The Digital Personal Data Protection Act 2023: A Comparative Analysis with the GDPR and the CCPA

Authored By: Twinkle

Jaipur National University

Introduction

Privacy and data protection have ascended as central pillars of modern digital governance. With the exponential growth of digital ecosystems, nations worldwide have enacted comprehensive data protection frameworks to regulate how personal information is collected, processed, stored, shared, and transferred. The Digital Personal Data Protection Act, 2023 (DPDP Act) represents India’s first statutory attempt to codify digital personal data protection, including enforceable rights and obligations. Enacted on 11 August 2023 and progressively brought into force, the Act aims to strike a balance between individual autonomy and the legitimate use of data by entities processing digital personal data.

In global legislative discourse, two prominent benchmarks have influenced national data protection laws: the European Union’s General Data Protection Regulation (GDPR) and the United States’ California Consumer Privacy Act (CCPA). The GDPR, effective since 2018, is widely regarded as the most robust and comprehensive framework for privacy rights globally, influencing many national statutes. The CCPA, amended by the California Privacy Rights Act (CPRA) in 2023, reflects an American regulatory model that prioritises consumer control over personal data and market transparency.

This article examines the DPDP Act’s structure and key provisions and conducts a comparative evaluation with the GDPR and CCPA under core themes: scope and applicability, legal bases for processing, individual rights, obligations and enforcement, cross-border data flows, oversight mechanisms, and penalties.

Background

The Digital Personal Data Protection Act, 2023

The DPDP Act emerged from India’s long-standing quest to reform data protection governance, transitioning from patchy protection under the Information Technology Act, 2000, to a holistic statutory regime. The Act applies to the processing of digital personal data (information by which an individual can be identified) collected in digital form or subsequently digitised. It also extends extraterritorially to entities offering goods or services to Indian data principals.

Structured into nine chapters, the Act sets out the obligations of data fiduciaries, rights of data principals (individuals), special provisions, the establishment of a Data Protection Board of India, adjudicatory procedures, and enforcement and penalties. Salient features include consent requirements, purpose limitation, data minimisation, breach reporting, and provisions for data related to minors. A concurrent subsidiary legislation—the Digital Personal Data Protection Rules, 2025—operationalises the Act by outlining procedural and compliance requirements for entities and the board.

GDPR and CCPA: Global Privacy Benchmarks

The GDPR harmonises data protection laws across the European Union, focusing on data processing principles, individual rights, and robust enforcement through independent supervisory authorities. Its extraterritorial reach binds global organisations processing data of EU residents.

The CCPA and its amendments under the CPRA reflect a different paradigm within the United States, focusing on consumer rights in the context of commercial data use, particularly around disclosures, deletion, and opt-out options concerning the sale or sharing of personal information.

Literature Review and Theoretical Framework

Existing empirical and doctrinal scholarship underscores that effective data protection regimes must strike a balance between individual autonomy, economic innovation, trade facilitation, and national security imperatives. Comparative legal studies identify common principles across modern privacy frameworks—such as consent, transparency, accountability, and purpose limitation—while simultaneously highlighting significant divergences in scope, regulatory design, and enforcement mechanisms.

Scholarly discourse on the DPDP Act has particularly focused on its consent-centric model, the introduction of institutional mechanisms such as Consent Managers, and the breadth of exemptions available to State authorities. These features distinguish the Indian framework from the GDPR’s rights-driven architecture and independent regulatory model, raising important questions regarding the adequacy of privacy safeguards and the balance between executive discretion and individual rights.

Comparative Analysis

Scope and Applicability

The scope and applicability of data protection legislation determine the extent to which individuals’ personal data is safeguarded and the regulatory burden imposed on data-processing entities. The Digital Personal Data Protection Act, 2023, (DPDP Act) adopts a relatively narrow yet technology-oriented scope. It applies exclusively to the processing of digital personal data collected within India or personal data initially collected in non-digital form but subsequently digitised. Additionally, the Act has extraterritorial applicability where processing is connected with offering goods or services to individuals within India. However, the Act expressly excludes non-digitised personal data that is never converted into digital form, reflecting the legislature’s intent to regulate contemporary digital ecosystems rather than all manifestations of personal information.

In contrast, the General Data Protection Regulation (GDPR) adopts the broadest scope among modern data protection regimes. It applies to the processing of all personal data, whether automated or non-automated, provided the data forms part of a filing system. The GDPR also extends extraterritorially to entities established outside the European Union where they offer goods or services to, or monitor the behaviour of, individuals within the EU. This expansive reach is grounded in the recognition of data protection as a fundamental right under the Charter of Fundamental Rights of the European Union, thereby ensuring comprehensive protection irrespective of technological form or geographic location.

The California Consumer Privacy Act (CCPA), by comparison, adopts a threshold-based and commercial approach. It applies only to for-profit businesses that conduct business in California and meet specific statutory criteria, such as annual gross revenue thresholds or processing data of a prescribed number of consumers or households. The Act primarily governs personal information collected in commercial contexts and does not apply universally to all entities or processing activities. This reflects the United States’ consumer-centric regulatory philosophy, treating privacy as an aspect of market regulation rather than a universal fundamental right.

A comparative assessment reveals that while the DPDP Act prioritises digital economic governance, the GDPR embodies a rights-based and constitutional approach to data protection. The CCPA, meanwhile, limits applicability through commercial thresholds, reinforcing its role as a consumer protection statute rather than a comprehensive privacy framework.

Legal Bases for Processing

The legal bases for processing personal data constitute a foundational element of any data protection framework. Under the DPDP Act, consent serves as the principal legal basis for processing personal data. The Act mandates that consent be free, specific, informed, unconditional, and unambiguous, subject to limited statutory exceptions such as compliance with legal obligations, medical emergencies, and state functions. Notably, the DPDP Act does not recognise broader lawful bases such as legitimate interests or contractual necessity, thereby adopting a consent-centric regulatory model.

The GDPR, by contrast, provides a pluralistic framework of lawful bases for processing personal data. Article 6 of the GDPR recognises consent, contractual necessity, compliance with legal obligations, protection of vital interests, performance of tasks carried out in the public interest, and legitimate interests pursued by the controller or a third party. This multiplicity enhances legal flexibility but simultaneously imposes rigorous documentation and balancing obligations on data controllers, particularly when relying on legitimate interests.

The CCPA does not articulate legal bases for processing in the same doctrinal manner. Instead, it focuses on regulating the effects of data processing through consumer rights, transparency requirements, and opt-out mechanisms, particularly concerning the sale or sharing of personal information. Businesses subject to the CCPA must still comply with other applicable federal or state laws governing lawful data processing.

Individual Rights

Individual rights form the normative core of data protection regimes. The DPDP Act grants data principals the right to access information about data processing, seek correction and erasure of personal data, withdraw consent, and avail themselves of grievance redressal mechanisms. A distinctive feature of the Act is the recognition of consent managers, allowing individuals to manage consent through authorised intermediaries, reflecting India’s context-specific regulatory innovation.

The GDPR offers the most extensive catalogue of data subject rights. These include the right to be informed, right of access, rectification, erasure (commonly known as the right to be forgotten), restriction of processing, data portability, the right to object, and safeguards against automated decision-making and profiling. These rights collectively reinforce individual autonomy and informational self-determination within the European legal framework.

The CCPA confers a distinct set of consumer rights, including the right to know what personal information is collected, used, shared, or sold; the right to delete personal information; the right to opt out of the sale or sharing of personal data; the right to correct inaccurate information; and protection against discrimination for exercising these rights. While these rights significantly enhance consumer control, they remain narrower in scope compared to the GDPR’s rights-based framework.

Obligations and Enforcement

The enforcement architecture of data protection laws determines their practical effectiveness. The DPDP Act imposes statutory obligations on data fiduciaries, including lawful processing, transparency, data security safeguards, and breach notification requirements. Certain entities classified as significant data fiduciaries are subject to heightened compliance obligations, such as appointing Data Protection Officers and conducting data protection impact assessments. Enforcement is vested in the Data Protection Board of India, which is empowered to impose monetary penalties for non-compliance. However, academic discourse has raised concerns regarding the independence of the Board, given its appointment structure and executive oversight.

Under the GDPR, controllers and processors must adhere to core data protection principles, maintain records of processing activities, conduct impact assessments where required, and appoint Data Protection Officers in specified circumstances. Enforcement is carried out by independent supervisory authorities, which possess robust corrective and sanctioning powers, including the imposition of administrative fines of up to €20 million or 4% of global annual turnover.

The CCPA obligates businesses to provide detailed privacy notices, respond to consumer rights requests, implement reasonable security measures, and maintain transparency in data use practices. Enforcement is undertaken by the California Privacy Protection Agency and the Attorney General, with limited private rights of action available to consumers in cases involving data breaches. The enforcement framework is thus more compliance-oriented than punitive.

Cross-border Data Transfers

Cross-border data transfers present complex regulatory challenges in an interconnected digital economy. The DPDP Act permits cross-border transfers of personal data unless restricted by specific government notifications, thereby granting the executive considerable discretion over international data flows.

In contrast, the GDPR imposes stringent conditions on international data transfers. Such transfers are permitted only where the destination jurisdiction ensures an adequate level of data protection or where appropriate safeguards—such as standard contractual clauses or binding corporate rules—are in place. This regime ensures continuity of data protection beyond the EU’s territorial boundaries.

The CCPA does not explicitly regulate international data transfers. Instead, it relies on transparency obligations and consumer rights mechanisms, leaving cross-border data governance largely to contractual arrangements and other applicable legal frameworks.

Critical Issues and Debates

Government Exemptions and Regulatory Independence

One of the most significant criticisms levelled against the Digital Personal Data Protection Act, 2023 concerns the breadth of exemptions granted to government agencies and the centralised nature of regulatory control. The Act empowers the Central Government to exempt certain data processing activities undertaken in the interest of sovereignty, integrity of India, public order, and national security. Such wide-ranging exemptions raise concerns regarding potential encroachments upon informational privacy, particularly in contexts involving surveillance and large-scale data collection by the State. Academic commentators have argued that the absence of narrowly tailored safeguards and proportionality requirements may dilute the constitutional right to privacy recognised by the Supreme Court of India.

Furthermore, the enforcement framework under the DPDP Act vests adjudicatory powers in the Data Protection Board of India, whose members are appointed by the executive. This has sparked debate over the Board’s institutional independence and its ability to function as an impartial regulator. In contrast, the GDPR mandates the establishment of independent supervisory authorities, insulated from political influence, thereby reinforcing public trust and regulatory credibility. The divergence between these models underscores a fundamental tension between executive oversight and regulatory autonomy in data protection governance.

Consumer-centric versus Rights-based Orientation

Another critical debate arises from the differing philosophical orientations of the DPDP Act, GDPR, and CCPA. The CCPA adopts a predominantly consumer-centric framework, focusing on transparency, opt-out rights, and consumer choice, particularly in relation to the sale and sharing of personal data. This market-oriented approach treats privacy as an aspect of consumer protection rather than a fundamental human right.

By contrast, the GDPR is firmly grounded in a rights-based philosophy, conceptualising data protection as an extension of human dignity, autonomy, and fundamental freedoms. It provides a comprehensive catalogue of enforceable rights, including protections against automated decision-making and profiling. The DPDP Act occupies a hybrid position between these two models. While it incorporates individual rights such as access, correction, and erasure, it places disproportionate emphasis on consent as the primary mechanism of control and omits certain rights recognised under the GDPR, such as the right to restrict processing and safeguards against automated decision-making. This selective adoption has led scholars to question whether the DPDP Act sufficiently empowers individuals in an increasingly algorithm-driven digital environment.

Operational and Compliance Challenges

From a practical perspective, the coexistence of multiple data protection regimes presents significant compliance challenges for multinational corporations and digital service providers. Variations in core principles—such as data minimisation standards, consent thresholds, and requirements for data protection impact assessments—necessitate jurisdiction-specific compliance strategies. For instance, the GDPR’s rigorous accountability framework and mandatory impact assessments contrast with the DPDP Act’s comparatively flexible compliance obligations for non-significant data fiduciaries. These divergences increase compliance costs and legal uncertainty, particularly for entities operating simultaneously within India, the European Union, and the United States.

Conclusion

The Digital Personal Data Protection Act, 2023 marks a transformative milestone in India’s digital governance framework, translating the constitutional right to privacy into a statutory regime for regulating digital personal data. Aligned with evolving global privacy norms and calibrated for a digital-first economy, the Act embodies foundational principles of consent, transparency, and accountability within a framework shaped by India’s legal, socio-economic, and institutional realities.

While the DPDP Act does not replicate the expansive rights architecture or independent enforcement mechanisms characteristic of the GDPR, nor does it mirror the market-driven consumer protection model of the CCPA, it represents a significant step toward harmonising India’s data protection regime with international standards. Comparative analysis demonstrates that no single model offers a universally optimal solution; instead, each reflects normative choices balancing individual rights, economic innovation, and state interests. The long-term effectiveness of the DPDP Act will ultimately depend on robust subordinate legislation, genuine regulatory independence, and evolving judicial interpretation capable of bridging legislative intent with the lived realities of India’s digital society.