Comparative Analysis

DPDPA vs GDPR Comparison

Side by side analysis of India and EU data protection frameworks

24 January 2026

Executive Summary

While DPDPA draws conceptual inspiration from GDPR, significant divergences in scope, penalties, and enforcement create distinct compliance requirements for organisations operating across both jurisdictions.


DPDPA vs GDPR Comparison — AMLEGALS DPDPA Visual Guide Series

1. Foundational Divergences

DPDPA and GDPR share conceptual foundations in principles like lawfulness, purpose limitation, and data minimisation. However, they diverge fundamentally in scope and approach.

DPDPA applies exclusively to digital personal data. Paper records fall outside its scope. This is a departure from GDPR, which applies regardless of medium. The consent architecture also differs materially. While both require informed, specific consent, DPDPA prohibits conditional consent more explicitly and gives withdrawal parity statutory force.

Legitimate interests, a cornerstone GDPR processing basis, has no direct equivalent in DPDPA's "legitimate uses" framework. The Indian framework is narrower and more prescribed. Extraterritorial reach creates overlapping compliance obligations for multinationals, though DPDPA ties its territorial scope explicitly to offering goods or services rather than GDPR's broader monitoring criterion.

2. Penalty Philosophy and Enforcement Approach

The penalty architectures reflect different enforcement philosophies. GDPR uses revenue based calculation with penalties up to 20 million euros or 4 percent of global annual turnover. DPDPA uses fixed maximums up to Rs 250 Crore.

This creates interesting proportionality questions. Fixed penalties could be catastrophic for mid sized enterprises while potentially insignificant for global technology giants. However, DPDPA's cumulative penalty application may aggregate to substantial sanctions for entities with multiple processing failures.

The enforcement machinery also differs substantially. GDPR operates through established Data Protection Authorities with decades of enforcement jurisprudence. The Data Protection Board of India represents a nascent institution still building enforcement capability. Organisations maintaining dual compliance must recognise that GDPR compliance does not automatically satisfy DPDPA requirements, particularly in consent granularity and cross border transfer frameworks.

Key Takeaways

  1. DPDPA applies only to digital personal data; GDPR is medium agnostic
  2. DPDPA uses fixed penalties (Rs 250Cr max); GDPR uses revenue based (4 percent turnover)
  3. No direct "legitimate interests" equivalent in DPDPA
  4. Withdrawal parity is statutory in DPDPA; implied in GDPR
  5. GDPR compliance does not automatically satisfy DPDPA