COMPLIANCE ROUTE FROM GDPR TO DPDPA: MANAGING THE SHIFT IN REGULATORY EXPECTATIONS
- Aman Shankar & Biyanka Bhatia
- May 27
Updated: Jun 1
PART I

The General Data Protection Regulation, 2016 (“GDPR”) is widely regarded as the global benchmark for data protection compliance. Organisations operating in or expanding into India therefore often assume that a GDPR compliance framework would place them substantially on the right side of Indian data protection law. In practice, that assumption is only partially correct. While India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) reflects foundational principles similar to those of the GDPR, it adopts a more prescriptive and consent-centric regulatory model that materially alters the legal basis on which personal data may be processed. GDPR compliance should therefore be treated as a meaningful foundation for, rather than a substitute for, compliance under the DPDPA and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”).
Any organisation processing the personal data of individuals in India, regardless of sector and whether it is situated in India or abroad, falls within the scope of the DPDPA (1). This period should therefore be treated as a transition window in which to prepare for regulatory scrutiny before the penalty and enforcement mechanisms come into operation. We highlight the key differences between the GDPR and the DPDPA that would require organisations to reassess their existing processing activities when operating in India.
Part I examines the structural differences focusing on personal data as a defined parameter and the scope of publicly available data exemption under DPDPA compared to GDPR.
SCOPE OF PERSONAL DATA AND PUBLICLY AVAILABLE DATA

The definition of personal data under the DPDPA broadly aligns with the GDPR: both cover data by which an individual is identifiable, directly or indirectly, i.e., from one or more identifiers specific to the individual (2). Unlike the GDPR, the DPDPA does not distinguish between personal data and special category personal data. This simplifies data classification for organisations in India and removes the graduated risk framework that exists under the GDPR.
However, the DPDPA does not expressly define or classify the exemptions or treatment applicable to pseudonymised or anonymised data and their processing. It would be reasonable to borrow the standards set out in the European Data Protection Board’s reasoning under the GDPR in Opinion 28/2024 on when a dataset constitutes personal data. In order to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used to identify an individual. This requires taking into account all objective factors, such as the costs of and the amount of time required for identification, the technology available at the time of the processing, and technological developments.
The main divergence arises in the treatment of publicly available personal data. The DPDPA excludes from its scope: personal data that has been made or caused to be made publicly available either by the data principal themselves or by another person under a legal obligation to disclose such data (3).
The GDPR does not recognize any comparable blanket exclusion. The only limited parallel appears in Article 9(2)(e), which permits the processing of special category personal data where the data subject has manifestly made the data public (4).
There is no doubt that this exemption could reduce compliance burdens for organisations in India when using such data, but certain points must be analysed beforehand. Organisations will be under an obligation to verify that personal data collected from public sources was genuinely made public by the individual rather than by a third party. This process can be cumbersome and error-prone, requiring assessment on a case-by-case basis.
This exclusion has the potential to reduce friction for innovation, particularly in the development and training of artificial intelligence systems. Most large language models are trained on large-scale web scraping, which typically involves vast, unstructured datasets containing a mix of personal and non-personal data. In practice, data scrapers will rarely be able to determine whether personal data appearing on a webpage was uploaded by the individual or by a third party, nor can they reliably assess the context behind such disclosure. Developers will therefore have to implement appropriate filters and safeguards in order to rely on this exclusion.
For instance, an individual maintains a public social media profile and has consciously chosen to make certain profile details such as their city or region of residence visible to all users. The social media platform can access this publicly available profile information and process the disclosed location data for the purpose of serving geographically relevant advertisements (for example, advertising a local event or a region-specific service).
Under the DPDPA, the platform will not be required to obtain the individual’s consent to process the specific location data that has been intentionally disclosed in the public domain. Under the GDPR, by contrast, location data is not a special category of data, so even though it has been consciously made public, the platform will still have to rely on a lawful basis such as legitimate interest or consent for its processing.
Thus, the classification of personal data and its source is an important factor in determining the limited exemption under DPDPA.
Check out PART II here.

Footnotes :
(1) Section 3(a) and 3(b), DPDPA, 2023.
(2) Section 2(t), DPDPA, 2023.
(3) Section 3(c)(ii), DPDPA, 2023.
(4) Note - This exception is limited to special categories of personal data such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data and data concerning sexual orientation.
