Navigating Data Privacy in a Globalized World: A Comparative Analysis of GDPR and Indian Data Protection Regulations

Published on 18th March 2025

Authored By: Akhilesh Kakade
Symbiosis Law School

Abstract

While creating major privacy and security issues, the digital revolution has turned personal data into a vital asset that fuels economic growth and creativity. The General Data Protection Regulation (GDPR)[1], a worldwide benchmark instituted by the European Union in 2018, and the Digital Personal Data Protection Act, 2023 (DPDPA)[2] in India are investigated in this study. By means of a comparative analysis, the paper investigates their scopes, policies, enforcement strategies, and individual rights, so showing the common focus on user empowerment and data security. Although the GDPR provides thorough clauses and worldwide influence, the DPDPA adjusts foreign ideas to fit India’s own socioeconomic context. Focusing on extending individual rights, strengthening regulatory independence, upgrading compliance procedures, and clearly defining cross-border data transfer laws, the study also offers suggestions for revising the DPDPA to conform with international standards. These observations seek to add to the worldwide conversation on striking a balance between data privacy and innovation in a linked digital economy.

Introduction

Personal data has become a pillar of invention and economic development thanks to the digital era. But this explosive rise in data collecting and processing has raised serious privacy and security issues. As economies all around depend more on data-driven technology, strong rules to control the use of personal data have become very vital.
Particularly with the General Data Protection Regulation (GDPR) launched in 2018, the European Union (EU) has been a leader in the worldwide field of data protection. The GDPR has created a global norm by imposing strict policies to safeguard personal data and guarantee privacy. Its clauses, including severe compliance criteria and extraterritorial applicability, have affected not just EU member states but also data protection systems all over. The harmonised legal framework of the GDPR enables people to govern their personal data and mandates responsibility among data processors and controllers. Beyond its legal reach, the GDPR’s impact motivates other countries to create comparable systems fit for their socioeconomic situation. In the ever linked digital economy, this alignment seeks to build trust in data governance and facilitate international cooperation.[3]
India just passed the Digital Personal Data Protection Act, 2023 (DPDPA), the first thorough data protection law acknowledging the worldwide trend towards strict data protection laws. Approved on August 11, 2023, the DPDPA is a major turning point in the data protection scene of India. It substitutes a focused framework for personal data protection for the disjointed regulatory approach under the Information Technology Act, 2000. While addressing distinct domestic issues, the legislation shows a growing congruence with world standards, especially the GDPR. Though the DPDPA isn’t yet functional, its expected influence on how businesses handle personal data in India emphasises its relevance.[4]
Inspired much by the GDPR, the DPDPA combines ideas of responsibility, openness, and user empowerment. It does, however, also modify these ideas to fit India’s socioeconomic reality, including factors for its own digital economy and particular demographic problems. Important clauses including consent-based processing, strict penalties for non-compliance, and systems for international data transfers reflect the aims of the GDPR. But the DPDPA reflects the regulatory goals of a developing nation in areas like enforcement systems and the extent of individual rights, therefore diverging.
This work aims to offer a thorough comparison of India’s DPDPA with the GDPR. Analysing their scopes, guiding ideas, enforcement policies, and compliance criteria helps one to appreciate the advantages and drawbacks of each system. Moreover, the report investigates the effects of these rules on companies and people and provides suggestions for improving India’s data security system using world best standards. This seeks to add to the continuous conversation about striking a balance between data privacy and innovation in a globalized world.

The Digital Personal Data Protection Act, 2023 (DPDPA)

Overview:

Legislative Review:

The Digital Personal Data Protection Act, 2023 (DPDPA) is a basic shift in India’s attitude to personal data control. It replaces the outdated clauses of the Information Technology Act, 2000 with a robust framework safeguarding personal data in the digital age.[5] Especially in view of the Supreme Court’s historic judgement in Justice K.S. Puttaswamy v. Union of India[6], which recognized privacy as a fundamental right, the Act indicates India’s commitment to addressing concerns of privacy and matching with worldwide norms. Emphasising openness, responsibility, and personal rights, the DPDPA is meant to control the gathering, storage, and processing of digital personal data. Although the government is yet to disclose the provisions, businesses are expected to have a transitional period to align with the new law. This preparation stage gives companies a chance to implement top standards in compliance and data management.[7]

DPDPA Current Guidelines 

1 Applicability:

The DPDPA covers the processing of digital personal data within India, including data acquired in non-digital media and subsequently digitised. Its clauses also cover entities outside India that provide products or services to Indian citizens or track their activity, hence extending extraterritorially. The Act does, however, exclude personal data handled for domestic needs or data made public under legal requirements. This dual relevance guarantees the relevance of the law in a globalized digital economy and maintains the local privacy scene.[8]

2 Consent System:

The DPDPA emphasizes that consent must be free, informed, precise, and positive and is based mostly on Clear notices from data fiduciaries will help people to grasp the goal and extent of data use. Consent withdrawal ought to be as smooth as giving it, therefore underlining the idea of user empowerment. This system guarantees that people keep control over their data all through its lifetime, in line with world best standards and tackling local issues of digital literacy.

3 India’s Data Protection Board (DPBI)

Under the Act, the DPBI functions as the adjudication and enforcement power. Its duties include verifying compliance, punishing offenders, and looking at complaints. In incidents of data breaches, the Board is authorised to call evidence, investigate, and implement corrective actions. Despite its strong mandate, questions regarding its independence have been expressed, as the central government in large part shapes and operates it.[9]

4 Cross-border data exchanges

The Act guarantees that such states preserve sufficient degrees of data security by allowing cross-border data flows to nations notified by the central government. Although companies operating internationally depend on this clause, it creates regulatory uncertainty as the approved list of countries is still pending notification. This system harmonizes economic integration with national security issues.

5 Punishments

Depending on the degree and kind of the infringement, the DPDPA levies severe penalties for non-compliance ranging from ₹10,000 to ₹250 crore. Penalties are determined in part by the type of data impacted, mitigating attempts, and repeating character of offences. These clauses seek to discourage infractions and guarantee strong implementation while encouraging data fiduciaries to have an accountable culture.

The DPDPA creates a forward-looking framework addressing India’s particular socioeconomic situation and trying to match global norms. Reflecting an aim to combine personal privacy rights with the need of invention and economic growth, its articles set the structure for a whole data protection system.

GDPR

1 Overview

Originating with the European Union (EU) in May 2018, the General Data Protection Regulation (GDPR) transformed world data privacy by creating a shared legal framework for all EU members. The GDPR replaced the previous Data Protection Directive 95/46/EC, therefore harmonising data protection regulations throughout the EU. Its clauses stress openness, responsibility, and user control, therefore establishing a worldwide baseline for protection of personal information.[10]
The GDPR is defined by its extraterritorial reach, which mandates compliance from companies outside the EU handling personal data of EU residents for products, services, or behavioural monitoring. This general relevance has driven companies all around to implement strong data security policies in line with GDPR requirements and prevent harsh penalties, which can exceed €20 million or 4% of worldwide annual turnover.[11]
The values of the regulation (lawfulness, justice, openness, data minimization, responsibility) clearly define how personal data should be handled securely and ethically. These ideas have established a standard for data security systems all around and pushed companies to give user control and openness top priority.[12]

2 Personal Rights

The GDPR gives people more influence over their data. Key rights include:
1. Right to Access: Users can seek specifics about the handling of their data.
2. Right to Rectification: Erroneous or incomplete data can be corrected.
3. Right to Erasure: Data can be destroyed under particular circumstances, such as when no longer required (the right to be forgotten).
4. Right to Data Portability: People can move their data to other providers in an orderly way.
5. Right to Restrict or Object to Processing: Users may restrict or object to data processing, especially for marketing uses.
These rights guarantee users great control over their personal information.[13]

3 Rules of Accountability

The GDPR requires companies to name Data Protection Officers (DPOs), complete Data Protection Impact Assessments (DPIAs) for high-risk processing, and apply Privacy by Design and Default in operations. These steps focus on proactive compliance and enhance systems of data governance.

4 Penalties and Implementation

Non-compliance with the GDPR carries fines of up to €20 million or 4% of world annual turnover, whichever is greater. In order to guarantee consistent application across borders, supervising authorities in EU member states monitor compliance and complaints. Coordinating across borders, the European Data Protection Board (EDPB) supports uniformity and responsibility by means of

5 Supervisory Authorities

In every member state, independent supervising authorities track GDPR compliance, resolve complaints, and impose fines. Their cooperation via the EDPB guarantees consistent application and efficient resolution of conflicts (An American’s Guide to GDPR).

Comparative Study

1 Similarities
Both the General Data Protection Regulation (GDPR) and the Digital Personal Data Protection Act, 2023 (DPDPA) emphasize basic ideas of user empowerment and consent-driven data processing. These rules guarantee that companies handling personal data do so with openness and responsibility since they acknowledge the right of the individual to control their information. Both systems centre on user-centric methods, such as getting explicit permission for data collecting and processing. Their shared objective of reducing privacy concerns in an increasingly data-driven environment explains this resemblance.[14]
The systems for cross-border data transfers show another obvious similarity. Both systems set rigorous rules to provide enough protection of personal data moved to foreign countries. While GDPR addresses adequacy issues, the DPDPA directs the Indian government to notify the nations to which data transfers are allowed. This alignment highlights a shared commitment to safeguarding data privacy globally.[15]
2 Differences
Range and Relevancy
The GDPR is characterized by broad extraterritorial applicability: it covers organisations outside the EU that process data of EU residents, provided they supply products or services or monitor behavior. By contrast, the DPDPA has a more limited scope and mostly addresses operations aimed at Indian citizens or data processing inside India. This subtle approach captures the developmental and regulatory priorities of a growing nation like India.[16]
Systems of Enforcement
The approaches to enforcement show a notable difference. Through independent Supervisory Authorities in every member state, GDPR guarantees an objective approach to complaints and enforcement, therefore enforcing compliance. By means of the Data Protection Board of India (DPBI), the DPDPA centralises enforcement, thereby generating questions about possible government intervention in its operations. This structural difference emphasises the several ways to strike a balance between administrative control and regulatory independence.[17]
Individuals’ Rights
While both systems seek to empower people, GDPR provides a more complete set of rights including data portability and protections against automated decision-making. These clauses allow EU citizens great control over the flow and use of their data across platforms. But the DPDPA emphasises basic rights like consent and erasure, thereby excluding these rights explicitly. This difference captures the different socioeconomic settings and degrees of digital literacy between the EU and India.[18]

Recommendations 

With the Digital Personal Data Protection Act, 2023 (DPDPA), India’s data protection scene makes a major change. Still, some changes could help it to be more effective and in line with world standards.
1. Increasing Personal Rights
More rights like data portability and protections against automated decision-making will help the DPDPA to be much more in line with international standards such as the General Data Protection Regulation (GDPR). Data portability encourages competition and innovation by letting people access and reuse their personal data across many businesses. Protecting against possible biases and mistakes, safeguards against automated decision-making guarantee that people are not subjected to decisions taken just on automated processing without human interaction. Adopting these rights would put people more in charge of their personal information and its exploitation.
2. Enhancing Data Protection Board of India (DPBI) Independence
Neutral execution of data protection rules depends on the DPBI’s being independent. Since the government chooses its members, questions about the possible impact of the central government on the operation of the Board have been voiced lately. As with independent regulatory agencies such as the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI), establishing unambiguous legislative measures guaranteeing the DPBI’s autonomy will help to build public confidence and credibility. This covers open appointment procedures, members’ fixed tenure, and protection from arbitrary dismissal.[19]
3. Improving Frameworks for Compliance
Requiring regular data protection impact assessments and mandating the appointment of Data Protection Officers (DPOs) for important data fiduciaries can help to enhance responsibility systems. Acting as a point of communication between the company and the regulatory agencies, DPOs would monitor DPDPA compliance. Regular impact studies will guarantee proactive compliance and protection of individual rights by helping to identify and reduce possible hazards related to data processing operations. These rules would encourage a culture of responsibility and accountability among companies managing personal data.[20]
4. Transparency on Cross-border Data Transfers
Reducing uncertainty for multinational companies functioning in India depends on well-defined rules for cross-border data transfers. Although the DPDPA lets the central government notify nations to which personal data could be transferred, the standards for such decisions are nonetheless vague. Clear definition of these requirements in line with international standards guarantees sufficient protection and helps to enable flawless data flows. This covers defining the circumstances under which data transfers are allowed and signing agreements with foreign countries to support data security criteria.[21]

Following these recommendations will strengthen the DPDPA and provide strong data security for people, therefore creating an atmosphere fit for innovation and economic development.

Conclusion

Data privacy has advanced greatly with the General Data Protection Regulation (GDPR) and the Digital Personal Data Protection Act, 2023 (DPDPA). Emphasising individual rights, responsibility, and openness, the GDPR’s thorough framework and extraterritorial reach set a global standard. Focussing on consent and local difficulties, the DPDPA represents India’s particular socioeconomic setting while yet aligning with many of these values.
Including rights like data portability, guaranteeing regulatory independence, enhancing compliance measures, and clarifying cross-border data transfer rules will help the DPDPA to be strengthened. These improvements will help India build a strong data protection system that strikes a compromise between privacy, innovation, and economic development, thereby supporting world initiatives in data governance.

 

References

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

[2] Digital Personal Data Protection Act, No. 22 of 2023, Gazette of India, Aug. 11, 2023.

[3] Kumar, A., Deep, P., Raghuvanshi, S. & Kumar, V., India’s New Data Frontier: A Critical Legal Insight of the Personal Data Protection Act, 2023, 44(3) Library Progress Int’l 11776, 11782 (2024).

[4] Latham & Watkins LLP, India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison, https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf

[5] Pandit, R.K., Data Protection and Data Privacy Laws in India – Explained, Barristery.in, https://www.barristery.in/2024/02/data-protection-and-privacy-law-in-india.html

[6] Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., W.P. (Civ.) No. 494 of 2012, (2017) 10 S.C.C. 1, AIR 2017 S.C. 4161.

[7] Garg, H.D., Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Lexlife India, https://lexlife.in/2021/06/30/information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021

[8] Kumar, A., Supra note 3

[9] Barat, D., An Overview of India’s New Data Protection Law, 7 J. on Governance 11 (2024)

[10] Broekhof, J.M., The Importance of Compliance in Strengthening Your Organization’s Cybersecurity Posture, Guardian360, https://guardian360.eu/the-importance-of-compliance-in-strengthening-your-organizations-cybersecurity-posture/

[11] Arfelt, E., Basin, D. & Debois, S., Monitoring the GDPR, in Computer Security–ESORICS 2019: 24th European Symposium on Research in Computer Security, Luxembourg, September 23–27, 2019, Proceedings, Part I 681, 699 (Springer Int’l Publ’g 2019).

[12] Jones, M.L. & Kaminski, M.E., An American’s Guide to the GDPR, 98 Denv. L. Rev. 93 (2020).

[13] GDPR, G., General Data Protection Regulation, Regulation (EU) 679 (2016).

[14] Bareh, C.K., Reviewing the Privacy Implications of India’s Digital Personal Data Protection Act (2023) from Library Contexts, 44(1) DESIDOC J. of Libr. & Info. Tech. (2024).

[15] Sengar, S.S., From Pixels to Policies: Analysing the Provisions and Navigating the Complexities of the Digital Personal Data Protection Act, 2023, SSRN, https://ssrn.com/abstract=4547842

[16] Sharma, N. & Mahajan, S., GDPR and DPDP: A Comparative Analysis on User-Centrism, Ramjas Pol. Rev., 1(2) (2023).

[17] Rajagopalan, P. & Silic, D., An EU-GDPR-Based Privacy Assurance Framework for Data Processors in the Software Package Implementation Industry in India, Glob. J. of Bus. & Integral Sec. (2023)

[18] Sengar S.S. Supra Note 15

[19] Data Protection Board’s Architecture to Give It RBI-Like Autonomy: Vaishnaw, Times of India, https://timesofindia.indiatimes.com/india/data-protection-boards-architecture-to-give-it-rbi-like-autonomy-vaishnaw/articleshow/95750705.cms

[20] Bal, M., An Empirical Evaluation of the Implementation Challenges of the Digital Personal Data Protection Act 2023, Esya Centre 3, 22 (2024)

[21] Sengar S.S. Supra Note 15, at 11
