The Two Internets
Why Privacy Works Differently Globally
Open a news website in Paris and you are greeted not by content, but by a choice.
Accept all cookies.
Reject non-essential cookies.
Manage preferences.
Expand vendor list.
Review storage duration.
The interface may be inelegant, but the premise is clear: your data is not assumed.
Open a similar website in Mumbai and the experience is often different.
Consent is bundled.
Opt-outs are obscured.
Promotional messages arrive by default.
On WhatsApp, brands operating in Europe routinely append reminders of your right to withdraw consent. In India, such reminders are rare.
The contrast between the two cities, and two countries, and what they signify structurally, is jarring.
Under the General Data Protection Regulation, the European Union’s landmark 2018 data protection law, consent must be explicit, informed, specific, and revocable. Organisations must clearly disclose how personal data is collected, processed, shared, and stored. Violations can attract fines of up to 4% of global annual turnover. Enforcement has been consequential. In 2023, Meta Platforms was fined €1.2 billion by Ireland’s Data Protection Commission for unlawful data transfers under GDPR, one of the largest privacy penalties to date. The regulatory signal to firms operating in Europe is unambiguous: non-compliance carries material financial risk.
India’s privacy framework has evolved more incrementally. The Information Technology Act, 2000, originally enacted to govern electronic commerce and cyber offences, remains the backbone of India’s digital legal structure. Section 43A imposes liability on companies that fail to protect sensitive personal data, while Sections 66C and 66D address identity theft and online fraud. Yet the ‘Act’ was drafted before the platform economy reached scale and does not function as a comprehensive privacy code.
In 2017, the Supreme Court of India, in Justice K. S. Puttaswamy v. Union of India, unanimously recognised privacy as a fundamental right under the Constitution. The judgment established a constitutional foundation for data protection and reshaped India’s legal discourse around digital rights.
Building on that foundation, Parliament enacted the Digital Personal Data Protection Act, 2023, which governs the processing of digital personal data. The Act emphasises consent, purpose limitation, data minimisation, and user rights such as access, correction, and erasure. It also establishes a Data Protection Board to oversee compliance and adjudicate breaches. However, its enforcement architecture is still being operationalised, and its deterrent effect remains largely untested at scale.
The Information Technology Rules, 2021 further impose due diligence obligations on digital intermediaries, including grievance redressal mechanisms and compliance reporting. CERT-In directives mandate rapid reporting of cybersecurity incidents. Together, these instruments form an expanding regulatory ecosystem.
What they do not yet represent is a mature enforcement culture comparable to Europe’s.
The divergence reveals something deeper about how markets shape behaviour.
In Europe, privacy is embedded within a broader human rights framework and enforced by active data protection authorities with demonstrable penalty track records.
Civil society organisations litigate.
Regulators investigate.
Fines are public and financially significant.
The signal to companies operating in Europe is clear.
In India, digital expansion has been framed primarily as an engine of growth, inclusion, and innovation. With over 800 million internet users and one of the world’s fastest-growing digital economies, India represents one of the largest pools of behavioural data globally.
But scale is not only demographic.
In a data-driven economy, scale itself is an asset to companies operating in that country, like India for instance.
We are a population exceeding 1.4 billion, rapidly digitising and increasingly transacting online, and we offer companies not just customers but continuous streams of behavioural insight.
Search histories, purchase patterns, click behaviour, and location data feed predictive systems that underpin targeted advertising, pricing models, and platform valuation.
In a country where regulatory friction around collection and processing is limited or inconsistently enforced, the commercial upside in constantly expanding for companies.
India, in that sense, is not merely a large consumer market. India in fact to companies is one of the world’s largest data markets. In a global technology economy where data underpins valuation, that distinction shapes strategy.
Companies respond rationally to incentives. Where enforcement is predictable and penalties are significant, privacy safeguards become embedded in product architecture. Where enforcement capacity is evolving and user awareness remains uneven, frictionless data extraction often prevails.
This does not mean India lacks rights. Our Supreme Court has affirmed them. Our Parliament has legislated them.
So, the key question I am asking is one of institutional depth and bargaining power of an Indian user - do we even have any?
Europe institutionalised digital rights before platforms consolidated dominance. India embraced platforms at speed before fully consolidating enforcement capacity. This sequencing does significantly matter.
Digital maturity is not measured solely by internet penetration or transaction volume. It is measured by the practical leverage users possess within the ecosystem.
Until enforcement deepens, awareness broadens, and corporate penalties become predictably material, the Indian internet will continue to operate differently from its European counterpart. Not because Indians value privacy less, but because the political economy shaping corporate behaviour remains distinct.
In a data-driven world, markets signal priorities.
Europe signals rights.
India signals “growth”.
And, globally companies will continue to optimise these geographies accordingly.