Data Protection Laws in India and the UAE: A Comparative Insight

October 28, 2025, by Vipul Kulshreshtha

The digital economy has transformed how personal information flows across borders, making data protection legislation a critical component of modern governance. As businesses expand their operations across jurisdictions, understanding the nuances of data protection frameworks becomes essential for compliance and maintaining consumer trust. India and the United Arab Emirates, two significant economic powerhouses with growing digital ecosystems, have established comprehensive data protection regimes that reflect both global standards and regional priorities. 

India enacted the Digital Personal Data Protection Act in 2023 (DPDP Act), marking a watershed moment in the country’s approach to privacy rights. Meanwhile, the UAE introduced Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) as part of a broader legal reform initiative. Both frameworks draw inspiration from international best practices, particularly the European Union’s General Data Protection Regulation (GDPR), while incorporating distinct features tailored to their respective socio-legal contexts.

This article examines the key provisions of both laws, highlighting their similarities, differences, and practical implications for businesses operating in or between these jurisdictions. 

 

Legislative Framework and Scope 

The DPDP Act applies to the processing of digital personal data within India, whether collected online or digitized from offline sources. The law extends extraterritorially to processing activities conducted outside India if they are connected with offering goods or services to individuals within the country. The Act represents India’s fifth iteration of proposed data protection legislation and reflects a significant shift toward a more streamlined, principle-based approach compared to earlier drafts.

The UAE PDPL similarly adopts a broad territorial scope, applying to all entities processing personal data of UAE residents, regardless of where the organization is located. A distinctive feature of the UAE framework is that it also covers controllers and processors established within the UAE, even when processing data of individuals outside the country. However, the PDPL does not apply to government entities, public institutions, or free zones that have their own data protection legislation, notably the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), which maintain separate comprehensive data protection regimes.

Both laws exclude certain categories of data from their scope. The DPDP Act does not apply to personal data processed for domestic or personal purposes by individuals, or to personal data made publicly available by the data principal or under a legal obligation. The UAE PDPL exempts data processed by security and judicial authorities, as well as health data and banking and credit data already governed by sector-specific legislation.


Core Principles of Data Processing 

India’s DPDP Act is built upon foundational principles that govern how personal data should be handled throughout its lifecycle. The law mandates that personal data processing must be lawful, with clear specified purposes. Data fiduciaries (entities that determine the purpose and means of processing) are required to maintain data accuracy, implement security safeguards, and delete data once the purpose for collection has been fulfilled or consent has been withdrawn.

The UAE PDPL establishes a comprehensive set of processing principles that closely mirror international standards. These include lawfulness, fairness, and transparency in all processing activities. The law requires purpose limitation, ensuring data is collected only for specific, clear, and legitimate purposes. Data minimization principles mandate that organizations collect only what is strictly necessary for the stated purpose. Personal data must be kept accurate and up to date, with mechanisms in place for prompt correction of errors. Storage limitation provisions require that data not be retained longer than necessary, and must be deleted or anonymized once the business purpose is fulfilled. Finally, integrity and confidentiality requirements mandate appropriate technical, physical, and administrative security measures to prevent unauthorized access or misuse.

 

Consent Requirements 

Consent serves as a primary legal basis for processing personal data under both frameworks, though the requirements and alternatives differ in important ways. 

Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous, signified by a clear affirmative action. Data fiduciaries must provide clear notice detailing the personal data to be collected and the purpose of processing before or at the time consent is sought. The Act allows processing without consent in specific circumstances classified as “legitimate uses,” including data voluntarily provided by individuals for a specified purpose, processing by the State for providing subsidies and public services, employment-related processing, medical emergencies, and compliance with legal obligations or court orders.

The UAE PDPL similarly requires consent to be freely given, specific, informed, and unambiguous. Where consent serves as the legal basis, it must be obtained through clear affirmative action. However, the PDPL does not explicitly address power imbalance scenarios, such as employer-employee relationships, and future executive regulations are expected to provide additional clarity on this issue. The law permits processing without consent in several circumstances, including when necessary to fulfill contractual obligations, protect vital interests of the data subject, comply with legal obligations, protect public interest or public health, perform employment and social security functions, and when personal data has been made public by the data subject.

A notable distinction exists in how the two frameworks handle the “legitimate interests” ground for processing. The federal PDPL does not contain a general legitimate interests basis; it instead lists specific exceptions to consent, with the executive regulations able to add further cases. The separate DIFC and ADGM regimes, by contrast, do recognize legitimate interests as a stand-alone legal basis in the GDPR mould. India’s DPDP Act likewise uses a closed-list approach for legitimate uses rather than adopting an open-ended legitimate interests framework.

 

Rights of Individuals 

Both legal frameworks grant individuals (referred to as “Data Principals” in India and “Data Subjects” in the UAE) specific rights over their personal information, though the scope and implementation mechanisms vary. 

Under the DPDP Act, Data Principals enjoy several fundamental rights. The right to access information allows individuals to obtain a summary of their personal data being processed and details about processing activities, as well as the identities of the other data fiduciaries and processors with whom their data has been shared. The right to correction and erasure enables Data Principals to correct inaccurate or incomplete personal data and request deletion once data is no longer needed for the specified purpose. The right to grievance redressal provides a mechanism to lodge complaints about improper data handling with the data fiduciary and subsequently with the Data Protection Board. Additionally, the right to nominate allows individuals to designate representatives to exercise their data rights in the event of death or incapacity.

The rights of access and of correction and erasure under the DPDP Act apply only where the data principal has given consent or has voluntarily provided the personal data to the data fiduciary. They are not available when processing occurs under the other legitimate use grounds.

The UAE PDPL provides a comprehensive set of rights that align closely with GDPR standards. Individuals have the right to be informed about data processing purposes, third-party sharing, and security measures before processing begins. The right to access enables individuals to obtain a copy of their personal data and information about how it is processed. The right to rectification allows correction of inaccurate personal data. The right to erasure permits individuals to request deletion of their data under certain circumstances. The right to data portability allows individuals to receive their data in a structured, commonly used and machine-readable format and transmit it to another controller. The right to object enables individuals to opt out of processing for direct marketing or statistical survey purposes. Finally, the right to reject automated decision-making allows individuals to object to decisions based solely on automated processing that have legal or similarly significant effects.

Controllers under the UAE PDPL must provide clear mechanisms for individuals to exercise these rights, and responses to data subject requests must be timely and comprehensive.

 

Obligations of Data Controllers and Fiduciaries 

Both frameworks impose substantial obligations on organizations that process personal data, though the terminology and specific requirements differ. 

In India, data fiduciaries bear primary responsibility for data protection. They must implement reasonable security safeguards to prevent personal data breaches, with the highest penalties (up to INR 250 crores, approximately USD 30 million) prescribed for failure to maintain such safeguards. Data fiduciaries must provide clear notice to data principals about data collection and processing activities. They are required to notify both the Data Protection Board and affected individuals in the event of a personal data breach. Data must be erased once the purpose of collection is fulfilled or when consent is withdrawn. Data fiduciaries must establish a grievance redressal mechanism and publish the contact details of a person able to answer data principals’ questions. Significant Data Fiduciaries, designated by the Central Government based on factors such as the volume and sensitivity of data processed, face additional obligations including appointing a Data Protection Officer based in India, conducting periodic Data Protection Impact Assessments, undergoing periodic independent audits, and observing restrictions on transferring certain government-specified categories of data outside India.

Under the UAE PDPL, both data controllers and data processors have defined responsibilities. Controllers must identify and document a lawful basis for all processing activities. They must implement appropriate technical and organizational security measures to protect data from unauthorized access, loss, or disclosure. Controllers are required to notify the UAE Data Office of data breaches as soon as they become aware of them, and to notify affected individuals where the breach is likely to prejudice their privacy. They must keep personal data accurate and up to date. Controllers must ensure data is retained only as long as necessary to fulfill processing purposes. Appointment of a Data Protection Officer is mandatory where processing is likely to result in high risk due to new technologies or volume of data, involves systematic and comprehensive evaluation of sensitive personal data including profiling and automated processing, or involves large-scale processing of sensitive personal data. Controllers must conduct Data Protection Impact Assessments before undertaking high-risk processing activities. They are required to maintain detailed records of processing activities and make them available to the UAE Data Office upon request. Finally, controllers must implement contractual safeguards when engaging data processors to ensure compliance with PDPL requirements.

 

Special Protection for Children 

Both jurisdictions recognize that children require enhanced protection in the digital environment, though they adopt different age thresholds and verification mechanisms. 

India’s DPDP Act defines a child as an individual below 18 years of age, which is notably higher than most global standards. Processing of children’s personal data is permitted only after obtaining verifiable parental consent. The law prohibits tracking or behavioral monitoring of children, targeted advertising directed at children, and any processing likely to have a detrimental effect on a child’s well-being. The Draft DPDP Rules 2025 provide guidance on obtaining verifiable consent, suggesting verification through reliable identity and age details already available with the data fiduciary, voluntarily provided identity documents or digital tokens from government-authorized entities such as Digital Locker service providers, and other proportionate verification methods based on risk assessment. Certain exemptions apply for healthcare providers, educational institutions, and childcare services to ensure essential services can function smoothly.

India’s approach diverges significantly from global practice, where most jurisdictions set lower age thresholds (GDPR allows Member States to set the age between 13 and 16 years, COPPA in the United States applies to children under 13, Brazil’s LGPD treats those under 12 as children, and Singapore’s PDPC guidance uses 13 as the age at which a minor may typically consent). India’s higher threshold means that teenagers aged 13 to 17, who might consent independently in other jurisdictions, require parental consent in India.

The UAE PDPL does not contain specific provisions dedicated exclusively to children’s data protection comparable to India’s framework. However, the general principles of data minimization, purpose limitation, and enhanced security apply to all processing activities, including those involving minors. The absence of explicit children’s data protection provisions in the federal PDPL may be addressed in future executive regulations or sector-specific guidelines.

 

Cross-Border Data Transfers 

The approach to international data transfers represents a significant area of divergence between the two frameworks. 

India’s DPDP Act adopts a “negative list” approach to cross-border data transfers. Under Section 16 of the Act, personal data may be transferred to any country except those to which the Central Government has restricted transfers by notification. This approach contrasts with the EU’s adequacy mechanism and provides greater flexibility for businesses. However, the Draft DPDP Rules 2025 indicate that the Central Government may, by general or special order, impose conditions on making personal data available to a foreign state or to entities under its control. For Significant Data Fiduciaries, the government may specify certain categories of personal data that must not be transferred outside India, along with the associated traffic data about its flow. Separately, and independent of the DPDP Act, the Reserve Bank of India’s payment system data localisation directions already require that payment data processed abroad for the foreign leg of a transaction be brought back to India and deleted from overseas systems within 24 hours; financial services businesses must therefore read the two regimes together.

The UAE PDPL establishes a more structured framework for cross-border transfers that closely follows the GDPR model. Transfers are permitted to countries recognized by the UAE Data Office as offering adequate levels of data protection. In the absence of an adequacy decision, transfers may proceed on the basis of a contract or agreement that binds the recipient to privacy protections aligned with UAE law (functionally similar to standard contractual clauses or binding corporate rules, although the UAE Data Office has not issued a standard template). Alternative pathways for cross-border transfers include obtaining explicit consent from the data subject, fulfilling contractual obligations between the controller and data subject, complying with international judicial cooperation requirements, protecting public interest, and establishing or defending rights before judicial entities.

The UAE’s framework imposes stricter conditions on cross-border transfers compared to India’s approach, requiring either adequacy determinations or specific safeguards unless an exception applies.

 

Enforcement and Penalties 

Both jurisdictions have established enforcement mechanisms and penalty structures to ensure compliance, though they differ significantly in scale and approach. 

India’s DPDP Act establishes the Data Protection Board of India, whose members are appointed by the Central Government, as the adjudicatory body under the Act. The Board conducts inquiries based on complaints, addresses personal data breaches, and issues directions and penalties for non-compliance. The Act provides for the Board to function as a digital office, and the Draft DPDP Rules 2025 propose that inquiries be completed within six months, extendable by up to three months. The Act prescribes a tiered penalty structure with substantial financial consequences. The highest penalty of up to INR 250 crores (approximately USD 30 million) applies for failure to implement reasonable security safeguards to prevent data breaches. Penalties of up to INR 200 crores apply for failure to notify data breaches to the Board and affected individuals, as well as breaches of obligations related to children’s data. Up to INR 150 crores may be imposed for breach of additional obligations by Significant Data Fiduciaries. Other violations attract penalties of up to INR 50 crores. Data Principals who file false complaints or provide false information may face penalties of up to INR 10,000.

The Data Protection Board considers several factors when determining penalties, including the gravity and nature of the breach, the type and sensitivity of data affected, whether the violation is repetitive, any financial gain or loss avoided by the violator, mitigation efforts taken, and whether the penalty is proportionate and effective. Appeals against Board orders lie with the Telecom Disputes Settlement and Appellate Tribunal, with further appeal to the Supreme Court of India.

The UAE Data Office is responsible for enforcing the PDPL. The Office receives and decides complaints from data subjects regarding contraventions of the law, imposes administrative sanctions, and issues directions to controllers and processors. The PDPL itself does not fix penalty amounts; under Article 26 the administrative penalties are to be set by Cabinet decision on a proposal from the Data Office. The figures most commonly cited in commentary range from AED 50,000 to AED 5 million (approximately USD 13,600 to USD 1.36 million), which would be considerably lower than GDPR penalties that can reach 4 percent of global annual turnover or EUR 20 million, whichever is higher. The lower penalty thresholds reflect the UAE’s distinct regulatory approach while still providing meaningful deterrence.

The UAE framework also incorporates potential criminal penalties under existing laws. Under Article 432 of the UAE Penal Code (Federal Decree-Law No. 31 of 2021), individuals who disclose secrets entrusted to them through their profession, trade or position may face a fine of at least AED 20,000 and detention for at least one year. Article 431 prescribes detention and fines for infringing privacy through eavesdropping, recording, or photographing individuals without consent.

 

Implementation Status 

The current implementation status of both laws presents an important consideration for businesses planning compliance strategies. 

India’s DPDP Act was enacted in August 2023, but as of October 2025 it had not yet been brought into force. The Act becomes effective only on dates notified by the Central Government, and no commencement notification had been issued. On January 3, 2025, the Ministry of Electronics and Information Technology released draft rules for public consultation, proposing a phased implementation approach. Provisions relating to the Data Protection Board would take effect immediately upon publication of the final rules, while other compliance-related provisions would be notified later. This staged approach aims to allow time for establishing the statutory framework and providing data fiduciaries with adequate preparation time. The final rules, once notified, must also be laid before each House of Parliament; as of the date of this article they had not been notified. While the Act remains legally unenforceable until formally notified, organizations are advised to begin compliance preparations to avoid last-minute implementation challenges.

The UAE PDPL entered into force on January 2, 2022. However, the law’s executive regulations, which will trigger full enforcement, had not yet been issued as of October 2025. Once the executive regulations are published, organizations will have an additional six months to adjust operations for full compliance. Despite the pending executive regulations, businesses operating in the UAE are advised to implement privacy-by-design principles and prepare compliance frameworks proactively. Meanwhile, the free zones of DIFC and ADGM have updated and strengthened their own data protection regimes, with the DIFC implementing significant amendments in 2024 that expanded scope, introduced private rights of action, imposed stricter compliance obligations including annual DPO assessments, and established financial penalties ranging from USD 10,000 to USD 50,000 for specific breaches.

 

Key Similarities and Differences 

A comparative analysis reveals both convergence and divergence between the two frameworks. 

Both India and the UAE have adopted comprehensive data protection laws inspired by international standards, particularly the GDPR. The laws share extraterritorial application, extending jurisdiction to processing activities conducted outside their territories when involving individuals within their countries. Consent serves as a primary legal basis for processing in both frameworks, requiring it to be freely given, informed, and specific. Both jurisdictions grant individuals rights to access, correct, and erase their personal data, along with grievance redressal mechanisms. Organizations must implement security safeguards, conduct risk assessments for high-risk processing, and notify authorities and affected individuals of data breaches. Both frameworks require appointment of Data Protection Officers in specific circumstances involving high-risk or large-scale processing. Cross-border data transfers are permitted subject to certain conditions and safeguards.

However, several notable differences distinguish the two regimes. The age threshold for children requiring parental consent differs significantly, with India setting it at under 18 years while the UAE lacks specific provisions on children’s data. India adopts a negative list approach for cross-border transfers, allowing transfers to all countries except those explicitly restricted, whereas the UAE follows an adequacy-based model requiring either an adequacy determination or specific safeguards such as contractual clauses binding the recipient. The penalty structures vary dramatically, with India imposing penalties up to INR 250 crores (approximately USD 30 million) compared to the UAE’s commonly cited range of AED 50,000 to AED 5 million (approximately USD 13,600 to USD 1.36 million). India classifies entities as Significant Data Fiduciaries based on volume, sensitivity, and potential impact, imposing enhanced obligations, while the UAE determines DPO and DPIA requirements based on risk profiles without a formal classification system. The regulatory bodies differ in structure, with India establishing a Data Protection Board designed to operate as a digital office versus the UAE Data Office with traditional administrative functions. Currently, neither law is fully enforceable: India awaits a commencement notification and finalization of rules, while the UAE awaits publication of executive regulations. Finally, both the DPDP Act and the federal PDPL use closed lists of non-consent grounds, whereas the DIFC and ADGM regimes additionally provide an open-ended legitimate interests basis.

 

Practical Implications for Businesses 

Organizations operating in or between India and the UAE must navigate these regulatory frameworks strategically. Businesses should begin compliance preparations immediately, even while full enforcement remains pending in both jurisdictions. This includes conducting comprehensive data mapping exercises to understand what personal data is collected, where it is stored, how it is processed, and with whom it is shared across the organization.

For companies engaged in cross-border operations between India and the UAE, particular attention must be paid to data transfer mechanisms. The divergent approaches mean that transfers from the UAE to India will require either an adequacy recognition of India by the UAE Data Office or a contract binding the Indian recipient to PDPL-equivalent protections, while transfers from India to the UAE will generally be permissible unless the UAE is specifically restricted by the Indian Central Government, subject to any sector-specific localisation requirements (such as those applying to payment data) that continue to apply regardless.

Organizations processing children’s data must implement robust age verification mechanisms, particularly for operations in India where the 18-year threshold is unusually high. This may require technical solutions to determine user age and parental consent management systems to obtain and document verifiable parental approval. 

Businesses should evaluate whether they might be classified as Significant Data Fiduciaries in India based on the volume and sensitivity of data they process. Such classification will trigger additional compliance obligations including appointing a Data Protection Officer, conducting annual assessments and audits, and potentially restricting certain cross-border transfers. Similarly, in the UAE, organizations should assess whether their processing activities constitute high-risk processing requiring DPO appointment and Data Protection Impact Assessments. 

Given the substantial penalties in India (up to INR 250 crores for security failures) and the reputational risks in both jurisdictions, organizations should prioritize implementing robust security safeguards including encryption, access controls, monitoring systems, and incident response procedures. Breach notification protocols must be established to ensure timely reporting to authorities and affected individuals as required by both frameworks. 

Companies should review and update their privacy policies, consent mechanisms, and data subject rights management systems to ensure compliance with both frameworks. This includes implementing systems to handle access requests, correction requests, erasure requests, and consent withdrawal in accordance with the timelines and procedures required by each jurisdiction. 

For multinational organizations, a unified compliance approach meeting the highest standards (such as GDPR compliance) can often cover requirements under both the DPDP Act and PDPL, though jurisdiction-specific adaptations will be necessary for areas like children’s data protection in India and cross-border transfer mechanisms in the UAE. 

 

India’s Digital Personal Data Protection Act and the UAE’s Personal Data Protection Law represent significant steps forward in establishing comprehensive data protection regimes in two economically vibrant jurisdictions. Both frameworks reflect a commitment to aligning with global best practices while incorporating features tailored to their respective legal, social, and economic contexts. 

The laws share fundamental principles including lawful processing, transparency, data minimization, security, and individual rights. However, they diverge in important areas such as children’s data protection thresholds, cross-border transfer mechanisms, penalty structures, and classification of high-risk entities. These differences reflect distinct policy choices about how best to balance privacy protection with economic growth and innovation. 

For businesses operating in the increasingly interconnected digital economy, understanding these frameworks is not merely a compliance exercise but a strategic imperative. Organizations that invest in robust data governance frameworks, implement privacy-by-design principles, and establish flexible compliance systems will be best positioned to navigate these evolving regulatory landscapes. 

As both jurisdictions move toward full implementation, with India finalizing its rules and the UAE publishing executive regulations, businesses should view the current transition period as an opportunity rather than a delay. Proactive preparation will enable organizations to build trust with customers, avoid substantial penalties, and establish themselves as responsible stewards of personal data in an era where privacy has become both a fundamental right and a competitive differentiator. 

The comparative analysis of these two frameworks underscores a broader global trend toward comprehensive data protection regulation. As more countries adopt similar laws, businesses with operations across multiple jurisdictions will benefit from harmonized internal policies that meet the highest applicable standards. The convergence around core principles, combined with jurisdiction-specific adaptations, creates both challenges and opportunities for organizations committed to respecting individual privacy rights while leveraging data for innovation and growth. 


Vipul Kulshreshtha

Vipul is a seasoned legal professional with over four years of experience in general corporate practice, mergers and acquisitions, private equity and venture capital fund raise. Vipul is well versed with the regulatory aspects of various sectors such as IT, fintech, healthcare, foreign exchange and financial services.
