India’s Data Privacy Regime vs the World.

I. INTRODUCTION

Across the world, the legal architecture governing personal data protection has evolved in response to digital transformation, mass datafication, algorithmic profiling, and state–corporate data power. India’s Digital Personal Data Protection Act, 2023 (DPDP Act), implemented progressively through the Digital Personal Data Protection Rules, 2025, marks a structural shift in India’s regulatory philosophy. It replaces a patchwork of sectoral norms with a dedicated, enforceable privacy framework, bringing India closer to global standards while carving out a uniquely sovereign, state-centric model.

This thematic analysis compares the DPDP Act and Rules with major global regimes—the European Union’s General Data Protection Regulation (GDPR), the UK GDPR, the United States’ sectoral privacy model, China’s Personal Information Protection Law (PIPL), Russia’s Federal Law 152-FZ, and Australia’s Privacy Act 1988. The comparison is structured across key legal and policy dimensions: scope, legal bases and consent, data subject rights, controller obligations, cross-border transfers, government surveillance, and enforcement.

The analysis highlights convergences—such as global moves toward accountability, transparency, and higher penalties—and divergences—especially around state access, localization, consent models, and reliance on individual rights versus administrative controls.

II. SCOPE AND APPLICABILITY

India

India’s DPDP Act applies to all digital personal data processed in India, and to extra-territorial processing tied to offering goods or services to individuals in India or profiling them. Unlike GDPR, India excludes offline data unless later digitized. The law unifies public and private sectors under a common regulatory regime but empowers the central government to exempt government agencies and specific classes of processing. This framework therefore creates two zones: a general zone with rights and duties binding private actors, and a sovereign zone where exemptions may shield government operations entirely.

European Union

The GDPR remains the most expansive privacy law globally. It applies to all personal data—digital or structured offline—and extends extra-territorially to any entity processing EU residents’ data for goods/services or behavioral monitoring. Public authorities are fully covered except where member states legislate specific exemptions for national security, defense, or judicial independence. GDPR thus integrates private and public sectors under a uniform rights-based framework.

United Kingdom

Post-Brexit, the UK GDPR mirrors the EU model, with identical scope and extra-territorial principles. The Data Protection Act 2018 contains domestic carve-outs but retains broad coverage of public authorities. The UK’s commitment remains rights-centric but with ongoing policymaker pressure to “simplify” rules to boost innovation.

United States

The U.S. has no comprehensive federal privacy law; instead, a mosaic of sectoral laws (HIPAA, GLBA, COPPA), state laws (notably CCPA/CPRA in California), constitutional privacy protections, and FTC enforcement governs personal data. Applicability varies by sector, entity type, and geography. This fragmentation allows flexibility but produces inconsistencies and regulatory blind spots.

China

China’s PIPL applies to any processing of personal information of individuals within China, with extraterritorial application for offshore services targeting Chinese individuals. The law covers both digital and offline formats. State organs, however, enjoy broad carve-outs, particularly for national security, public safety, and administrative supervision. The scope thus heavily favours state interests over individual rights.

Russia

Russia’s 152-FZ applies to all processing of personal data of Russian citizens and mandates that such data first be stored in Russia. The law covers private and public sectors but contains extensive exemptions for state security and intelligence. It principally protects individual privacy against private actors, not the state.

Australia

Australia’s Privacy Act 1988 covers federal government agencies and private entities with > AUD 3 million turnover, with certain exceptions for small businesses, employee records, and journalism. It applies broadly to personal information, including offline records. Some states have additional local privacy laws.

III. LEGAL BASES AND CONSENT

India

India’s DPDP Act is fundamentally consent-driven. Consent must be informed, specific, and affirmative. “Legitimate use” exceptions exist but are narrow—centered on compliance with law, medical emergencies, disaster response, employment purposes, or state-backed service delivery. India does not recognize a broad “legitimate interests” basis like GDPR. Consequently, private entities will rely heavily on consent, while the government has parallel authority to process data through statutory mandates or exempted functions.

EU

GDPR recognizes six equal legal bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests of the controller. Legitimate interests is widely used for analytics, fraud detection, and service improvement. GDPR consent is the strictest: unambiguous, affirmative, freely given, granular, and withdrawable at any time without detriment.

UK

The UK follows GDPR’s six bases. UK regulators encourage minimizing reliance on consent and maximizing reliance on legitimate interests where appropriate—reflecting a more business-friendly interpretation while preserving GDPR-level protections.

U.S.

The U.S. does not employ a universal legal basis model. Consent is required in specific statutes: parental consent for children’s data (COPPA), authorization for certain health data uses (HIPAA), and opt-in for email marketing under anti-spam rules. Most processing by businesses occurs under the “notice-and-choice” model without affirmative consent, except for sensitive data. State laws like CPRA introduce purpose limitation and minimization principles, signalling gradual convergence with global norms.

China

PIPL is also strongly consent-centric but includes several non-consent bases: contract necessity, HR management, statutory obligations, public health emergencies, and reasonable uses of publicly available information. It mandates separate consent for sensitive data, cross-border transfers, and public disclosure. China’s consent rules are rigid, but the state can override consent through national security laws.

Russia

Russian law is consent-heavy, with written consent required for sensitive data, biometrics, and most forms of dissemination. Non-consent bases exist but are narrow and often poorly defined. Government agencies frequently rely on statutory authorizations rather than consent.

Australia

Australia follows a purpose-based model: primary purpose collection needs no consent; secondary purposes usually require consent unless an exception applies. Sensitive information always requires consent unless a statutory ground applies. Consent must be voluntary and informed but does not require GDPR-style granularity.

IV. DATA SUBJECT RIGHTS

India

Data subject rights under the DPDP Act include:

  • Right to access

  • Right to correction and updating

  • Right to erasure

  • Right to grievance redress

  • Right to withdraw consent

  • Unique right to nominate another person to exercise rights upon death/incapacity

Notably absent are:

  • Data portability

  • Right to object to processing

  • Rights against automated profiling

Private actors must respond within 90 days. Government exemptions can nullify these rights.

EU / UK

GDPR and UK GDPR grant the most expansive rights globally:

  • Right to be informed

  • Access

  • Rectification

  • Erasure (“right to be forgotten”)

  • Restriction

  • Data portability

  • Objection

  • Protection against automated decision-making

These rights must generally be fulfilled within 30 days. Exemptions exist but are narrow and proportionate.

United States

Rights vary by statute:

  • CCPA/CPRA gives rights to access, delete, correct, opt-out of sale/sharing, and non-discrimination.

  • HIPAA gives patients access and amendment rights.

  • Credit reporting laws give rights to dispute inaccuracies.

  • No federal right to erasure or portability for general consumer data.

China

PIPL grants:

  • Access and copy rights

  • Correction

  • Deletion

  • Portability

  • Withdrawal of consent

  • Restrictions on automated decision-making

  • Right to explanations for algorithmic decisions

Rights are strong on paper, but enforcement against state organs is weak.

Russia

Rights include access, correction, withdrawal of consent, and erasure in limited circumstances. There is no explicit portability right. Procedural guarantees vary in practice.

Australia

Rights include access and correction; no explicit right to erasure or portability, though organizations must delete or de-identify data when not needed. Rights can be denied under many exceptions.

V. OBLIGATIONS OF DATA CONTROLLERS/FIDUCIARIES

India

Obligations include:

  • Security safeguards (access controls, logs, retention limits)

  • Breach notification to Board and individuals

  • Data minimisation and purpose limitation

  • Detailed notice requirements

  • Duty to delete data once purpose served

Significant Data Fiduciaries must appoint a Data Protection Officer, conduct Data Protection Impact Assessments, undergo third-party audits, and potentially localize specific classes of data.

EU / UK

Controllers must implement:

  • Data protection by design and default

  • Data minimization, accuracy, storage limitation

  • Records of processing activities

  • DPIAs for high-risk processing

  • DPO in specified circumstances

  • 72-hour breach notification

  • Contractual controls for processors

These obligations are comprehensive and uniform.

United States

Obligations are fragmented:

  • “Reasonable security” across most laws

  • Sector-specific controls: HIPAA Security Rule, GLBA Safeguards Rule

  • Breach notification laws in all 50 states

  • CPRA requires risk assessments and audits for high-risk processing

  • No general obligation for DPIAs or DPOs

China

Controllers must:

  • Implement strong security measures

  • Conduct impact assessments for sensitive data and cross-border transfers

  • Appoint a personal information protection officer in large entities

  • Store data domestically when required

PIPL obligations are heavy and compliance burdensome.

Russia

Operators must:

  • Store data of Russian citizens inside Russia

  • Implement security measures

  • Notify regulator of certain processing

  • Appoint responsible personnel

  • Notify breaches

  • Use government-approved cryptosystems in some cases

Australia

Entities must:

  • Provide collection notices

  • Secure personal data

  • Delete/de-identify data no longer needed

  • Notify breaches likely to result in serious harm

  • Ensure overseas recipients protect data to APP-level standards

Australia uses principles rather than prescriptive requirements.

VI. CROSS-BORDER DATA TRANSFER REGIMES

This area reveals stark philosophical divergences.

India

Cross-border transfers are permitted by default, but the central government may:

  • Notify territories where transfers are restricted or permitted

  • Impose export conditions

  • Mandate localization for specified categories of data held by Significant Data Fiduciaries

India’s approach resembles an “administrative sovereignty gate”—flexible yet state-controlled, with potential for selective localization similar to China and Russia.

EU / UK

Transfers allowed only if:

  • Destination country has an adequacy ruling, or

  • The exporter uses Standard Contractual Clauses, Binding Corporate Rules, or equivalent safeguards.

The GDPR model is the toughest globally and has reshaped international data governance through cases like Schrems II.

United States

No federal restrictions on outbound transfers.
Inbound transfers, however, face scrutiny from foreign regulators (e.g., EU–US Data Privacy Framework).

China

China imposes strict controls:

  • Mandatory security assessments for large-scale exporters

  • Use of Chinese SCCs

  • Certifications by approved bodies

  • Explicit separate consent from individuals

  • Extensive localization mandates for “important” data and critical infrastructure

China’s regime is one of the world’s most restrictive.

Russia

Russia requires:

  • Localization of all data on Russian citizens

  • Notification or authorization for transfers

  • Adequacy-like assessments by Roskomnadzor

Non-compliance can result in service blocking.

Australia

Transfers allowed if:

  • Receiving party is bound to APP-equivalent protection via contract, or

  • Individual consents after disclosure of risks

Australia remains among the more liberal regimes.

VII. GOVERNMENT SURVEILLANCE, OVERSIGHT, AND EXEMPTIONS

India

DPDP contains sweeping government exemptions:

  • Government may exempt any agency from core obligations for national security, public order, etc.

  • Rule 23 allows confidential government demands for personal data.

  • No independent oversight body for state surveillance.

India’s privacy regime thus bifurcates between private-sector regulation and strong sovereign prerogatives.

EU / UK

EU GDPR does not apply to national security; member states legislate their own surveillance frameworks, subject to human rights oversight. Courts in Europe have repeatedly restricted bulk surveillance practices. There is judicial, parliamentary, and regulatory oversight.

UK’s Investigatory Powers Act allows extensive surveillance but is overseen by judicial commissioners and subject to ECHR scrutiny.

United States

Surveillance is governed by:

  • FISA (including Section 702)

  • Executive Order 12333

  • Stored Communications Act

  • Foreign intelligence programs (e.g., PRISM)

Oversight exists (FISA Court, congressional committees), but individual redress is extremely limited. U.S. surveillance is a key reason for tensions with EU adequacy decisions.

China

China’s national intelligence, cybersecurity, and data security laws grant sweeping state access to all data held by private and foreign entities. There is no independent oversight and no ability for individuals to resist state access.

Russia

Russian surveillance architecture (including SORM) allows direct access by security agencies. There is minimal independent oversight. Personal data law does not constrain intelligence bodies.

Australia

The Privacy Act exempts intelligence agencies completely. Law enforcement enjoys significant metadata access without warrants. Oversight exists but remains internal or parliamentary, not rights-based.

VIII. ENFORCEMENT AND PENALTIES

India

The Data Protection Board of India can impose:

  • Up to ₹250 crore for security failures

  • Up to ₹200 crore for breach notification failures and children’s data violations

  • Up to ₹50 crore for other violations

Penalties are substantial in absolute terms but lower than GDPR’s revenue-based fines. The Board is a digital-first adjudicatory authority, but its independence has been questioned due to government appointment of members.

EU

GDPR allows:

  • Up to €20 million or 4% of global revenue

  • Extensive corrective powers (bans, audits, orders)

  • Civil compensation actions by data subjects

The EU represents the strongest enforcement model globally.

UK

The UK retains the same penalty structure as the GDPR, enforced by the Information Commissioner’s Office. The UK is also placing increasing emphasis on children’s online safety and algorithmic accountability.

United States

Multiple enforcement avenues:

  • FTC for unfair or deceptive practices

  • State AGs enforcing CCPA-like laws

  • HIPAA enforcement by HHS

  • Large class actions under breach liability statutes

Penalties can reach billions (e.g., FTC’s $5B fine against Meta).

China

PIPL prescribes fines up to:

  • 5% of annual revenue

  • Criminal liability for violations

  • Business suspension or license revocation

  • Individual penalties on senior management

China’s enforcement is both punitive and regulatory-compliance driven.

Russia

Fines increased in recent years but remain modest compared to global standards (generally in the tens or hundreds of thousands of USD). The more powerful sanction is the ability to block online services.

Australia

Post-2022 reforms, maximum penalties reach the higher of:

  • AUD 50 million,

  • 30% of domestic turnover, or

  • 3× the benefit obtained.

Australia is shifting sharply toward a European-level penalty model.

IX. CONCLUSION

A thematic comparison reveals that India’s DPDP Act sits at the intersection of two global traditions:

  1. The rights-based, comprehensive model (EU/UK)
    – Strong rights
    – Heavy private-sector obligations
    – High penalties
    – Limited state exemptions

  2. The sovereignty-first, state-controlled model (China/Russia)
    – Broad state access
    – Localization potential
    – Exemptions for government agencies
    – Consent-heavy but state-dominated

India blends both:
It adopts GDPR-inspired rights and obligations for the private sector, but retains China/Russia-style exemptions and state access authorities. In doing so, India has created a “two-layered privacy state”: regulated private actors operating under rights-based norms, and state agencies operating under a security-oriented exception regime.

Against this backdrop, the U.S. and Australia occupy the more flexible, business-oriented middle spaces—U.S. through fragmentation, Australia through principles-based rules supplemented by strong enforcement.

The DPDP Act will significantly elevate India’s privacy protections, but its long-term effectiveness will depend on:

  • how strictly the Data Protection Board enforces duties,

  • how frequently the government invokes exemptions,

  • what categories of data become localized, and

  • how India aligns its cross-border transfer regime with global adequacy expectations.

In sum, India’s emerging privacy ecosystem will play a central role in shaping the global flow of data between democratic, authoritarian, and hybrid regulatory spaces. The DPDP Act positions India as a major normative node in global data governance—balancing innovation, individual rights, economic opportunity, and national security in its own sovereign way.
