DPDP Act VS DPDP vs China's PIPL: Asia's Data Protection Giants

DPDP vs PIPL: The Two Asian Data Protection Frameworks

India’s DPDP Act 2023 and China’s Personal Information Protection Law (PIPL, 2021) regulate personal data in the world’s two most populous countries. While both share GDPR-inspired principles, their enforcement philosophies differ significantly.

Comparison Table

Feature	DPDP Act 2023 (India)	PIPL (China)
Enacted	2023	2021
Consent model	Consent + legitimate use	Consent + 6 other legal bases
Sensitive data	No separate category yet	Explicit sensitive PI definition
Cross-border transfer	Blacklist model	Security assessment, standard contracts, or certification
Data localization	No mandatory localization	Critical Information Infrastructure operators must localize
Max penalty	₹250 Crore	¥50M or 5% annual revenue
Government access	Limited provisions	Broad national security access
Enforcement	Data Protection Board	Cyberspace Administration of China (CAC)
Extraterritorial scope	Processing of Indian residents’ data	Processing to provide products/services to China or analyze behavior

Key Difference: Data Localization

China’s PIPL requires Critical Information Infrastructure (CII) operators and organizations processing data above certain thresholds to store personal data within China. DPDP takes the opposite approach — no mandatory localization, instead using a blacklist of restricted countries. This makes DPDP more flexibility-friendly for multinational operations.

For Companies Operating in Both Markets

India and China present different compliance challenges. Companies in both markets should build unified data governance with jurisdiction-specific overlays rather than separate compliance programs for each country.