All Articles

When comparing the Digital Personal Data Protection Act, 2023 (“DPDPA”) with the General Data Protection Regulation, 2016 (“GDPR”), one of the most significant points of divergence lies in the treatment of children’s personal data and the corresponding compliance obligations imposed upon entities processing such data. The regulatory approach adopted by each framework reflects distinct legislative priorities, particularly in relation to consent mechanisms, age thresholds, prof

As India prepares to operationalize the Digital Personal Data Protection Act, 2023 (“DPDPA”), many organisations assume that an existing General Data Protection Regulations, 2016 (“GDPR”) compliance framework will translate seamlessly to the Indian context. Our previous parts of the blog challenges this assumption by examining the foundational differences between the two regimes and illustrating how the DPDPA reshapes lawful processing and consent at a structural level. Part

Continuing from the previous part, this segment examines the lawful bases for processing personal data under the Digital Personal Data Protection Act, 2023 (“DPDPA”), with particular emphasis on the framework of consent, the scope of “legitimate use” under the Indian regime, and its departure from the concept of “legitimate interest” recognised under the General Data Protection Regulation, 2016 (“GDPR”). It further analyses the treatment of voluntarily provided personal data

The General Data Protection Regulation, 2016 (“GDPR”) is widely regarded as the global benchmark for data protection compliance. Therefore, organisations operating in or expanding into India often assume that a GDPR compliance framework would place them substantially on the right side of the Indian data protection law. In practice, that assumption is only partially correct. While India’s Digital Personal Data Protection Act, 2023 (“DPDPA”)