Published on 4th February 2025
Authored By: Saloni Sunil Doiphode
Government Law College, Mumbai
INTRODUCTION
We as humans have come a long way. Human progress and growth have been remarkable. As humanity advanced, technology came into play. Previously, we could only envision face-timing someone thousands of miles away, doing cashless transactions, or effortlessly connecting with anyone on the entire globe. Everything in today’s world has significantly gone digital, including education, entertainment, healthcare, communication, transactions, commerce, and online dating. Almost everything is digital now. We can no longer ignore that we live in a digital world when everything is on our screens.
Information is important in today’s digital environment. In this digital age, when everything has been transferred to our digital gadgets, so has our personal and non-personal information. As a result, the risks to our data privacy have escalated dramatically. Data protection has become increasingly vital in this digital era.
Data protection rules have evolved in parallel with technological improvements and an increased reliance on digital systems. Just as digitalization created the need for data protection, data protection in turn fueled the demand for data protection legislation.
This paper aims to understand what data privacy is, its need, and what the laws governing it are with a comparison between the General Data Protection Regulation (GDPR) and the Indian Data Protection Regulation.
WHAT IS DATA PRIVACY?
In general, data privacy refers to an individual’s autonomy over when, how, and to what degree personal information about them is disclosed to other parties. A person’s name, phone number, address, bank account information, browsing history, IP address, medical history, online or offline conduct, etc. are examples of personal information. Just as someone might wish to keep others out of a private discussion, many internet users prefer to restrict or stop specific forms of personal data collection.
Data privacy has become increasingly important as Internet usage has grown over time. To deliver services, websites, apps, and social media platforms frequently need to gather and store user personal data. Some platforms and apps, however, could go beyond what users anticipate in terms of data gathering and use, giving them less privacy than they initially thought. Other platforms and apps might not adequately protect the data they gather, which could lead to a data breach that jeopardizes user privacy.
WHY IS DATA PRIVACY IMPORTANT?
Data protection laws are in place to preserve the right to privacy, which is seen as a fundamental human right in many jurisdictions. Data privacy is also crucial because people need to have confidence that their personal information will be handled carefully before they are willing to interact online. Businesses utilize data protection procedures to show users and consumers that they can trust them with their personal information.
If personal data is not kept private or individuals are unable to regulate how their information is used, it can be exploited in a variety of ways:
- Personal information can be used by criminals to harass or swindle users.
- Users may receive unsolicited marketing or advertising if entities sell their personal information to advertisers or other third parties without getting their approval.
- A person’s freedom of expression may be restricted when their activities are followed and monitored, particularly in countries with oppressive regimes.
Individuals may suffer from any of these consequences. These outcomes can lead to fines, sanctions, and other legal consequences for a corporation, as well as irreversible harm to its reputation.
In addition to the real-world consequences of privacy violations, many individuals and nations believe that privacy is valuable in and of itself and that it is a human right that is essential to a free society, much like the right to free expression.
DIFFERENCE BETWEEN DATA PROTECTION, DATA PRIVACY, AND DATA SECURITY
Protection, security, and privacy are the three main facets of data protection. Although the three roles are commonly seen as interchangeable, each one has a unique function that varies based on the organization, sector, use, and region.
In essence, data protection uses backup, recovery, and appropriate governance to secure data from loss, destruction, or corruption and to guarantee that users can access it easily. The goal of data privacy is to limit who can access particular data, whereas the goal of data security is to safeguard the data’s integrity against both external and internal risks such as infection and tampering.
The process of protecting private data against corruption and loss is known as data protection. Data security is a subset of data protection that focuses on preventing theft, corruption, and illegal access to digital data. It covers a range of information security topics, including access controls, organizational rules, and physical security. Data protection, on the other hand, emphasizes data availability and goes beyond data security.[1]
Data privacy is a component of both data security and data protection. Policies that uphold the broad idea that an individual should have control over their personal information, including the authority to determine how businesses gather, store, and use it, are the focus of data privacy.
In other words, the larger topic of data protection includes both data security and data privacy as subsets.[2]
EVOLUTION OF DATA PROTECTION LAWS
The idea of data privacy is not new. It has existed since Semayne’s case in 1604, when it was acknowledged that everyone’s home serves as his stronghold and castle. The idea of privacy later evolved and was popularized once more by the article “The Right to Privacy,” written by Justice Louis Brandeis and Attorney Samuel Warren, in which the authors acknowledged that protecting one’s right to privacy was essential to maintaining personal freedom in the modern era. Privacy was later formally recognized in 1984 under Article 12(4) of the Universal Declaration of Human Rights (UDHR). Following that, in 1980, the Organization for Economic Cooperation and Development (OECD) released rules on privacy protection and the cross-border transfer of personal data. As early as 1970, countries including Germany began drafting national data privacy legislation. On May 25, 2018, the landmark General Data Protection Regulation (GDPR) came into force, completely altering the regulations on data privacy and protection.
Privacy has long been a topic of discussion in Indian courts; some have argued that it is a fundamental right, while others have refused to acknowledge it as such under Article 21 of our Constitution. Finally, in 2017, the right to privacy was declared a fundamental right protected by Article 21 in the well-known case of K.S. Puttaswamy v. Union of India (2018). The Indian Penal Code (1860), the Information Technology Act (2000), and other laws touching on the right to privacy had significant flaws, and there was no comprehensive, stand-alone law addressing the matter. India finally passed a complete data protection and privacy law on August 9, 2023, after three attempts and seven years of development.
OVERVIEW OF INDIAN DATA PROTECTION REGULATIONS
On August 11, 2023, the Digital Personal Data Protection Act 2023 (the DPDPA), India’s first comprehensive data protection law, was passed by the Indian parliament. It is anticipated that the DPDPA will significantly alter how companies covered by Indian data protection laws handle personal data, replacing the country’s current patchwork of data protection regulations.
The Act is based on key principles, including purpose limitation, requiring data collection and processing for specific lawful purposes; consent, mandating explicit and revocable consent from individuals; and data minimization, ensuring only necessary data is collected. It also emphasizes storage limitation, requiring data retention only for as long as needed, and accountability from Data Fiduciaries, who must implement robust security measures to protect data.
The Act grants Data Principals (individuals) rights such as accessing information about data processing, correcting, or deleting inaccurate data, and filing grievances. To oversee compliance, the Data Protection Board of India (DPBI) has been established with powers to investigate complaints and impose penalties, which can go up to ₹250 crore for violations.
The Act provides exemptions for government agencies for purposes like national security, public order, or crime prevention. While it aims to align India with global data protection standards and foster trust in the digital economy, critics have raised concerns about broad government exemptions, the lack of data localization provisions, and unclear guidelines for cross-border data transfers.
Overall, the DPDP Act is a crucial step in protecting digital privacy, but its success will depend on effective implementation and balanced enforcement.
Unlike earlier drafts, the DPDPA is a unique legal system that differs significantly from the GDPR, even though it draws inspiration from it.
GDPR AND INDIAN DATA PROTECTION REGULATIONS
One of the strongest data privacy laws now in effect is the General Data Protection Regulation, or GDPR as it is more commonly known. It is the European Union’s privacy law, and it came into force on May 25, 2018.
The Digital Personal Data Protection (DPDP) Act, 2023 is a significant legislation by the Indian government aimed at safeguarding individual privacy and regulating the processing of digital personal data. It applies to personal data that identifies individuals and governs electronic data processing, including by entities outside India if they handle the data of individuals within the country.
These two laws, the DPDP Act and the GDPR, are rather detailed and share many similarities.
The following are the provisions that are comparable between the two:
Comparison between EU GDPR and Indian Data Protection Laws
1. Nature and Scope
The General Data Protection Regulation (GDPR), adopted by the EU, applies to all companies worldwide that deal with the personal data of individuals who are citizens of European Union countries. Its reach is therefore international: any commercial enterprise that uses the data of people living in the EU is subject to it, wherever that enterprise is located.
In India, the Data Protection Bill (PDPB), which underlies the Indian Data Protection Laws, is yet to be brought into force, but its aim is to govern data processing operations concerning Indian citizens and Indian territory. It applies both to domestic organizations and to overseas organizations that deal with the personal data of Indian citizens.
2. Consent and Control
While the GDPR allows businesses to process their customers’ personal data, they must first seek the consent of those individuals and give them detailed information about the purpose of the processing and other matters concerning their data. It gives individuals a reasonable level of control over their data, including but not limited to the rights of access, rectification, erasure, and portability.
In India, the Data Protection Bill aims at the same goals and scope. Data may be collected only after the individual has voluntarily given consent to the collecting party, and once data is held, rights such as access, correction, and erasure are likewise made available. Critics argue, however, that Indian policy gives the government more control over the use of data for security purposes, so that consent is less emphasized.
3. Data Localization
The European Union’s General Data Protection Regulation does not impose seemingly harsh data localization policies; however, it does have strict guidelines on the export of data across borders. Organizations must make sure that personal data exported from the EU is accompanied by sufficient guarantees.
The Indian PDPB has also sought to include provisions on data localization, under which critical personal data is to be retained within the borders of India. This means there are specific conditions under which various categories of sensitive data can be exported from India, which seems to us a quite radical move in comparison to the more fluid view of data export permitted by the GDPR.
4. Penalties and Enforcement
The GDPR is strictly enforced, since the consequences of noncompliance are substantial: for example, certain nations levy a penalty of up to 4% of annual global revenue or 20 million euros, whichever is greater. Monitoring is carried out by an independent supervisory authority in each of the European Union’s member states.
The Indian PDPB also imposes fines, though the quantum is, ironically, lower than the range imposed by the GDPR. If approved, it would permit sanctions of up to 4% of gross annual revenue or ₹15 crore, whichever is higher. Enforcement would take place through a Data Protection Authority (DPA), which is still being constituted.
5. Exemptions
The GDPR also makes provisions for exemptions, especially for matters connected with public interest, national security, or scientific research. Further, it dispenses with the requirement for businesses whose purpose of data processing is journalism or academic research.
The Indian PDPB also provides exceptions, most notably for the government in matters of national security, public order, and law enforcement, which has raised concerns about the possibility of abuse.
While both GDPR and Indian Data Protection Regulations share the fundamental goal of protecting personal data and ensuring transparency, they differ in their approaches. GDPR is known for its stringent standards, global applicability, and comprehensive rights for individuals, while India’s framework, though similar, is still evolving and includes provisions that allow the government broader access to data for security purposes. Both systems reflect the growing need for data protection in an increasingly connected world, though the Indian regulations are expected to undergo further refinement as the digital ecosystem in India matures.
CONCLUSION
In conclusion, both the General Data Protection Regulation (GDPR) and India’s evolving data protection regulations, including the Digital Personal Data Protection (DPDP) Act, 2023, aim to address the growing challenges of data privacy in an increasingly digital world. While the GDPR is a well-established, globally recognized standard emphasizing strong individual rights, accountability, and cross-border data governance, Indian data protection laws are still maturing, focusing on balancing privacy with the needs of a rapidly developing digital economy.
The GDPR sets a high bar with comprehensive rights for individuals, strict consent requirements, and heavy penalties for non-compliance. It is underpinned by principles of transparency, accountability, and extraterritorial applicability, making it a benchmark for data protection globally. In comparison, India’s DPDP Act is more recent and emphasizes simplicity, accessibility, and adaptability to local contexts. While it aligns with global standards on principles like consent, purpose limitation, and data minimization, it diverges in areas such as broader government exemptions and the absence of explicit data localization requirements.
Both frameworks reflect their unique socio-economic and political contexts. The GDPR is rooted in the EU’s emphasis on human rights, while Indian regulations aim to balance individual privacy with national priorities like economic growth, digital inclusion, and innovation. As global data flows grow, the success of these frameworks will depend on their ability to adapt to emerging technologies, address cross-border challenges, and foster international cooperation to ensure robust data privacy for all.
REFERENCES
Statutes
- THE INFORMATION TECHNOLOGY ACT, 2000
- GENERAL DATA PROTECTION REGULATION
- THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023
Case laws
- Justice K.S. Puttaswamy (Retd) v. Union of India, AIR 2018 SC (SUPP) 1841
Law journal
- Dowden M, Aw C and Janardhanan B, “India Welcomes Landmark Data Protection Law” (2023) XIV National Law Review https://natlawreview.com/article/india-welcomeslandmark-data-protection-law
Online sources
- Badman and Kosinski, “Data Protection” [2024] ibm.com https://www.ibm.com/think/topics/data-protection
- “Frequently Asked Questions on Data Protection Laws in India” (Lexology, June 11, 2021) https://www.lexology.com/library/detail.aspx?g=1bc32ef8-e7ed-41d6-8671-bac0684a602f
- Karjian R, “What Is Data Protection and Why Is It Important?” (Search Data Backup, April 30, 2024) https://www.techtarget.com/searchdatabackup/definition/data-protection
- Cloudflare, https://www.cloudflare.com/learning/privacy/what-is-data-privacy/
- Wolford B, “What Is GDPR, the EU’s New Data Protection Law?” (GDPR.eu, August 29, 2024) https://gdpr.eu/what-is-gdpr/
[1] Badman and Kosinski, “Data Protection” [2024] ibm.com https://www.ibm.com/think/topics/data-protection
[2] Badman and Kosinski, “Data Protection” [2024] ibm.com https://www.ibm.com/think/topics/data-protection