The digital revolution has transformed the way personal data is collected, processed, and stored, raising serious concerns about privacy, security, and misuse of information. In India, the right to privacy was recognized as a fundamental right under Article 21 in Justice K.S. Puttaswamy v. Union of India (2017), which laid the foundation for comprehensive data protection legislation. This recognition came at a time when the European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018, had already set a global benchmark for data protection standards. India’s evolving framework, culminating in the Digital Personal Data Protection Act, 2023, attempts to address these challenges, but a comparison with the GDPR highlights both progress and gaps.
The GDPR is one of the most comprehensive data protection regimes in the world, built around the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and accountability. It grants individuals robust rights such as the right to access, rectify, erase (“right to be forgotten”), restrict processing, and data portability. It also mandates explicit consent for data processing, imposes strict obligations on data controllers and processors, and provides for significant penalties for non-compliance. Importantly, GDPR has extraterritorial reach, applying to any entity processing the personal data of EU residents, regardless of where it is located.
India’s Digital Personal Data Protection Act, 2023 represents its first comprehensive attempt to regulate the use of personal data. The Act applies to both digital personal data within India and data processing outside India if it is related to offering goods or services within India. It emphasizes principles of consent-based processing, data minimization, and purpose limitation, similar to GDPR. Individuals are given rights such as the right to access their data, correction, erasure, and grievance redressal. Consent must be free, specific, informed, and unambiguous, aligning with global standards. However, the Indian law also permits wide-ranging exemptions for government agencies on grounds of national security, sovereignty, and public order, which raises concerns about dilution of privacy protections.
A major point of divergence between GDPR and the Indian framework lies in the scope of user rights. While GDPR provides for the right to data portability and the right to be forgotten as enforceable claims, India’s law has a narrower scope, with the right to be forgotten not as strongly articulated. Similarly, GDPR emphasizes transparency and accountability through mandatory appointment of Data Protection Officers (DPOs) and Data Protection Impact Assessments for high-risk processing. India’s law provides for such mechanisms but with more flexibility, potentially reducing compliance burdens but also weakening oversight.
Enforcement is another area where GDPR stands stronger. Under GDPR, non-compliance can attract penalties up to €20 million or 4% of global turnover, whichever is higher. This high penalty structure ensures strict adherence by corporations. The Indian law establishes a Data Protection Board to adjudicate violations and impose penalties, but questions remain about its independence and capacity. The maximum penalties, though significant in Indian terms, are not as stringent as those under GDPR, which may limit deterrence for large multinational corporations.
Exemptions for government surveillance also mark a key difference. GDPR allows restrictions on data protection rights only under strictly defined conditions and subject to safeguards. In contrast, the Indian law grants broad exemptions to government agencies, raising fears of mass surveillance and undermining the balance between individual privacy and state interests. Critics argue that this weakens the very foundation of the Puttaswamy judgment, which demanded proportionality and necessity in any restriction on privacy rights.
In conclusion, India’s data protection law marks a critical step in recognizing privacy as a fundamental right and establishing a statutory framework to regulate digital data. By incorporating principles such as consent, purpose limitation, and user rights, it reflects many elements of GDPR. However, in comparison, it provides weaker user rights, broader state exemptions, and less stringent enforcement mechanisms. While GDPR represents a high standard of privacy protection rooted in individual rights, India’s law attempts to balance privacy with economic growth, ease of compliance, and governmental interests. The road ahead requires strengthening institutional independence, narrowing state exemptions, and aligning more closely with global standards to ensure that the fundamental right to privacy is not compromised in the digital era.
