India—the fifth largest economy in the world—just passed a comprehensive privacy law. On August 11, 2023, the Digital Personal Data Protection Act, 2023 (the “DPDP”) was approved by the president of India, adding India to the list of global powers with a comprehensive privacy law. The law is expected to come into force in June 2024. Guest author Stephen Mathias, from Kochhar & Co., provides a detailed breakdown of the DPDP.

Like other major privacy laws, the DPDP has an extraterritorial reach: it applies to the processing of digital personal data outside India (see note 1) if the processing is in connection with any activity related to the offering of goods or services to individuals within India. Thus, even if a company’s operations are not physically in India, it may still be subject to this law. Fortunately, for global companies that are already subject to the European Union General Data Protection Regulation (“GDPR”) and the many comprehensive privacy laws in the United States, the DPDP can be harmonized with existing compliance programs. The new law shares many provisions with existing privacy laws, such as obligations to honor data privacy rights (access, correct, delete, redress, and opt-out), provide a privacy notice, protect personal data, provide notice of a data breach, enter into contracts with processors, and limit retention of personal data.

However, companies should note some of the differences between the DPDP and other privacy laws when conducting a gap analysis and developing policies and procedures to bridge those gaps. For example, unlike both the GDPR and US privacy laws, the DPDP places obligations on data subjects/consumers (called “data principals” under the DPDP). Further, unlike US privacy laws, the DPDP also has requirements relating to data transfers, data protection officer appointment and lawful basis for processing. Finally, unlike the GDPR, the DPDP is primarily a consent-based privacy law; processing in the absence of consent is possible for certain limited “legitimate uses,” such as to fulfil legal or judicial obligations, or for the purposes of employment. That said, the DPDP’s consent-based lawful basis for processing aligns with the growing trend in the European Union to obtain consent for certain processing activity, such as advertising and marketing, instead of relying on other grounds, following recent case law of the Court of Justice of the European Union in this respect.

Failure to comply with provisions under the DPDP may lead to fines of up to INR 250 crores (approximately USD 30 million).

For an overview of the similarities and differences among these laws, we provide the chart below.

Comparison chart: DPDP, GDPR and US state privacy laws (see note 2)

Party Names

  Determines Purposes and Means of Processing
    DPDP: Data Fiduciary and Significant Data Fiduciary (per government notice)

  Processes Data For Another
    DPDP: Data Processor
    US state laws: Processor/Service Provider/Contractor

  Individual to Whom Data Relates
    DPDP: Data Principal
    GDPR: Data Subject

Data Principal Rights (compared across the three laws)

  - Data portability
  - Not to be subject to profiling/automated decision making
  - Additional rights around sensitive data

Data Principal Obligations (DPDP)

  - Comply with applicable law
  - No impersonation of another person
  - No suppression of material information
  - No false or frivolous grievance or complaint
  - Furnish verifiably authentic information

Data Fiduciary Obligations (compared across the three laws)

  - Lawful basis for processing
  - Data transfer requirements
  - Contracts with processors
  - Privacy policy
  - Security and breach notification
  - Data retention limitation
  - Appoint data protection officer


1 But note that the huge outsourcing industry in India, which processes so much of the world’s data, is exempt from applicability of most of the law.

2 Because the United States has 11 comprehensive privacy laws (and 12 if you count Florida), we have applied the most stringent rights and obligations under all of these state privacy laws. 
