India is at a defining moment in its data protection journey. With the Digital Personal Data Protection Rules, 2025 notified earlier this year and the Data Protection Board of India (DPBI) being operationalised under the Ministry of Electronics and Information Technology, regulators in New Delhi face a critical choice: design an enforcement regime that protects citizens without strangling India's $250 billion digital economy. The most useful reference point is not a theoretical model but a real-world experiment that has now run for eight years — the European Union's General Data Protection Regulation (GDPR).
The GDPR record offers India a rare gift: a fully observable case study of what happens when ambitious data protection law meets the messy reality of enforcement. The lessons are sobering, and they argue strongly for a more proportionate, innovation-aware Indian approach.
The GDPR Enforcement Ledger
Since GDPR took effect in May 2018, EU data protection authorities have imposed over €5.88 billion in fines across more than 2,400 enforcement actions, according to the GDPR Enforcement Tracker maintained by CMS. Headline penalties include Meta's €1.2 billion fine from the Irish Data Protection Commission in May 2023 for unlawful EU-US data transfers, Amazon's €746 million penalty from Luxembourg's CNPD in 2021, and TikTok's €345 million fine for children's data processing failures.
These numbers signal regulatory muscle. But they obscure three structural problems Indian policymakers should examine carefully:
- Glacial case resolution. Cross-border GDPR cases routed through the One-Stop-Shop mechanism take an average of 18 months to resolve. The European Data Protection Board's 2024 annual report acknowledged a backlog that has prompted the proposed GDPR Procedural Regulation now moving through co-legislators.
- Disproportionate impact on SMEs. The European Commission's own 2024 GDPR review found that compliance costs fall hardest on small and medium-sized enterprises, with surveyed SMEs reporting first-year compliance costs averaging €30,000–€50,000 — a sum that swallows a significant share of working capital for early-stage firms.
- Chilling effects on AI and analytics. Italy's Garante temporarily banned ChatGPT in March 2023, France's CNIL launched investigations into multiple generative AI providers, and Hamburg's DPA has sparred publicly with model developers over training data. The Court of Justice of the EU's Schrems II ruling (Case C-311/18) effectively invalidated Privacy Shield and continues to create transfer uncertainty for any business with EU customers.
Why India's Context Demands a Different Approach
India's digital economy is structurally distinct from the EU's. Roughly 60 million MSMEs form the backbone of Indian commerce, and a startup ecosystem of over 100,000 DPIIT-recognised firms is being asked to comply with a brand-new regulatory regime all at once. Unlike the EU, India does not have decades of accumulated supervisory experience under prior data protection statutes such as the 1995 Data Protection Directive.
Section 33 of the DPDP Act authorises penalties of up to ₹250 crore (approximately €27 million) per instance of non-compliance — substantial sums that, while smaller than GDPR's 4% of global turnover ceiling, are large enough relative to Indian SME revenues to be existentially threatening if applied without calibration.
The risk is not that India under-regulates. The risk is that India imports GDPR's enforcement reflexes — maximalist fines, expansive interpretations, slow adjudication — without GDPR's institutional capacity to apply them sensibly.
A Proportionate Path Forward
Three principles should guide the DPBI's early enforcement posture:
1. Graduated Enforcement Before Punitive Action
The UK Information Commissioner's Office has explicitly adopted a regulatory approach prioritising guidance, warnings, and enforcement notices before monetary penalties for first-time violations by SMEs. India's DPDP Rules, 2025 already gesture in this direction by allowing voluntary undertakings under Rule 18, but the DPBI should publicly commit to a tiered escalation framework that distinguishes negligent SMEs from systemic offenders.
2. Clear Safe Harbours for Innovation
The DPDP Act's research exemption (Section 17(2)(b)) and provisions for processing publicly available data should be operationalised with specific guidance for AI training, fraud detection, and cybersecurity research. Brussels' regulatory ambiguity around legitimate interest as a basis for AI training has produced years of litigation; India can avoid that by issuing clarificatory rules early.
3. Time-Bound Adjudication
The DPBI should adopt statutory timelines for resolving complaints — ideally 90 days for routine matters and 180 days for complex cases — backed by transparent disclosure of pending caseloads. The European Commission's proposed Procedural Regulation is essentially an attempt to retrofit GDPR with the procedural discipline India can build in from day one.
Getting the Balance Right
Data protection is non-negotiable in a country where over 900 million Indians are online. But the goal of a data protection regime is to protect people, not to perform regulatory severity. GDPR's enforcement record demonstrates that headline fines do not, by themselves, produce better privacy outcomes — they often produce defensive compliance theatre, regulatory arbitrage, and innovation flight.
India has an opportunity that the EU did not have in 2018: to build a data protection regime informed by what eight years of real enforcement has actually achieved. Proportionate, predictable, and procedurally disciplined enforcement is not a weakness. It is the strongest possible signal that India intends to make data protection a foundation for digital growth, not a barrier to it.