Unveiling Connections: A Comparative Analysis of EU GDPR and India’s DPDP

India’s Digital Personal Data Protection Act (DPDP) became law as of August 11, 2023 focusing on personal data management, consent, cross-border transfers, and establishing the Data Protection Board.

While clearly inspired by the GDPR, India's DPDP Act deviates from the European model in a number of important ways to address India's particular socio-economic and cultural needs. The DPDP (1) sets granular criteria for data processing, (2) provides broad carveouts for governmental data uses, (3) creates authority for the government to exempt some organizations from the law's core obligations, and (4) directs regulators to refine the legislation over time.

Moreover, the DPDP stands out for using duty-of-care verbiage like "Data Fiduciaries" for Controllers and "Data Principals" for Data Subjects, raising the age of parental consent to 18, and requiring speedy data breach reporting requirements with fines of up to INR 250 crore (tens of millions). Interestingly, the DPDP does not itemize special (sensitive) categories of personal data or set heightened requirements for their care.

The law also gives the government an unconventional capacity to request information from Fiduciaries, the Board, and "intermediaries," and to curtail public access to certain information within "computer resources."

It's important to underscore that significant aspects of the law require further clarity from the government and courts. And while the newly created Data Protection Board of India can provide input and assess compliance violations, it has not been granted formal rulemaking authority.

As we await confirmation of the act's effective date and for Indian authorities to work through how the law should work in practice, we thought it helpful to further compare the DPDP to the GDPR, below.