
AMLEGALS — India's DPDPA Practice — Legal 500 Asia Pacific

India Did Not
Copy GDPR.

It built something older. Something deeper.
Something 1.4 billion people's constitutional rights demanded.

The Digital Personal Data Protection Act, 2023 is not GDPR with an Indian accent.

It is a sovereign legal architecture built on the premise that personal data is a fundamental right — rooted in Justice K.S. Puttaswamy vs Union of India, 2017. A nine-judge constitutional bench. Not a Brussels directive.

GDPR flows from a Charter. DPDPA flows from a Constitution. That distinction changes every compliance decision you will make for your India operations.

If you are entering India with EU-trained compliance instincts alone, you are carrying the wrong map.

Extraterritorial Scope — Section 3
If your company collects, stores, or processes personal data of Indian residents in connection with offering them goods or services — from anywhere in the world — DPDPA applies to you. No minimum threshold. No grace period in the enacted text. The Act does not ask where your servers are. It asks whose data you hold.

AMLEGALS | Est. 1997 | 10 Offices India + Dubai | Legal 500 Asia Pacific | 27 Years Indian Regulatory Practice
1.4B

Data Principals. Every Indian resident. Protected by law from day one.

₹250 Cr

Maximum penalty per instance of breach. Schedule-based. Not turnover-linked yet.

72 Hrs

Data breach notification window to the Data Protection Board as prescribed under the Rules; the Act itself (Section 8(6)) leaves form and timing to be prescribed. Same figure as GDPR Article 33.

2017

Year India's Supreme Court declared privacy a fundamental right. By Constitution. Not legislation.

9

Supreme Court judges in the Puttaswamy bench. Unanimous on the right to privacy.

Architecture Analysis

Same Mission.
Different Philosophy.

Eight structural differences every EU counsel must understand before advising on India data operations.

Legal Ancestry
GDPR: EU Charter of Fundamental Rights + Data Protection Directive 95/46/EC. Legislative origin. Revised and expanded over 20 years.
DPDPA: Justice Puttaswamy Judgment 2017 + Article 21, Constitution of India. Constitutional origin. Fundamental right. Not replaceable by ordinary legislation.

Consent Philosophy
GDPR: 6 lawful bases. Consent is one option. Legitimate interest, contract, legal obligation, vital interest, public task also available.
DPDPA: Consent (Section 6) + certain legitimate uses (Section 7). Simpler architecture. Two lanes only. Withdrawal of consent is absolute — no balancing test against controller interest.

Data Principal Rights
GDPR: 8 rights: access, erasure, portability, objection, restriction, rectification, not subject to automated decisions, information.
DPDPA: 5 rights: access, correction, erasure, grievance redressal, nomination (Sections 11 to 14). Grievance-first architecture: the data principal must exhaust the fiduciary's grievance channel before approaching the Board. Nominee rights on death or incapacity of the data principal have no GDPR equivalent. A uniquely Indian legal construct.

Children's Data
GDPR: 16 years default. Member states can lower to 13. Significant variation across EU jurisdictions.
DPDPA: 18 years, tracking India's age of majority. Verifiable parental consent mandatory; no tracking, behavioural monitoring or targeted advertising directed at children. No member-state style variation. The Central Government may exempt notified classes of Data Fiduciaries or purposes, and may lower the age for a fiduciary whose processing of children's data is verifiably safe (Section 9(4)–(5)). Stricter than GDPR in absolute terms.

Data Localisation
GDPR: No mandatory localisation. Adequacy decisions govern cross border transfers. Roughly 15 jurisdictions hold EU adequacy as of 2024.
DPDPA: No general localisation mandate in the Act. Section 16 lets the Central Government restrict transfers to notified countries or territories (a negative list, not an adequacy-style whitelist) and preserves stricter sectoral rules such as RBI's payment-data localisation. Strategic sovereignty over cross border data flow retained. India has not been granted EU adequacy.

DPO Requirement
GDPR: Mandatory for large-scale processing, public authorities, and special category data processors.
DPDPA: No general DPO requirement as GDPR defines it. Every Data Fiduciary must publish contact details of a person able to answer data principals' questions (Section 8(10)); Significant Data Fiduciaries must appoint a DPO based in India (Section 10(2)(a)). Consent Manager model for consent intermediation. Grievance Officer required for Indian data principals. Rules under Section 40 pending. Your EU DPO does not satisfy this automatically.

Penalty Structure
GDPR: Up to €20M or 4% of global annual turnover, whichever is higher. Turnover-linked maximum.
DPDPA: Up to ₹250 Crore (approx. €27M) per instance. Schedule-based. No turnover linkage yet. Per-instance reading makes aggregate exposure potentially higher than a single GDPR fine.

Enforcement Body
GDPR: National Supervisory Authorities + European Data Protection Board. Multi-jurisdiction enforcement coordination.
DPDPA: Data Protection Board of India. Digital-first adjudicatory body. Appeals lie to the Appellate Tribunal (TDSAT) under Section 29. Single unified national enforcement — no national-authority fragmentation like the EU model.

This is not a table that declares a winner. Both frameworks protect the same right — the individual's control over personal data. The difference is constitutional philosophy, enforcement architecture, and the specific obligations each imposes. EU companies need both maps. Not one translated into the other.

The Constitutional Foundation

On 24 August 2017,
Nine Judges Changed Everything.

The Supreme Court of India declared privacy a fundamental right.

Not through legislation. Through the Constitution. Article 21. The right to life and personal liberty. Nine judges. Unanimous.

Justice D.Y. Chandrachud wrote that personal data is an extension of the self. That sentence is the philosophical foundation of every obligation in the DPDPA. It is why consent withdrawal under DPDPA is absolute, not subject to a balancing test. You cannot balance a controller’s legitimate interest against a person’s constitutional right.

EU companies that treat DPDPA as a lighter version of GDPR have not read that judgment. India’s data law has deeper constitutional roots than most countries’ privacy laws.

Article 8 of the EU Charter of Fundamental Rights protects personal data as a fundamental right, and GDPR gives that right legislative form. But the Charter is not a constitution in the same sense. It binds EU institutions, and member states only when they act within the scope of EU law (Article 51). The Indian Constitution binds the Indian state directly and — through the Puttaswamy logic — shapes the obligations the legislature imposes on every entity that processes the personal data of Indian residents.

That is a different kind of gravity. And it produces a different kind of compliance obligation.

“Privacy is not just a right to be left alone. It is the right to determine the narrative of your own life — to control the information that defines you in the eyes of the world.”

Justice D.Y. Chandrachud
Justice K.S. Puttaswamy v. Union of India
Supreme Court of India · 24 August 2017
Nine-Judge Constitutional Bench
The Unanimous Holding

The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution of India. All nine judges. No dissent.

The Market You Are Entering

The Scale EU Companies
Are Walking Into.

India's digital economy is not an emerging market with fragile data infrastructure. It is the world's largest biometric identity system, the highest-volume real-time payments network, and the fastest-growing internet population — all governed by one law. DPDPA.

900M+
Internet Users

Second largest internet population in the world, roughly twice the EU's entire internet user base. Every one a data principal under DPDPA.

131B
UPI Transactions (FY2023-24)

131 billion Unified Payments Interface transactions in one fiscal year. Every transaction carries personal and financial data. All within DPDPA scope.

1.35B+
Aadhaar Enrollments

World's largest biometric identity system. Iris scans, fingerprints, demographic data. DPDPA draws no separate "sensitive data" category: Aadhaar data is personal data under the Act, and the Aadhaar Act, 2016 and UIDAI regulations separately restrict how Aadhaar numbers and biometric information may be stored and used. EU companies processing Aadhaar-linked data carry both sets of obligations.

270M+
DigiLocker Users

Government-issued digital identity repository. Education certificates, driving licences, Aadhaar. All DPDPA-governed. All accessible via API integrations EU companies may be using.

$1T
Digital Economy Target by 2028

India’s stated target for its digital economy. DPDPA is the regulatory infrastructure for that economy. Compliance is not a cost of operating in India. It is the price of admission to the opportunity.

Zero
Minimum Threshold for DPDPA Applicability

No revenue floor. No data volume floor. No user count floor. If you process personal data of Indian residents in digital form, DPDPA applies. Size is not a defence.

Extraterritorial Scope — Section 3, DPDPA 2023

The Act applies to processing of digital personal data within India, including data collected in non-digital form and digitised later. It also applies to processing of digital personal data outside India if such processing is in connection with any activity related to offering of goods or services to data principals within India. Section 3(c) carves out personal data processed for personal or domestic purposes and data that the data principal, or a person under a legal obligation, has made publicly available.

This broadly mirrors GDPR Article 3(2)(a), the "offering goods or services" limb; DPDPA has no separate "monitoring of behaviour" limb. If your website serves Indian users, your app has Indian downloads, or your service has Indian customers — DPDPA reaches you regardless of where your servers sit.

There is no grace period in the enacted text. There is no small-company exemption in the Act itself, although Section 17(3) lets the Central Government, having regard to the volume and nature of data processed, exempt notified classes of Data Fiduciaries, including start-ups, from specified provisions. The Rules, when notified, may create tiered obligations. But the Act itself does not.

EU Counsel Risk Brief

Five Assumptions
That Will Cost You.

Every EU company entering India carries assumptions built from years of GDPR practice. Most of those assumptions are partially right. Some are dangerously wrong. These are the five that produce liability.

Assumption 1: GDPR compliance covers DPDPA.

It does not. The overlap is real — consent, breach notification, data subject rights. But the differences are structural, not cosmetic.

DPDPA has no six-lawful-bases framework. If your consent management platform was built around GDPR’s six lawful processing bases, it does not map to DPDPA’s consent-plus-legitimate-use architecture. You will need to rebuild the consent flow for Indian data principals.

DPDPA’s Nominee Rights — the right of a nominee to exercise data rights on behalf of a deceased or incapacitated data principal — have no GDPR equivalent. Your privacy notice almost certainly does not address this. It now needs to.

The practical consequence: A GDPR-compliant company is perhaps 40-50% of the way to DPDPA compliance. The remaining 50-60% requires India-specific work that your European data privacy team cannot do from Brussels.

Assumption 2: Nothing applies until the Rules are notified.

The Act is enacted. The Act creates obligations. The Rules detail the mechanics of compliance — how consent notices must be structured, how the Data Protection Board will operate, how Consent Managers will function.

But Section 8 of the Act — the obligations of Data Fiduciaries — is not contingent on the Rules being notified. The duty of care, the accuracy obligations, the breach response requirements, the grievance redressal mechanism — all arise from the Act itself. What the Rules cannot change is their source; what Section 1(2) controls is their start date, since each provision binds from the commencement date the Central Government notifies, and enactment and commencement are separate events.

Waiting for Rules as a compliance strategy is not a strategy. It is a liability accumulation exercise.

The practical consequence: Use the Rules-pending period to build the compliance architecture so you can execute the moment Rules are notified. Companies that start on notification day will be six months behind companies that started today.

Assumption 3: Our EU DPO covers India.

DPDPA does not require a Data Protection Officer in the GDPR sense for every fiduciary. It requires a Grievance Officer — a contact point accessible to Indian data principals for raising complaints about their personal data, whose business contact details must be published (Section 8(10)).

Your EU DPO does not automatically satisfy this. The Grievance Officer must be a named individual, reachable during Indian business hours, able to respond to complaints in the manner the Rules will prescribe. A DPO based in Frankfurt overseeing global operations does not meet this standard.

Significant Data Fiduciaries — a category to be notified by the Central Government under Section 10 — will have additional obligations including data protection impact assessments, mandatory independent data audits, and a Data Protection Officer who is based in India and answerable to the board of directors or equivalent governing body. These are roles your existing DPO infrastructure is unlikely to cover for the India market.

The practical consequence: Map your existing privacy governance structure against what DPDPA actually requires for Indian operations. The gap is likely larger than assumed.

Assumption 4: SCCs cover our India data transfers.

Standard Contractual Clauses govern the EU-to-India leg of your data transfers. That part is correct — India has not been granted EU adequacy, and SCCs remain the primary transfer mechanism from an EU perspective.

But for India-outbound transfers — personal data of Indian residents flowing out of India — DPDPA's own cross border transfer regime governs. Under Section 16, transfer is permitted by default except to countries or territories the Central Government restricts by notification, and any stricter sectoral localisation rule (RBI's payment-data mandate, for example) continues to apply on top. SCCs do not satisfy this requirement. They solve a different problem.

Most EU companies are managing one transfer framework. They need two, operating simultaneously, each covering a different direction of data flow.

The practical consequence: Your transfer impact assessment needs to map both directions. The data flowing from Frankfurt to Mumbai (GDPR governs the EU leg). And the data flowing from Mumbai back to Frankfurt (DPDPA governs the India leg). Build both architectures in parallel.

Assumption 5: The ₹250 Crore cap is lower than GDPR's maximum, so the India exposure is smaller.

₹250 Crore is approximately €27 million. A maximum GDPR fine is €20 million or 4% of global annual turnover — whichever is higher. For a large EU company, the GDPR maximum is significantly higher than ₹250 Crore.

But DPDPA's penalty is per instance. Not per investigation. Not per breach event. Per instance of non-compliance within that event. The Schedule frames each cap as "up to" for each breach of the relevant provision, and Section 33 directs the Board to weigh the nature, gravity and duration of the breach, its repetitive character, and any gain made before fixing the amount.

A data breach affecting 50,000 Indian users, with a failure to notify the Board and the affected data principals in the prescribed form and time, with inadequate consent records for each affected user — the per-instance reading of this scenario produces potential aggregate exposure that makes the headline ₹250 Crore ceiling look very different.

The practical consequence: Do not calibrate your India compliance investment against a GDPR-style single-event maximum penalty. Calibrate it against the aggregate exposure that a material breach could produce under a per-instance enforcement reading.

Original Framework — AMLEGALS, 2023

India's Data Law
Has a Philosophy
Europe Does Not.

The Digital Atman Theory of Data Privacy proposes that personal data is not merely information. It is the digital extension of the self — the Atman, the soul, as understood in Indian philosophical tradition.

GDPR treats personal data as property with rights attached. Rights to access, to erase, to port, to object. The frame is ownership. The remedy is control.

DPDPA treats personal data as identity with dignity owed. The frame is not ownership. It is selfhood. And that difference is not semantic. It is architectural.

Property can be transferred, licensed, traded, assigned. Dignity cannot. It must be protected regardless of consent, regardless of transaction, regardless of business interest.

This is why DPDPA’s consent withdrawal mechanism is stronger than GDPR’s. When you withdraw consent under DPDPA, you reclaim your digital self. Not just your data. The controller has no residual interest to balance against. The withdrawal is absolute.

EU companies entering India with a property rights compliance model are building the wrong structure on the wrong philosophical foundation. The structure may look right. The filing cabinets may say the right things. But the foundation is cracked.

The Digital Atman Theory™ — Core Proposition

“Personal data is not what you produce. It is what you are — in digital form. A law that protects data protects the person. A law that fails data fails the person. DPDPA was written by a country that knows this in its constitutional DNA.”

[Diagram: GDPR — Data as Property (6 lawful bases, portability, adequacy model, EDPB oversight) versus DPDPA — Data as Dignity (nominee rights, absolute withdrawal, Section 16 transfer restrictions, DPBI national). Shared ground: consent, breach notice, data rights, 72-hour breach notification. Caption: Architecture — not a compliance map.]
Satya
Truth in data. Accuracy as a fundamental obligation, not just a right.
Ahimsa
Non-harm through data. Security and purpose limitation as expressions of do-no-harm.
Swatantrata
Freedom through consent withdrawal. The right to reclaim your digital self.

The Practice

The Only Practice Built for India's Data Law Before India's Data Law Was Built.

AMLEGALS began building its DPDPA competency before the Act was enacted. Not because we saw a market. Because Puttaswamy 2017 made this law a constitutional inevitability.

  • Legal 500 Asia Pacific — Ranked multi speciality Indian law firm
  • 27 Years of Indian regulatory, litigation, and advisory practice
  • 10 Offices: Mumbai · Delhi · Bangalore · Ahmedabad · Kolkata · Hyderabad · Pune · Chennai · Jaipur · Dubai
  • FDPPI Ahmedabad Chapter President — Anandaday Misshra
  • IAPP Chair, New Delhi — Deepti Bhatia
  • Coined: Digital Atman Theory™ · Privacy Dividend™ · Consent Capital™ · Vibe Data Privacy™
  • Practice Areas: DPDPA · AI Governance · GST · Arbitration · Contract Law · Labour Law
01 / DPDPA GAP ANALYSIS
Your GDPR Posture vs DPDPA Requirements

We map what transfers from your existing compliance architecture, what does not, and what India requires that Brussels never imagined. Delivered as a structured gap report with remediation priorities and timelines.

02 / CROSS BORDER DATA FLOW ARCHITECTURE
India Inbound + India Outbound. Both Directions.

SCCs for the EU to India leg. DPDPA Section 16 transfer restrictions and sectoral localisation rules for the India outbound leg. One coherent cross border data flow structure covering both regulatory frameworks simultaneously.

03 / CONSENT MECHANISM REBUILD
DPDPA Native Consent Architecture

Not GDPR consent ported to India. A consent flow built for Indian data principals — covering notice requirements, language obligations for 22 scheduled languages, withdrawal mechanisms, and Consent Manager integration.

04 / GRIEVANCE OFFICER SETUP
India Accessible. Board Ready. Accountable.

The contact India’s law requires. Named, accessible, accountable. Structured for Data Protection Board of India interface when the adjudicatory mechanism activates. Not a FAQ page — a functional grievance channel.

05 / REGULATORY WATCH + RULES TRACKING
Notified the Moment the Ministry Acts

The Rules are coming. We track every Ministry of Electronics and Information Technology notification, every inter-ministerial consultation, every DPBI circular. You will not be surprised by a notification that everyone else saw coming.

The Privacy Dividend™

Most EU Companies See DPDPA as Risk.
The Smart Ones See It as Entry.

India’s DPDPA creates a trust infrastructure that does not exist in most Asian markets. A regulated data environment. Enforceable rights. An independent adjudicatory body with real penalty powers.

EU companies that achieve DPDPA compliance early gain something their competitors do not: an India market entry story built on demonstrated trust. Indian consumers, regulators, and counterparties notice the difference.

Compliance is not a cost of entry. It is the entry.

The Privacy Dividend™ — the measurable return on privacy investment — is higher in India's market right now than anywhere else in Asia. India is one of the few jurisdictions in Asia where the apex court has recognised privacy as a fundamental constitutional right. That changes the value of demonstrating compliance to every Indian counterparty you will ever face across a table.

2017
Puttaswamy Judgment — Privacy as fundamental right
2018
Srikrishna Committee Report and draft PDP Bill
2019
PDP Bill introduced in Parliament; referred to a Joint Parliamentary Committee
Dec 2021
JPC Report — revised framework proposed
Aug–Nov 2022
PDP Bill withdrawn; draft DPDP Bill released for public consultation
Aug 2023
DPDPA enacted and published in the Gazette; commencement by notification under Section 1(2)
2024–25
Rules drafting — consultation period
2025–26
Rules finalised — phased commencement begins
2026+
Enforcement era begins — DPBI operational
May 2027
DPDPA in full force
The Privacy Dividend™ — AMLEGALS Framework
Compliance is Not a Cost.
It is a Competitive Position.

Companies that treat DPDPA as a box ticking exercise will spend money and remain exposed. Companies that treat it as an architecture exercise will build something that creates business value — in the Indian market and in their relationship with Indian counterparties, regulators, and customers.

Privacy Investment
minus Penalty Risk Avoided
plus Market Trust Gained
= Privacy Dividend™
AMLEGALS Proprietary Framework · © 2023

Authority

What Thinking Lawyers
Are Saying About DPDPA.

India’s DPDPA is not a derivative statute. It is a first principles response to the question: what does data protection mean in a constitutional democracy of 1.4 billion people? The answer is different from Brussels. It was always going to be.

Anandaday Misshra · Founder & Managing Partner, AMLEGALS · FDPPI Ahmedabad Chapter President · FDPPI Annual Conference

The DPDPA introduces a consent architecture that EU practitioners have not encountered before. Consent withdrawal is absolute — no controller-interest balancing, no residual processing justification. Indian data principals hold a stronger withdrawal right than their EU counterparts in this specific dimension.

Deepti Bhatia · IAPP Chair, New Delhi · Data Privacy Practice, AMLEGALS

The Data Protection Board of India will be the most consequential new regulatory body India creates since SEBI. It will set enforcement precedents that define the compliance obligations of every digital business in India for the next two decades. Build your posture before it activates, not after.

D.S. Mahajani · Senior Partner, AMLEGALS · Regulatory & Compliance Practice

EU companies processing Indian personal data face a dual compliance burden that most have not mapped. SCCs govern the EU-to-India leg. DPDPA governs the India-outbound leg. Two frameworks, two directions, one operation. Most companies are solving half the problem and calling it done.

Rohit Lalwani · Partner, AMLEGALS · Cross Border Data Governance

DPDPA’s nominee rights provision has no parallel in GDPR. When a data principal dies or loses capacity, a nominee can step in to exercise their data rights. EU privacy counsel advising on India operations must address this in every privacy notice, every consent framework, every data governance policy.

Mridusha Guha · Associate Partner, AMLEGALS · DPDPA Advisory Practice

Section 8 — Core Obligations

Every Data Fiduciary must maintain accuracy, retain data only as long as the purpose requires, protect data through appropriate security safeguards, and delete data once the purpose is served. These obligations arise from the enacted Act. Not from the pending Rules.

Section 10 — Significant Data Fiduciaries

The Central Government will notify certain Data Fiduciaries as Significant, having regard to the volume and sensitivity of data processed and the risk to data principals, electoral democracy, state security and public order. Additional obligations include data protection impact assessments, periodic independent data audits, and appointment of a Data Protection Officer based in India. EU companies processing large volumes of Indian personal data should assume they may be notified.

Schedule — Penalty Quantum

Failure to implement reasonable security safeguards (Section 8(5)): up to ₹250 Crore. Failure to notify a breach to the Board or affected data principals (Section 8(6)): up to ₹200 Crore. Children's data obligations breach (Section 9): up to ₹200 Crore. Breach of Significant Data Fiduciary obligations (Section 10): up to ₹150 Crore. Breach of any other provision of the Act or the Rules, including non-compliance with Board directions: up to ₹50 Crore. Per instance. Not per investigation.

India is not waiting for EU companies to be ready. The Act is enacted. The Board is being constituted. The Rules are coming. The question is not whether DPDPA applies to your operations. The question is whether you want to build your compliance architecture with a firm that has spent 27 years in the jurisdiction — or explain to your board why you did not.

Anandaday Misshra · AMLEGALS · 2024

Your India Data Compliance
Starts With the Right Conversation.

Not a form. Not an RFQ. A conversation with a lawyer who has argued Indian regulatory law for 27 years and built a practice specifically for this moment in India's data law history.