Introduction
Data protection has become increasingly vital as information technology advances. While the European Union (EU)'s General Data Protection Regulation (GDPR) sets the global benchmark for stringent data regulation, India has enacted the Digital Personal Data Protection Act, 2023 (DPDPA) to balance privacy with economic growth. Though both statutes regulate the processing of personal data, the DPDPA takes a more flexible approach to corporate compliance, reflecting the country's priorities regarding business growth. This article therefore argues that, although the DPDPA offers privacy protections broadly comparable to the GDPR, it favours a business-friendly environment and economic growth at the cost of a relatively higher residual risk to personal data.
Scope and Applicability
Though both GDPR and DPDPA share the goal of safeguarding an individual's privacy, they differ markedly on scope and applicability, enforcement mechanisms and the rights conferred on 'data principals' (individuals). The GDPR's jurisdictional reach is effectively global: under Article (Art.) 3 it applies to processing by organisations established in the EU as well as to non-EU organisations that offer goods or services to, or monitor the behaviour of, data subjects who are in the EU. This wide extra-territorial applicability is one of the GDPR's salient features and underpins its more rigid approach. In contrast, Section 3 of the DPDPA applies to the processing of digital personal data within India, and to processing outside India only where it is connected with offering goods or services to data principals in India. The DPDPA does not reach foreign entities that merely monitor the behaviour of people in India, which limits its extra-territorial reach and leaves such companies more latitude.
Regarding material scope, Art. 2 of the GDPR covers processing by automated means as well as manual processing of data that forms part of a filing system, so it reaches both online and offline records, and 'processing' (Art. 4(2)) includes any operation from collection and storage to destruction. The DPDPA, by contrast, regulates only digital personal data: data collected in digital form, or collected in non-digital form and digitised later. Purely manual, non-digitised records fall outside it.
Penalties
Another significant distinction relates to penalties. Violations of the GDPR attract very significant administrative fines under Art. 83, in two tiers: up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for the lower tier, and up to €20 million or 4% of turnover, whichever is higher, for serious infringements. Because the cap scales with turnover, the incentive to comply applies equally to the largest global groups. In contrast, Section 33(1) of the DPDPA, read with its Schedule, provides for fines of up to ₹250 crore (around €29 million) for the most serious non-compliance, such as failure to take reasonable security safeguards to prevent a personal data breach, with no turnover-based percentage. For a large organisation this fixes the maximum financial exposure in India at a level well below what the GDPR's turnover-linked caps could reach.
Consent Requirements
On consent, both regimes require that consent be free, specific, informed and unambiguous. The GDPR goes further for special categories of data (health, biometrics, religion and the like): Art. 9 prohibits their processing unless an exception applies, the most common being the data subject's explicit consent, and Art. 7 sets the conditions that any consent must satisfy. The DPDPA recognises no separate category of sensitive personal data, and Section 7 ('certain legitimate uses') allows processing without consent in enumerated situations, for example where the data principal has voluntarily provided the data for a specified purpose, or for employment purposes or medical emergencies. The DPDPA's requirements are therefore comparatively less stringent, particularly for sensitive personal information. Both regimes allow consent to be withdrawn at any time and require withdrawal to be as easy as giving consent (Art. 7(3) GDPR; Section 6(4) DPDPA).
Appointment of Data Protection Officer
These differences create distinct compliance environments for businesses in Europe and India. Both laws provide for a Data Protection Officer (DPO), but Section 10(2) of the DPDPA mandates one only for Significant Data Fiduciaries, entities notified by the Central Government on the basis of factors such as the volume and sensitivity of data processed and risks to national security. Art. 37 of the GDPR, by contrast, requires a DPO whenever an entity's core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data or data relating to criminal convictions, and it makes appointment mandatory for public authorities. The wider exemptions available under the DPDPA, coupled with these narrower triggers for appointing a DPO, contribute to a lighter compliance environment for businesses catering to Indian customers.
Storage and Transfer of Data
Under both the GDPR and the DPDPA, the storage and transfer of personal data are subject to rules intended to protect it. Art. 5(1) of the GDPR lays down the principles of data minimisation and storage limitation, so that personal data is kept for no longer than necessary for its purpose. The DPDPA likewise requires erasure once the specified purpose is no longer served or consent is withdrawn (Section 8(7)) and requires 'reasonable security safeguards' to prevent a personal data breach (Section 8(5)), but apart from the periodic audits required of Significant Data Fiduciaries under Section 10(2) it does not prescribe specific technical measures or audit procedures, leaving the content of those safeguards to the fiduciary and to future rules.
Data transfers are another area of high GDPR demands: Chapter V sets stringent requirements for international data flows, including adequacy decisions and appropriate safeguards such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). Conversely, Section 16 of the DPDPA permits cross-border transfers by default and allows the Central Government to restrict transfers to notified countries, so the regime rests on governmental restriction rather than on contractual frameworks between the parties. Taken together, these distinctions mean the GDPR requires more significant operational investment in the storage, transfer and security of data than the DPDPA, which is less prescriptive and more dependent on government oversight.
Strategic Challenges and Opportunities for Multinational Companies
Another important point in a globalised, data-driven world is that multinational companies operating in both the EU and India face significant strategic challenges in navigating these differing regimes. While the GDPR's stringent requirements enforce a high standard of data protection, the DPDPA's more flexible provisions show the Indian government's preference for a business-friendly environment. Facebook's experience in Europe illustrates the burden. In Data Protection Commissioner v. Facebook Ireland Ltd (the Schrems II judgment of 2020), the Court of Justice of the EU invalidated the EU-US Privacy Shield and tightened the conditions for relying on SCCs, forcing the company to rework its transatlantic data transfers. Separately, in 2022 the Irish Data Protection Commission fined Meta (Facebook's parent) €265 million under the GDPR after personal data scraped from the platform was published online. Facebook thus had to cope with increased legal and operational strain arising from the GDPR's stricter consent, transparency and data-transfer rules.
In contrast, India's DPDPA may, by comparison, do less to mitigate the risk of breaches such as the 2020 BigBasket incident. Although that breach predates the enactment of the DPDPA, the leak of sensitive information belonging to over 20 million users exposed gaps in security practice that remain common among Indian organisations. The DPDPA does respond to such incidents: a data fiduciary must notify the Data Protection Board and each affected data principal of a personal data breach (Section 8(6)), and failure to take reasonable security safeguards carries the Act's highest penalty. Yet companies are still given broader leeway to use personal data for purposes such as research or service improvement without obtaining explicit consent each time. That leeway offers significant cost savings and can encourage a reactive rather than proactive approach to security. Furthermore, without turnover-based penalties, stricter audit requirements and the level of specificity seen in the GDPR, the DPDPA does less to deter the practices that lead to such breaches.
Conclusion
Hence, although both the GDPR and the DPDPA seek to secure individuals' privacy, their regulatory approaches are what differentiate the business environments of the EU and India. Strict compliance obligations and high penalties ensure robust data protection under the GDPR but impose operational costs, especially on multinational companies. The DPDPA, by contrast, provides a more flexible, business-friendly environment whose growth benefits the Indian ecosystem while retaining basic privacy safeguards. That lighter regulatory control may, however, expose Indian citizens to higher privacy risks than the stringent protections the GDPR enforces in Europe.
This blog is written by Tvesha Chauhan, B.A., LL.B (Hons.) student at National Law School of India University, Bengaluru.