India's New Data Law: Hurdles for Legal Teams vs EU's GDPR
India's DPDP Act sets stricter digital data rules but diverges from the GDPR in scope and penalties.
Why it matters: Corporate counsel managing Indian and EU user data must tailor compliance to divergent rules and enforcement timelines. Missteps could bring steep financial penalties and operational risks for cross-border business.
- DPDP Act covers only digital personal data, unlike GDPR's broader protection.
- Maximum penalty under DPDP is INR 2.5 billion for severe violations.
- DPDP's carveouts for employment and emergencies differ from GDPR's narrower legal bases.
- Key compliance guidelines and full deadlines remain pending as of June 2024.
India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act) on August 11, 2023, aiming to address data privacy much like the EU’s GDPR. But there are practical distinctions affecting legal risk and compliance management.
- Scope: The DPDP Act covers only digital personal data and excludes paper files, while the GDPR covers both digital and physical records. Unlike GDPR, the DPDP Act does not distinguish a separate category of sensitive personal data.
- Consent and exceptions: Both regimes require user consent for most data processing. However, India's law makes explicit carveouts—such as for employment-related data and emergencies—where data can be processed without consent. GDPR's exceptions ("legitimate interest" and others) are more limited and must meet additional balancing tests.
- Enforcement: India’s law introduces a new Data Protection Board and major financial liability: fines up to INR 2.5 billion for serious breaches or for failing to report incidents within required timelines.
- Compliance timeline: While the DPDP Act is law, enforcement will not start until final rules are issued. Full compliance deadlines are expected to begin rolling out in November 2025, but key operational guidelines are still not published as of June 2024.
Legal advisors must watch for additional guidance from Indian regulators and shift compliance operations accordingly. As some legal commentaries note, actual risk will depend on how well the new Data Protection Board enforces the Act and on whether clear procedures for data breach notification and redress are established.
Multinational legal teams should prepare for ongoing uncertainty when structuring cross-border agreements or data transfer frameworks until those final rules are in place.
By the numbers:
- INR 2.5 billion — maximum penalty for breach or non-compliance under DPDP Act
- August 11, 2023 — date DPDP Act was enacted
- November 2025 — earliest expected start of full compliance deadlines
Yes, but: Legal enforcement is in flux. Key operational guidelines and enforcement procedures are still pending, raising uncertainty for counsel.
What's next: Watch for final implementation rules from Indian authorities, which will trigger compliance countdowns and enforcement.