If the DPDPA and the GDPR pursue the same goal of protecting personal data, why do they rely on fundamentally different assumptions about consent?
The Digital Personal Data Protection Act, 2023 (DPDPA) of India and the European Union’s General Data Protection Regulation (GDPR) share a common, foundational objective: protecting personal data and preserving individual autonomy in an increasingly data-driven world.
Both frameworks recognise consent as a central mechanism through which individuals exercise control over their personal data. However, despite this shared objective, the two regimes are built on very different assumptions about the role, reliability, and necessity of consent.
Under the GDPR, consent is one of several lawful bases for processing personal data and is treated as a high threshold, rights-driven construct. In contrast, the DPDPA positions consent as the default legal basis, but simultaneously designs it to be more pragmatic, simplified, and operationally flexible, reflecting India’s digital public infrastructure and governance realities.
Consent as One Lawful Basis Among Many
The GDPR does not treat consent as the primary or preferred ground for processing personal data. Instead, Article 6(1) provides six lawful bases: consent, contract performance, legal obligation, vital interests, public task and legitimate interests. This reflects a key assumption: consent is not always the most appropriate or reliable basis for data processing, particularly where there is an imbalance of power between the data subject and the controller. As a result, EU regulators often discourage "over-reliance" on consent, especially in employment, public services, or essential digital services, where consent is unlikely to be freely given.
Definition and Threshold of Consent
Article 4(11) of the GDPR defines consent as: “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes…” This definition is deliberately stringent. Consent must meet four cumulative conditions:
- Freely given – no coercion, conditionality, or imbalance of power
- Specific – granular consent for distinct purposes
- Informed – clear disclosure of processing details
- Unambiguous – clear affirmative action (no silence or pre-ticked boxes)
For special categories of personal data (Article 9), consent, where it is the basis relied upon, must be explicit (Article 9(2)(a)), raising the bar even further.
Consent under the DPDPA: The central legitimizing mechanism
In contrast, the DPDPA is built around a consent-first model. Under the Act, personal data may generally be processed only:
- based on consent, or
- for certain defined “legitimate uses” specified in the statute
Unlike the GDPR, the DPDPA does not provide a broad menu of lawful bases, such as legitimate interests or contractual necessity, as independent grounds. Instead, consent is the default, and non-consensual processing is the exception.
| # | Aspect | DPDPA (India) | GDPR (EU) |
|---|---|---|---|
| 1 | Role of consent | Consent is the default and primary legal basis for processing personal data | Consent is one lawful basis among several, and not always preferred |
| 2 | Regulatory assumption | Assumes consent can be effective at scale if simplified and notice-driven | Assumes consent is fragile, especially where a power imbalance exists |
| 3 | Availability of alternative legal bases | Limited statutory "legitimate uses"; non-consensual processing is the exception | Multiple lawful bases (contract, legal obligation, legitimate interests, etc.) |
| 4 | Role of notice | Valid consent must be based on a clear, specific notice | The notice explains processing, but does not create consent |
| 5 | Granularity of consent | Emphasises purpose clarity through notice over extreme granularity | Requires granular, purpose-specific consent when consent is relied upon |
| 6 | Effect of consent withdrawal | Often eliminates the primary legal basis, requiring processing to stop | Affects only consent-based processing; others may continue lawfully |
| 7 | Approach to children's consent | Stricter and more protective, with enhanced safeguards | Contextual and flexible, with Member State discretion on age thresholds |
Assumptions driving the DPDPA approach
The DPDPA’s reliance on consent reflects a different set of assumptions:
- Consent can scale if simplified: In a large, digitally diverse country like India, consent paired with clear notice is seen as a practical way to regulate data use across sectors.
- Purpose limitation can be achieved through notice: Rather than complex legal categorization of lawful bases, clearly stated purposes in a notice are assumed to provide sufficient protection.
- Governance over granularity: The law prioritizes a governance-friendly framework that can be understood and implemented by a wide range of organizations.
As a result, consent under the DPDPA is not merely one legal ground—it is the primary expression of individual control.
1. The pivotal role of notice: A structural difference
One of the most important—but often overlooked—differences between the two regimes is the role of notice.
GDPR: Notice supports multiple lawful bases
Under the GDPR, transparency obligations apply regardless of the lawful basis used. Privacy notices explain:
- The lawful basis relied upon
- The purposes of processing
- The rights available to individuals
Consent is not created by notice alone; a clear affirmative action must accompany it.
DPDPA: Notice as the gateway to consent
Under the DPDPA, notice plays a far more foundational role. Section 5 requires a notice, given with or before the request for consent, that describes the personal data and the purpose of processing, and Section 6 makes consent valid only if it is:
- Free, specific, informed, unconditional and unambiguous, given by a clear affirmative action
- Based on that clear and specific notice and linked to the specified purpose
- Limited to the personal data necessary for that purpose
- Capable of being withdrawn as easily as it was given
In practice, this means:
- Poorly drafted notices weaken consent
- Overly broad purposes risk invalid processing
- Notice design becomes a central compliance activity
The DPDPA assumes that well-crafted notice + consent can meaningfully govern data processing, whereas the GDPR is more skeptical of this equation.
2. Withdrawal of consent: Same right, different consequences
Both laws recognise the right to withdraw consent, but their structural differences lead to very different outcomes.
Under the GDPR
- Withdrawal affects only processing based on consent
- Processing may continue lawfully under another legal basis
- Operational disruption is often limited
Under the DPDPA
- Withdrawal often removes the primary legal basis for processing
- Processing must stop within a reasonable time, at the Data Fiduciary and at its Data Processors, unless a legitimate use or another legal requirement applies (Section 6(6))
- Processing carried out before withdrawal remains lawful (Section 6(5)), so records must show when consent was given and when it was withdrawn
- Systems must be designed to respond quickly and comprehensively, propagating the withdrawal to every downstream system and processor
This highlights a key assumption of the DPDPA: withdrawal is meant to have a real, immediate impact, reinforcing individual control.
3. Children’s consent: Protection through restriction vs contextual balance
Both frameworks treat children as a vulnerable category, but their approaches differ in tone and intensity.
- GDPR: Article 8 requires the consent of the holder of parental responsibility for information society services offered directly to a child under 16, while allowing Member States to lower that threshold to no less than 13.
- DPDPA: Section 9 adopts a stricter, more protective stance: verifiable consent of a parent or lawful guardian is required before processing a child's data (a child being anyone under 18), and tracking, behavioural monitoring and targeted advertising directed at children are prohibited, as is processing likely to have a detrimental effect on a child's well-being.
The DPDPA reflects a paternalistic regulatory assumption, prioritising protection even at the cost of reduced flexibility for digital services.
4. Implications for organizations: Why the difference matters
For organizations operating across India and the EU, these differences are not academic—they are operationally critical.
Key takeaways for compliance teams
- GDPR compliance requires lawful basis mapping, not consent everywhere
- DPDPA compliance requires robust consent lifecycle management
- Consent templates, notices, and withdrawal mechanisms cannot be reused blindly
- Privacy programs must be jurisdiction-sensitive by design
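The withdrawal consequences in section 2 and the "lawful basis mapping" versus "consent lifecycle management" takeaway above translate into a concrete check that a data platform has to run before every processing step. The following is an added illustration, not code from the original article and not a statement of either statute's text: a minimal Python model of an append-only consent log and a per-jurisdiction "may we process this?" decision. The purpose labels, the "EU"/"IN" jurisdiction tags, the basis labels, the principal "alice" and the dates are all constructed for the example, and the DPDPA legitimate-use string is an illustrative label rather than statutory wording.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """One consent, given by one principal, for one specified purpose."""
    principal: str
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, at: datetime) -> bool:
        # Consent covers the interval [given_at, withdrawn_at). Withdrawal is not
        # retroactive: processing done before it stays lawful (GDPR Art. 7(3), DPDPA s. 6(5)).
        return self.given_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


@dataclass
class ProcessingActivity:
    """An activity as it would appear in a record of processing (fields are assumptions)."""
    purpose: str
    jurisdiction: str                           # "EU" (GDPR) or "IN" (DPDPA)
    gdpr_bases: tuple = ()                      # Art. 6(1) bases mapped to this activity
    dpdpa_legitimate_use: Optional[str] = None  # s. 7 legitimate use relied upon, if any


class ConsentRegistry:
    """Append-only consent log: a consent is never deleted, only marked withdrawn."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def give(self, principal: str, purpose: str, at: datetime) -> None:
        self._records.append(ConsentRecord(principal, purpose, at))

    def withdraw(self, principal: str, purpose: str, at: datetime) -> int:
        """Mark every active consent for (principal, purpose) as withdrawn; return how many."""
        count = 0
        for rec in self._records:
            if rec.principal == principal and rec.purpose == purpose and rec.active_at(at):
                rec.withdrawn_at = at
                count += 1
        return count

    def has_active(self, principal: str, purpose: str, at: datetime) -> bool:
        # Purpose-bound lookup: consent for purpose A never covers purpose B.
        return any(r.principal == principal and r.purpose == purpose and r.active_at(at)
                   for r in self._records)


def may_process(reg: ConsentRegistry, act: ProcessingActivity, principal: str,
                at: datetime) -> tuple[bool, str]:
    """Return (allowed, basis). The branch structure is the point of the example."""
    consented = reg.has_active(principal, act.purpose, at)
    if act.jurisdiction == "EU":
        # GDPR: consent is one basis among several; withdrawing it removes only that one.
        if "consent" in act.gdpr_bases and consented:
            return True, "consent"
        others = [b for b in act.gdpr_bases if b != "consent"]
        if others:
            return True, others[0]
        return False, "no lawful basis"
    if act.jurisdiction == "IN":
        # DPDPA: consent is the default; without it only a statutory legitimate use remains.
        if consented:
            return True, "consent"
        if act.dpdpa_legitimate_use:
            return True, "legitimate use: " + act.dpdpa_legitimate_use
        return False, "no consent and no legitimate use"
    raise ValueError(f"unknown jurisdiction {act.jurisdiction!r}")


def walkthrough() -> dict:
    """Constructed scenario: the same withdrawal has different effects per regime."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    reg = ConsentRegistry()
    reg.give("alice", "marketing", t0)
    reg.give("alice", "order_fulfilment", t0)

    eu_orders = ProcessingActivity("order_fulfilment", "EU", gdpr_bases=("contract", "consent"))
    eu_marketing = ProcessingActivity("marketing", "EU", gdpr_bases=("consent",))
    in_orders = ProcessingActivity("order_fulfilment", "IN")   # no legitimate use mapped
    in_marketing = ProcessingActivity("marketing", "IN")
    in_records = ProcessingActivity("statutory_records", "IN",
                                    dpdpa_legitimate_use="s. 7 use (illustrative label)")

    before = t0 + timedelta(days=10)
    withdrawn = t0 + timedelta(days=30)
    after = withdrawn + timedelta(seconds=1)
    reg.withdraw("alice", "marketing", withdrawn)
    reg.withdraw("alice", "order_fulfilment", withdrawn)

    return {
        "eu_orders_after": may_process(reg, eu_orders, "alice", after),       # contract survives
        "eu_marketing_after": may_process(reg, eu_marketing, "alice", after), # consent-only: stop
        "in_orders_after": may_process(reg, in_orders, "alice", after),       # no fallback: stop
        "in_marketing_before": may_process(reg, in_marketing, "alice", before),
        "in_marketing_after": may_process(reg, in_marketing, "alice", after),
        "in_records_after": may_process(reg, in_records, "alice", after),     # legitimate use
        "consent_not_transferable": reg.has_active("alice", "analytics", before),
    }
```

The two things a practitioner should take from running it: under the "EU" branch the decision depends on the basis map recorded for the activity, so the withdrawal handler only needs to flip the consent record; under the "IN" branch the same withdrawal stops order fulfilment outright because contractual necessity is not an independent ground, so the handler must also fan out to every system and processor that relies on that consent. The `before` check shows why the log keeps timestamps instead of deleting records.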
Conclusion: Same destination, different roads
The GDPR and the DPDPA are aligned in spirit but distinct in design. Both seek to protect individuals and build trust in the digital economy. However:
- The GDPR is cautious, skeptical, and rights-centric, treating consent as a high-risk, high-standard option.
- The DPDPA is pragmatic and consent-centric, treating consent as the primary bridge between individuals and data-driven organizations.
Understanding these different assumptions about consent is essential—not only for legal compliance, but for building privacy frameworks that are realistic, respectful, and resilient in their respective regulatory environments.