How Does India’s DPDP Act Differ from the GDPR?

GDPR has a wider scope and covers both digital and offline data, while the DPDP Act applies only to digital personal data.

In today’s digital world, personal data has become highly important. To protect people’s information, governments around the world have introduced data protection laws. These laws ensure that personal data is handled safely. Two major data protection laws are the General Data Protection Regulation (GDPR) of the European Union and India’s Digital Personal Data Protection Act, 2023 (DPDP Act). Although both laws aim to protect people’s privacy and personal information, they differ in scope, approach, level of detail, and enforcement mechanisms.

Overview of the European Union’s GDPR

The GDPR came into effect in May 2018 and applies to all European Union countries. It is considered one of the strongest data protection laws in the world. GDPR mainly focuses on the following points:

  • Giving people strong control over their personal information
  • Clearly defining what organizations must do when handling personal data
  • Making organizations transparent and accountable in the way they use data
  • Applying even to companies outside the EU if they handle the data of people living in the EU

Overall, GDPR aims to give individuals more control over their personal information and ensure organizations handle data responsibly.

Overview of India’s DPDP Act

India’s Digital Personal Data Protection Act was passed in 2023. It is India’s first complete law that focuses on protecting personal data. The DPDP Act mainly aims to:

  • Protect personal data that is collected or used in digital form
  • Make it easier for businesses to follow data protection rules
  • Balance people’s privacy with innovation and effective governance
  • Create a practical and India-specific data protection system

Overall, the DPDP Act is designed to protect people’s digital personal data while supporting business growth and development.

Applicability and Scope

GDPR

GDPR applies to:

  • Organizations that are based in the European Union
  • Organizations outside the EU that offer goods or services to people living in the EU
  • Organizations that track or monitor the behavior of individuals in the EU

GDPR covers both digital data and paper-based personal data, as long as the data is organized in a structured filing system.

DPDP Act

The DPDP Act applies to:

  • Processing of personal data in digital form within India
  • Organizations outside India that process digital personal data of people in India to provide goods or services

Unlike GDPR, the DPDP Act does not apply to offline or paper-based personal data.

Key Difference

GDPR has a wider scope and covers both digital and offline data, while the DPDP Act applies only to digital personal data.

Terminology: GDPR Term vs DPDP Act Term

  GDPR Term               DPDP Act Term
  Data Subject            Data Principal
  Data Controller         Data Fiduciary
  Data Processor          Data Processor
  Supervisory Authority   Data Protection Board

While the terms used under GDPR and the DPDP Act are different, they generally refer to similar roles and responsibilities in data protection.

Legal Basis for Processing

GDPR

Article 5 of the GDPR lists the following seven principles for the processing of personal data:

  • Lawfulness, fairness and transparency
    1. Notice
    2. Choice
    3. Consent
  • Purpose Limitation
  • Data Minimization
  • Accuracy
  • Storage Limitation
  • Integrity and Confidentiality
  • Accountability

Alongside these principles, GDPR (Article 6) sets out six legal bases for processing, such as consent, contract and legal obligation. Organizations can choose the most suitable legal basis depending on the purpose of processing.

DPDP Act

The DPDP Act mainly allows processing based on:

  • Consent
  • Certain “legitimate uses” (such as employment purposes, legal requirements, or medical emergencies)

The DPDP Act provides fewer legal grounds compared to the GDPR.

Key Difference:

GDPR gives organizations more options and flexibility through multiple legal bases, while the DPDP Act mainly focuses on consent, with limited additional uses allowed.

Consent Requirements

GDPR

Under GDPR, consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Withdrawable at any time

For sensitive personal data, explicit consent is required.

DPDP Act

Under the DPDP Act, consent must be:

  • Free
  • Specific
  • Informed
  • Unambiguous
  • Given through a clear positive action (such as clicking “I agree”)

The DPDP Act strongly focuses on giving consent notices in simple and clear language that people can easily understand.

Key Difference:

Both laws require strong and clear consent. However, the DPDP Act places extra emphasis on making consent notices simple and easy to understand for Indian users.

Rights of data subjects (Rights under GDPR)

Key rights of data subjects under GDPR are:

  • The right to be informed by organizations about the collection and use of their personal data (Articles 13 and 14)
  • The right to access their personal data (Article 15)
  • The right to rectification (Article 16)
  • The right to erasure, also called the right to be forgotten (Article 17)
  • The right to restrict the processing of their data in certain circumstances (Article 18)
  • The right to receive and transfer their data to another service (data portability) (Article 20)
  • The right to object to certain types of data processing (Article 21)
  • The rights in relation to automated decision-making and profiling (Article 22)

Rights of data principal (Rights under the DPDP Act)

The DPDP Act provides important but limited rights, including:

  • The right to access information about personal data (Section 11)
  • The right to correct and delete personal data (Section 12)
  • The right to raise complaints and seek grievance redressal (Section 13)
  • The right to nominate another person to act on their behalf in case of death or incapacity (Section 14)

Key Difference:

GDPR offers more detailed and advanced rights, while the DPDP Act focuses on basic and practical rights that are easier to implement.

Children’s Data Protection

GDPR

Under GDPR:

  • A child is defined as someone under 16 years of age (EU countries may reduce this limit to 13)
  • Parental consent is required to process a child’s personal data.
  • There are strict rules for marketing, profiling and targeted advertising aimed at children.

DPDP Act

Under the DPDP Act:

  • A child is defined as anyone under 18 years of age.
  • Data fiduciaries must obtain verifiable parental consent before processing a child’s data.
  • Tracking, behavioral monitoring, and targeted advertising directed at children are not allowed.

Key Difference:

The DPDP Act provides stricter age-based protection by treating everyone under 18 as a child, offering a higher level of protection compared to GDPR.

Data Protection Officer (DPO)

GDPR

Under GDPR, appointing a Data Protection Officer (DPO) is compulsory for:

  • Public authorities - Any public body or authority, except courts when they are performing judicial functions.
  • Large-scale monitoring - Core activities involve regularly and systematically monitoring people on a large scale, such as using CCTV in public places or tracking user behavior.
  • Organizations that handle sensitive personal data - Core activities involve large-scale processing of sensitive personal data, such as health, race, or religion.

DPDP Act

Under the DPDP Act, only Significant Data Fiduciaries are required to appoint a Data Protection Officer.
This classification depends on factors such as the amount and sensitivity of personal data being processed.

Key Difference:

GDPR requires DPOs in more situations, while the DPDP Act applies this requirement only to selected organizations.

Cross-Border Data Transfers

GDPR

GDPR allows personal data to be transferred outside the EU only when:

  • The receiving country provides an adequate level of data protection, or
  • Proper safeguards are in place, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)

DPDP Act

The DPDP Act allows personal data to be transferred outside India only to countries that are approved and notified by the Indian government.
This approach is simpler and more controlled by the government.

Key Difference:

GDPR relies on detailed legal safeguards for cross-border data transfers, while the DPDP Act depends mainly on government approval.

Data Breach Notification

GDPR

Under GDPR, if a data breach happens:

  • It must be reported to the data protection authority within 72 hours.
  • Affected individuals must also be informed if the breach creates a high risk to them.

DPDP Act

Under the DPDP Act, if a data breach occurs:

  • It must be reported to the Data Protection Board.
  • The affected individuals must also be informed.
  • The exact timeline for reporting is not fixed in the law and will be specified later through rules.

Key Difference:

GDPR sets strict and clear deadlines for reporting breaches, while the DPDP Act allows more flexibility in terms of timelines.

Penalties and Fines

GDPR

Under GDPR, organizations can face heavy fines of:

  • Up to €20 million, or
  • 4% of their total global annual turnover, whichever amount is higher.

DPDP Act

Under the DPDP Act:

  • Penalties can go up to ₹250 crore.
  • There are no criminal penalties under the law.
  • The final penalty depends on the type and seriousness of the violation.

Key Difference:

GDPR fines are based on a percentage of the company’s global turnover, while the DPDP Act sets fixed maximum penalty amounts.

Regulatory Authority

GDPR

Under GDPR:

  • Each EU country has its own independent Supervisory Authority.
  • These authorities are coordinated at the EU level by the European Data Protection Board (EDPB).

DPDP Act

Under the DPDP Act:

  • A single Data Protection Board of India is responsible for enforcement.
  • It functions as a central authority to handle complaints and impose penalties.

Key Difference:

GDPR follows a decentralized regulatory model across EU countries, whereas the DPDP Act relies on a centralized authority in India.

GDPR vs DPDP Act: Summary of Key Differences

Coverage

  • GDPR: Applies to both digital personal data and organized paper-based records.
  • DPDP Act: Applies only to personal data in digital form.

Territorial Scope

  • GDPR: Applies worldwide if the personal data of EU residents is processed.
  • DPDP Act: Applies worldwide if the digital personal data of individuals in India is processed.

Core Philosophy

  • GDPR: Very detailed and strict, with a strong focus on individual rights.
  • DPDP Act: A more balanced approach, with simpler and more business-friendly rules.

Legal Basis for Processing

  • GDPR: Allows six legal grounds, such as consent, contract, and legal obligation.
  • DPDP Act: Mainly relies on consent, with a few allowed “legitimate uses”.

Terminology

  • GDPR: Uses terms like Data Subject and Data Controller.
  • DPDP Act: Uses terms like Data Principal and Data Fiduciary.

Rights of Individuals

  • GDPR: Provides many detailed rights, including data portability and rights against automated decisions.
  • DPDP Act: Focuses on basic rights like access, correction, deletion, and grievance redressal.

Children’s Data

  • GDPR: Treats children as under 16 years (can be reduced to 13 by countries).
  • DPDP Act: Treats anyone under 18 years as a child, giving stronger protection.

Data Protection Officer (DPO)

  • GDPR: Requires many organizations to appoint a DPO.
  • DPDP Act: Requires a DPO only for Significant Data Fiduciaries.

Data Breach Notification

  • GDPR: Breaches must be reported to authorities within 72 hours.
  • DPDP Act: Reporting timeline will be specified later, but affected individuals must be informed.

Penalties

  • GDPR: Fines can go up to €20 million or 4% of global turnover, whichever is higher.
  • DPDP Act: Penalties can go up to ₹250 crore as a fixed monetary amount.

Conclusion

Both GDPR and India’s DPDP Act are designed to protect personal data and strengthen privacy rights. However, GDPR is wider in scope, more detailed, and strongly focused on individual rights. At the same time, the DPDP Act is simpler, limited to digital data, and tailored to India’s regulatory and business environment. Organizations working globally must understand both laws. GDPR provides a global standard, while the DPDP Act shows India’s move towards a practical data protection framework.
