has set the gold standard. With strict consent rules, the right to erasure, and hefty fines for violations, GDPR treats data as a fundamental rights issue. Citizens retain meaningful control, and companies are forced to build privacy into their systems by design.

By contrast, the United States takes a more fragmented, sectoral approach. Privacy laws are piecemeal, covering specific areas like health (HIPAA) or finance, while tech giants largely regulate themselves. This market-driven model prioritises innovation but often leaves citizens vulnerable to surveillance and data breaches, as the Cambridge Analytica scandal so starkly revealed.

China, on the other hand, views data as a strategic resource for state power. Its Personal Information Protection Law (PIPL) does impose obligations on companies, but the state retains sweeping authority to access and harness personal data. The model reinforces control and surveillance rather than individual autonomy, offering a cautionary tale for democracies.

India’s New Experiment

India, the world’s largest digital democracy with over 800 million internet users, has finally enacted the Digital Personal Data Protection Act, 2023 (DPDP Act). The law is an important milestone, but it is already drawing scrutiny.

On the one hand, the Act introduces user rights such as access, correction, and erasure of personal data, and obligates companies to handle data responsibly. It also creates a Data Protection Board of India to oversee compliance. On the other hand, critics argue that the Act grants the government excessive exemptions, allowing it to bypass safeguards in the name of “national security” or “public order.” Unlike GDPR, which places citizens at the centre, India’s model risks tipping the balance towards state control.

The timing makes the debate especially urgent. From Aadhaar-linked welfare schemes to facial recognition systems in public spaces, India is rapidly expanding digital governance. Without robust checks, personal data may become a tool for mass surveillance rather than empowerment.

Contemporary Pressures

The stakes could not be higher. Cyberattacks on Indian companies, rising instances of identity theft, and the global scramble for AI development all underscore the fragility of digital privacy. The EU’s move to regulate AI systems through the AI Act, which includes strict data safeguards, highlights how privacy is now inseparable from technology ethics. Meanwhile, the U.S. is under pressure to adopt a comprehensive federal privacy law, and global corporations are having to navigate a patchwork of conflicting rules across jurisdictions.

India’s approach will not only affect its citizens but also its standing in global trade. The EU, for instance, only allows data transfer to countries with “adequate” protection standards. If India’s law is perceived as weak, it may face barriers in digital commerce, undermining its aspirations as a tech hub.

The Way Forward

The lesson from comparative experience is clear: strong data protection is not anti-growth. GDPR has not killed European innovation; instead, it has fostered trust. India must ensure that its DPDP Act is not reduced to a token framework. The Data Protection Board must be independent, penalties must be meaningful, and exemptions for the state must be narrowly tailored.

Ultimately, data protection is not just a legal or technical matter—it is a democratic imperative. In a world where algorithms can profile voters, manipulate markets, and even influence elections, the right to privacy under Article 21 of the Indian Constitution cannot be hollow.

Conclusion

The digital age has made every citizen a data subject. But whether they are treated as empowered rights-holders or passive sources of extraction depends on the strength of our legal frameworks. India stands at a crossroads: it can either follow the European path of rights-based regulation or drift toward a model where data is controlled by a few corporations and the state.

The promise of the digital future lies not in unchecked collection, but in protecting the dignity and autonomy of individuals. In the end, data belongs to people—not to governments, not to corporations, and certainly not to machines.