Comparative Analysis of GDPR and India’s DPDPA – Building a Data Privacy Program for HealthTech Companies

Introduction

In the digital economy, data has been frequently described as the “new oil”. Nowhere is this truer than in the healthcare technology (healthtech) sector, where sensitive personal data such as medical histories, diagnostic reports, and biometric identifiers form the lifeblood of innovation. Yet, with the opportunities of data-driven healthcare come profound responsibilities. Data protection and privacy frameworks have become pivotal in ensuring both legal compliance and ethical trust.

Globally, the General Data Protection Regulation (GDPR) of the European Union (2016) has set the gold standard for privacy regulation, influencing jurisdictions worldwide. India, recognising the need for robust data protection, recently enacted the Digital Personal Data Protection Act, 2023 (DPDPA), which will soon become the cornerstone of its privacy regime. This article compares GDPR and DPDPA, identifies nuances relevant to healthtech companies in India, and proposes a framework for building a compliant data privacy program.


GDPR – The Global Benchmark

The GDPR, effective from 25 May 2018, applies across all EU member states and to entities outside the EU that process the data of EU residents. It sets out comprehensive principles for data processing, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability (Article 5 GDPR).

GDPR’s key features include:

  1. Legal Basis for Processing – Processing requires a legal basis such as consent, contract, legitimate interest, or public interest (Articles 6 and 9 GDPR). For health data, explicit consent or medical necessity is required.
  2. Special Category Data – Health data is classified as “special category data” requiring heightened protection (Article 9).
  3. Data Subject Rights – Rights include access, rectification, erasure (“right to be forgotten”), portability, and restriction of processing (Articles 12-22).
  4. Data Protection Impact Assessments (DPIA) – Mandatory where processing is likely to result in high risk to individuals (Article 35).
  5. Data Transfers – Transfers outside the EU are permitted only where adequate safeguards exist (Chapter V).
  6. Enforcement – Supervisory authorities can impose fines up to €20 million or 4% of global turnover (Article 83).

For healthtech companies, GDPR demands stringent consent mechanisms, encryption, pseudonymisation, and accountability documentation.


India’s DPDPA – Emerging Privacy Regime

The Digital Personal Data Protection Act, 2023 marks India’s first comprehensive privacy law, following the Supreme Court’s recognition of privacy as a fundamental right in Justice K.S. Puttaswamy v. Union of India (2017). The DPDPA applies to digital personal data, both within India and in certain cases extraterritorially (s 3).

Key provisions include:

  1. Lawful Processing – Processing requires consent or deemed consent (ss 4–8). Deemed consent may apply in cases such as medical emergencies, state functions, or employment purposes.
  2. Special Data Sensitivity – Unlike GDPR, DPDPA does not explicitly carve out health data as a “special category”. However, it requires heightened safeguards where risk is high.
  3. Data Principal Rights – Rights include access, correction, erasure, grievance redress, and nomination of another person in case of death/incapacity (ss 11–15).
  4. Significant Data Fiduciaries (SDFs) – Entities processing large-scale data, including healthtech platforms, may be designated SDFs and required to appoint Data Protection Officers (DPOs), conduct audits, and undertake DPIAs (s 10).
  5. Data Transfers – Cross-border transfers are permitted except to countries restricted by government notification (s 16).
  6. Enforcement – Penalties can reach ₹250 crore (~€28 million) for non-compliance (s 33).

The DPDPA emphasises compliance through a trust-based model, where entities must demonstrate accountability and responsibility for secure data handling.


Comparative Analysis: GDPR v. DPDPA

| Aspect | GDPR | DPDPA (India) | Implication for HealthTech |
|---|---|---|---|
| Scope | Applies to EU residents’ data, extraterritorial in nature | Applies to digital personal data in India, limited extraterritorial scope | Indian firms handling EU patient data must comply with both regimes |
| Legal Basis | Consent, contract, legitimate interest, etc. | Consent and deemed consent | Broader “deemed consent” requires caution in healthtech |
| Health Data | Classified as “special category” requiring strict safeguards | No explicit category, but sensitive use cases regulated | Less clarity in India – compliance programs must adopt GDPR-like safeguards |
| Individual Rights | Strong rights: access, portability, erasure, objection | Rights: access, correction, erasure, grievance, nominee rights | Indian rights regime narrower – portability and objection missing |
| DPO Requirement | Mandatory in certain cases (Art 37) | Required for Significant Data Fiduciaries | Healthtech likely to qualify as SDFs |
| Data Transfers | Permitted only with adequacy or safeguards | Permitted except to blacklisted countries | India provides broader transfer freedom, but risks adequacy recognition |
| Fines | Up to €20m / 4% global turnover | Up to ₹250 crore (~€28m) | Comparable financial risks, with extraterritorial enforcement challenges |

Building a Privacy Program for a HealthTech Company in India

Given the sensitive nature of health data, Indian healthtech companies must design a hybrid program incorporating both GDPR’s rigor and DPDPA’s local compliance requirements. The following steps are essential:

  1. Data Mapping and Inventory
    • Document all personal data flows, including patient onboarding, diagnostics, wearable devices, and telemedicine platforms.
    • Identify high-risk processing areas such as genetic or biometric data.
  2. Consent Management Framework
    • Implement explicit consent mechanisms, especially for health data.
    • Ensure consent is granular, revocable, and informed, aligning with GDPR standards.
  3. Governance and Accountability
    • Appoint a Data Protection Officer (DPO) if classified as SDF under DPDPA.
    • Establish a Data Governance Committee for cross-functional oversight.
    • Maintain records of processing activities.
  4. Security Safeguards
    • Use encryption, pseudonymisation, and anonymisation techniques.
    • Regularly conduct vulnerability assessments and penetration testing.
  5. Rights Management
    • Implement mechanisms to handle rights requests (access, correction, erasure).
    • While portability is not mandated under DPDPA, adopting GDPR-like portability strengthens trust.
  6. Data Protection Impact Assessments (DPIAs)
    • Conduct DPIAs before launching new services such as AI-driven diagnostics or cross-border telehealth solutions.
  7. Vendor and Supply Chain Compliance
    • Ensure third-party service providers (cloud, analytics firms, labs) adopt equivalent safeguards.
    • Draft strong contractual clauses ensuring compliance with both GDPR and DPDPA.
  8. Cross-Border Transfers
    • Adopt GDPR-compliant Standard Contractual Clauses (SCCs) where EU data is processed.
    • Monitor Indian government’s evolving list of restricted jurisdictions.
  9. Training and Awareness
    • Conduct regular staff training on handling sensitive health data.
    • Include modules on ethical handling, cybersecurity hygiene, and breach reporting.
  10. Incident Response Plan
    • Implement a breach notification mechanism aligned with GDPR (72-hour requirement) even if DPDPA is less stringent.
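Steps 2, 4 and 5 above (granular, revocable consent; pseudonymisation; access and erasure requests) are the parts of the program that live in code rather than in policy. The following is an added illustration, not code from the article or from AS Law Offices: it shows how a keyed pseudonym (HMAC-SHA256 under a secret key) lets analytics teams work on records that carry no raw patient identifier while the key holder can still serve an access or erasure request, and how a per-purpose consent check gates every write. The class and function names, the purposes "treatment" and "research", and the sample patient identifier and HbA1c record are all constructed for this example.

```python
"""Minimal building blocks for a healthtech privacy program: purpose-bound
consent checks, keyed pseudonymisation of patient identifiers, and erasure
that also removes the re-identification mapping.

Added example, not from the article or AS Law Offices. All names and the
sample data below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def pseudonymise(patient_id: str, key: bytes) -> str:
    """Return a stable pseudonym for patient_id under key.

    HMAC-SHA256 (rather than a bare hash) means someone holding only the
    pseudonymised dataset cannot take a list of likely identifiers, hash
    them and re-link records: without the key the mapping is not reproducible.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class ConsentRegistry:
    """Granular, revocable consent: a set of (patient, purpose) grants."""
    _grants: set[tuple[str, str]] = field(default_factory=set)

    def grant(self, patient_id: str, purpose: str) -> None:
        self._grants.add((patient_id, purpose))

    def revoke(self, patient_id: str, purpose: str) -> None:
        self._grants.discard((patient_id, purpose))

    def is_permitted(self, patient_id: str, purpose: str) -> bool:
        # Consent is per purpose: consent to "treatment" says nothing about "research".
        return (patient_id, purpose) in self._grants


class PseudonymisedStore:
    """Clinical records keyed by pseudonym; the identity map is held separately."""

    def __init__(self, key: bytes, consent: ConsentRegistry) -> None:
        self._key = key
        self._consent = consent
        self._records: dict[str, list[dict]] = {}   # pseudonym -> clinical records
        self._identity_map: dict[str, str] = {}     # pseudonym -> patient_id (restricted access)

    def store(self, patient_id: str, purpose: str, record: dict) -> str:
        """Write a record only if the patient has consented to this purpose."""
        if not self._consent.is_permitted(patient_id, purpose):
            raise PermissionError(f"no consent from {patient_id} for purpose {purpose!r}")
        token = pseudonymise(patient_id, self._key)
        self._records.setdefault(token, []).append(dict(record, purpose=purpose))
        self._identity_map[token] = patient_id
        return token

    def research_view(self) -> list[dict]:
        """Records with pseudonyms only, suitable for analytics teams."""
        return [dict(r, subject=token) for token, recs in self._records.items() for r in recs]

    def access_request(self, patient_id: str) -> list[dict]:
        """Right of access: everything held about this patient."""
        return list(self._records.get(pseudonymise(patient_id, self._key), []))

    def erase(self, patient_id: str) -> int:
        """Right of erasure: drop the records and the re-identification link.

        Returns the number of records removed.
        """
        token = pseudonymise(patient_id, self._key)
        removed = len(self._records.pop(token, []))
        self._identity_map.pop(token, None)
        return removed


def demo() -> dict:
    """Run the scenario end to end and return the observable outcomes."""
    key = secrets.token_bytes(32)   # in production: held in a KMS/HSM, never beside the data
    consent = ConsentRegistry()
    store = PseudonymisedStore(key, consent)

    consent.grant("patient-001", "treatment")    # constructed sample identifier
    token = store.store("patient-001", "treatment", {"test": "HbA1c", "value": 6.1})

    try:   # no research consent was given, so this write must be refused
        store.store("patient-001", "research", {"test": "HbA1c", "value": 6.1})
        research_blocked = False
    except PermissionError:
        research_blocked = True

    view = store.research_view()
    held_before = len(store.access_request("patient-001"))
    erased = store.erase("patient-001")
    held_after = len(store.access_request("patient-001"))
    return {
        "token_is_not_identifier": token != "patient-001",
        "token_stable": token == pseudonymise("patient-001", key),
        "research_blocked_without_consent": research_blocked,
        "view_contains_no_raw_id": all("patient-001" not in str(r) for r in view),
        "held_before": held_before,
        "erased": erased,
        "held_after": held_after,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is the separation of duties: the analytics team sees only `research_view()`, the key and the identity map stay with the function that answers rights requests, and rotating or destroying the key breaks every pseudonym at once. Pseudonymised data is still personal data under both regimes, so the key must be protected as strictly as the identifiers themselves.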

Conclusion

For Indian healthtech companies, navigating privacy regulation is no longer optional but a core operational necessity. While the DPDPA provides a domestic compliance baseline, GDPR remains relevant for firms processing EU data or aspiring to global partnerships. By adopting GDPR-level safeguards, companies not only future-proof themselves but also build patient trust, investor confidence, and regulatory goodwill.

The nuanced approach is clear: align with the highest common denominator of GDPR and DPDPA, building a program that embeds privacy into the DNA of healthtech innovation.


References (OSCOLA)

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
  • Digital Personal Data Protection Act, 2023 (India).
  • Justice K.S. Puttaswamy (Retd) v. Union of India (2017) 10 SCC 1.
  • European Data Protection Board, Guidelines on Data Protection Impact Assessment (2017).
  • Ministry of Electronics and Information Technology (India), Explanatory Note on DPDPA (2023).
  • Graham Greenleaf, ‘Global Data Privacy Laws 2023: Over 160 Laws, but No Global Standard’ (2023) 187 Privacy Laws & Business International Report.
