India has officially entered a new era of data privacy. With the Digital Personal Data Protection Act (DPDPA) now enacted, businesses operating in or touching India need to understand what’s coming, what’s different from the General Data Protection Regulation (GDPR), and where the biggest compliance risks lie.
To help unpack the law, we sat down with Vikram Jeet Singh, partner at BTG Advaya in New Delhi and head of the firm’s Technology, Media, and Communications practice. Vikram advises clients globally on Indian IT law, online content, advertising, and data privacy. He reached out to us to share timely updates on India’s new data privacy framework.
Where does India stand today on data privacy regulation?
India is at the end of a roughly ten‑year journey toward establishing a comprehensive data protection law. Until now, India’s earlier data protection rules were enforced only sporadically, largely because the country did not have a dedicated data protection regulator.
That is about to change. Under the DPDPA, the Data Protection Board of India is expected to be set up within the next year. Its sole purpose will be to enforce data protection regulations.
The legislative process began as early as 2019, when multiple drafts were debated in Parliament. One version looked very similar to the GDPR, but it did not fit well with India’s business environment. The law that ultimately emerged is much shorter and more principles‑based, closer in spirit to Singapore’s 2012 data protection regime. Many details will be filled in later through regulations, once the new regulator is operational.
This means India may be at the beginning of true, active data privacy enforcement for the first time.
What are the key dates businesses should be aware of under the DPDPA?
The Data Protection Board of India is expected to be established later this year. Around that time, rules are also expected for “consent managers,” which will effectively function as India’s version of data brokers.
By May of next year, all businesses that collect personal data from individuals will be required to comply fully with the DPDPA. That is the date when enforcement expectations will meaningfully begin.
If a company is already GDPR‑compliant, how close does that get them to compliance under Indian law?
If you are GDPR‑compliant, you are a significant way toward meeting India’s requirements, but not all the way there.
The core principles are similar. Data fiduciaries must provide notice, obtain consent, maintain data security, and handle grievances from data principals. However, there are important gaps and differences that companies need to address.
What are the most important differences between the GDPR and India’s DPDPA?
One obvious difference relates to children’s data. Under the GDPR, parental consent is required for individuals under 16. In India, that threshold is 18. Any processing of personal data for individuals below 18 requires verifiable parental consent, even if the same consent would be valid under the GDPR.
A more nuanced difference is the legal basis for processing. The GDPR has evolved into a law that heavily relies on legitimate interest, allowing processing without consent in many scenarios. The DPDPA, by contrast, is largely consent‑based.
In approximately 70–80% of use cases under the DPDPA, express consent will be required. Exceptions exist, but they are limited. These include employment‑related processing, compliance with legal obligations, and situations where individuals voluntarily provide their data, such as in a retail transaction. Broad legitimate‑interest justifications, common under the GDPR, are generally not available under Indian law.
As a result, many businesses in India will likely adopt consent mechanisms as a conservative compliance approach.
What enforcement priorities do you expect once the regulator is active?
The law introduces the concept of “significant data fiduciaries.” These will generally be large platforms or gatekeepers that control substantial volumes of personal data, such as major technology companies.
Significant data fiduciaries will face higher compliance obligations. For example, they will be required to appoint a data protection officer, conduct periodic audits, and potentially submit compliance reports to the government. Other organizations may only need to establish a grievance‑redress mechanism.
As a result, enforcement attention is likely to focus heavily on large, consumer‑facing platforms and companies that process vast amounts of personal data. Businesses that operate primarily B2B or that are not data‑intensive—such as manufacturing companies—are less likely to be the initial focus of enforcement compared to social media or content platforms.
Does the DPDPA account for emerging technologies like artificial intelligence?
The law does not contain a specific exception or use case for processing personal data to train AI systems, which is a significant gap.
India’s broader approach to AI regulation has so far been relatively hands‑off. Unlike the European Union, India is not currently regulating AI systems based on risk categories. Regulatory interventions have been more targeted, such as banning deepfakes and impersonation, and requiring labeling of AI‑generated or synthetic content.
Questions around using personal data for AI training may ultimately be addressed by the regulator or, possibly, by Indian courts. There are already lawsuits in India, similar to those in the US, challenging the use of copyrighted or personal data to train AI models. Judicial decisions may end up shaping this area of law.
This conversation has been edited for clarity and length. Many thanks to Vikram for sharing his insights on India’s evolving data privacy landscape.
