Data Privacy • International Compliance • March 2026
In This Article
01. What Is the GDPR and Why Should Indian Businesses Care?
02. The Seven Principles: The Architecture of European Privacy
03. Data Subject Rights: What Individuals Can Demand
04. The Enforcement Tsunami: €7.1 Billion and Counting
05. GDPR and India: The DPDPA 2023 Connection
06. AI, Dark Patterns, and the 2026 Frontier
07. Compliance Roadmap: What Indian Companies Must Do
What Is the GDPR and Why Should Indian Businesses Care?
The General Data Protection Regulation (EU) 2016/679, universally known as the GDPR, entered into force in May 2016 and became applicable across the EU and EEA on 25 May 2018, fundamentally reshaping the global conversation around data privacy. It is the most comprehensive, most consequential, and most aggressively enforced data protection law yet enacted. Nearly eight years after it began to apply, cumulative fines have exceeded €7.1 billion, with €1.2 billion issued in 2025 alone, and enforcement shows no sign of slowing.
But here is the point that many Indian executives miss: the GDPR is not a European law that applies only to European companies. It is, by design, extraterritorial. Under Article 3(2) it applies to any organisation, anywhere in the world, that processes the personal data of individuals located in the EU in connection with offering them goods or services (paid or free) or monitoring their behaviour, for example through web analytics or tracking. An organisation with an EU establishment, such as a branch or subsidiary, is covered under Article 3(1) for processing in the context of that establishment, including the data of its EU-based staff. If your Indian IT company serves European clients, if your SaaS platform has EU users, if your BPO processes EU customer data, or if your e-commerce site ships to Europe, you are within the GDPR’s jurisdiction.
Eight of the ten largest GDPR fines to date have been imposed on US-based companies — Meta, Amazon, LinkedIn, WhatsApp, Uber — totalling €3.9 billion, demonstrating that enforcement is emphatically extraterritorial. Indian companies operating in the EU or processing EU data are not exempt from this reality.
GDPR Enforcement at a Glance (as of March 2026)
€7.1 billion+ cumulative fines since May 2018 • 2,245+ documented penalties across EU/EEA • €1.2 billion issued in 2025 alone • 400+ daily breach notifications (first time since 2018) • Spain: 932 fines (highest frequency) • Ireland: €3.5 billion by value (highest amount) • €1.2 billion single largest fine (Meta, May 2023, data transfers to US)
The Seven Principles: The Architecture of European Privacy
Article 5 of the GDPR establishes seven principles that form the foundation of the entire regulatory framework. Every enforcement action, every fine, every compliance audit ultimately traces back to one or more of these principles. Understanding them is not merely legal knowledge — it is the operating system for any business that handles EU personal data.
1. Lawfulness, Fairness, and Transparency. Personal data must be processed lawfully, fairly, and in a transparent manner. “Lawfully” means the organisation must identify one of the six legal bases in Article 6 before processing begins: consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. Meta’s January 2023 fines of €390 million in total (Facebook and Instagram) stemmed directly from relying on “contractual necessity” as the legal basis for behavioural advertising, a justification regulators decisively rejected; its €1.2 billion fine of May 2023 concerned unlawful transfers to the US, not the choice of legal basis.
2. Purpose Limitation. Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. An Indian IT services company that collects employee data for payroll processing cannot repurpose it for marketing analytics without establishing a separate legal basis.
3. Data Minimisation. Only data that is adequate, relevant, and limited to what is necessary for the stated purposes may be collected. This principle challenges the instinct of many technology companies to collect as much data as possible. Under GDPR, less is more — and excess collection is itself a violation.
4. Accuracy. Personal data must be accurate and, where necessary, kept up to date. Organisations must take every reasonable step to ensure that inaccurate data is erased or rectified without delay.
5. Storage Limitation. Data must be kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which it is processed. Indefinite retention — common in many Indian enterprises — is a per se violation.
6. Integrity and Confidentiality. Data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Article 32 turns this into a duty to implement technical and organisational measures appropriate to the risk, and it underpins the breach obligations: a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33), and affected individuals must be informed without undue delay where the risk to them is high (Article 34).
7. Accountability. The controller must be able to demonstrate compliance with all of the above principles. This is not a passive obligation — it requires documented policies, impact assessments, records of processing activities, and evidence that privacy considerations are embedded into every product and process. The accountability principle shifts the burden of proof: it is not for the regulator to prove you violated the GDPR, but for you to prove you comply.
Data Subject Rights: What Individuals Can Demand
The GDPR grants individuals, referred to as “data subjects”, a comprehensive suite of rights that organisations must be able to fulfil without undue delay and in any event within one month of receiving a request, extendable by up to two further months where requests are complex or numerous (Article 12(3)). These are not aspirational principles; they are enforceable obligations, and failure to honour them is among the most common triggers for regulatory action.
Right of Access (Art. 15): Individuals can request confirmation of whether their data is being processed, a copy of that data, and information about the purposes, recipients, and retention periods. Malta’s DPA in February 2026 ordered a company to provide a complete data copy within 20 days — demonstrating that regulators will intervene even without a fine when access rights are denied.
Right to Rectification (Art. 16): The right to have inaccurate personal data corrected without undue delay.
Right to Erasure — “Right to Be Forgotten” (Art. 17): In specified circumstances, individuals can request the deletion of their personal data. The EDPB made this right the focus of its 2025 coordinated enforcement action across EU supervisory authorities.
Right to Restriction of Processing (Art. 18): Individuals can request that processing be restricted while disputes about accuracy or lawfulness are resolved.
Right to Data Portability (Art. 20): The right to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Art. 21): The right to object to processing based on legitimate interests or direct marketing. Where the objection relates to direct marketing, the processing must stop immediately.
Rights Related to Automated Decision-Making (Art. 22): The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects. The proposed 2025 Digital Omnibus amendments would relax this for non-sensitive data, but the principle remains potent for AI-driven systems.
The Enforcement Tsunami: €7.1 Billion and Counting
GDPR enforcement operates on a two-tier penalty structure (Article 83). The lower tier, covering obligations such as records of processing, appointing a DPO, data protection by design, processor contracts and breach notification (Articles 25 to 39, among others), carries fines up to €10 million or 2% of worldwide annual turnover, whichever is higher. The upper tier, covering violations of the processing principles, the legal-basis and consent requirements, data subject rights and the international transfer rules, carries fines up to €20 million or 4% of worldwide annual turnover, whichever is higher.
The enforcement record since 2018 makes clear that these are not theoretical maximums:
| Company | Fine | Authority | Core Violation |
|---|---|---|---|
| Meta (Facebook) | €1.2 billion | Ireland DPC (2023) | Unlawful data transfers to US without adequate safeguards |
| Amazon | €746 million | Luxembourg (2021) | Targeted advertising without valid consent |
| TikTok | €530 million | Ireland DPC (2025) | Illegal transfer of EEA data to China; inadequate safeguards |
| Meta (Spain) | €479 million | Madrid Commercial Court (2025; a civil damages award to Spanish publishers, not a supervisory-authority fine) | Unlawful legal basis for ad data processing; competitive harm |
| Meta (Instagram) | €405 million | Ireland DPC (2022) | Failure to protect children’s personal data |
| Google (France) | €325 million | CNIL (2025) | Gmail ads without consent; manipulated cookie acceptance |
| LinkedIn | €310 million | Ireland DPC (2024) | Inadequate transparency and legal basis for behavioural analysis and ad targeting |
| Uber | €290 million | Netherlands AP (2024) | Transfers of EU driver data to the US without adequate safeguards |
| SHEIN | €150 million | CNIL (2025) | Placing cookies without consent |
The pattern is unmistakable. Cross-border data transfers, invalid consent mechanisms, dark patterns in cookie banners, and inadequate protections for children’s data are the four enforcement priorities driving the largest penalties. Finance, healthcare, telecommunications, and public sector organisations are now firmly in scope — not just Big Tech. Spain leads in enforcement frequency (932 fines), while France’s CNIL has established itself as Europe’s most active enforcer against consent manipulation. Regulators now actively test websites rather than waiting for complaints.
GDPR and India: The DPDPA 2023 Connection
India’s Digital Personal Data Protection Act, 2023 (DPDPA) is explicitly modelled on GDPR principles but diverges in critical ways that every Indian executive needs to understand:
| Dimension | EU GDPR | India DPDPA 2023 |
|---|---|---|
| Scope | All personal data (automated + manual filing systems); extraterritorial | Digital personal data only; extraterritorial for data of Indian residents |
| Legal bases | Six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests | Two primary bases: consent and “certain legitimate uses” (narrower than GDPR legitimate interests) |
| Data subject rights | Access, rectification, erasure, portability, restriction, objection, automated decision-making | Access, correction, erasure, grievance redressal, nomination (for deceased); no portability right |
| DPO requirement | Mandatory for public authorities and for large-scale monitoring or special-category processing (Art. 37) | Required only for Significant Data Fiduciaries, who must appoint an India-based DPO (s. 10); separate “Consent Manager” regime (registration opens November 2026) |
| Maximum penalty | €20 million or 4% of worldwide annual turnover, whichever is higher | ₹250 crore (~€28 million); no turnover-based calculation |
| Breach notification | Without undue delay and, where feasible, within 72 hours to the supervisory authority (Art. 33); “without undue delay” to data subjects where the risk is high (Art. 34) | Notify the Data Protection Board and each affected Data Principal (s. 8(6)); the DPDP Rules, 2025 require intimation to affected individuals without delay and a detailed report to the Board within 72 hours |
| Cross-border transfers | Adequacy decisions, SCCs, BCRs, derogations | Government to notify restricted countries; transfers permitted unless blocked |
| Children’s data | Parental consent for under-16 (member states may lower to 13) | Verifiable parental consent for under-18; ban on tracking/advertising to children |
| Enforcement timeline | Fully operational since May 2018 | Phased: Consent Manager registration November 2026; full compliance May 2027 |
The dual compliance challenge: Indian IT companies, BPOs, and SaaS platforms that serve European clients must comply with both the GDPR and the DPDPA, and the standards do not always align. The GDPR’s “legitimate interests” basis has no direct equivalent in the DPDPA. The GDPR requires Data Protection Impact Assessments (DPIAs) for any high-risk processing (Article 35); the DPDPA requires them only of Significant Data Fiduciaries (s. 10). The GDPR grants data portability rights; the DPDPA does not. Conversely, the DPDPA’s prohibition on tracking and advertising to children under 18 is stricter than the GDPR’s position.
India has not yet received an EU adequacy decision (nor applied for one), meaning that transfers of EU personal data to India must rely on Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or GDPR derogations — a significant compliance burden for the Indian IT services sector, which processes vast quantities of European data.
AI, Dark Patterns, and the 2026 Frontier
Artificial Intelligence has become the GDPR’s most contested frontier. The EDPB’s April 2025 report established that large language models rarely achieve anonymisation standards — meaning that controllers deploying third-party LLMs must conduct comprehensive Data Protection Impact Assessments. The EU AI Act, with most provisions applicable from 2 August 2026, creates dual obligations: AI systems processing personal data must comply with both the GDPR and AI Act requirements simultaneously. For Indian AI companies serving European markets, this represents a new layer of compliance complexity.
Dark patterns have emerged as the enforcement priority of 2025–2026. The CNIL’s €325 million fine against Google for manipulating cookie acceptance and the €150 million fine against SHEIN for placing cookies before consent established clear precedents: making rejection harder than acceptance is a violation. Regulators now actively test websites, and common red flags include unequal friction between “Accept” and “Reject” paths, absence of a “Reject All” button on the first consent layer, pre-ticked boxes, and cookie walls blocking service access.
The proposed Digital Omnibus amendments (Q4 2025) would simplify certain GDPR obligations: expanding SME exemptions, relaxing Article 22 automated decision-making protections for non-sensitive data, and introducing a “recognised legitimate interests” category that would not require the balancing test currently mandated. These amendments, if adopted, would represent the first significant relaxation of the GDPR since its enactment — but enforcement against consent manipulation and dark patterns is only intensifying.
Compliance Roadmap: What Indian Companies Must Do
1. Determine whether the GDPR applies to you. Do you offer goods or services to individuals in the EU? Do you monitor the behaviour of individuals in the EU (e.g., analytics, tracking)? Do you process EU personal data on behalf of European clients? If yes to any, you are within scope.
2. Appoint an EU representative (Article 27). Non-EU controllers and processors subject to the GDPR must designate a representative in an EU member state, unless the Article 27(2) exemption applies (occasional processing that is unlikely to be risky and involves no large-scale special-category or criminal-offence data). This representative serves as the contact point for both data subjects and supervisory authorities.
3. Audit and document all processing activities. Create and maintain a Record of Processing Activities (ROPA) under Article 30. Map every data flow: what data you collect, from whom, the legal basis, retention period, security measures, and any cross-border transfers.
4. Fix your consent mechanisms. Consent must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give (Articles 4(11) and 7). Test your cookie banners for dark patterns: a “Reject All” control must sit on the same layer as, and be as prominent as, “Accept All”; no non-essential cookie may be set before the visitor has chosen; and pre-ticked boxes do not count as consent.
5. Implement cross-border transfer safeguards. Execute Standard Contractual Clauses (the 2021 version, Commission Implementing Decision (EU) 2021/914) with EU clients and partners. Conduct Transfer Impact Assessments to verify that Indian law and practice, including government access to data, do not undermine the protections the SCCs promise, and document any supplementary measures (such as encryption with keys held only in the EU) that you rely on.
6. Conduct DPIAs for high-risk processing. Any processing involving large-scale profiling, systematic monitoring, sensitive data, or AI-driven decision-making requires a Data Protection Impact Assessment under Article 35 before the processing begins.
7. Build a 72-hour breach response capability. The clock starts when you become aware of the breach, and a processor must notify its controller without undue delay (Article 33(2)), so detection and escalation paths matter as much as the notification itself. Establish an incident response team, define escalation procedures, prepare notification templates for supervisory authorities and data subjects, and conduct regular drills.
8. Prepare for dual GDPR + DPDPA compliance. Build a unified privacy framework that satisfies the higher standard on each issue: the GDPR’s broader rights framework, the DPDPA’s stricter children’s data protections, and the overlapping breach notification obligations.
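The cookie-banner red flags listed in the Dark Patterns section above and the banner test called for in step 4 of this roadmap can be partly automated. The following Python script is an added example, not code from the original article, from the firm, or from any regulator: it parses the HTML of a banner’s first layer with the standard library and reports an accept control with no equally prominent reject control, pre-ticked non-essential purpose boxes, and non-essential cookies already present before any consent interaction. The banner markup, the cookie names, the `ESSENTIAL_COOKIES` and `ESSENTIAL_PURPOSES` allow-lists and the accept/reject keyword lists are all constructed assumptions; a real audit would use the site’s own cookie inventory and the rendered DOM.

```python
"""Static audit of a cookie-consent first layer plus the cookies seen before
any consent choice. Added example; every banner and cookie name is constructed."""
from dataclasses import dataclass
from html.parser import HTMLParser

# Constructed allow-lists; a real audit takes these from the site's own cookie
# inventory and consent-purpose taxonomy.
ESSENTIAL_COOKIES = {"session_id", "csrf_token", "consent_state"}
ESSENTIAL_PURPOSES = {"necessary", "essential", "strictly_necessary"}
ACCEPT_WORDS = ("accept", "agree", "allow")
REJECT_WORDS = ("reject", "decline", "refuse", "deny")


@dataclass
class Control:
    kind: str    # "button", "link" or "checkbox"
    text: str    # visible label, lower-cased (checkbox: its name attribute)
    attrs: dict  # raw HTML attributes; valueless ones such as `checked` map to None


class FirstLayerParser(HTMLParser):
    """Collects the buttons, links and checkboxes of one consent layer."""
    def __init__(self):
        super().__init__()
        self.controls = []  # Control instances in document order
        self._open = None   # button/link whose label text is being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "button" or (tag == "a" and "href" in a):
            self._open = Control("button" if tag == "button" else "link", "", a)
        elif tag == "input" and a.get("type") == "checkbox":
            self.controls.append(Control("checkbox", a.get("name", "").lower(), a))

    def handle_data(self, data):
        if self._open is not None:
            self._open.text += data

    def handle_endtag(self, tag):
        if self._open is not None and tag in ("button", "a"):
            self._open.text = " ".join(self._open.text.split()).lower()
            self.controls.append(self._open)
            self._open = None


def _matches(control, words):
    return control.kind in ("button", "link") and any(w in control.text for w in words)


def audit_first_layer(html: str, cookies_before_consent: list) -> list:
    """Return (code, detail) findings for the red flags named in the article."""
    parser = FirstLayerParser()
    parser.feed(html)
    parser.close()
    findings = []
    accept = [c for c in parser.controls if _matches(c, ACCEPT_WORDS)]
    reject = [c for c in parser.controls if _matches(c, REJECT_WORDS)]

    # Red flag 1: rejection only reachable through a second layer.
    if accept and not reject:
        findings.append(("NO_REJECT_FIRST_LAYER",
                         "accept offered but no reject control on the first layer"))
    # Red flag 2: unequal friction, accept is a button but reject is a link or hidden.
    elif accept and reject:
        accept_is_button = any(c.kind == "button" for c in accept)
        reject_weak = all(c.kind == "link" or "hidden" in c.attrs for c in reject)
        if accept_is_button and reject_weak:
            findings.append(("REJECT_LESS_PROMINENT",
                             "reject is a link or hidden while accept is a button"))

    # Red flag 3: pre-ticked boxes for non-essential purposes (not valid consent).
    preticked = sorted(c.text for c in parser.controls if c.kind == "checkbox"
                       and "checked" in c.attrs and c.text not in ESSENTIAL_PURPOSES)
    if preticked:
        findings.append(("PRETICKED_NON_ESSENTIAL", ", ".join(preticked)))

    # Red flag 4: non-essential cookies placed before any choice was made.
    early = sorted(set(cookies_before_consent) - ESSENTIAL_COOKIES)
    if early:
        findings.append(("COOKIES_BEFORE_CONSENT", ", ".join(early)))
    return findings


# Constructed sample 1: only "Accept all" plus a settings link on the first layer,
# pre-ticked purposes, and analytics/ad cookies already set on page load.
BAD_BANNER = """
<div role="dialog" id="cookie-banner">
  <p>We use cookies to improve your experience.</p>
  <label><input type="checkbox" name="necessary" checked disabled> Necessary</label>
  <label><input type="checkbox" name="analytics" checked> Analytics</label>
  <label><input type="checkbox" name="advertising" checked> Advertising</label>
  <button class="btn-primary">Accept all</button>
  <a href="#settings">Manage settings</a>
</div>"""
BAD_COOKIES = ["session_id", "_ga", "_fbp"]

# Constructed sample 2: symmetric buttons, only the necessary purpose pre-ticked,
# nothing but essential cookies before the choice.
GOOD_BANNER = """
<div role="dialog" id="cookie-banner">
  <label><input type="checkbox" name="necessary" checked disabled> Necessary</label>
  <label><input type="checkbox" name="analytics"> Analytics</label>
  <button class="btn-primary">Accept all</button>
  <button class="btn-primary">Reject all</button>
</div>"""
GOOD_COOKIES = ["session_id", "consent_state"]

if __name__ == "__main__":
    for name, html, cookies in (("bad", BAD_BANNER, BAD_COOKIES), ("good", GOOD_BANNER, GOOD_COOKIES)):
        print(name, audit_first_layer(html, cookies) or "no findings")
```

Run as a script it prints three findings for the constructed “bad” banner and none for the compliant one. The checks are deliberately static: `REJECT_LESS_PROMINENT` only catches link-versus-button and hidden controls, so CSS-based de-emphasis (grey text, tiny font, a reject control pushed below the fold) and click-depth through a second layer still need a headless-browser or manual review, which is what the supervisory authorities actually run.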
How Juris Altus Can Help
Our international data privacy practice advises Indian enterprises, IT companies, and startups on GDPR compliance, cross-border data transfers, and dual GDPR-DPDPA frameworks.
• GDPR compliance audits & gap analysis
• Data Processing Agreements & SCCs
• DPIA preparation & review
• DPDPA 2023 implementation
• Breach response & notification
• AI Act & GDPR dual compliance
Ravinder Singh Dhull
Advocate, Punjab & Haryana High Court (Bar No. P-991/2003) | Founding Partner, M & D Law Associates LLP | Former Additional Advocate General of Haryana | Architect of the LexPatra legal technology platform | DPDPA 2023 compliance specialist.
Tags: Data Privacy, DPDPA 2023, EU AI Act, Cross-Border Data Transfer, Data Protection, Consent, Dark Patterns, Privacy by Design, CERT-In, International Compliance, Indian IT Services
This article is for informational purposes only and does not constitute legal advice. The GDPR, DPDPA 2023, and EU AI Act are subject to ongoing legislative development and judicial interpretation. For specific compliance guidance, consult qualified counsel in the relevant jurisdiction.