
Quick Answer: Regulators scrutinised Google’s acquisition of Fitbit because Fitbit devices collect sensitive health and biometric data. Approval focused on keeping Fitbit health data separate and not using it for advertising.
What it means for you: If you collect sensitive data (health, biometric, financial), expect closer scrutiny. Do not repurpose data collected for one purpose (for example, fitness tracking) into advertising or cross-selling without clear, informed consent. In transactions involving customer datasets, plan governance and separation safeguards early.
Case study 2: WhatsApp / Meta – consent cannot be forced

Quick Answer: In WhatsApp LLC & Meta Platforms Inc. v. Competition Commission of India, the Competition Commission of India (CCI) held that WhatsApp’s 2021 privacy policy imposed unfair conditions by requiring users to accept expanded data-sharing with Meta Platforms Inc. entities as a precondition for continued use. On 18th November 2024, the CCI imposed a penalty of ₹213.14 crore, holding that WhatsApp’s conduct amounted to an ‘abuse of dominant position’. It directed WhatsApp to ensure that data sharing is voluntary, clearly disclosed, and supported by a visible opt-out option, and banned data sharing with Meta for advertising purposes for five years (with an opt-out from 2029).
Aggrieved by the penalty, WhatsApp and Meta appealed to the National Company Law Appellate Tribunal (NCLAT). In its judgement dated 4th November 2025, the NCLAT upheld the abuse findings, the penalty and the finding of competitive harm, but set aside the five-year advertising data-sharing ban, treating intra-group data sharing as standard practice while retaining the user-choice remedies.
Both WhatsApp/Meta and CCI have since appealed to the Supreme Court of India, where hearings are ongoing as of February 2026. During the proceedings, the Supreme Court condemned “take-it-or-leave-it” consent models, emphasizing that privacy is a fundamental right and that companies operating in India must adhere to domestic data protection principles.
What it means for you: Consent needs to be a real choice. If your product design pressures users into agreeing to expanded data sharing as the price of access, you increase both regulatory and reputational risk. Make opt-outs visible and terms easy to understand.
DPDP vs GDPR: where they align and where they differ

Quick Answer: DPDP and GDPR share core principles (consent, purpose limitation, rights, security and breach notification) but they are not interchangeable. Compliance with one does not automatically satisfy the other.
Key similarities
- Both emphasize lawful processing based on valid, informed, specific consent.
- Both require purpose limitation and data minimisation.
- Both provide rights such as access, correction, erasure and grievance redressal.
- Both impose security safeguards and breach notification duties.
- Both can apply extraterritorially.
Key differences
- Scope: GDPR covers personal data broadly, including offline processing; DPDP focuses on digital personal data and digitised offline data.
- Legal bases: GDPR allows multiple lawful grounds for processing, such as contract, legitimate interest and legal obligation; DPDP is more restrictive and limits processing mainly to consent and the specific legitimate uses defined in the Act (e.g. compliance with law, employment purposes, or emergencies).
- Regulator: GDPR uses supervisory authorities across EU member states; DPDP uses a single central body, the Data Protection Board of India (DPB).
- DPO: GDPR mandates a Data Protection Officer (DPO) in specified cases; DPDP requires a DPO mainly for Significant Data Fiduciaries (SDFs).
- Penalties: GDPR follows a two-tier, turnover-linked system: lower fines (up to €10 million or 2% of global turnover) for procedural breaches, and higher fines (up to €20 million or 4%) for serious violations such as unlawful processing or consent failures. In contrast, DPDP prescribes fixed heavy financial penalties, for instance:
  - Failure to secure data: up to ₹250 crore.
  - Failure to notify breaches: up to ₹200 crore.
  - Mishandling children’s data (for which verifiable parental consent is required): up to ₹200 crore.
The Data Protection Board of India: what it can do

Quick Answer: The DPB is an independent adjudicatory authority with powers to inquire into non-compliance and breaches, impose monetary penalties, and issue corrective directions including cease-processing orders.
In deciding penalties, the DPB may consider factors such as the nature and duration of the breach, sensitivity of data, number of individuals affected, the entity’s profile, harm caused, and cooperation during the inquiry.
The Ministry of Electronics and Information Technology notified the DPDP Rules on 14th November, 2025, initiating an 18-month phased implementation schedule. For most mid-sized and large organizations, the risk of non-compliance becomes real during 2026.