DPDP Act vs GDPR Dashboard
A comprehensive, structured comparison of India's Digital Personal Data Protection Act (2023) and the EU General Data Protection Regulation (2016).
Company Profile
- Type: Indian consumer internet company
- Revenue: ₹10,000 crore (~€1.07 billion)
- Users Affected: 5,000,000
DPDP Target
₹250 crore
₹250 crore is 2.5% of this company's revenue — significant but not existential. A large company may treat it as a cost of doing business if security investment is seen as more expensive.
GDPR Target
€42.8 million (4% of €1.07B turnover)
At 4% of €1.07B, the GDPR exposure exceeds DPDP's fixed cap. For larger companies, the GDPR gap widens dramatically — a company with €10B turnover faces €400M GDPR exposure vs the same ₹250 crore DPDP cap.
For large companies, GDPR is significantly more punitive than DPDP. The fixed-cap model of DPDP creates a disproportionate incentive gap — the same violation costs the same amount for a startup and a billion-dollar platform.
Company Profile
- Type: Indian fintech startup (Series B)
- Revenue: ₹500 crore (~€53 million)
- Users Affected: 200,000
DPDP Target
₹200 crore
₹200 crore is 40% of annual revenue for this fintech — existential. The flat-cap model is MOST punitive for mid-sized companies relative to their revenue.
GDPR Target
€10 million OR 2% of €53M turnover (€1.06M) — whichever is higher. Cap: €10 million.
For a company with €53M turnover, the GDPR Tier 1 cap is €10M — the fixed floor kicks in. DPDP's ₹200 crore (€21.4M) is higher than the GDPR cap in this scenario.
For mid-sized companies, DPDP's fixed cap can EXCEED GDPR fines in absolute terms. The DPDP's flat caps are most disproportionate for companies in the ₹100–₹1,000 crore revenue range.
Company Profile
- Type: Global social media platform
- Revenue: USD 150 billion (~€140 billion)
- Users Affected: 50,000,000
DPDP Target
₹200 crore
For a $150B revenue company, ₹200 crore is 0.000016% of revenue — essentially immaterial. The fixed cap creates almost zero deterrent for the world's largest platforms.
GDPR Target
€5.6 billion (4% of €140B turnover)
Meta was fined €1.2 billion under GDPR in 2023 for data transfers. A children's data violation at scale could reach the theoretical 4% cap. The deterrent effect for large platforms is orders of magnitude greater under GDPR.
This is the starkest illustration of the DPDP vs GDPR enforcement gap for global tech giants. DPDP's fixed caps are structurally incapable of creating meaningful deterrence for trillion-dollar platforms. Critics argue this is a design flaw that will be revisited as India's data economy matures.
Company Profile
- Type: European SaaS company with Indian SMB customers
- Revenue: €200 million
- Users Affected: 100,000
DPDP Target
₹50 crore (other violations)
For a €200M revenue company, ₹50 crore (~€5.4M) is 2.7% of revenue — material but manageable. DPDP enforcement is not yet active (Phase 3: May 2027).
GDPR Target
€8 million (4% of €200M for consent + rights failures)
GDPR enforcement is active. The cumulative exposure for concurrent consent and rights failures could approach the 4% cap. Actual fines are set by the DPA based on cooperation, remediation, and severity.
For a European company with Indian users, total regulatory exposure is the SUM of GDPR and DPDP fines. Budget for both regimes. Start with GDPR (active enforcement) and use Phase 3 lead time for DPDP readiness.