DPDP Act vs GDPR
10 Key Differences Indian Companies Must Know

DPDP requires consent that is free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action (Section 6). Consent must be as easy to withdraw as to give. Pre-ticked boxes and bundled consent are invalid. Notably, DPDP does not recognise "legitimate interest" as a standalone legal basis — processing is generally consent-based or based on specific "legitimate uses" enumerated in Section 7 (state functions, legal obligations, medical emergencies, employment).

GDPR provides six legal bases for processing (Article 6): consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interest. Legitimate interest (Article 6(1)(f)) is widely used by businesses to process data without consent — subject to a balancing test against the data subject's rights. This gives GDPR controllers significantly more flexibility in processing personal data without obtaining explicit consent.

The Data Protection Board of India (DPB) is a quasi-judicial tribunal established under Section 18 of the DPDP Act. It is a centralised national body — there is one Board for all of India, unlike GDPR's multi-DPA structure. The Board is designed for digital-first adjudication with virtual hearings as the default. The Central Government appoints the Chairperson and members. Appeals lie to TDSAT, then the Supreme Court.

Each EU/EEA member state has its own independent Data Protection Authority (DPA) — CNIL in France, ICO in the UK (pre-Brexit), BfDI in Germany, etc. For cross-border cases, the "one-stop-shop" mechanism designates a lead supervisory authority. DPAs have investigative, corrective, and advisory powers. They can conduct audits, issue warnings, ban processing, and impose fines. The European Data Protection Board (EDPB) ensures consistency across DPAs.

Fixed maximum ceilings per breach category as per the Schedule: Rs.250 crore (security safeguard breach, Sl.1), Rs.200 crore (breach notification failure, Sl.2), Rs.200 crore (children's data violations, Sl.3), Rs.150 crore (SDF obligations, Sl.4), Rs.10,000 (Data Principal duties, Sl.5), variable for voluntary undertaking breach (Sl.6), and Rs.50 crore (any other contravention, Sl.7). Penalties are not linked to company turnover. For a company with Rs.50,000 crore revenue, the maximum Rs.250 crore penalty is 0.5% of revenue — significantly lower than GDPR's 4% ceiling.

Two tiers linked to global annual turnover: Tier 1 — up to EUR 10 million or 2% of worldwide annual turnover (whichever is greater) for procedural violations; Tier 2 — up to EUR 20 million or 4% of worldwide annual turnover (whichever is greater) for substantive violations. For big tech companies, this has resulted in fines exceeding EUR 1 billion (Meta's EUR 1.2 billion fine in 2023).

Section 16 empowers the Central Government to notify countries to which transfer of personal data is restricted or prohibited. The approach is a government-notified blacklist — transfers to all non-restricted countries are permitted by default. There are no equivalents of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). The restriction is binary: a country is either blocked or it is not.

GDPR provides multiple transfer mechanisms: adequacy decisions (45 countries currently recognised), Standard Contractual Clauses (most commonly used), Binding Corporate Rules (for intra-group transfers), codes of conduct, certification mechanisms, and derogations for specific situations. The Schrems II decision (2020) invalidated the EU-US Privacy Shield and tightened SCC requirements, requiring transfer impact assessments.

A Data Protection Officer is mandatory only for Significant Data Fiduciaries (SDFs) designated by the Central Government under Section 10. The DPO must be based in India and serves as the point of contact for the Data Protection Board and Data Principals. For non-SDF companies, a DPO is not legally required. The criteria for SDF designation (volume of data, sensitivity, risk to sovereignty) will be specified by government notification.

DPO appointment is mandatory for: (a) public authorities; (b) organisations whose core activities require large-scale, regular and systematic monitoring of individuals; and (c) organisations whose core activities involve large-scale processing of special categories of data (Article 37). The DPO need not be based in the jurisdiction and can serve multiple organisations. The DPO must be independent and report directly to the highest management level.

Section 9 defines a child as any person below 18 years of age. Verifiable consent of a parent or lawful guardian is mandatory for processing any child's personal data. Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited. Processing that is detrimental to the well-being of a child is prohibited. The Central Government may exempt certain Data Fiduciaries or classes of data if processing is in the best interest of the child.

GDPR allows member states to set the age of consent for information society services between 13 and 16 years (Article 8). Most member states have set it at 16, though the UK set it at 13. Below the age threshold, parental consent is required. GDPR does not have a blanket prohibition on behavioural monitoring of children but requires enhanced safeguards. The UK Age Appropriate Design Code goes further than base GDPR requirements.

Section 12(3) provides that a Data Principal may request erasure of their personal data. However, this right is qualified — the Data Fiduciary must erase the data unless retention is necessary for the specified purpose or for compliance with any law. The right is triggered when the Data Principal withdraws consent or when the specified purpose has been served and the retention period has expired. There is no standalone "right to be forgotten" in the GDPR sense — no right to have search results delisted.

Article 17 provides a robust right to erasure (right to be forgotten) with specific grounds: consent withdrawn, data no longer necessary, data subject objects, unlawful processing, legal obligation, or children's data collected for information society services. The CJEU's Google Spain decision (2014) established the right to have search results delisted. Controllers must communicate erasure to third parties to whom the data was disclosed.

The DPDP Act does not include a right to data portability. Data Principals can access a summary of their personal data (Section 11) but there is no right to receive the data in a structured, commonly used, machine-readable format or to transmit it to another Data Fiduciary. This is a significant gap compared to GDPR and may limit competition-enhancing effects of data protection regulation in India.

Article 20 provides Data Subjects the right to receive their personal data in a "structured, commonly used and machine-readable format" and to transmit it to another controller. This right applies when processing is based on consent or a contract and is carried out by automated means. Data portability is a competition tool — it reduces switching costs and vendor lock-in. The Data Act (2023) further expands data portability rights in the EU.

DPDP does not recognise "legitimate interest" as a general legal basis for processing. Instead, Section 7 enumerates specific "legitimate uses" — processing for state functions, compliance with legal obligations, medical emergencies, employment purposes, and certain other specified purposes. This enumerated approach is narrower than GDPR's open-ended legitimate interest. Businesses cannot rely on a general "we have a legitimate business reason" argument to process personal data without consent.

Article 6(1)(f) allows processing where it is necessary for the legitimate interests of the controller or a third party, except where overridden by the interests or fundamental rights of the data subject. This is the most flexible and widely-used legal basis for business data processing. Controllers must conduct a three-part balancing test (legitimate interest, necessity, and balancing against data subject rights). Legitimate interest covers purposes like fraud prevention, network security, direct marketing, and intra-group data sharing.

The DPDP Act applies only to "digital personal data" — personal data collected in digital form or collected in non-digital form and subsequently digitised (Section 2(n)). Personal data that remains in purely physical form (paper records never digitised) falls outside the Act. This scope limitation means that organisations processing only paper-based personal records (some traditional businesses, certain government departments) are not covered. In practice, the distinction is narrow — most organisations digitise their records.

GDPR applies to all personal data, whether processed by automated means or forming part of a filing system (structured manual records). The scope is broader than DPDP — paper-based structured filing systems (alphabetised patient files, indexed employee records) are covered. This means GDPR protects personal data regardless of the medium, while DPDP's protection is contingent on digitalisation.