The origin of the Digital Personal Data Protection Act (DPDPA), 2023, considered to be India’s first comprehensive data protection law, lies in the Supreme Court’s landmark judgment in Justice K S Puttaswamy vs Union of India (2017), which recognised the right to privacy as a fundamental right under Article 21 of the Constitution. In 2017, the union government constituted an expert committee, chaired by Justice B N Srikrishna, to draft a data protection framework, leading to the introduction of the Personal Data Protection Bill in 2018. A revised version was subsequently tabled in Parliament in 2019. In response to various concerns, the Bill was withdrawn in August 2022, followed by the introduction of the DPDP Bill, 2023, which was passed by Parliament and received presidential assent on August 11, 2023, formally enacting the DPDPA. To operationalise the Act, the government released the corresponding draft rules in January 2025, setting the stage for its implementation.
However, to place this policy in a global context, it is essential to draw comparisons between the DPDPA and the European Union (EU)’s General Data Protection Regulation (GDPR). Such comparisons would help understand how India’s framework aligns with or diverges from international standards in data protection as both regulations seek to protect individuals’ personal data rights.
Consent and user rights
Much like under GDPR, consent under the DPDPA must be explicit and informed. Processing personal data primarily requires such consent, except for specific “legitimate uses,” such as voluntary data sharing by individuals for particular services or state-driven data processing to deliver benefits. In contrast to GDPR, which provides multiple legal bases beyond consent — such as contractual necessity and “legitimate interests” — the DPDPA excludes these alternatives, making Indian companies significantly more dependent on user consent. This gives Indians a more direct say but could also inundate them with consent requests, whereas European companies can often process data on other lawful grounds without asking at every turn.
When it comes to individual rights, GDPR provides a broad suite: people can access their data, correct it, delete it (“right to be forgotten”), object to certain uses, and port their data elsewhere. The DPDPA ensures users can know what data a company holds on them, have errors corrected, request deletion, and file grievances over misuse, but it places less emphasis on data portability and lacks a general right to object. For instance, a user can correct or erase data they provided, but cannot easily move their data to a rival service or refuse secondary uses of their data beyond withdrawing consent. This trade-off may simplify compliance for businesses but leaves individuals with fewer tools to control their data.
Enforcement and penalties
The GDPR is enforced by independent Data Protection Authorities in each EU member state, whereas the DPDPA will be enforced by the Data Protection Board of India, a central body that handles complaints and orders penalties for violations. Board members will be appointed by the government for two-year terms, raising concerns about its independence. Unlike Europe’s regulators, the DPDP Board cannot issue broad guidelines but will focus on case-by-case enforcement. This means companies must rely on the text of the law (and upcoming rules) for direction rather than expecting an independent regulator to interpret grey areas.
On penalties, GDPR sets a high bar with fines up to €20 million or 4 per cent of global turnover, whichever is higher, whereas the DPDPA caps fines at Rs 250 crore (around €30 million) per violation. That is substantial — enough to deter most companies — but for the biggest tech players it is potentially less severe than GDPR’s percentage-of-revenue fines. Still, if India’s Board imposes Rs 250 crore penalties for serious breaches, it would usher in unprecedented accountability. The law specifies clear penalties for failures such as inadequate data protection or breach reporting, emphasising tangible consequences for non-compliance; however, the rigour of enforcement will be a critical factor. European regulators have demonstrated GDPR’s seriousness through substantial fines. If Indian authorities similarly enforce the DPDPA — without any exemptions for government agencies — it may significantly enhance the law’s credibility.
Government agencies’ exemptions and cross-border data transfers
While DPDPA allows the government to exempt its agencies from complying with the law for reasons like national security, public order, or prevention of offences, the GDPR does not offer blanket exemptions; instead, Article 23 permits EU member states to establish targeted restrictions on data protection rights for clearly defined purposes, including national security, public safety, or crime prevention. Simply put, if the national government exempts specific agencies from complying with data protection rules for the aforementioned reasons, these agencies may collect and use personal data without consent or transparency, creating risks of unchecked surveillance and undermining the fundamental right to privacy.
Rules on cross-border data transfer are crucial. The GDPR tightly regulates the transfer of personal data outside the EU — typically requiring the destination to have adequate privacy laws or the sender to use approved safeguards. The DPDPA takes a much more open stance: it allows data to be sent abroad by default, except to specific countries that the government blacklists for lacking adequate protection. For businesses, this flexibility is a boon, as they can use global cloud services and engage in international data projects without cumbersome legal checks. But the openness carries privacy risks and may increase the risk of Foreign Information Manipulation and Interference.
Both laws aim to protect privacy — DPDPA is simpler, consent-driven, and business-friendly, while GDPR is comprehensive and strict. The key challenge of the DPDPA lies in effective implementation. India’s Data Protection Board must demonstrate real independence and hold both government agencies and corporations accountable, while enhancing user rights — such as data portability — and tightening international data transfer rules.
The writer is currently based in Berlin, Germany, conducting research on India and the European Union’s digital landscape and policy interventions to counter disinformation and foreign information manipulation and interference.