From Directives To Regulations: ‘The Paradigm Shift In Data Protection’

Ansh Dhariwal & Pratham Chaudhury, OP Jindal Global University

ABSTRACT

The General Data Protection Regulation (GDPR)1, which was approved by the European Union (EU) in 2018, sought to profoundly transform global data privacy by building on strong business practices and a comprehensive framework of personal rights. By emphasizing consent, accountability, and transparency, the GDPR has established a global standard for data protection frameworks and replaced the EU's Data Protection Directive from 19952. One example of the GDPR's enforcement efforts and extraterritorial implications in influencing global privacy laws is India's Digital Personal Data Protection Act, 2023 (DPDP Act)3. Questions are being raised about whether the DPDP Act is positioned to sufficiently protect individual privacy in a time of unprecedented socioeconomic inequity, increased technology, and increased government use of citizens’ data. This paper compares aspects of India's DPDP Act with the GDPR to determine whether India's new data protection regime is aligned with individual needs for privacy protection in digital spaces. Actionable recommendations for reform of the privacy regime are proposed, including issues related to using consent in low literacy segments, organizational compliance burden, surveillance by the state, and algorithmic profiling. The paper also reflects on efforts to improve the DPDP Act's effectiveness through recommendations for structural reform that align privacy protection with India's constitutional values and the realities of the digital environment.