Top 10 operational impacts of India’s DPDPA – Comparative analysis with the GDPR and other major data privacy laws

This article is part of a series that explores components of the DPDPA.

India's soon-to-be enforced Digital Personal Data Protection Act seeks to balance individual privacy and the country's emerging digital economy.

India’s government recently notified the rules under the DPDPA, introducing a phased implementation period. The Data Protection Board of India, the enforcement body under the DPDPA, is constituted immediately upon the notification of these rules, initiating the appointment process to determine its members.

Unlike global data laws, the DPDPA only applies to digital personal data, excluding non-digital personal data unless subsequently digitized. Perhaps inspired by Singapore's Personal Data Protection Act, the DPDPA creates a broad exception for personal data made public either by an individual or a law. Contrary to the EU General Data Protection Regulation, the act does not exclude processing pursuant to journalistic purposes from its scope.

The DPDPA treats all personal data uniformly without imposing heightened obligations for sensitive personal data. Entities that determine the means and purposes of processing personal data are termed "data fiduciaries," instead of "data controllers." Individuals identifiable by or in relation to any data are termed "data principals," rather than "data subjects" — implying a fiduciary relationship of trust in India's digital economy. Notably, in relation to children and persons with disabilities, the act includes parents or lawful guardians under its definition of data principals, raising questions on how overlapping rights between such data principals may be reconciled.