Decoding India’s Data Protection Laws Against Global Standards


– Yogitha Jammula[1]

In an era where personal data has become the lifeblood of the digital economy, protecting individual privacy has never been more critical. Growing reliance on technology has amplified concerns over data misuse, as illustrated by the recent Siri privacy controversy involving Apple[2], in which private conversations were reportedly recorded by Siri and analyzed without the consent of the individuals concerned. Incidents like these underscore the need for robust data protection laws that safeguard individuals from unauthorized surveillance and the exploitation of their personal information. The General Data Protection Regulation (GDPR), 2016 of the European Union (EU) has emerged as the global benchmark for comprehensive data protection. Drawing on the GDPR, India enacted the Digital Personal Data Protection (DPDP) Act, 2023, a significant step toward a modern data protection regime. India's path to a comprehensive framework has been one of gradual evolution, from the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, to the recent Draft Digital Personal Data Protection Rules, 2025.

This article examines the key differences and nuances between the GDPR, the IT Rules, 2011, the DPDP Act, 2023 and the Draft DPDP Rules, 2025. It explores how these instruments differ in applicability, consent management, breach notification timelines, penalties, mechanisms for cross-border data transfer and the obligations placed on data fiduciaries. By critically analyzing these frameworks, it seeks to highlight their strengths and shortcomings and to offer a clear picture of the evolving data protection landscape.

Applicability of Data Protection Framework

The GDPR has extraterritorial reach: it applies to any entity processing the personal data of individuals in the EU, irrespective of where the entity is located, where the processing relates to offering them goods or services or to monitoring their behaviour. It covers personal data processed wholly or partly by automated means, as well as data processed by other means that forms, or is intended to form, part of a filing system. In contrast, the IT Rules, 2011 had a limited scope, applying only to body corporates within India handling 'sensitive personal data'[3]. The DPDP Act, 2023 incorporates extraterritoriality but is confined to digital 'personal data'[4]: it applies to the processing of such data within India, and to processing outside India where it is in connection with offering goods or services to Data Principals within India. The Draft DPDP Rules, 2025 aim to clarify and expand on the Act's provisions and stipulate that Data Fiduciaries processing personal data within India, or outside India in connection with offering goods or services to Data Principals within India, shall comply with any requirements the Central Government specifies in respect of making personal data available to a foreign State or its entities.

Managing Consent

The IT Rules, 2011 placed the responsibility for consent management on the body corporates handling sensitive personal data. This approach proved both impractical and insufficient in ensuring accountability. To remedy this, the DPDP Act, 2023 introduced 'Consent Managers', intermediaries registered with the Data Protection Board of India that provide the platform through which 'Data Principals'[5] give, manage, review and withdraw their consent. The GDPR, on the other hand, does not recognize a 'consent manager' as a distinct entity. It does, however, lay down a comprehensive framework for obtaining, managing and withdrawing consent to the processing of personal data, with which organizations typically comply by relying on Consent Management Platforms that serve a similar purpose.

Another critical aspect of data protection is safeguarding the rights of minors. The GDPR requires parental consent for processing the data of children under 16 years of age in the context of online services, while allowing member states to lower that threshold to 13. The IT Rules, 2011 were notably silent on this aspect, a clear gap in the earlier framework. The DPDP Act, 2023 addresses it by requiring verifiable parental consent for all persons under 18 years of age, a markedly higher degree of parental oversight. The Draft DPDP Rules, 2025 elaborate on how verifiable consent is to be obtained from a parent or lawful guardian before the personal data of a child or a person with disability is processed: the Data Fiduciary must carry out due diligence to confirm that the person identifying as the parent is an adult, using reliable identity and age details already available with it or voluntarily provided, or a virtual token mapped to such details.

The Draft DPDP Rules, 2025 also carve out exemptions from the standard requirements for processing children's personal data. Certain entities, such as healthcare professionals and educational institutions, may process children's data for specified purposes where this is necessary for the child's well-being, but the processing must be restricted to the extent needed to protect the child's best interests.

Breach Notification

Timely breach notification is crucial in minimizing harm to individuals. The GDPR requires data controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The IT Rules, 2011 prescribed no deadline and went no further than a general expectation of promptness. The DPDP Act, 2023 likewise left the timeline to be prescribed; the Draft Rules, 2025 fill that gap. They require a Data Fiduciary, on becoming aware of a breach, to intimate the Board without delay, and within 72 hours (or such longer period as the Board may allow on a written request) to provide detailed information including the breach's cause, its likely impact, the corrective measures taken and the steps adopted to prevent a recurrence. This broadly aligns India with the global 72-hour standard. The Data Fiduciary must separately inform each affected Data Principal, without delay and in clear and plain language, of the nature of the breach, its likely consequences, the mitigation measures taken, the safety measures the Data Principal may take, and the business contact details through which inquiries may be made.

Cross-Border Transfer of Data

Data localization and cross-border transfers remain contentious issues in data protection discourse. The GDPR permits transfers to third countries under specific safeguard mechanisms: adequacy decisions, standard contractual clauses and binding corporate rules, among others. The IT Rules, 2011 allowed transfer to a body corporate in India or abroad only where it ensured the same level of data protection and the transfer was either necessary for the performance of a lawful contract or made with the consent of the provider of the information, without prescribing any mechanism for such transfer. While this safeguards data sovereignty, it may hinder international collaboration. The DPDP Act, 2023 likewise leaves control with the government: rather than listing permitted destinations, it empowers the Central Government to restrict, by notification, transfers of personal data to such countries or territories as it may specify, with no specific transfer mechanism prescribed. The Draft DPDP Rules, 2025 follow the Act and focus on compliance with government-prescribed conditions. They require 'Data Fiduciaries'[6] processing personal data within India, or outside India in connection with offering goods or services to Data Principals within India, to meet any requirements the Central Government specifies in respect of making personal data available to a foreign State or to an entity under its control.

Data Fiduciaries – Obligations

The GDPR imposes comprehensive obligations on both data controllers and processors, including maintaining Records of Processing Activities[7] (ROPA), conducting Data Protection Impact Assessments[8] (DPIAs) for high-risk processing, and appointing Data Protection Officers[9] (DPOs) where the relevant thresholds are met, all aimed at accountability and transparency. The IT Rules, 2011, given their limited scope, contain no comparable provisions. The DPDP Act, 2023 introduced obligations on Data Fiduciaries but reserved the more onerous ones for a notified class rather than extending them to all entities. Accordingly, the Act and the Draft DPDP Rules, 2025 require 'Significant Data Fiduciaries'[10] to appoint a DPO, to conduct DPIAs and to undergo an audit once every twelve months. Neither, however, mandates maintaining a ROPA.

Penalty

The penalties prescribed under the GDPR are among the most stringent in the world: fines of up to 20 million euros or 4% of the entity's total worldwide annual turnover, whichever is higher. This high ceiling serves as a strong deterrent and compels organizations to prioritize compliance. The DPDP Act, 2023 adopts a similar approach, with penalties of up to Rs. 250 crore (approximately 30 million euros), a significant departure from the IT Rules, 2011, which relied on the IT Act for enforcement and contained no penalty provisions of their own. The Draft DPDP Rules, 2025, while setting out procedural compliance measures, prescribe no additional penalties, so the enforcement framework rests almost entirely on the Act. The Rules concentrate on procedural matters such as breach notification timelines and consent management, leaving room for future refinement of the enforcement mechanism.

Notice by Data Fiduciary

The Draft DPDP Rules, 2025 specify that the notice given by a Data Fiduciary must be presented separately from any other information, be understandable on its own, and be written in clear and plain language, so that the Data Principal can give specific and informed consent to the processing of their personal data. The notice must also contain an itemised description of the personal data being collected, the specified purpose of processing, and a description of the goods, services or uses that the processing will enable.

One notable distinction of the DPDP Act, 2023 is its provision for regional language notices. The GDPR requires that information be provided in clear and plain language but says nothing about the language in which it must be available. The DPDP Act, 2023 goes a step further, giving the Data Principal the option to access the notice in English or in any of the languages listed in the Eighth Schedule to the Constitution of India.

Conclusion

India's journey towards robust data protection is both ambitious and challenging. The DPDP Act, 2023 and its Draft Rules reflect significant progress and address gaps left by the IT Rules, 2011. While the GDPR remains the gold standard, India's framework is tailored to its own socio-economic context, balancing privacy rights against the needs of a growing digital economy.

Challenges nevertheless persist: wide powers for, and no liability on, the State; the absence of a fixed timeline within which Data Fiduciaries must respond to requests from Data Principals; departures from international guidance on sensitive personal data and data anonymisation; and concerns that the Data Protection Board of India is entirely controlled by the Central Government. As India prepares to operationalise the DPDP Act through its Draft Rules, these challenges remain to be addressed if the regime is to command trust.

References

  1. Legal Writer & Associate, Karavadi & Associates.
  2. Siri Privacy Breach: Apple To Pay $95 Million Settlement Amid Spying Claims, Forbes (last accessed 12/1/2025), available at https://www.forbes.com/sites/moinroberts-islam/2025/01/03/siri-privacy-breach-apple-to-pay-95m-settlement-amid-spying-claims/.
  3. See Rule 3, IT Rules, 2011. Sensitive personal data includes information relating to passwords, financial details (e.g. bank accounts, credit cards), physical, physiological and mental health conditions, sexual orientation, medical records and history, biometric data, and any related information provided to or received by a body corporate for providing services or for processing. Information freely available in the public domain or furnished under laws such as the Right to Information Act is not regarded as sensitive personal data.
  4. Section 2(t), DPDP Act, 2023: "personal data" means any data about an individual who is identifiable by or in relation to such data.
  5. Section 2(j), DPDP Act, 2023: "Data Principal" means the individual to whom the personal data relates and where such individual is (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
  6. Any person, company, or entity that determines the purpose and means of processing personal data. See Section 2(i) of the DPDP Act, 2023.
  7. Records of Processing Activities are detailed logs maintained by organizations under the GDPR documenting how personal data is processed including purposes, categories of data, data subjects, and security measures.
  8. Data Protection Impact Assessment is a process under GDPR used to identify, assess, and mitigate risks to individuals’ personal data in high-risk processing activities.
  9. Data Protection Officers ensure an organization’s compliance with data protection laws, advise on data protection practices, and act as a liaison between regulatory authorities and data subjects.
  10. 'Significant Data Fiduciary' is a class of Data Fiduciaries notified by the Central Government on the basis of the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India and similar factors, as specified under Section 10 of the DPDP Act, 2023.

