors | Data Fiduciaries, Significant Data Fiduciaries and Data Processors; processors carry no direct statutory obligations and are bound only through their contract with the fiduciary. | Controllers and Processors, with direct statutory obligations on Processors. |
| Applicability to offline data | Applies only to personal data in digital form, including data collected offline and later digitised. | Also covers manual processing of personal data that forms part of a structured filing system. |
| Children’s data | A child is anyone under 18; processing a child’s data requires verifiable consent of a parent or lawful guardian. | The digital consent age is 16 by default, which member states may lower to no less than 13; controllers must make reasonable efforts to verify parental consent. |
| Grievance redressal | Data principals must first exhaust the data fiduciary’s grievance mechanism before approaching the Data Protection Board. | Data subjects may complain directly to a supervisory authority or the courts without first approaching the controller. |
| Cross-border data transfer | Transfers are permitted by default; the Central Government may by notification restrict transfers to specified countries or territories (a negative list). | Transfers outside the EEA are permitted only to countries with an adequacy decision or under appropriate safeguards (e.g., standard contractual clauses, binding corporate rules), imposing stricter controls. |
| Data breach notification | Every personal data breach must be notified to the Data Protection Board and to each affected data principal, in the form and manner the Rules prescribe, regardless of severity. | The supervisory authority must be notified within 72 hours unless the breach is unlikely to result in a risk; affected individuals must be notified only when the breach is likely to result in a high risk to their rights and freedoms. |
| Data retention timelines | Personal data must be erased once its purpose is no longer served or consent is withdrawn, unless retention is required by law; the Rules may prescribe retention periods for specified classes of data fiduciaries. | Controllers set their own retention periods, subject to the storage limitation principle and the need to justify them. |
| Consent Managers | Introduces “Consent Managers,” registered with the Data Protection Board, through which data principals can give, manage, review and withdraw consent. | No equivalent provision. |
While inspired by global best practices, India’s data protection law incorporates several unique features. The use of the term “data fiduciary” emphasizes the trust-based relationship in handling personal data, while the role of “Consent Manager” empowers data principals to manage their consents effectively. These distinctive elements, combined with the broader framework of the DPDPA, will have far-reaching implications for international businesses operating in or engaging with India.
The DPDPA imposes new compliance obligations on companies: standards for data processing, additional duties for significant data fiduciaries, cross-border transfer restrictions, and enhanced breach notification. It also prescribes far higher penalties than earlier Indian law, up to INR 250 crore (INR 2.5 billion) per instance; the highest tier is reserved for failure to take reasonable security safeguards to prevent a personal data breach. These fines are penal rather than compensatory and are credited to the Consolidated Fund of India. The Act also provides for alternative dispute resolution, including mediation, proceedings conducted electronically, and voluntary undertakings by data fiduciaries. Where a data fiduciary has been penalised on two or more occasions, the Central Government may, on a reference from the Data Protection Board, direct that public access to the fiduciary’s services be blocked.
Subsequently, on January 3, 2025, nearly seventeen months after the Act was enacted, the Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Rules, 2025. The draft proposes a phased implementation: the rules relating to the Data Protection Board (Rules 16 to 20) would take effect on publication, while the remaining rules, covering notice requirements, consent manager functions and government access to data among other matters, would come into force on dates notified later.
As businesses navigate the evolving landscape of data privacy in India, compliance with the DPDPA’s requirements will be mandatory to ensure continued market access. This transformative regulation marks a significant step in India’s data governance journey, reinforcing privacy as a fundamental right while balancing economic and technological considerations.
Authored by:
Adv. Anukriti
SUO Law Offices