Comparison of the DPDP Act, 2023 with GDPR and Global Privacy Laws: Convergence and Divergence

Posted On - 23 September, 2025 • By - Jidesh Kumar

Introduction

The Digital Personal Data Protection Act, 2023 (DPDP Act) represents India’s first comprehensive law governing personal data. In scope and spirit, it draws heavily from global frameworks, particularly the European Union’s General Data Protection Regulation (GDPR), which has become the international benchmark.

Yet the DPDP Act is not a mere copy-paste. It reflects India’s unique socio-economic realities, high digital adoption, linguistic diversity, and a strong emphasis on state sovereignty over data. This essay examines where the DPDP Act converges with the GDPR and other global privacy laws (such as California’s CCPA/CPRA, Brazil’s LGPD, Singapore’s PDPA, and Canada’s PIPEDA), and where it diverges. It also assesses the implications for multinational organizations that must navigate compliance across multiple jurisdictions.

Convergence with GDPR and Global Laws

1. Recognition of Individual Rights

The DPDP Act recognizes core data subject rights: access, correction, erasure, and withdrawal of consent. This mirrors the GDPR’s data subject rights and reflects a global trend towards empowering individuals with greater control over their personal information.

Similarly, Brazil’s LGPD and Singapore’s PDPA provide individuals with access and correction rights, aligning with India’s direction. This convergence helps establish a common baseline of rights, making it easier for multinationals to adapt policies across markets.

2. Consent as the Basis of Processing

Like GDPR and most modern privacy laws, the DPDP Act places consent at the center of lawful processing. Consent must be free, informed, unambiguous, and capable of withdrawal. The Act also mandates notices in regional languages, echoing the global emphasis on accessibility and transparency.

3. Extraterritorial Scope

The DPDP Act, GDPR, and laws like the CCPA extend beyond their borders. Any foreign entity processing Indian citizens’ data in connection with goods or services is covered, similar to GDPR’s application to non-EU entities. This reflects a global consensus that data flows are borderless and require jurisdictional reach.

4. Accountability of Data Fiduciaries (Controllers)

The DPDP Act’s concept of a Data Fiduciary parallels the GDPR’s “Data Controller.” Both impose primary responsibility on the entity deciding “why” and “how” data is processed. Obligations include:

  • Ensuring a lawful basis for processing.
  • Implementing safeguards.
  • Responding to individual rights requests.

This accountability principle is echoed globally, including in Brazil’s LGPD and Singapore’s PDPA.

5. Risk-Based Compliance through Significant Data Fiduciaries

India’s creation of Significant Data Fiduciaries (SDFs) resembles GDPR’s obligations for organizations engaged in large-scale or high-risk processing. Both frameworks require:

  • Appointment of Data Protection Officers (DPOs).
  • Data Protection Impact Assessments (DPIAs).
  • Independent audits.

This convergence indicates an international recognition that larger players with higher impact must meet stricter obligations.

6. Enforcement and Penalties

Like GDPR’s administrative fines, the DPDP Act empowers the Data Protection Board of India to impose penalties up to ₹250 crore per breach. Similarly, Brazil’s LGPD authorizes fines up to 2% of turnover, and GDPR can impose up to 4% of global turnover. This deterrence model is becoming the global standard.

Divergence from GDPR and Global Laws

1. Absence of Sensitive Personal Data Classification

Unlike GDPR, LGPD, or Singapore’s PDPA, the DPDP Act does not define “sensitive personal data” requiring higher protection (such as health, biometrics, sexual orientation). All personal data is treated equally.

This simplifies compliance but may weaken safeguards for highly sensitive data, especially in healthcare, biometrics, and financial services.

2. Limited Rights for Individuals

The DPDP Act excludes certain GDPR rights, such as:

  • Right to Data Portability.
  • Right to Object to Automated Decision-Making.
  • Right to Restrict Processing.

The omission narrows individual empowerment compared to global standards and reduces compliance burdens for companies.

3. Broad Government Exemptions

The DPDP Act grants wide-ranging exemptions to the Central Government, including processing for sovereignty, public order, and law enforcement without consent. GDPR and LGPD allow exemptions but typically subject them to strict necessity and proportionality tests.

This divergence highlights India’s stronger emphasis on state control and national security over privacy.

4. Independence of Regulator

The GDPR mandates independent national supervisory authorities. In contrast, the Data Protection Board of India is appointed and controlled by the Central Government. This raises concerns about autonomy, especially in cases involving state entities.

By comparison, Brazil’s ANPD (National Data Protection Authority) has been established with relative independence, and Singapore’s PDPC operates at arm’s length. India’s model diverges significantly.

5. Child Data Threshold

The DPDP Act defines a child as under 18, requiring parental consent for all processing and banning profiling/advertising to children. GDPR sets the threshold at 16, with flexibility down to 13.

India’s stricter threshold reflects cultural and social concerns but poses practical compliance challenges for platforms serving teenagers.

6. No Explicit “Legitimate Interest” Basis

The GDPR provides multiple lawful bases for processing, including the legitimate interests of the controller, provided those interests are not overridden by the individual’s rights and freedoms. The DPDP Act does not include this; instead, it provides a narrow list of “legitimate uses” (such as employment or state functions).

This divergence reduces flexibility for businesses to justify processing without explicit consent.

7. Absence of Behavioral Monitoring Clause

The GDPR explicitly covers monitoring of behavior of EU residents (cookies, analytics, profiling). The DPDP Act applies to goods/services offered in India but does not expressly cover “monitoring.” This may create interpretative gaps, though regulators could broaden scope through practice.

Comparison with Other Global Privacy Laws

A. California Consumer Privacy Act (CCPA/CPRA)

  • Provides opt-out rights (sale/sharing of personal data), unlike DPDP’s opt-in consent model.
  • Recognizes categories like “sensitive personal information.”
  • Enforcement through the California Privacy Protection Agency, independent of government.

B. Brazil’s LGPD

  • Strongly modeled on GDPR, including sensitive data classification, portability rights, and independent oversight.
  • Broader rights for individuals compared to DPDP.
  • Enforcement powers similar in strength, but penalties tied to revenue percentage.

C. Singapore’s PDPA

  • Consent-focused, like DPDP.
  • Allows legitimate interest exemptions.
  • Has a narrower definition of “personal data” compared to DPDP’s expansive one.

D. Canada’s PIPEDA

  • Principles-based framework emphasizing accountability and transparency.
  • Less prescriptive compared to GDPR or DPDP.
  • Stronger on accountability mechanisms but weaker on individual rights.

Implications for Multinational Companies

Compliance Overlaps

Multinationals must harmonize policies across jurisdictions. Core overlaps include:

  • Consent mechanisms.
  • Data subject access rights.
  • Accountability of controllers/fiduciaries.

Compliance Divergences

Companies face challenges due to India-specific requirements:

  • Multi-lingual notices.
  • 18+ threshold for children.
  • No sensitive data distinction → uniform treatment of all personal data.
  • Government exemptions → uncertainty in enforcement.

Strategic Adjustments

  • Adopt baseline GDPR compliance globally, then adapt policies to India-specific nuances.
  • Review contracts with Indian partners to ensure DPDP obligations flow down.
  • Implement age-gating systems for Indian users.
  • Build India-specific consent dashboards and grievance portals.

Compliance Strategies for Multi-Jurisdictional Businesses

1. Global Data Governance Framework

  • Adopt GDPR as the global baseline.
  • Map divergences in India, U.S., Brazil, etc.

2. Localization Measures

  • Ensure India-specific compliance (multi-lingual notices, children’s data rules).
  • Consider local representation in India for regulatory engagement.

3. Operational Alignment

  • Use technology solutions for consent management and rights requests.
  • Harmonize grievance redressal across jurisdictions.

4. Risk Mitigation

  • Monitor regulatory developments, especially around DPB independence.
  • Prepare for sector-specific obligations (fintech, health-tech, ed-tech).

Conclusion

The DPDP Act reflects both convergence and divergence with GDPR and global privacy frameworks. Convergence exists in core principles: rights-based approach, consent, extraterritorial reach, fiduciary accountability, and deterrent penalties. Divergence arises from India’s policy choices: broad state exemptions, absence of sensitive data categories, stricter child thresholds, and limited individual rights.

For multinationals, the DPDP Act is not a stand-alone compliance challenge but part of a patchwork of global privacy obligations. The best strategy is to anchor compliance in GDPR standards, adapt to local divergences, and build governance systems that balance legal compliance with consumer trust.

Ultimately, while GDPR remains the “gold standard,” India’s DPDP Act signals a sovereignty-driven, consent-first model tailored to domestic realities, setting a precedent for other emerging economies to follow.

Contributed By – Aurelia Menezes