Top 10 operational impacts of India’s DPDPA – Comparative analysis with the GDPR and other major data privacy laws
This article provides comparative analysis with India's DPDPA, the GDPR and other major data privacy laws.
Published: 26 Oct. 2023
Last updated: 20 Jan. 2026
This article is part of a series that explores the most important components of the DPDPA, as clarified by the DPDP Rules, 2025. The full series can be accessed here.
Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. The aim is to avoid repetition across the articles as each author addressed it slightly differently.
India's soon-to-be enforced Digital Personal Data Protection Act seeks to balance individual privacy and the country's emerging digital economy.
India’s government recently notified the rules under the DPDPA, introducing a phased implementation period. The Data Protection Board of India, the enforcement body under the DPDPA, is constituted immediately upon the notification of these rules, initiating the appointment process to determine its members.
Unlike global data laws, the DPDPA only applies to digital personal data, excluding non-digital personal data unless subsequently digitized. Perhaps inspired by Singapore's Personal Data Protection Act, the DPDPA creates a broad exception for personal data made public either by an individual or a law. Contrary to the EU General Data Protection Regulation, the act does not exclude processing pursuant to journalistic purposes from its scope.
The DPDPA treats all personal data uniformly without imposing heightened obligations for sensitive personal data. Entities that determine the means and purposes of processing personal data are termed "data fiduciaries," instead of "data controllers." Individuals identifiable by or in relation to any data are termed "data principals," rather than "data subjects" — implying a fiduciary relationship of trust in India's digital economy. Notably, in relation to children and persons with disabilities, the act includes parents or lawful guardians under its definition of data principals, raising questions on how overlapping rights between such data principals may be reconciled.
Additionally, the act allows data principals to provide or withdraw consent through consent managers, data-blind entities that facilitate interoperable data sharing, to enable seamless sharing of data inter alia within India's digital public infrastructure. Under the new rules, consent managers are accountable to data principals. The rules impose technical and operational requirements, including restrictions to prevent conflicts of interest with data principals arising from a material pecuniary relationship with data fiduciaries.
Unlike the GDPR and the California Consumer Privacy Act, which directly apply certain obligations to data processors, the DPDPA only applies to data fiduciaries, requiring them to execute valid contracts with data processors. The rules further require appropriate provisions in the contract between data fiduciaries and data processors, when applicable, for implementing certain minimum reasonable security safeguards such as encryption, obfuscation, masking or the use of virtual tokens mapped to the concerned personal data.
Comparative analysis with GDPR
This section provides a comparison of the GDPR and the DPDPA as it relates to scope and application.
GDPR
Applies to:
• Organizations that have an establishment in the EU and process personal data "in the context of" the EU establishment.
• Organizations that are not established in the EU but process personal data related to either offering goods or services in the EU or monitoring the behavior of individuals in the EU.
DPDPA
Applies to digital personal data processed:
• Within the territory of India.
• Outside India, in connection with the offering of goods or services in India.
Except data security requirements, offshore entities in India are exempt from the DPDPA when:
• The offshore entity processes personal data on behalf of a foreign data fiduciary.
• The personal data only relates to foreign data principals.
GDPR
Applies to:
• Personal data.
• Automated processing or nonautomated processing where personal data forms part of a filing system.
Does not apply to:
• Anonymous data.
• Personal data processed by natural persons for purely personal or household purposes.
• Processing by law enforcement and national security agencies.
DPDPA
Applies to:
• Automated and nonautomated processing of digital personal data.
• Automated and nonautomated processing of nondigitized personal data that is subsequently digitized.
Does not apply to:
• Anonymous personal data implicitly, since applicability is limited to personal data.
• Personal data processed by an individual for purely personal or domestic purposes.
• Personal data made publicly available, either by a data principal or another person, under an obligation of Indian law to publicize such data.
Except data security requirements, does not apply to processing pursuant to:
• Enforcing a legal right or claim.
• The performance of a judicial, regulatory or supervisory function.
• Prevention, detection or investigation of offences.
• Processing by an Indian data processor on behalf of a foreign data fiduciary, where the personal data only relates to foreign data principals.
• Certain mergers and acquisitions approved by a competent authority.
• Ascertaining the assets and liabilities of any person who has defaulted in payment of a loan or advance taken from a financial institution.
Also allows the government to additionally exempt from its scope:
• Classes of data fiduciaries, including startups, considering the nature and volume of personal data processed.
• Government agencies in the interest of national security, public order, investigation of offences, etc.
GDPR
Defines personal data as any information related to an identified or identifiable natural person, the data subject. An identifiable natural person is one who can be identified, directly or indirectly, taking "all of the means reasonably likely to be used" into account.
DPDPA
Defines personal data as information about a natural person identifiable by or in relation to such data.
GDPR
Defines "special categories of personal data" as personal data revealing:
• Racial or ethnic origin.
• Political opinions, religion or philosophical beliefs.
• Trade union membership.
• Genetic data.
• Biometric data, for the purpose of uniquely identifying a natural person.
• Health.
• Sex life or sexual orientation.
Personal data related to criminal convictions and offenses, while not special category data, is subject to distinct rules defined by EU or member state law.
DPDPA
Treats all personal data uniformly, without separately classifying special or sensitive categories of personal data.
GDPR
- Controller: The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
- Data subject: An identified or identifiable natural person.
DPDPA
- Data fiduciary: Any individual, company or juristic entity that alone, or in conjunction with another, determines the means and purposes of processing personal data.
- Data processor: Any state, company, juristic entity or individual who processes personal data on behalf of a data fiduciary.
- Data principal: The natural person to whom the personal data relates. In relation to children and persons with disabilities, the definition includes the parent or lawful guardian.
- Consent manager: The DPDPA allows data principals to give, manage, review, or withdraw their consent through a "consent manager." Consent managers are accountable to the data principal and are to act on their behalf in such manner as is prescribed through rules.
- Significant data fiduciaries: Classes of data fiduciaries notified by the government as considering certain factors. These include the nature and volume of personal data processed, the risk posed to data principals from their processing activities, risk to electoral democracy, threat to the country's sovereignty and integrity, and security of state. Significant data fiduciaries are subject to additional obligations under the DPDPA.
This section provides a comparison of the GDPR and the DPDPA as it relates to lawfulness of processing.
GDPR
Sets out seven principles in Article 5:
• Lawfulness, fairness and transparency.
• Purpose limitation.
• Data minimization.
• Accuracy.
• Storage limitation.
• Integrity and confidentiality.
• Accountability.
DPDPA
Reflects the following commonly accepted data protection principles in its various requirements:
- Lawfulness: Personal data may be processed only pursuant to a lawful purpose.
- Fairness: Consent must be free, specific, informed, unconditional and unambiguous. Consent should be provided through a clear affirmative act of the data principal, signifying an agreement to such processing.
- Data minimisation: Where consent is the basis for processing, personal data collected should be limited to what is necessary for a specified purpose.
Storage limitation: Data collected should be retained only until necessary for the specified purpose unless further retention is required by an Indian law. - Purpose limitation: Where consent or voluntarily provided personal data is the basis for processing, personal data should only be processed pursuant to specified purposes. Integrity: Where personal data is likely to be disclosed to another data fiduciary or used to make decisions about a data principal, the data fiduciary must ensure the processing of such personal data ensures its completeness, accuracy and consistency.
- Confidentiality: Data fiduciaries are required to protect the personal data in their possession, or control and implement reasonable security safeguards to prevent a personal data breach. Data fiduciaries are also required to implement appropriate technical and organisational measures.
- Accountability: Data fiduciaries are required to, irrespective of an agreement to the contrary, ensure compliance with DPDPA provisions.
Significant data fiduciaries are required to carry out periodic audits through an independent data auditor, data protection impact assessments in accordance with the DPDPA and rules prescribed, etc.
GDPR
Includes six lawful bases for processing personal data, subject to additions by member states:
• Consent.
• Performance of a contract.
• Legal obligation.
• Legitimate interests.
• Life protection and vital interests.
• Public interest.
DPDPA
Prescribes nine additional grounds for processing personal data beyond consent, defined as legitimate uses, including the following:
• Use of voluntarily provided data by the data principal for a specified purpose, where the data principal has not objected to such use.
• Performance of a state function.
• Performance of legal obligation, or in the interests of the sovereignty and integrity of India.
• To fulfil any legal obligation.
• To comply with a judicial order.
• To respond to medical emergencies involving a threat to an individual's life.
• During a threat to public health.
• For undertaking measures to ensure public safety or provide assistance during a disaster or public order breakdown.
• For employment purposes, or to safeguard the employer from loss or liability such as corporate espionage, to maintain confidentiality of proprietary information or to provide any service or benefit sought by an employee.
GDPR
Imposes a number of requirements for obtaining valid consent:
• Consent must be freely given, specific and informed.
• It must be granted by an unambiguous affirmative action.
• Generally, the provision of a service cannot be made conditional on obtaining consent for processing that is not necessary for the service.
• A request for consent must be distinct from any other terms and conditions.
• Consent for separate processing purposes must be provided separately.
• Individuals have the right to withdraw consent at any time "without detriment" and it should be as easy to withdraw consent as it was to give it.
DPDPA
Requires consent to be:
• Freely given, specific and informed.
• Unconditional. This possibly implies the provision of a service cannot be conditioned on providing consent for collecting any unnecessary data.
• Unambiguous.
• Capable of being withdrawn with comparable ease to which consent was given.
• In clear and plain language.
• Accessible in English as well as in all the official languages as prescribed in the Indian Constitution.
GDPR
Processing is permitted without consent where it is necessary for the controller's or a third party's legitimate interests, provided such interests are not overridden by the rights and interests of the data subject.
It is the controller's responsibility to determine whether the interests it pursues under this basis are legitimate and proportionate. Controllers are expected to document these assessments.
GDPR
Includes 10 lawful bases for processing sensitive data, subject to additions by member states:
• Explicit consent.
• Compliance with obligations and exercising rights in the employment and social security context.
• Life protection and vital interests.
• Legitimate activities by foundation, associations or other not-for-profit bodies with political, philosophical, religious or trade union aims that process data about members.
• Establishment, exercise or defense in legal claims.
• Manifestly made public by the individual.
• Substantial public interest defined by law.
• Preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, and the provision of health or social care or treatment.
• Substantial public interest in health.
• Archiving, scientific or historical research purposes.
DPDPA
Treats all personal data uniformly, without creating special categories of personal data, so the grounds for processing all personal data remain the same.
GDPR
Imposes additional obligations when collecting consent from children under age 16 or at an age set between 13 and 16 by member state law.
Where providing certain electronic services at a distance, i.e., "information society services," directly to a child and where the processing is based on consent, consent must be provided by a parent or guardian.
Processing personal data of children is pertinent to other GDPR requirements, so notices must be tailored to children. The fact that data subjects are children could tip the balance of the legitimate interest test or trigger a DPIA.
One recital states significant automated decisions should not be taken concerning children.
DPDPA
Defines a child as an individual under age 18.
There is a general obligation to obtain "verifiable consent" from the parent or lawful guardian of children and persons with disabilities. The government can notify rules specifying the manner of obtaining such verifiable parental consent.
Data fiduciaries are prohibited from undertaking processing that:
• Is likely to have a detrimental effect on the wellbeing of a child.
• Involves tracking, behavioral monitoring of children or targeted advertising directed at children.
These restrictions would not apply for certain classes of data fiduciaries, or for certain purposes as prescribed through rules by the government.
The government may notify classes of data fiduciaries exempt from these restrictions upon satisfaction that their processing activities are verifiably safe.
This section provides a comparison of the GDPR and the DPDPA as it relates to individual rights.
GDPR
Requires information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Where personal data is collected directly from the individual, notice must be provided at or before the time of collection.
For personal data collected indirectly, i.e., from another source), notice must be provided within one month or upon first contact with the individual, if earlier, unless providing notice would be impossible or require disproportionate effort.
Detailed requirements for the content that must be included in notices.
DPDPA
Requires consent to be obtained using clear and plain language.
Requires a notice to be provided before or at the time of personal data collection, disclosing:
• Personal data processed and the purpose for such processing.
• The manner in which data principals may exercise the rights available under the DPDPA.
• The manner in which the data principal can make a complaint to the Data Protection Board of India in such manner as prescribed.
Requires the consent language to be accessible in English as well as all official languages set out in the Indian Constitution.
Data fiduciaries are required to publish the business contact information of a point of contact, and a data protection officer in the case of significant data fiduciaries, to answer data principals' questions regarding personal data processing.
GDPR
Gives individuals the right to receive information about how their personal data is processed and a copy of their personal data.
Personal data must be provided:
• Free of charge, except where requests are manifestly unfounded, excessive or for additional copies.
• In electronic form when requested.
• Within one month unless an extension applies.
Exceptions apply when providing the information would adversely affect the rights and freedoms of others, including intellectual property rights.
DPDPA
Where consent or voluntary use is the basis for processing personal data, gives the data principal the right of access in the manner prescribed to:
• A summary of personal data processed by the data fiduciary and the processing activities undertaken by that data fiduciary with respect to such personal data.
• The identities of all other data fiduciaries and data processors with whom personal data has been shared, with a description of the personal data.
• Any other information related to the their personal data and its processing, as may be prescribed.
GDPR
• Grants data subjects the right to: Correct inaccurate personal data.
• Complete incomplete personal data.
When personal data is updated, it must be communicated to each recipient to which it was disclosed, unless this would involve disproportionate effort.
The controller must restrict processing where the accuracy of the data is disputed for the time needed to verify the request.
DPDPA
When consent or voluntary use is the basis for processing personal data, grants data principals the right to:
• Correct inaccurate or misleading personal data.
• Complete incomplete personal data.
• Update outdated personal data.
GDPR
Grants data subjects the right to request the deletion of personal data processed by the controller, when the data is no longer needed for the purpose of processing, when the data subject withdraws consent or objects, and when processing is unlawful or deletion is required by law.
If the controller grants a request for the deletion of data that was previously made public, the controller needs to "take reasonable steps" to inform any third parties that may be processing the data of the data subject's request.
There is also an obligation to communicate the request directly to any known recipients of the data unless it would be impossible or would require disproportionate effort.
Controllers may rely on a number of exceptions, including establishing, exercising or defending legal claims, conducting research that meets certain conditions, and other compelling legitimate interests to override a request.
DPDPA
Does not expressly recognize a right to be forgotten.
However, it allows data principals to withdraw their consent related to personal data processing.
Where consent is the basis for processing personal data, and such consent is withdrawn, the data fiduciary would be required to cease the processing of personal data, including its retention or public disclosure, within a reasonable time, unless the data is required to be retained under an Indian law. Additionally, the data principal may exercise the right to erasure of their personal data where its further retention is not necessary for the specified purpose, and is not required by law.
This section provides a comparison of the GDPR and the DPDPA as it relates to accountability requirements.
GDPR
Requires controllers and processors not established in the EU, that are subject to the GDPR, to appoint a representative in the EU, except if processing is occasional and does not involve large scale processing of sensitive data.
Requires private entities to appoint a DPO only when a "core activity" of the controller or processor involves either the regular and systematic monitoring of data subjects on a large scale or the large-scale processing of sensitive data.
The DPO must have sufficient independence and skill to carry out its functions and must be able to report to the highest levels of management within the organization.
DPOs may be outsourced.
Guidance from EU regulators recommend DPOs should be based in the EU.
DPDPA
Requires all significant data fiduciaries to appoint DPOs based out of India. Significant data fiduciaries are classes of data fiduciaries notified by the government considering the nature and volume of personal data processed, the risk posed to the rights of data principals, risk to electoral democracy, potential impact on the sovereignty and integrity of India, security of the state, etc.
The DPO must represent the significant data fiduciary and be accountable to the board of directors or governing body of the significant data fiduciary.
There are no express skill requirements for DPOs. Guidance on terms for appointing DPOs may be provided through rules under the DPDPA.
GDPR
Requires controllers and processors to retain detailed records of their processing activities unless very narrow exceptions apply.
DPDPA
Does not require data fiduciaries to maintain a record of processing activities. However, data fiduciaries may practically be required to maintain records of their processing activities when demonstrating compliance with the DPDPA.
Notably, during any proceeding, the data fiduciary should be able to prove a notice was given to the data principal and consent was obtained in accordance with DPDPA provisions
GDPR
Requires controllers to conduct a DPIA for certain "high risk" activities, including:
• Systematic and extensive profiling.
• Large-scale processing of sensitive data.
• Systematic monitoring of a publicly accessible area on a large scale.
In cases where the risks cannot be mitigated, the controller must consult with the data protection authority before engaging in the processing.
DPDPA
Requires significant data fiduciaries to carry out DPIAs. Such assessment should consider the impact of processing on data principals' rights, the purpose of processing, the assessment and management of risks to data principals' rights, and other prescribed matters.
GDPR
Includes a requirement to implement appropriate compliance processes through the lifecycle of any product, service or activity.
By default, only personal data necessary for a purpose should be processed and personal data should not be publicly disclosed without an individual's affirmative action.
DPDPA
Notably, does not require data fiduciaries to implement privacy by design.
Where consent or voluntary use is the basis for processing personal data, ensuring personal data collected is limited to what is necessary for a specified purpose is required.
Like the GDPR, the DPDPA requires all data fiduciaries to implement appropriate technical and organizational measures.
GDPR
Does not include audit requirement that are applicable to controllers.
Processors must agree to audit provisions in contracts with controllers.
DPDPA
Requires significant data fiduciaries to appoint an independent data auditor and carry out periodic audits.
GDPR
Subjects processing by processors to detailed contracts, with requirements set out in Article 28.
DPDPA
Requires data fiduciaries to be responsible for compliance, without any provision being applicable directly to data processors. However, data fiduciaries are required to engage data processors only pursuant to a valid contract.
This section provides a comparison of the GDPR and the DPDPA as it relates to security and breach notifications.
GDPR
Requires controllers and processors to implement appropriate technical and organizational measures to protect the security of personal data.
DPDPA
Requires data fiduciaries to protect the personal data under their control or possession, including involving any processing undertaken by or on its behalf, and implement necessary security safeguards to prevent a personal data breach. This requirement is likely to be passed on to data processors.
GDPR
Requires controllers to notify the DPA of a breach within 72 hours unless the breach is unlikely to result in a risk to individuals.
Notification may be made in stages as information becomes available.
Controllers must notify individuals of a breach without undue delay only if it is likely to result in a "high risk" to individuals.
Processors must notify a controller of a breach without undue delay.
DPDPA
Requires data fiduciaries to notify the board and the affected data principals in the event of a personal data breach, in a manner prescribed through rules.
The time period for notifying breaches may be established by rules.
This section provides a comparison of the GDPR and the DPDPA as it relates to international data transfers.
GDPR
Does not require localization unless international data transfer requirements are not met.
DPDPA
Does not generally require data localization. However, the government may impose restrictions on transfers of personal data to specific countries through notification. Additionally, any stricter law such as sector-specific data localization requirements, e.g., in respect of payment data, insurance data, or telecommunications subscriber data, will continue to apply.
GDPR
Only permits the transfer of personal data outside the European Economic Area when:
• The recipient is in a territory considered by the European Commission to offer an adequate level of protection for personal data after an assessment of its privacy laws and law enforcement access regime.
• Appropriate safeguards are put in place, such as European Commission-approved standard contractual clauses or binding corporate rules approved by DPAs.
• A derogation applies, such as where data subjects provide explicit consent, the transfer is necessary to fulfil a contract, or there is a public interest founded in EU or member state law, among others.
DPDPA
Generally permits international data transfers. The government may restrict transfers of personal data to specific countries notified through rules under the act. The rules will also specify the nature of such restrictions.
Penalties
GDPR
Does not stipulate criminal liability, but permits member states to impose criminal penalties for violations of the regulation and applicable national rules.
Administrative fines up to 20 million euros or 4% of annual global revenue.
DPAs may also issue injunctive penalties, which include the ability to block processing, restrict international transfers and require the deletion of personal data.
Individuals may bring claims in court for compensation and mechanisms exist for representative actions on behalf of a class of individuals.
DPDPA
Does not impose any criminal penalties, but imposes monetary penalties for "significant" breaches. In calculating the amount of penalty, relevant factors to be considered include:
• The nature, gravity and duration of the breach.
• The type and nature of personal data affected by the breach.
• The repetitive nature of the breach.
• Whether, as a result of the breach, the data fiduciary realized a gain or avoided any loss.
• Whether the monetary penalty imposed is proportionate and effective.
• The likely impact of the imposition of the monetary penalty on such data fiduciary.
During any stage of a proceeding for compliance with the DPDPA, the board may accept a voluntary undertaking by a data fiduciary. This may include a commitment to take appropriate action within a stipulated timeframe determined by the board. The board's acceptance would bar all proceedings under the DPDPA against the data fiduciary.
In addition to monetary penalties, the Central Government may direct any of its agencies or any online intermediary to block access to any information which enables a data fiduciary to offer goods or services in India, based on a written reference from the board intimating that the data fiduciary has been subject to a monetary penalty in two or more cases, and advising the Central Government that blocking access to the data fiduciary's offerings is in the public's general interests.
This section provides a comparison of the GDPR and the DPDPA as it relates to miscellaneous provisions.
GDPR
Does not define anonymous data, which cannot identify an individual by means reasonably likely to be used, falls outside of the scope of the law (reasonable steps to re-identify). In practice, anonymization is a high standard to meet.
DPDPA
Does not define anonymized personal data.
GDPR
Permits a number of exemptions for scientific or historical research, archiving in the public interest, and statistical purposes, including:
• Further processing for such purposes may be considered "compatible."
• EU or member state law may permit controllers to process sensitive data for such purposes.
• EU or member state law may provide derogations from certain individual rights.
For the research exemptions to apply, controllers must implement appropriate safeguards, which may be specified by law, such as pseudonymization.
DPDPA
Does not apply its provisions of to the processing personal data for research, archiving or statistical purposes, if such processing is:
• Not used to make a decision about a data principal.
• Carried out in accordance with the standards prescribed by the government.
Data protection principles
Instead of listing out data protection principles, the DPDPA internalizes principles of lawfulness, purpose limitation, storage limitation, integrity and confidentiality, and accountability through its various provisions.
However, the principle of purpose limitation only applies when consent or voluntary use is the basis for processing personal data. Similarly, the requirement of data minimization — collecting only as much information as is necessary for a specified purpose — only applies where consent is the basis for processing personal data.
Notably, the DPDPA does not impose a general obligation to comply with the principle of fairness in processing personal data, as required under the GDPR.
Lawful bases
The DPDPA excludes contractual necessity and legitimate interest as grounds for processing personal data. Consent remains the primary basis for processing, except for certain legitimate uses where obtaining consent may not be possible. Such situations include complying with legal obligations, performing state functions, complying with judicial orders, responding to medical emergencies, and maintaining public safety and order. A request for consent must be accompanied by a granular notice. Significantly, the notice must clearly specify an itemized description of personal data, specific description of goods or services provided — or uses enabled by such processing — along with the purposes of the processing.
The act recognizes processing for broadly defined employment purposes as an independent basis. It also envisions the use of personal data voluntarily provided by a data principal for a specified purpose, where the data principal does not object to such use. Voluntary use as a basis is possibly inspired by the deemed consent ground under Singapore's PDPA, where a notice and consent mechanism may not be practical in transactional settings.
However, the voluntary use basis is much narrower than the legitimate interest grounds for processing, which is flexible and can extend beyond specified purposes to cover the data controller's broader commercial interests — provided the individual can reasonably expect such processing.
Classification of data fiduciaries
Unlike the GDPR, which requires all entities to carry out data protection impact assessments under specific circumstances like high-risk processing, the DPDPA only imposes this requirement on specific data fiduciaries classified as "significant data fiduciaries." The government may classify data fiduciaries as significant considering the volume and extent of personal data processed, as well as the risks posed to data principals, electoral democracy, national security and public order.
The GDPR, by default, requires all public bodies and entities carrying out large-scale processing of sensitive data and systematic monitoring of individuals as their core activity to appoint a data protection officer. The DPDPA, meanwhile, only imposes the requirement to appoint an India-based DPO on data fiduciaries that are classified as significant through notification. Significant data fiduciaries will likely include global businesses collecting significant volumes of personal data.
While the GDPR requires the DPO to act independently, the DPDPA mandates that the DPO report to the board of directors or a similar governing body of the significant data fiduciary. For significant data fiduciaries, the rules impose additional obligations, including conducting due diligence to ensure that technical measures, such as algorithms, do not pose risks to individual rights. The rules also envisage empowering the government, based on recommendations from a committee it constitutes, to require entities to prevent the transfer of specified categories of personal data and traffic data related to its flow outside of India.
Scope of rights
While the GDPR and CCPA allow individuals to exercise a broader array of rights, the rights available to data principals under the DPDPA are limited to the rights of access; correction; completion; nomination, such as of a representative to exercise rights in case of death or incapacity; erasure; consent withdrawal; and grievance redressal. Further, rights to access, correction, completion and erasure can only be exercised where consent or voluntary use is the basis for processing personal data.
While the act does not explicitly provide for a right to be forgotten, it is possible to exercise the withdrawal of consent, where consent is the basis for processing; this would require the data fiduciary to delete the collected personal data. The requirement to provide a notice to data principals only applies when consent is the basis for processing personal data.
Crucially, the right to data portability and the right against solely automated decision-making are excluded. However, the act does require personal data used to make a decision about a data principal to be accurate, complete and consistent — which may make it difficult for data fiduciaries to implement solely automated decision-making processes that could result in inaccurate or discriminatory results.
Processing the personal data of children and those with disabilities
Under the DPDPA read with the rules, verifiable consent must be obtained from the parent or lawful guardian before processing a child’s personal data. Businesses are required to confirm that the parent or guardian of the child is an adult. Behavioral monitoring, tracking or profiling of children is prohibited, except when providing certain essential services, such as health care, education or real-time safety. For individuals with disabilities, consent must be obtained from their lawful guardian, who must be verified in accordance with India’s guardianship laws.
Duties of a data principal
Unlike most data laws, the act imposes duties on data principals, prohibiting frivolous complaints, impersonation of another person, and the suppression of material information in identifying oneself, such as during age-verification measures. Additionally, the act requires data principals to comply with applicable laws.
International data transfers
Unlike the GDPR, which generally restricts data transfers unless a country is deemed adequate, the DPDPA generally allows international data transfers, except where the government restricts transfers to specific countries. While the nature of these restrictions remains unclear, they could mean a stringent ban against transfers to blacklisted countries or soft obligations akin to adequacy — like arrangements, such as binding corporate rules or standard contractual clauses, for specific countries.
Additionally, sector-specific restrictions on data transfers to regulated entities — banking and finance, insurance, etc. — may apply as relevant. As mentioned above, the rules hint to the possibility of cross-border data transfer restrictions being introduced, with additional restrictions for significant data fiduciaries.
Data retention
The DPDPA, read with the rules, prescribes a minimum data retention period of one year for certain specified purposes, such as national security, strategic interests of the state or performance of any function under any law. This may require international businesses to revisit their transfer impact assessments for India.
Additionally, the rules also prescribe maximum retention periods for certain data fiduciaries — such as large e-commerce, gaming and social media platforms — except for certain specified purposes. These purposes include enabling access to existing accounts or digital wallets beyond the specified retention period.
Exemptions
The act allows the government to exempt classes of data fiduciaries, such as startups, from its scope, based on factors like the nature and volume of personal data processed. This provision addresses the long-standing criticism of the GDPR for imposing excessive regulatory costs on small businesses.
The DPDPA also exempts processing pursuant to research, archival or statistical purposes, provided it is carried out in accordance with standards prescribed by the government. The rules prescribe these standards, including adherence with data protection principles such as lawfulness, data minimization, data accuracy, storage limitation and accountability.
Additionally, except for data security requirements, the act exempts data processing carried out under unique conditions. These include: ascertaining the assets and liabilities of persons who may have defaulted in payment due on account of a loan or advance taken from a financial institution, enabling financial institutions and fintech businesses to conduct their business; processing where it is necessary in the context of mergers and acquisitions approved by a competent authority in certain circumstances; and, in the context of outsourcing, where the data relates only to foreign residents and is processed by a data processor in India on behalf of a foreign data fiduciary, allowing India to retain its prowess as an outsourcing hub.
Powers of the board
Notably, the newly created Data Protection Board of India has powers including the ability to carry out inquiries and direct urgent or remedial measures.
However, unlike national supervisory authorities under the GDPR, the DPBI does not have the power to initiate a proceeding on its own. Similarly, unlike EU supervisory authorities, the board cannot issue recommendations or codes of conduct; such prescriptive powers are retained by the government. While the board is required to act independently, it lacks the structural and functional independence utilized by EU supervisory authorities, as the government retains control over its composition, powers and functions. This was a missed opportunity for India to further strengthen its adequacy status under the GDPR.
In another element perhaps inspired by Singapore’s PDPA, the act allows the DPBI to accept voluntary undertaking to address any alleged noncompliance by data fiduciaries and bar associated legal proceedings against such data fiduciaries. Such a provision for voluntary undertaking is absent from most global data laws.
Significantly, the board can recommend the government exercise blocking powers against noncompliant data fiduciaries, restricting access to the data fiduciary's online goods or services, which could lead to a virtual stop in sales.
Enforcement and sanctions
While the GDPR allows member states to impose criminal penalties for certain non-compliance with data protection law, the DPDPA does not impose any criminal penalties. The sanctions are monetary penalties which, unlike the turnover-based penalties under the GDPR, may extend to INR250 crores (approximately USD27 million) in some cases.
Contrary to global data laws, the DPDPA only provides for the imposition of penalties for non-compliances that are "significant" in nature, though the threshold of what constitutes a “significant” breach is unclear. In determining the monetary penalty in a case of a significant non-compliance, the turnover of the business is not considered. Instead, relevant factors taken into account include the nature, gravity, and duration of the breach; type and nature of personal data affected; whether the breach was repetitive; and any mitigation measures undertaken by the data fiduciary.
Importantly, composite penalties may be imposed for more than one instance of noncompliance under the act. For example, penalties for failing to undertake reasonable security safeguards to prevent a personal data breach could be imposed in addition to the penalty for being noncompliant with child-related data processing obligations. The act does not provide for a right to compensation to data principals in cases of noncompliance.
Key takeaways
- Structural resonance: The structure of the DPDPA is comparable to the GDPR in terms of definitions, grounds, exceptions, rights and obligations. However, compared to other global laws, the scope of these provisions is relatively narrow, which may reflect that this is India's first step toward introducing an omnibus data protection law.
- Ease of compliance: As a continuing theme, the act and the rules seek to ease compliance for businesses in India's emerging digital economy and to retain its competitive advantage among preferred offshore locations globally.
- An evolving law for emerging challenges: Flexibility in introducing regulatory requirements through swifty exercisable rule-making powers — the ability to impose additional obligations for significant data fiduciaries, the manner of reporting data breaches, the accountability framework for consent managers, the manner of providing notice and the restrictions on international data transfers — provides the DPDPA with an evolving character. It can reshape itself and expeditiously adapt to unprecedented and unique challenges posed by India's rapidly transforming digital economy through situation-specific and need-based regulation.
- Proportionate regulation: The act's elasticity gives India the regulatory flexibility to ensure proportionate regulation from the perspective of doing business, with graded obligations for startups compared to significant data fiduciaries. This mechanism provides India's startup economy with a competitive advantage in the global tech landscape.
As a first step toward introducing an omnibus data protection legislation, for a vast and emerging economy like India, the DPDPA attempts to create baseline requirements that can be implemented at scale. This approach aims to help a country that historically has disregarded data protection internalize a culture of privacy.
Full series overview
The overview page for the full series can be accessed here.
- Scope, key definitions and lawful data processing
- Individual rights
- Obligations of data processing entities
- Enforcement and the Data Protection Board
- Cross-border data transfers
- Comparative analysis with the GDPR and other major data privacy laws
- Consent management
- Data audits for significant fiduciaries
- Data protection impact assessments
- Data breaches
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Top 10 operational impacts of India’s DPDPA – Comparative analysis with the GDPR and other major data privacy laws
This article provides comparative analysis with India's DPDPA, the GDPR and other major data privacy laws.
Published: 26 Oct. 2023
Last updated: 20 Jan. 2026
Contributors:
Siddharth Sonkar
Associate, Khaitan & Co.
Supratim Chakraborty
Partner, Khaitan & Co
This article is part of a series that explores the most important components of the DPDPA, as clarified by the DPDP Rules, 2025. The full series can be accessed here.
Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. The aim is to avoid repetition across the articles as each author addressed it slightly differently.
India's soon-to-be enforced Digital Personal Data Protection Act seeks to balance individual privacy and the country's emerging digital economy.
India’s government recently notified the rules under the DPDPA, introducing a phased implementation period. The Data Protection Board of India, the enforcement body under the DPDPA, is constituted immediately upon the notification of these rules, initiating the appointment process to determine its members.
Unlike global data laws, the DPDPA only applies to digital personal data, excluding non-digital personal data unless subsequently digitized. Perhaps inspired by Singapore's Personal Data Protection Act, the DPDPA creates a broad exception for personal data made public either by an individual or a law. Contrary to the EU General Data Protection Regulation, the act does not exclude processing pursuant to journalistic purposes from its scope.
The DPDPA treats all personal data uniformly without imposing heightened obligations for sensitive personal data. Entities that determine the means and purposes of processing personal data are termed "data fiduciaries," instead of "data controllers." Individuals identifiable by or in relation to any data are termed "data principals," rather than "data subjects" — implying a fiduciary relationship of trust in India's digital economy. Notably, in relation to children and persons with disabilities, the act includes parents or lawful guardians under its definition of data principals, raising questions on how overlapping rights between such data principals may be reconciled.
Additionally, the act allows data principals to provide or withdraw consent through consent managers, data-blind entities that facilitate interoperable data sharing, to enable seamless sharing of data inter alia within India's digital public infrastructure. Under the new rules, consent managers are accountable to data principals. The rules impose technical and operational requirements, including restrictions to prevent conflicts of interest with data principals arising from a material pecuniary relationship with data fiduciaries.
Unlike the GDPR and the California Consumer Privacy Act, which directly apply certain obligations to data processors, the DPDPA only applies to data fiduciaries, requiring them to execute valid contracts with data processors. The rules further require appropriate provisions in the contract between data fiduciaries and data processors, when applicable, for implementing certain minimum reasonable security safeguards such as encryption, obfuscation, masking or the use of virtual tokens mapped to the concerned personal data.
Comparative analysis with GDPR
This section provides a comparison of the GDPR and the DPDPA as it relates to scope and application.
GDPR
Applies to:
• Organizations that have an establishment in the EU and process personal data "in the context of" the EU establishment.
• Organizations that are not established in the EU but process personal data related to either offering goods or services in the EU or monitoring the behavior of individuals in the EU.
DPDPA
Applies to digital personal data processed:
• Within the territory of India.
• Outside India, in connection with the offering of goods or services in India.
Except data security requirements, offshore entities in India are exempt from the DPDPA when:
• The offshore entity processes personal data on behalf of a foreign data fiduciary.
• The personal data only relates to foreign data principals.
GDPR
Applies to:
• Personal data.
• Automated processing or nonautomated processing where personal data forms part of a filing system.
Does not apply to:
• Anonymous data.
• Personal data processed by natural persons for purely personal or household purposes.
• Processing by law enforcement and national security agencies.
DPDPA
Applies to:
• Automated and nonautomated processing of digital personal data.
• Automated and nonautomated processing of nondigitized personal data that is subsequently digitized.
Does not apply to:
• Anonymous personal data implicitly, since applicability is limited to personal data.
• Personal data processed by an individual for purely personal or domestic purposes.
• Personal data made publicly available, either by a data principal or another person, under an obligation of Indian law to publicize such data.
Except data security requirements, does not apply to processing pursuant to:
• Enforcing a legal right or claim.
• The performance of a judicial, regulatory or supervisory function.
• Prevention, detection or investigation of offences.
• Processing by an Indian data processor on behalf of a foreign data fiduciary, where the personal data only relates to foreign data principals.
• Certain mergers and acquisitions approved by a competent authority.
• Ascertaining the assets and liabilities of any person who has defaulted in payment of a loan or advance taken from a financial institution.
Also allows the government to additionally exempt from its scope:
• Classes of data fiduciaries, including startups, considering the nature and volume of personal data processed.
• Government agencies in the interest of national security, public order, investigation of offences, etc.
GDPR
Defines personal data as any information related to an identified or identifiable natural person, the data subject. An identifiable natural person is one who can be identified, directly or indirectly, taking "all of the means reasonably likely to be used" into account.
DPDPA
Defines personal data as information about a natural person identifiable by or in relation to such data.
GDPR
Defines "special categories of personal data" as personal data revealing:
• Racial or ethnic origin.
• Political opinions, religion or philosophical beliefs.
• Trade union membership.
• Genetic data.
• Biometric data, for the purpose of uniquely identifying a natural person.
• Health.
• Sex life or sexual orientation.
Personal data related to criminal convictions and offenses, while not special category data, is subject to distinct rules defined by EU or member state law.
DPDPA
Treats all personal data uniformly, without separately classifying special or sensitive categories of personal data.
GDPR
- Controller: The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
- Data subject: An identified or identifiable natural person.
DPDPA
- Data fiduciary: Any individual, company or juristic entity that alone, or in conjunction with another, determines the means and purposes of processing personal data.
- Data processor: Any state, company, juristic entity or individual who processes personal data on behalf of a data fiduciary.
- Data principal: The natural person to whom the personal data relates. In relation to children and persons with disabilities, the definition includes the parent or lawful guardian.
- Consent manager: The DPDPA allows data principals to give, manage, review, or withdraw their consent through a "consent manager." Consent managers are accountable to the data principal and are to act on their behalf in such manner as is prescribed through rules.
- Significant data fiduciaries: Classes of data fiduciaries notified by the government as considering certain factors. These include the nature and volume of personal data processed, the risk posed to data principals from their processing activities, risk to electoral democracy, threat to the country's sovereignty and integrity, and security of state. Significant data fiduciaries are subject to additional obligations under the DPDPA.
This section provides a comparison of the GDPR and the DPDPA as it relates to lawfulness of processing.
GDPR
Sets out seven principles in Article 5:
• Lawfulness, fairness and transparency.
• Purpose limitation.
• Data minimization.
• Accuracy.
• Storage limitation.
• Integrity and confidentiality.
• Accountability.
DPDPA
Reflects the following commonly accepted data protection principles in its various requirements:
- Lawfulness: Personal data may be processed only pursuant to a lawful purpose.
- Fairness: Consent must be free, specific, informed, unconditional and unambiguous. Consent should be provided through a clear affirmative act of the data principal, signifying an agreement to such processing.
- Data minimisation: Where consent is the basis for processing, personal data collected should be limited to what is necessary for a specified purpose.
Storage limitation: Data collected should be retained only until necessary for the specified purpose unless further retention is required by an Indian law. - Purpose limitation: Where consent or voluntarily provided personal data is the basis for processing, personal data should only be processed pursuant to specified purposes. Integrity: Where personal data is likely to be disclosed to another data fiduciary or used to make decisions about a data principal, the data fiduciary must ensure the processing of such personal data ensures its completeness, accuracy and consistency.
- Confidentiality: Data fiduciaries are required to protect the personal data in their possession, or control and implement reasonable security safeguards to prevent a personal data breach. Data fiduciaries are also required to implement appropriate technical and organisational measures.
- Accountability: Data fiduciaries are required to, irrespective of an agreement to the contrary, ensure compliance with DPDPA provisions.
Significant data fiduciaries are required to carry out periodic audits through an independent data auditor, data protection impact assessments in accordance with the DPDPA and rules prescribed, etc.
GDPR
Includes six lawful bases for processing personal data, subject to additions by member states:
• Consent.
• Performance of a contract.
• Legal obligation.
• Legitimate interests.
• Life protection and vital interests.
• Public interest.
DPDPA
Prescribes nine additional grounds for processing personal data beyond consent, defined as legitimate uses, including the following:
• Use of voluntarily provided data by the data principal for a specified purpose, where the data principal has not objected to such use.
• Performance of a state function.
• Performance of legal obligation, or in the interests of the sovereignty and integrity of India.
• To fulfil any legal obligation.
• To comply with a judicial order.
• To respond to medical emergencies involving a threat to an individual's life.
• During a threat to public health.
• For undertaking measures to ensure public safety or provide assistance during a disaster or public order breakdown.
• For employment purposes, or to safeguard the employer from loss or liability such as corporate espionage, to maintain confidentiality of proprietary information or to provide any service or benefit sought by an employee.
GDPR
Imposes a number of requirements for obtaining valid consent:
• Consent must be freely given, specific and informed.
• It must be granted by an unambiguous affirmative action.
• Generally, the provision of a service cannot be made conditional on obtaining consent for processing that is not necessary for the service.
• A request for consent must be distinct from any other terms and conditions.
• Consent for separate processing purposes must be provided separately.
• Individuals have the right to withdraw consent at any time "without detriment" and it should be as easy to withdraw consent as it was to give it.
DPDPA
Requires consent to be:
• Freely given, specific and informed.
• Unconditional. This possibly implies the provision of a service cannot be conditioned on providing consent for collecting any unnecessary data.
• Unambiguous.
• Capable of being withdrawn with comparable ease to which consent was given.
• In clear and plain language.
• Accessible in English as well as in all the official languages as prescribed in the Indian Constitution.
GDPR
Processing is permitted without consent where it is necessary for the controller's or a third party's legitimate interests, provided such interests are not overridden by the rights and interests of the data subject.
It is the controller's responsibility to determine whether the interests it pursues under this basis are legitimate and proportionate. Controllers are expected to document these assessments.
GDPR
Includes 10 lawful bases for processing sensitive data, subject to additions by member states:
• Explicit consent.
• Compliance with obligations and exercising rights in the employment and social security context.
• Life protection and vital interests.
• Legitimate activities by foundation, associations or other not-for-profit bodies with political, philosophical, religious or trade union aims that process data about members.
• Establishment, exercise or defense in legal claims.
• Manifestly made public by the individual.
• Substantial public interest defined by law.
• Preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, and the provision of health or social care or treatment.
• Substantial public interest in health.
• Archiving, scientific or historical research purposes.
DPDPA
Treats all personal data uniformly, without creating special categories of personal data, so the grounds for processing all personal data remain the same.
GDPR
Imposes additional obligations when collecting consent from children under age 16 or at an age set between 13 and 16 by member state law.
Where providing certain electronic services at a distance, i.e., "information society services," directly to a child and where the processing is based on consent, consent must be provided by a parent or guardian.
Processing personal data of children is pertinent to other GDPR requirements, so notices must be tailored to children. The fact that data subjects are children could tip the balance of the legitimate interest test or trigger a DPIA.
One recital states significant automated decisions should not be taken concerning children.
DPDPA
Defines a child as an individual under age 18.
There is a general obligation to obtain "verifiable consent" from the parent or lawful guardian of children and persons with disabilities. The government can notify rules specifying the manner of obtaining such verifiable parental consent.
Data fiduciaries are prohibited from undertaking processing that:
• Is likely to have a detrimental effect on the wellbeing of a child.
• Involves tracking, behavioral monitoring of children or targeted advertising directed at children.
These restrictions would not apply for certain classes of data fiduciaries, or for certain purposes as prescribed through rules by the government.
The government may notify classes of data fiduciaries exempt from these restrictions upon satisfaction that their processing activities are verifiably safe.
This section provides a comparison of the GDPR and the DPDPA as it relates to individual rights.
GDPR
Requires information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Where personal data is collected directly from the individual, notice must be provided at or before the time of collection.
For personal data collected indirectly, i.e., from another source), notice must be provided within one month or upon first contact with the individual, if earlier, unless providing notice would be impossible or require disproportionate effort.
Detailed requirements for the content that must be included in notices.
DPDPA
Requires consent to be obtained using clear and plain language.
Requires a notice to be provided before or at the time of personal data collection, disclosing:
• Personal data processed and the purpose for such processing.
• The manner in which data principals may exercise the rights available under the DPDPA.
• The manner in which the data principal can make a complaint to the Data Protection Board of India in such manner as prescribed.
Requires the consent language to be accessible in English as well as all official languages set out in the Indian Constitution.
Data fiduciaries are required to publish the business contact information of a point of contact, and a data protection officer in the case of significant data fiduciaries, to answer data principals' questions regarding personal data processing.
GDPR
Gives individuals the right to receive information about how their personal data is processed and a copy of their personal data.
Personal data must be provided:
• Free of charge, except where requests are manifestly unfounded, excessive or for additional copies.
• In electronic form when requested.
• Within one month unless an extension applies.
Exceptions apply when providing the information would adversely affect the rights and freedoms of others, including intellectual property rights.
DPDPA
Where consent or voluntary use is the basis for processing personal data, gives the data principal the right of access in the manner prescribed to:
• A summary of personal data processed by the data fiduciary and the processing activities undertaken by that data fiduciary with respect to such personal data.
• The identities of all other data fiduciaries and data processors with whom personal data has been shared, with a description of the personal data.
• Any other information related to the their personal data and its processing, as may be prescribed.
GDPR
• Grants data subjects the right to: Correct inaccurate personal data.
• Complete incomplete personal data.
When personal data is updated, it must be communicated to each recipient to which it was disclosed, unless this would involve disproportionate effort.
The controller must restrict processing where the accuracy of the data is disputed for the time needed to verify the request.
DPDPA
When consent or voluntary use is the basis for processing personal data, grants data principals the right to:
• Correct inaccurate or misleading personal data.
• Complete incomplete personal data.
• Update outdated personal data.
GDPR
Grants data subjects the right to request the deletion of personal data processed by the controller, when the data is no longer needed for the purpose of processing, when the data subject withdraws consent or objects, and when processing is unlawful or deletion is required by law.
If the controller grants a request for the deletion of data that was previously made public, the controller needs to "take reasonable steps" to inform any third parties that may be processing the data of the data subject's request.
There is also an obligation to communicate the request directly to any known recipients of the data unless it would be impossible or would require disproportionate effort.
Controllers may rely on a number of exceptions, including establishing, exercising or defending legal claims, conducting research that meets certain conditions, and other compelling legitimate interests to override a request.
DPDPA
Does not expressly recognize a right to be forgotten.
However, it allows data principals to withdraw their consent related to personal data processing.
Where consent is the basis for processing personal data, and such consent is withdrawn, the data fiduciary would be required to cease the processing of personal data, including its retention or public disclosure, within a reasonable time, unless the data is required to be retained under an Indian law. Additionally, the data principal may exercise the right to erasure of their personal data where its further retention is not necessary for the specified purpose, and is not required by law.
This section provides a comparison of the GDPR and the DPDPA as it relates to accountability requirements.
GDPR
Requires controllers and processors not established in the EU, that are subject to the GDPR, to appoint a representative in the EU, except if processing is occasional and does not involve large scale processing of sensitive data.
Requires private entities to appoint a DPO only when a "core activity" of the controller or processor involves either the regular and systematic monitoring of data subjects on a large scale or the large-scale processing of sensitive data.
The DPO must have sufficient independence and skill to carry out its functions and must be able to report to the highest levels of management within the organization.
DPOs may be outsourced.
Guidance from EU regulators recommend DPOs should be based in the EU.
DPDPA
Requires all significant data fiduciaries to appoint DPOs based out of India. Significant data fiduciaries are classes of data fiduciaries notified by the government considering the nature and volume of personal data processed, the risk posed to the rights of data principals, risk to electoral democracy, potential impact on the sovereignty and integrity of India, security of the state, etc.
The DPO must represent the significant data fiduciary and be accountable to the board of directors or governing body of the significant data fiduciary.
There are no express skill requirements for DPOs. Guidance on terms for appointing DPOs may be provided through rules under the DPDPA.
GDPR
Requires controllers and processors to retain detailed records of their processing activities unless very narrow exceptions apply.
DPDPA
Does not require data fiduciaries to maintain a record of processing activities. However, data fiduciaries may practically be required to maintain records of their processing activities when demonstrating compliance with the DPDPA.
Notably, during any proceeding, the data fiduciary should be able to prove a notice was given to the data principal and consent was obtained in accordance with DPDPA provisions
GDPR
Requires controllers to conduct a DPIA for certain "high risk" activities, including:
• Systematic and extensive profiling.
• Large-scale processing of sensitive data.
• Systematic monitoring of a publicly accessible area on a large scale.
In cases where the risks cannot be mitigated, the controller must consult with the data protection authority before engaging in the processing.
DPDPA
Requires significant data fiduciaries to carry out DPIAs. Such assessment should consider the impact of processing on data principals' rights, the purpose of processing, the assessment and management of risks to data principals' rights, and other prescribed matters.
GDPR
Includes a requirement to implement appropriate compliance processes through the lifecycle of any product, service or activity.
By default, only personal data necessary for a purpose should be processed and personal data should not be publicly disclosed without an individual's affirmative action.
DPDPA
Notably, does not require data fiduciaries to implement privacy by design.
Where consent or voluntary use is the basis for processing personal data, ensuring personal data collected is limited to what is necessary for a specified purpose is required.
Like the GDPR, the DPDPA requires all data fiduciaries to implement appropriate technical and organizational measures.
GDPR
Does not include audit requirement that are applicable to controllers.
Processors must agree to audit provisions in contracts with controllers.
DPDPA
Requires significant data fiduciaries to appoint an independent data auditor and carry out periodic audits.
GDPR
Subjects processing by processors to detailed contracts, with requirements set out in Article 28.
DPDPA
Requires data fiduciaries to be responsible for compliance, without any provision being applicable directly to data processors. However, data fiduciaries are required to engage data processors only pursuant to a valid contract.
This section provides a comparison of the GDPR and the DPDPA as it relates to security and breach notifications.
GDPR
Requires controllers and processors to implement appropriate technical and organizational measures to protect the security of personal data.
DPDPA
Requires data fiduciaries to protect the personal data under their control or possession, including involving any processing undertaken by or on its behalf, and implement necessary security safeguards to prevent a personal data breach. This requirement is likely to be passed on to data processors.
GDPR
Requires controllers to notify the DPA of a breach within 72 hours unless the breach is unlikely to result in a risk to individuals.
Notification may be made in stages as information becomes available.
Controllers must notify individuals of a breach without undue delay only if it is likely to result in a "high risk" to individuals.
Processors must notify a controller of a breach without undue delay.
DPDPA
Requires data fiduciaries to notify the board and the affected data principals in the event of a personal data breach, in a manner prescribed through rules.
The time period for notifying breaches may be established by rules.
This section provides a comparison of the GDPR and the DPDPA as it relates to international data transfers.
GDPR
Does not require localization unless international data transfer requirements are not met.
DPDPA
Does not generally require data localization. However, the government may impose restrictions on transfers of personal data to specific countries through notification. Additionally, any stricter law such as sector-specific data localization requirements, e.g., in respect of payment data, insurance data, or telecommunications subscriber data, will continue to apply.
GDPR
Only permits the transfer of personal data outside the European Economic Area when:
• The recipient is in a territory considered by the European Commission to offer an adequate level of protection for personal data after an assessment of its privacy laws and law enforcement access regime.
• Appropriate safeguards are put in place, such as European Commission-approved standard contractual clauses or binding corporate rules approved by DPAs.
• A derogation applies, such as where data subjects provide explicit consent, the transfer is necessary to fulfil a contract, or there is a public interest founded in EU or member state law, among others.
DPDPA
Generally permits international data transfers. The government may restrict transfers of personal data to specific countries notified through rules under the act. The rules will also specify the nature of such restrictions.
Penalties
GDPR
Does not stipulate criminal liability, but permits member states to impose criminal penalties for violations of the regulation and applicable national rules.
Administrative fines up to 20 million euros or 4% of annual global revenue.
DPAs may also issue injunctive penalties, which include the ability to block processing, restrict international transfers and require the deletion of personal data.
Individuals may bring claims in court for compensation and mechanisms exist for representative actions on behalf of a class of individuals.
DPDPA
Does not impose any criminal penalties, but imposes monetary penalties for "significant" breaches. In calculating the amount of penalty, relevant factors to be considered include:
• The nature, gravity and duration of the breach.
• The type and nature of personal data affected by the breach.
• The repetitive nature of the breach.
• Whether, as a result of the breach, the data fiduciary realized a gain or avoided any loss.
• Whether the monetary penalty imposed is proportionate and effective.
• The likely impact of the imposition of the monetary penalty on such data fiduciary.
During any stage of a proceeding for compliance with the DPDPA, the board may accept a voluntary undertaking by a data fiduciary. This may include a commitment to take appropriate action within a stipulated timeframe determined by the board. The board's acceptance would bar all proceedings under the DPDPA against the data fiduciary.
In addition to monetary penalties, the Central Government may direct any of its agencies or any online intermediary to block access to any information which enables a data fiduciary to offer goods or services in India, based on a written reference from the board intimating that the data fiduciary has been subject to a monetary penalty in two or more cases, and advising the Central Government that blocking access to the data fiduciary's offerings is in the public's general interests.
This section provides a comparison of the GDPR and the DPDPA as it relates to miscellaneous provisions.
GDPR
Does not define anonymous data, which cannot identify an individual by means reasonably likely to be used, falls outside of the scope of the law (reasonable steps to re-identify). In practice, anonymization is a high standard to meet.
DPDPA
Does not define anonymized personal data.
GDPR
Permits a number of exemptions for scientific or historical research, archiving in the public interest, and statistical purposes, including:
• Further processing for such purposes may be considered "compatible."
• EU or member state law may permit controllers to process sensitive data for such purposes.
• EU or member state law may provide derogations from certain individual rights.
For the research exemptions to apply, controllers must implement appropriate safeguards, which may be specified by law, such as pseudonymization.
DPDPA
Does not apply its provisions of to the processing personal data for research, archiving or statistical purposes, if such processing is:
• Not used to make a decision about a data principal.
• Carried out in accordance with the standards prescribed by the government.
Data protection principles
Instead of listing out data protection principles, the DPDPA internalizes principles of lawfulness, purpose limitation, storage limitation, integrity and confidentiality, and accountability through its various provisions.
However, the principle of purpose limitation only applies when consent or voluntary use is the basis for processing personal data. Similarly, the requirement of data minimization — collecting only as much information as is necessary for a specified purpose — only applies where consent is the basis for processing personal data.
Notably, the DPDPA does not impose a general obligation to comply with the principle of fairness in processing personal data, as required under the GDPR.
Lawful bases
The DPDPA excludes contractual necessity and legitimate interest as grounds for processing personal data. Consent remains the primary basis for processing, except for certain legitimate uses where obtaining consent may not be possible. Such situations include complying with legal obligations, performing state functions, complying with judicial orders, responding to medical emergencies, and maintaining public safety and order. A request for consent must be accompanied by a granular notice. Significantly, the notice must clearly specify an itemized description of personal data, specific description of goods or services provided — or uses enabled by such processing — along with the purposes of the processing.
The act recognizes processing for broadly defined employment purposes as an independent basis. It also envisions the use of personal data voluntarily provided by a data principal for a specified purpose, where the data principal does not object to such use. Voluntary use as a basis is possibly inspired by the deemed consent ground under Singapore's PDPA, where a notice and consent mechanism may not be practical in transactional settings.
However, the voluntary use basis is much narrower than the legitimate interest grounds for processing, which is flexible and can extend beyond specified purposes to cover the data controller's broader commercial interests — provided the individual can reasonably expect such processing.
Classification of data fiduciaries
Unlike the GDPR, which requires all entities to carry out data protection impact assessments under specific circumstances like high-risk processing, the DPDPA only imposes this requirement on specific data fiduciaries classified as "significant data fiduciaries." The government may classify data fiduciaries as significant considering the volume and extent of personal data processed, as well as the risks posed to data principals, electoral democracy, national security and public order.
The GDPR, by default, requires all public bodies and entities carrying out large-scale processing of sensitive data and systematic monitoring of individuals as their core activity to appoint a data protection officer. The DPDPA, meanwhile, only imposes the requirement to appoint an India-based DPO on data fiduciaries that are classified as significant through notification. Significant data fiduciaries will likely include global businesses collecting significant volumes of personal data.
While the GDPR requires the DPO to act independently, the DPDPA mandates that the DPO report to the board of directors or a similar governing body of the significant data fiduciary. For significant data fiduciaries, the rules impose additional obligations, including conducting due diligence to ensure that technical measures, such as algorithms, do not pose risks to individual rights. The rules also envisage empowering the government, based on recommendations from a committee it constitutes, to require entities to prevent the transfer of specified categories of personal data and traffic data related to its flow outside of India.
Scope of rights
While the GDPR and CCPA allow individuals to exercise a broader array of rights, the rights available to data principals under the DPDPA are limited to the rights of access; correction; completion; nomination, such as of a representative to exercise rights in case of death or incapacity; erasure; consent withdrawal; and grievance redressal. Further, rights to access, correction, completion and erasure can only be exercised where consent or voluntary use is the basis for processing personal data.
While the act does not explicitly provide for a right to be forgotten, it is possible to exercise the withdrawal of consent, where consent is the basis for processing; this would require the data fiduciary to delete the collected personal data. The requirement to provide a notice to data principals only applies when consent is the basis for processing personal data.
Crucially, the right to data portability and the right against solely automated decision-making are excluded. However, the act does require personal data used to make a decision about a data principal to be accurate, complete and consistent — which may make it difficult for data fiduciaries to implement solely automated decision-making processes that could result in inaccurate or discriminatory results.
Processing the personal data of children and those with disabilities
Under the DPDPA read with the rules, verifiable consent must be obtained from the parent or lawful guardian before processing a child’s personal data. Businesses are required to confirm that the parent or guardian of the child is an adult. Behavioral monitoring, tracking or profiling of children is prohibited, except when providing certain essential services, such as health care, education or real-time safety. For individuals with disabilities, consent must be obtained from their lawful guardian, who must be verified in accordance with India’s guardianship laws.
Duties of a data principal
Unlike most data laws, the act imposes duties on data principals, prohibiting frivolous complaints, impersonation of another person, and the suppression of material information in identifying oneself, such as during age-verification measures. Additionally, the act requires data principals to comply with applicable laws.
International data transfers
Unlike the GDPR, which generally restricts data transfers unless a country is deemed adequate, the DPDPA generally allows international data transfers, except where the government restricts transfers to specific countries. While the nature of these restrictions remains unclear, they could mean a stringent ban against transfers to blacklisted countries or soft obligations akin to adequacy — like arrangements, such as binding corporate rules or standard contractual clauses, for specific countries.
Additionally, sector-specific restrictions on data transfers to regulated entities — banking and finance, insurance, etc. — may apply as relevant. As mentioned above, the rules hint to the possibility of cross-border data transfer restrictions being introduced, with additional restrictions for significant data fiduciaries.
Data retention
The DPDPA, read with the rules, prescribes a minimum data retention period of one year for certain specified purposes, such as national security, strategic interests of the state or performance of any function under any law. This may require international businesses to revisit their transfer impact assessments for India.
Additionally, the rules also prescribe maximum retention periods for certain data fiduciaries — such as large e-commerce, gaming and social media platforms — except for certain specified purposes. These purposes include enabling access to existing accounts or digital wallets beyond the specified retention period.
Exemptions
The act allows the government to exempt classes of data fiduciaries, such as startups, from its scope, based on factors like the nature and volume of personal data processed. This provision addresses the long-standing criticism of the GDPR for imposing excessive regulatory costs on small businesses.
The DPDPA also exempts processing pursuant to research, archival or statistical purposes, provided it is carried out in accordance with standards prescribed by the government. The rules prescribe these standards, including adherence with data protection principles such as lawfulness, data minimization, data accuracy, storage limitation and accountability.
Additionally, except for data security requirements, the act exempts data processing carried out under unique conditions. These include: ascertaining the assets and liabilities of persons who may have defaulted in payment due on account of a loan or advance taken from a financial institution, enabling financial institutions and fintech businesses to conduct their business; processing where it is necessary in the context of mergers and acquisitions approved by a competent authority in certain circumstances; and, in the context of outsourcing, where the data relates only to foreign residents and is processed by a data processor in India on behalf of a foreign data fiduciary, allowing India to retain its prowess as an outsourcing hub.
Powers of the board
Notably, the newly created Data Protection Board of India has powers including the ability to carry out inquiries and direct urgent or remedial measures.
However, unlike national supervisory authorities under the GDPR, the DPBI does not have the power to initiate a proceeding on its own. Similarly, unlike EU supervisory authorities, the board cannot issue recommendations or codes of conduct; such prescriptive powers are retained by the government. While the board is required to act independently, it lacks the structural and functional independence utilized by EU supervisory authorities, as the government retains control over its composition, powers and functions. This was a missed opportunity for India to further strengthen its adequacy status under the GDPR.
In another element perhaps inspired by Singapore’s PDPA, the act allows the DPBI to accept voluntary undertaking to address any alleged noncompliance by data fiduciaries and bar associated legal proceedings against such data fiduciaries. Such a provision for voluntary undertaking is absent from most global data laws.
Significantly, the board can recommend the government exercise blocking powers against noncompliant data fiduciaries, restricting access to the data fiduciary's online goods or services, which could lead to a virtual stop in sales.
Enforcement and sanctions
While the GDPR allows member states to impose criminal penalties for certain non-compliance with data protection law, the DPDPA does not impose any criminal penalties. The sanctions are monetary penalties which, unlike the turnover-based penalties under the GDPR, may extend to INR250 crores (approximately USD27 million) in some cases.
Contrary to global data laws, the DPDPA only provides for the imposition of penalties for non-compliances that are "significant" in nature, though the threshold of what constitutes a “significant” breach is unclear. In determining the monetary penalty in a case of a significant non-compliance, the turnover of the business is not considered. Instead, relevant factors taken into account include the nature, gravity, and duration of the breach; type and nature of personal data affected; whether the breach was repetitive; and any mitigation measures undertaken by the data fiduciary.
Importantly, composite penalties may be imposed for more than one instance of noncompliance under the act. For example, penalties for failing to undertake reasonable security safeguards to prevent a personal data breach could be imposed in addition to the penalty for being noncompliant with child-related data processing obligations. The act does not provide for a right to compensation to data principals in cases of noncompliance.
Key takeaways
- Structural resonance: The structure of the DPDPA is comparable to the GDPR in terms of definitions, grounds, exceptions, rights and obligations. However, compared to other global laws, the scope of these provisions is relatively narrow, which may reflect that this is India's first step toward introducing an omnibus data protection law.
- Ease of compliance: As a continuing theme, the act and the rules seek to ease compliance for businesses in India's emerging digital economy and to retain its competitive advantage among preferred offshore locations globally.
- An evolving law for emerging challenges: Flexibility in introducing regulatory requirements through swifty exercisable rule-making powers — the ability to impose additional obligations for significant data fiduciaries, the manner of reporting data breaches, the accountability framework for consent managers, the manner of providing notice and the restrictions on international data transfers — provides the DPDPA with an evolving character. It can reshape itself and expeditiously adapt to unprecedented and unique challenges posed by India's rapidly transforming digital economy through situation-specific and need-based regulation.
- Proportionate regulation: The act's elasticity gives India the regulatory flexibility to ensure proportionate regulation from the perspective of doing business, with graded obligations for startups compared to significant data fiduciaries. This mechanism provides India's startup economy with a competitive advantage in the global tech landscape.
As a first step toward introducing an omnibus data protection legislation, for a vast and emerging economy like India, the DPDPA attempts to create baseline requirements that can be implemented at scale. This approach aims to help a country that historically has disregarded data protection internalize a culture of privacy.
Full series overview
The overview page for the full series can be accessed here.
- Scope, key definitions and lawful data processing
- Individual rights
- Obligations of data processing entities
- Enforcement and the Data Protection Board
- Cross-border data transfers
- Comparative analysis with the GDPR and other major data privacy laws
- Consent management
- Data audits for significant fiduciaries
- Data protection impact assessments
- Data breaches
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Tags:
Related resources
US State Privacy Legislation Tracker
Data Protection Officer Requirements by Country
Top 10 operational impacts of India’s DPDPA