Our Terms & Conditions | Our Privacy Policy
The Draft Digital Personal Data Protection Rules, 2024, released in early 2025 for stakeholder consultation, mark a key step toward implementing India’s Digital Personal Data Protection Act, 2023 (DPDPA). While the Indian framework borrows from the EU’s General Data Protection Regulation (GDPR), which is a global benchmark in many ways, it also diverges in key areas. For professionals in technology, innovation and data governance, understanding these frameworks is vital.
Cyril Abrol
Partner
Remfry & Sagar
Gurugram
Email: cyril.abrol@remfry.com
Both laws promote lawful, fair and transparent data processing, with clear purpose limitation (personal data must be collected for a specified purpose and not used beyond the said purpose) and data minimisation principles (aimed at restricting the collection of excessive personal data). Consent remains the primary legal ground in both, with individuals retaining the right to withdraw it at any time. Rights to access, correction and erasure are recognised, and data fiduciaries or controllers must implement safeguards and report data breaches to authorities and, in some cases, to affected individuals. Cross-border transfers are regulated in both frameworks, and non-compliance can result in significant penalties. However, key differences remain.
In scope, the DPDPA applies exclusively to digital personal data, while the GDPR covers both digital and offline data. India’s data protection act relies on consent as the legal basis for data processing, whereas the EU’s regulation permits broader grounds such as legitimate interest and contractual necessity. The act applies to entities offering goods or services within India, while the regulation extends to any entity processing the EU residents’ data, regardless of location. As regards cross-border transfers, under the DPDPA, transfers to certain jurisdictions may be blacklisted. The GDPR, by contrast, permits transfers where safeguards like adequacy decisions or standard contractual clauses (SCCs) are in place. Regarding children’s data, India’s data protection act requires verifiable parental consent for individuals under 18, while the EU’s regulation sets the age at 16, with member states allowed to lower it to 13. While both frameworks provide for the “right to erasure”, the GDPR’s “right to be forgotten” is broader and more enforceable than the DPDPA’s narrower provision.
Innovation impact
Data privacy laws affect algorithm-related IP by limiting the collection and use of personal data for training purposes, potentially constraining innovation and commercial viability. For instance, data from wearable devices often must be anonymised or pseudonymised to meet privacy standards, increasing technical complexity and possibly reducing analytical depth. Moreover, individuals may exercise rights to access or delete their data, complicating efforts to preserve the integrity and consistency of training datasets.
In December 2024, Italy’s data protection authority, Garante, fined OpenAI EUR15 million (USD17.06 million) for violations related to ChatGPT’s handling of personal data. The investigation led to a temporary ban on the service, which was lifted after OpenAI addressed key concerns, particularly users’ right to refuse the use of their data for algorithm training. The ruling found that OpenAI lacked a valid legal basis for data processing, failed to meet EU information requirements, had weak age verification safeguards that exposed minors under 13 to harmful content and had failed to report a data breach.
On a positive note, stronger internal controls around personal data enhance the protection of confidential business information. For instance, a pharmaceutical company managing clinical trial data that includes identifiable patient information must now implement robust safeguards. This reduces the risk of data leaks that could jeopardise proprietary research, compromise patent applications or expose competitive intelligence.
The key takeaway for businesses leveraging user data to drive AI or analytics is the need for a clearly documented legal basis for data processing. While compliance may increase operational costs, it is essential for long-term viability. Licensing agreements should explicitly define permissible uses of AI-generated content and ensure that models are trained on well-defined, privacy-compliant datasets. Professionals involved in licensing software, digital content or innovations must also ensure that data-sharing arrangements align with both local and cross-border data protection regulations.
IP enforcement v data privacy
Bisman Kaur
Of Counsel
Remfry & Sagar
Gurugram
Email: bisman.kaur@remfry.com
Constantin Film Verleih, holding exclusive rights to “Parker” and “Scary Movie 5”, sought user data, specifically email addresses, telephone numbers and IP addresses, from YouTube and Google after the films were illegally uploaded. The Court of Justice of the European Union ruled that under Directive 2004/48/EC, “addresses” refers only to postal addresses, and any additional information need not be disclosed. This underscores the tension between IP enforcement and data privacy, as seen in Constantin Film Verleih GmbH v YouTube LLC & Google Inc (2020).
In the wake of the GDPR, access to WHOIS data, which provides information on domain name registrants, also became restricted.
Anti-counterfeiting efforts often require collaboration among multiple stakeholders, especially when illicit activities operate online and across borders. Sharing robust data is crucial to effectively protect consumers. However, with increased regulatory scrutiny, it remains to be seen how India’s data protection regime will impact information disclosure by intermediaries such as search engines, e-commerce platforms, payment providers, social media companies and domain registrars. That said, rights holders can still pursue a remedy through a John Doe lawsuit, which allows for action against unidentified infringers, with their identities revealed through court-directed discovery.
Striking a balance between data privacy and protection of IP rights will be a necessary and nuanced process – it will be interesting to see how this space evolves.
Remfry & Sagar
Remfry House at the Millennium Plaza,
Sector 27, Gurugram – 122 009
New Delhi, National Capital Region, India
Tel: 91 124 280 6100, 91 124 465 6100
W:
Images are for reference only.Images and contents gathered automatic from google or 3rd party sources.All rights on the images and contents are with their legal original owners.
Aggregated From –
Comments are closed.