“Demystifying India’s Recent Data Protection Regulations Act, comparison with the GDPR and the issues faced”


The 2023 act makes, for the first time, a data privacy law in India. It needs to give consent before personal data is processed and specifies a small number of cases in the law where they do not need consent. It grants consumers the rights to access, rectify, modify and remove data as well as a right to designate some alter ego. It establishes extra safeguards with regard to children’s data processing. It imposes purpose limits, duties to give customers notice of data collection and processing procedures and security protection requirements in businesses. Businesses have to establish the grievance redress mechanisms according to the law. The DPB is also responsible for gripes and complaints, and it can impose fines in cases of non-adherence to the law.

India finally has a statutory framework for data protection. Besides, the law will take time to evolve into a minimum standard of behavior and compliance among data collecting businesses. The critical variable will be the approach of the government toward implementing and enforcing the law – for example, whether implementation would relate to data heavy businesses or across the economy overall.

Defining “Privacy”

The right, to privacy, plays a role in protecting our autonomy and preserving human dignity. It serves as the foundation for human rights. Privacy grants individuals the power to control their level of interaction with the world and shape their identity. It allows us to set boundaries and establish barriers that prevent influences from intruding into our lives. It also aids in determining who can access our information, locations, belongings, conversations well as our digital data and connections. Privacy protection regulations empower us to assert our rights when there are imbalances of power. While the Indian Constitution does not explicitly mention privacy as a provision the Supreme Court of India has established that it is indeed a right, under Article 21 despite its absence being explicitly stated.


[Image Sources: Shutterstock]

Digital Personal Data Protection (DPDP) Act, 2023

The Globe’s pace is skyrocketing. Of course, data has emerged as a major topic in recent years owing to the fast changes made within the digital world. Personal information is irreplaceable thus safeguarding it has become the ultimate priority. However, do we have a way to guarantee that our information will be secure?

India has also taken an active part in the cooperative venture of saving our information after long discussions and decisions were made by global leaders. In August 2023, the Indian government passed the Digital Personal Data Protection Act. The Act provides guidelines on the handling of digital personal data, creating legislation to safeguard individuals’ rights in terms of their data security while also taking care of the requirement to manipulate such kind of data as per the laws governing it and other related or unrelated issues.

India had introduced the Personal Data Protection Bill 2019 but due to various reasons, PDPB also became ineffective. The first version of the measure appeared to favour economic interests before national security. There were no directions for the localization of data, a full strategy for private data management during international relocation and requirements for social media platforms.

The Bill, which is now to be presented in Parliament has also drawn the attention of Forbes India because it allows the government vast powers to access data of individuals. These issues led to the creation of the new DPDPA.

Historical Context

DPDP Act was adopted in the early 2000s. 2001, Indian legislation on hacking began with the passage of the Information Technology Act. But as technology advanced and digital data grew exponentially, it was clear that a more reliable system needed to be implemented to protect this information. For instance, in the case of Puttaswamy which is a popular Indian court case.

The DPDP Bill was adopted by Parliament six years after the important case of Justice K.S Puttaswamy v. India Union. Therefore, India’s Supreme Court announced that all individuals in the country possessed a common right to privacy including the protection of confidential information through the “right to life” clause in their Constitution. A nine-member panel of judges at the Indian Supreme Court has stated that the Indian Government must create a well-organized hindrance to safeguard personal data. India has had multiple rounds of expert discussions and research towards the setting up of this system. In the years 2019 and 2022, two versions of the bill were introduced to Parliament.India rated privacy as a basic right under the Constitution and hence proved its importance. This decision opened the doors for even tougher laws that focus only on protecting information.

Comparison with the General Data Protection Regulation (GDPR)

The rollout of the GDPR has made privacy and data security an international standard. The DPDP Act has a number of GDPR attributes. It was based on international standards like these. For instance, both regulations require strict protocols to be followed in the case of data breaches and place user consent as the primary means for managing their information. 2016 brought about new concepts like “data fiduciary” and “data principal” introduced by the DPDP Act.These are designed to fit the peculiar economic and social environment of a nation.

The General Data Protection Regulation (GDPR) in the European Union and the Data Protection Act DPDPA, India arerecognized across the world as leading legislations aimed at protection of personal data. While the main goal of both laws is to ensure that data remains safe, a closer look shows an interesting synergy between similarities and differences, which defines each framework. Let us closely examine both.

The DPDPA introduced the idea of “deemed consent’’. This concept is more narrowly described in Section 7 of the legislation as “specific lawful purposes”

In short, this means that any entities or individuals having access to personal data can use the information for the stated reason specific for which such information is being disclosed as long as an individual does not clearly state his objection to using it in a way. It is necessary to give a more profound description of this word because companies may misunderstand the meaning of it.

  1. Consent Requirements

According to the DPDPA, an e-commerce site can employ an opt-out mechanism for getting consumers’ consent to send them marketing messages.

GDPR:A social media platform has a right to gather and leverage user data for targeted advertising only if it gets users’ explicit and affirmative consent.

  1. Children’s Data Protection

A children’s gaming app should have strong age verification tools to prevent unauthorized access to the application.

GDPR:Before processing data on users under the age of 16, a video streaming service must obtain consent from their parents.

  1. Notification of Data Breach

As stipulated under DPDPA, a financial institution must notify the digital protection authority and individuals whose information has been compromised within 72 hours of a data breach.

GDPR:when there is a breach an online business has the responsibility of informing the appropriate data security authorities in the required time.

  1. Cross-Border Data Transfer Dpdpa

A technology firm operating in India is required to hold and process confidential data belonging to Indian users within the physical boundaries of the country.

GDPR: A multinational corporation moving personal data between the European Union member states must use normal contractual agreements to protect the data throughout the transfer.

  1. SCOPE:

The DPDPA covers both digital data and some groups of private data. Understanding the difference between data and private data is important in ensuring that strict compliance with regulations is maintained.

GDPR: It includes different kinds of personal information from various sources worldwide.

Issues in Legislation:

The 2023 DPDP Act does not enjoy the same level of strength as its 2019 version. It has less strict standards for businesses, and consumers have fewer rights. It makes the rules more understandable, but at the same time opens up even greater autonomy for central government in decision-making without restrictions of any kind.

  1. Increased prevalence
  2. Locating the data’s whereabouts
  3. The responsibility of data fiduciaries
  4. Liberation from Duty
  5. Regulatory framework
  6. Consent:- According to the DPDPA, there must be consent from individuals in advance before corporations get access to their personal information or use it as well as retain any such relevant detail in fact, necessary permission should always be freely given consensual and unambiguous; informative; clear when required.
  7. Data localization:-The DPDPA requires that such types of personal data should be stored domestically within the borders of India. This covers private and sensitive information about individuals, including biological and financial data.
  8. Data protection:-The DPDPA limits the spread of information about individuals to third parties. A firm can only disclose personal data to a third party using consent or if the data is required, for instance, for the initial purpose of obtaining such information.
  9. Data subject rights:– According to the DPDPA, individuals have specific rights concerning their data – the right to request access to their data, correct it, delete it and object to the processing of these data.
  10. Legislation enforcement:- The DPDPA sets up the Data Protection Authority to comply with the legislation. The Data Protection Authority can investigate complaints and order corporations, to issue penalties against individuals who violate the law.


Governments are altering their strategies in protecting data in response to the challenges of digital transformation. India is not an exception. With the DPDP Act, India achieved another milestone in its attempts to establish a strong data protection regime.

Overall, enterprises operating within the Indian territory need to understand and comply with these provisions not only from a legal standpoint but also because this would enable them to have confidence in their activities. Data is also sometimes called “the new oil” because it helps fuel development and give birth to new ideas. However, data has value not only because of the fact that it is collected but also because it is well managed. The DPDP Act shows that the significance of personal data, as not solely a fundamental right for individuals but also an asset capable of taking enterprises to great heights if handled properly, was acknowledged.

Overall, the DPDP Act includes various provisions that aim to change ways personal data is handled in India. Endpoint Protector and other similar tools are vital for securing the legal path. By using the features of the platform, businesses can ensure compliance with regulations and show ethical concerns towards privacy and data security.

Author: Shruti Sinha, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at  Khurana & Khurana, Advocates and IP Attorney.


  1. Pop, C., & Pop, C. (2023, November 22). India’s Digital Personal Data Protection Act: Key Provisions and Business Implications. Endpoint Protector Blog. https://www.endpointprotector.com/blog/indias-personal-data-protection-bill-what-we-know-so-far/
  2. Castagna, R., &Lavery, T. (2021, January 29). General Data Protection Regulation (GDPR). What Is.


  1. Frankenfield, J. (2020, November 11). General Data Protection Regulation (GDPR) Definition and Meaning. Investopedia. https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp
  2. The Digital Personal Data Protection Act of India, explained – Future of Privacy Forum. (n.d.). Future of Privacy Forum. https://fpf.org/blog/the-digital-personal-data-protection-act-of-india-explained/
  3. Starting with the Supreme Court’s judgment declaring privacy to be a fundamental right in Justice K.S. Puttaswamy and Anr. v. Union of India and Ors.(10 SCC 1, Supreme Court of India, 2017).
  4. The Personal Data Protection Bill, 2019 (Bill No. 373 of 2019), accessed December 16, 2019,
  5. Justice K.S. Puttaswamy and Anr. v. Union of India and Ors.,(2017) 10 SCC 1

Leave a Reply



  • July 2024
  • June 2024
  • May 2024
  • April 2024
  • March 2024
  • February 2024
  • January 2024
  • December 2023
  • November 2023
  • October 2023
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • May 2023
  • April 2023
  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • February 2011
  • January 2011
  • December 2010
  • September 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010