Founding Partner
20 November 2025
For over two decades, India’s data privacy regime was governed by the Information Technology Act, 2000, mainly Section 43A and its rules. This framework was narrow, focusing on compensation for negligent data security by “body corporates” rather than ensuring proactive protection. It offered a reactive, liability-based model with vague definitions of “personal data,” limited consent mechanisms, and little emphasis on individual rights. With growing data volumes, cross-border transfers, and rising cyber risks, this compensatory approach became inadequate. The Digital Personal Data Protection Act, 2023 (“The Act”) shifts to an accountability-based model, requiring Data Fiduciaries to adopt strong security measures, ensure transparent consent, and report breaches. The law emphasizes proactive governance and risk mitigation, marking a fundamental shift in India’s privacy framework.
The Statement of Objects and Reasons behind the Bill highlights its dual purpose i.e. promoting responsible growth of online gaming while curbing the harms of money-based games.
The Act introduces a new definition for the key entities involved in data processing.
1. Data Principal: The individual to whom the personal data relates. This term, in contrast to “data subject” in other legal frameworks like the General Data Protection Regulation (“GDPR”), emphasizes the individual’s role as the principal owner of their data.
2. Data Fiduciary: Any person who, alone or in conjunction with others, determines the purpose and means of processing personal data. This is the equivalent of a “data controller” under the GDPR.
3. Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.
4. Significant Data Fiduciary (“SDF”): A class of Data Fiduciaries notified by the Central Government based on factors such as the volume and sensitivity of personal data processed, risk to the rights of the Data Principal, and potential impact on India’s sovereignty and integrity, electoral democracy, and state security.
5. Consent Manager: A person registered with the Data Protection Board who acts as a single point of contact, enabling a Data Principal to give, manage, review, and withdraw her consent through an “accessible, transparent and interoperable platform”.
The Act’s reach is both domestic and extraterritorial. It applies to the processing of all digital personal data within India, including data initially collected in non-digital form and subsequently digitized. Furthermore, it has a crucial extraterritorial application, extending to the processing of digital personal data outside of India if such processing is in connection with offering goods or services to Data Principals within India. This broad scope ensures that foreign entities targeting the Indian market are subject to the same legal obligations as domestic ones.
The legislation provides specific exemptions under Section 3 of the Act, including:
1. Processing of data by an individual for any “personal or domestic purpose”.
2. Data that has been made or caused to be made “publicly available” by the Data Principal or by any person who is legally obligated to do so.
The Act provides two primary grounds for lawful processing of personal data: consent and certain legitimate uses.
1. Consent is the cornerstone, requiring it to be free, specific, informed, unconditional, and unambiguous through clear affirmative action. The term “unconditional” prevents organizations from tying access to services with consent for non-essential Data Fiduciaries must provide a plain-language notice, in English or any Eighth Schedule language, before or along with a consent request. Data Principals also have the right to withdraw consent anytime, with withdrawal as simple as giving it.
2. Additionally, the Act permits processing without consent for certain legitimate uses, such as when data is voluntarily shared, to perform state functions, comply with legal obligations, or address emergencies and This balances protecting individual rights with enabling essential state and economic functions.
The draft Digital Personal Data Protection Rules, 2025 (“The Rules”), released on January 3, 2025, aim to operationalize the Act by translating its principles into a detailed compliance framework. A central theme is the “digital-by-design” philosophy, ensuring that processes such as consent management and grievance redressal are structured for efficiency, accessibility, and transparency in the digital ecosystem.
The Rules provide clarity on the consent process. Notices must be concise, itemized, and easy to understand, specifying the exact personal data to be collected and its purpose. This strengthens informed consent. They also establish the role of Consent Managers, requiring their registration with the Data Protection Board and mandating obligations such as retaining records of consents for seven years and acting in a fiduciary capacity toward Data Principals.
The Rules convert broad obligations into concrete safeguards, mandating encryption, access controls, monitoring logs, and data backups. In case of a breach, Data Fiduciaries must notify both the Board and affected Data Principals “without delay,” and submit a detailed breach report within seventy-two (72) hours.
Additionally, the Rules fix data retention timelines. Entities like e-commerce, social media, and gaming platforms must erase personal data within three (3) years of the last user interaction, unless retention is legally required.
| Obligation | Provisions | Key Actionable Items |
|---|---|---|
| Lawful Processing | Section 4, 5, 6, 7 | Obtain free, specific, informed, unconditional consent for processing; use a clear and itemized notice; ensure processing is for a lawful purpose. |
| Data Security Safeguards | Section 8(5), Rule 6 | Implement reasonable security safeguards, including encryption, access controls, and data backups, to prevent personal data breaches. |
| Breach Intimation | Section 8(5), Rule | Immediately notify the Data Protection Board and affected Data Principals of a personal data breach; submit a detailed report to the Board within 72 hours. |
| Data Retention and Erasure | Section 8(7), Rule 8 | Erase personal data when the specified purpose is no longer served or after the prescribed time period (e.g., three years for large platforms), unless retention is legally required. |
| Obligations for Children's Data | Section 9 | Obtain verifiable parental consent before processing a child's data; prohibit tracking, behavioral monitoring, and targeted advertising directed at children. |
| Additional Obligations for SDFs | Section 10, Rule 12 | Appoint a Data Protection Officer (“DPO”) in India; appoint an independent data auditor; conduct periodic Data Protection Impact Assessments (“DPIA”) and audits; review algorithmic software for potential risks to Data Principals' rights. |
The draft Rules impose additional obligations on SDFs, designated by the Central Government based on factors like data volume, sensitivity, and risks to electoral democracy. This tiered model ensures stricter compliance for entities handling high-risk data.
Under Section 10(2) of the Act and Rule 12 of the Rules, SDFs must appoint a Data Protection Officer (based in India) as a grievance redressal contact and an independent data auditor to conduct regular audits and report to the Data Protection Board of India (“DPBI”). They are also required to conduct annual DPIA to evaluate risks to Data Principals. Another unique obligation is algorithmic software verification, ensuring deployed systems do not harm Data Principals’ rights, especially in automated decision-making.
The Act grants Data Principals significant control over their personal data. They can access summaries of processed data, understand processing activities, and identify entities with whom their data is shared. They may request correction, completion, updating, or erasure of their data. Further, they have a right to grievance redressal via Data Fiduciaries or Consent Managers, with escalation to the Data Protection Board if unresolved. A distinctive right allows them to nominate another person to exercise these rights in the event of death or incapacity, addressing digital legacies.
The Act also imposes reciprocal duties on Data Principals such as exercising rights lawfully, avoiding impersonation or suppression of material information, and refraining from filing false or frivolous grievances. This balanced approach ensures efficient grievance redressal and reinforces the law’s digital-first framework.
The Act establishes the DPBI as a body corporate with the power to investigate and enforce the Act’s provisions. The Chairperson and Members of the Board will be appointed by the Central Government for a two-year term, with eligibility for re-appointment. This short term and the potential for re-appointment have been noted as a potential point of contention regarding the Board’s long-term independence.
The DPBI has the powers of a civil court to summon and enforce the attendance of any person, and it can inquire into personal data breaches and breaches of obligations by Data Fiduciaries or Consent Managers. The Act empowers the Board to impose significant monetary penalties for non-compliance, as specified in the Schedule.
| Type Of Breach | Provisions | Monetary Penalty |
|---|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach. | Section 8(5) | May extend to Indian Rupee Two Hundred and Fifty (250) Crore. |
| Failure to give intimation of a personal data breach to the Board and affected Data Principal. | Section 8(6) | May extend to Indian Rupee Two Hundred (200) Crore |
| Failure to observe additional obligations in relation to children. | Section 9 | May extend to Indian Rupee Two Hundred (200) Crore |
| Failure to observe additional obligations of a SDF. | Section 10 | May extend to Indian Rupee One Hundred and Fifty (150) Crore. |
| Breach in observance of Data Principal duties. | Section 15 | May extend to Indian Rupee Ten (10) Thousand. |
| Breach of any other provision of the Act or Rules. | Section 33 | May extend to Indian Rupee Fifty (50) Crore. |
The Act adopts a less prescriptive approach to cross-border data transfers than many other global frameworks. Instead of creating a whitelist of “safe” countries, it grants the Central Government the power to, by notification, restrict the transfer of personal data to any country or territory outside India. This approach allows the government the flexibility to manage data flows based on evolving geopolitical and security considerations. The draft Rules further specify that a Data Fiduciary must meet certain requirements when making data available to a foreign state or entity, subject to a general or special order from the Central Government.
Beyond territorial scope, the Act provides significant exemptions under Section 17. These include enforcing legal rights, processing by courts or regulatory bodies for their functions, crime prevention and prosecution, processing foreign data principals under a contract, processing for corporate mergers or restructuring approved by a competent authority, and ascertaining the financial details of loan defaulters for financial institutions, in accordance with other laws.
The Act marks a transformative shift in India’s data governance, replacing a reactive, liability-based model with a proactive, rights-focused framework. By establishing clear roles, stringent obligations for Data Fiduciaries, and robust rights for Data Principals, the Act aims to balance individual privacy with legitimate state and business interests. Its extraterritorial applicability and flexible cross-border data transfer rules reflect a modern, adaptable approach. While the success of this new regime will depend on effective enforcement by the DPBI and conscientious compliance by organizations, the Act undoubtedly lays a strong foundation for a secure and accountable digital ecosystem in India.