Why GDPR and India's Data Law Don't Behave as One Rule
EU's GDPR is rights first and extraterritorial. India's Digital Personal Data Protection Act is consent driven and sovereignty first.
EU's GDPR is rights first and extraterritorial. India's Digital Personal Data Protection Act is consent driven and sovereignty first.
The phrase "build once, scale everywhere" used to be the operating manual for global software. Two major data regimes are now making that manual obsolete, and not because the rules look similar. The European Union's General Data Protection Regulation and India's Digital Personal Data Protection Act start from different assumptions about who controls personal data and where it is allowed to travel. Treating them as variations on a theme of "privacy compliance" misses the real shift, according to Forbes Council contributor Sanjay Ghare, founder and CEO of travel-technology company Vervotech (how data regulations may fragment the internet).
GDPR, in force since 2018, is a rights-first system. It gives individuals direct control over their personal data and imposes strict conditions on collection, processing, and cross-border transfer. Its reach is extraterritorial: any company that handles the data of people inside the European Union is accountable, regardless of where the company itself is incorporated. India's DPDP Act, by contrast, is built around explicit consent and pairs that consent model with stronger data sovereignty. It expects personal data to be governed and, in some categories, stored within India. The two laws do not ask for the same things, and they do not stop at the same borders.
That distinction is the spine of Ghare's argument. He pushes back against the framing of "data privacy regulation" as incremental compliance overhead. In his reading, it is a structural change in how the digital economy operates. A global platform can no longer assume that a single user record, a single consent receipt, or a single transfer mechanism will be valid in every market it serves. Consent structures, transfer rules, and storage requirements are now jurisdiction-specific. The architecture has to be jurisdiction-specific too.
For travel and fintech platforms in particular, the cost shows up in product and engineering, not just in legal review. Online travel agencies, cross-border payment companies, and global SaaS providers that once routed user data through centralized, region-agnostic back ends are now maintaining separate consent flows, separate data residency footprints, and separate deletion and portability logic. What used to be one database schema is becoming several. What used to be one privacy notice is becoming several. The fragmentation Ghare is naming is operational before it is political.
It is worth being precise about the source. The argument comes from a single Forbes Council contributor who runs a travel-tech company, and the published excerpt is truncated mid-paragraph. Ghare's characterizations of GDPR and DPDP are paraphrases, not statutory text. The piece frames its forecast that further fragmentation will follow as the author's projection rather than a settled outcome, and it has not been corroborated by regulators or by independent reporting with direct policy access. Readers weighing the operational implications should treat the architectural-incompatibility frame as a hypothesis worth pressure-testing, not as consensus. Counter-views from interoperability advocates, from cross-border data-flow frameworks, or from regulators themselves would test whether the gap is as deep as the contributor claims, or whether harmonized controls can absorb it.
The watch items are concrete. The first is whether major cross-border data-flow arrangements, including the EU's adequacy decisions, the EU-U.S. Data Bridge, and any successor instruments, can narrow the practical gap between the rights-first and consent-and-sovereignty models. The second is how aggressively India's DPDP is enforced against foreign-headquartered platforms, since the law's reach in practice will determine how many companies actually rebuild their stacks versus bolt on regional workarounds. The third is whether other large jurisdictions, including Brazil, Indonesia, and a possible United States federal privacy floor, layer additional sovereignty assumptions on top, or converge toward one of the existing models. None of those questions is settled. Each one will tell global engineering and product teams whether "build once, scale everywhere" needs to be retired, regionalized, or quietly rewritten behind the same slogan.