HighlightsPrivacy espresso seriesResourcesAugust 31, 2023PrivacyRules comparison: Indian upcoming law v. GDPR


In this privacyespresso, Protiti Basu, from the German law firm Wodianka Legal Privacy GmbH delves into the nuanced differences between the GDPR (General Data Protection Regulation) and India’s new data protection law.

India’s new law draws significant inspiration from the GDPR. However, there are some intriguing distinctions worth exploring.

1. Nomenclature: Protiti highlighted that India’s law, while heavily inspired by GDPR, introduces unique terms like “data fiduciaries” for controllers and “data principals” for data subjects.

2. Scope and Applicability: Unlike GDPR’s distinction between personal data and special categories, India’s law treats all personal data equally. Publicly available data is entirely excluded from India’s law, a contrast to GDPR’s broader coverage. Moreover, India’s law only applies to digitized data or non-digitalized data that will be digitized later.

3. Data Breaches: India’s law mandates reporting data breaches to both the supervisory authority and affected data principals, whereas GDPR requires reporting risky breaches to the supervisory authority and high-risk breaches to data subjects.

4. Data Subject Rights: Most data subject rights in India’s law align with GDPR, but India’s law lacks the right to data portability granted by GDPR.

5. Age of Majority: In India, the age of majority for processing children’s data is 18, compared to GDPR’s 16 (and sometimes 13 in certain cases). India’s law also explicitly prohibits tracking, behavioral monitoring of children, or targeted advertising aimed directly at children.

6. Cross-Border Data Transfer: India’s law relies on a negative list of countries for data transfer, while GDPR employs a more intricate system.

In addition to these differences, India’s law introduces intriguing concepts not present in GDPR:

– Significant Data Fiduciaries: These are special data fiduciaries subject to higher restrictions and safeguards due to the nature of the data they handle or their impact on national security. GDPR has a similar concept in data controllers but without this level of differentiation.

– Consent Managers: A new role created under India’s law, they act as intermediaries between data subjects and data controllers, assisting in consent management.

– Right of Nomination: Data subjects in India can nominate a third party to assume their powers under the act in case of their passing, a unique provision absent in GDPR.

The new Indian law is certainly inspired by the GDPR, but it’s adding its own twists. Keep an eye on the evolving rules and how they shape the data protection landscape in India. 

Watch our previous privacyespresso with Privacyrules expert Stephen Mathias from the Indian law firm Kochhar&Co, to get more insights on the new Indian data protection law : https://bit.ly/3Ein9r9