EU Plans to Slash General Data Protection Regulation (GDPR)

Learn about the EU's General Data Protection Regulation (GDPR), a comprehensive data privacy law that safeguards personal data, enforces user consent, and sets global standards for data protection and privacy compliance.

Table of Contents

Context: The European Commission is considering revising or “slashing” the General Data Protection Regulation (GDPR) to make it more practical and less burdensome. The proposed revisions aim to simplify compliance mechanisms without compromising data protection principles.

Why Is the EU Planning to Modify the General Data Protection Regulation (GDPR)?

High Compliance Burden: A study by the German Chamber of Commerce and Industry (GCCI) found that 75% of businesses still struggle with compliance.
Negative Impact on Innovation: GDPR forced nearly one-third of apps on the Google Play Store to shut down; entry of new apps fell by half post-implementation.
Reduced Profit Margins: An Oxford University paper (2022) reported a 1% decline in profits for European businesses post-GDPR.

What Is India’s Equivalent Law?

Digital Personal Data Protection Act, 2023 (DPDPA):

Passed by Parliament in August 2023
Aims to regulate the processing of personal data by public and private entities

What Are the Issues with India’s Draft Rules Under DPDPA?

No ‘Legitimate Interest’ Clause: GDPR allows data use without consent for fraud prevention, marketing, or journalism.
- DPDPA omits this, requiring fresh consent each time — creating operational chaos.
No ‘Contractual Necessity’ Clause: GDPR allows data use to fulfill contracts (e.g., delivery details, ticket bookings).
- DPDPA blocks even third-party logistics companies from using recipient data without prior consent.
- Hampers e-commerce, BPOs, logistics, and fintech
Consent Fatigue: Users may get flooded with consent pop-ups, leading to blind rejection.
- Ironically, this may weaken privacy and security instead of strengthening them.
Over-regulation May Kill Innovation: Instead of fostering a startup-friendly data regime, DPDPA risks becoming more stringent than GDPR, choking innovation and ease of doing business.

What India Needs to Do

Include “Legitimate Interest” Clause: Allow essential services (security alerts, fraud detection, journalism) without repeated consent requests.
Add “Contractual Necessity” as Legal Basis: Enable smooth processing of data for tasks involving third parties (e.g., delivery services, customer care).
Balance Compliance and Innovation: Avoid making DPDPA a compliance-heavy regime that stifles startups and tech adoption.
Adopt a Risk-Based, Tiered Approach: Differentiate obligations based on the nature and sensitivity of data, not a one-size-fits-all rule.

Conclusion

India must learn from the EU’s experience with GDPR. Without fundamental amendments to DPDPA, compliance overload may backfire, hurting users, startups, and national digital innovation. A pragmatic, business- and citizen-friendly approach is the need of the hour.