DPDP V GDPR

The document provides a tabulated comparison of key aspects of India's Digital Personal Data Protection Act 2023 and the European Union's General Data Protection Regulation. Some key differences include: 1) The DPDP Act applies to personal data processing within India, while the GDPR applies more broadly to any organization processing EU citizens' data. 2) The DPDP Act requires parental consent for processing minors' data, while the GDPR sets the age of consent at 16. 3) The DPDP Act does not further categorize personal data, unlike the GDPR which distinguishes special categories.

Uploaded by

Ayush Negi

India’s Digital Personal Data Protection Act vs GDPR: Through a comparative lens

Introduction:
The DPDP Act, 2023 [1] was notified in the Official Gazette on 11 August 2023 and brings to life India's first dedicated data privacy legislation. There is considerable buzz around the DPDP Act, 2023 and its implications for both the domestic and the global landscape. While the ancillary Rules to the Act are still awaited, we aim to examine the provisions of the DPDP Act against what is undisputedly the toughest privacy legislation in the world, the General Data Protection Regulation (GDPR).

Tabulated comparison

Criteria: Scope
GDPR: The GDPR covers all organizations that process the personal data of EU citizens, including every company that offers goods and services or employs people in the EU, even if the entity is based outside the EU.
DPDP Act, 2023: The scope of the DPDP Act extends to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and then digitised. It will also apply to the processing of personal data outside India if it is for offering goods or services in India.

Criteria: Consent of minors
GDPR: Under the GDPR, the age of consent has been kept at 16, but member states are allowed to lower it to as low as 13.
DPDP Act, 2023: Under the DPDP Act, people under the age of 18 are considered minors and processing of their data requires "verifiable parental consent".

Criteria: Classification of data
GDPR: The GDPR classifies personal data into a further subset, namely special categories of personal data, which include data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, etc. Special categories of personal data are subject to distinct compliance requirements.
DPDP Act, 2023: The Act applies to the broader set of personal data without further categorising it into sensitive or critical personal data, and there exists no statutory requirement to implement separate compliance standards for different kinds of personal data.

Criteria: Categorisation of data fiduciaries / data controllers
GDPR: The GDPR does not distinguish between classes of data controllers (equivalent to data fiduciaries under the DPDP Act).
DPDP Act, 2023: The DPDP Act, 2023 provides a further classification of data fiduciaries as "significant data fiduciaries" based on a variety of factors, including the volume and nature of data collected. Pursuant to such governmental classification, additional obligations may be imposed on the notified significant data fiduciaries.

Criteria: Processing of personal data
GDPR: The GDPR clearly states under Article 5 that lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability shall be the core principles guiding the processing of personal data.
DPDP Act, 2023: The DPDP Act has no express mention of any such principles in the Act itself.

Criteria: Cross-border transfers of data
GDPR: The GDPR has laid down an exhaustive procedure for the cross-border flow of data. This is implemented through adequacy decisions, prescribed rules, standard contracts, and clauses relating to derogation.
DPDP Act, 2023: The DPDP Act allows the Central Government to restrict the transfer of personal data by a data fiduciary to notified countries or territories outside India, which shall be notified at a later stage. Moreover, more detail on the procedure for the cross-border flow of data is expected in the subsequent Rules.

Criteria: Consent managers
GDPR: There does not exist any concept of 'consent managers' in the GDPR.
DPDP Act, 2023: The DPDP Act lays down the concept of a 'consent manager', who is a person registered with the Data Protection Board, is accountable to the data principal, and acts as a single point of contact to enable a data principal to manage their consents through accessible platforms.

Criteria: Right of data portability
GDPR: The right of data portability under the GDPR enables individuals to obtain and reuse their personal data for their own purposes across different services.
DPDP Act, 2023: The DPDP Act does not provide the right of data portability in favour of data principals.

Criteria: Data breaches
GDPR: The GDPR requires personal data breaches to be reported to the authorities. However, personal data breaches need to be intimated to affected data subjects only when such breaches are likely to result in a high risk to their rights and freedoms. As per the GDPR, in regard to data breaches suffered by data processors, the data processor's obligation is only to notify the concerned data controller of the same. The responsibility for reporting such a personal data breach (if found to meet the necessary threshold set out under the GDPR) to the authority lies with the data controller.
DPDP Act, 2023: The DPDP Act mandates both data fiduciaries and data processors to report personal data breaches, and a breach must be reported in all cases under the Act.

Criteria: Processing of personal data without consent
GDPR: The GDPR also enables a data controller to process personal data without consent in specific situations, while providing for certain obligations on the data controller.
DPDP Act, 2023: The DPDP Act stipulates that under certain scenarios, such as the performance of a state function, a medical emergency, compliance with a decree or law, etc., the requirement of consent can be overridden. These are referred to as 'legitimate uses' under the Act.

Criteria: Data Protection Authorities
GDPR: The GDPR mandates the establishment of supervisory authorities in each EU member state.
DPDP Act, 2023: The DPDP Act stipulates the establishment of the Data Protection Board of India, which would enforce regulations, impose penalties, and resolve complaints. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons. The Board shall conduct such inquiry following the principles of natural justice and shall record reasons for its actions during the course of such inquiry.

Criteria: Penalties
GDPR: The GDPR prescribes fines under Article 83, and the same are administered according to the size of the organization, the gravity and impact of the non-compliance, and other criteria. As per the GDPR, penalties can be up to 20 million Euros or, in the case of an undertaking, up to 4% of the entire global revenue of the prior fiscal year, whichever is higher, for very serious violations. Moreover, less serious violations can entail fines of up to 10 million Euros or, in the case of an undertaking, up to 2% of its total global revenue for the prior fiscal year, whichever is larger.
DPDP Act, 2023: The DPDP Act prescribes an upper limit on the financial penalty for non-compliance, and the same has been limited to not more than INR 500 crores (approx. USD 6,04,97,530).

[1] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
