
Data Protection in India

  • Published On: April 03, 2020 Updated On: May 09, 2025

Table of Contents

A New Era for Data Privacy in India

  • From the Past to the Present: The Evolution of Data Protection
  • Understanding the DPDPA 2023: Key Principles Made Simple
  • Empowering Individuals: Rights of Data Principals
  • Responsibilities and Accountability: Obligations of Data Fiduciaries
  • Navigating Consent: The Cornerstone of Data Processing
  • Addressing Data Breaches: Ensuring Security and Transparency
  • Cross-Border Data Transfers: A Balanced Approach
  • The Path Forward: Implementing the DPDPA 2023 and the Draft Rules
  • Conclusion: Embracing a Privacy-Centric Digital Future

A New Era for Data Privacy in India

India has entered a transformative phase in digital governance with the introduction of the Digital Personal Data Protection Act, 2023. This landmark legislation aims to protect individual privacy while enabling organizations to process data responsibly. Rooted in the constitutional right to privacy, the Act strikes a balance between safeguarding personal information and supporting innovation. It sets clear guidelines for data collection, use, and storage, marking a major step toward building a secure, transparent, and accountable digital ecosystem in one of the world’s fastest-growing digital economies.

From the Past to the Present: The Evolution of Data Protection

Before the Digital Personal Data Protection Act, 2023, India relied largely on the Information Technology Act, 2000, and the SPDI Rules of 2011 (the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules) to manage data protection. While these laws addressed cybercrime and basic data security, they did not offer a complete framework for today's data privacy challenges. Section 43A of the IT Act provided for compensation where a body corporate's negligence in implementing reasonable security practices caused wrongful loss or wrongful gain, but it was clear that a more focused and modern law was needed.

The turning point came in 2017, when the Supreme Court held in Justice K.S. Puttaswamy v. Union of India that the right to privacy is a fundamental right under Article 21 of the Indian Constitution. This landmark judgment fueled the government's efforts to build a strong privacy law. The Srikrishna Committee was constituted the same year, and after multiple drafts, debates, and revisions between 2018 and 2022, the Digital Personal Data Protection Act received presidential assent in August 2023. Assent alone did not bring the Act into force: under Section 1(2) its provisions take effect on dates notified by the Central Government, which is why the 2025 draft rules and their phased timeline matter for compliance planning. This transition from patchy protections under the IT Act to a dedicated, comprehensive law reflects India's growing awareness of data privacy and its alignment with global standards. The focus has shifted from merely securing data to respecting individual rights, obtaining informed consent, and holding organizations accountable.

Understanding the DPDPA 2023: Key Principles Made Simple

To truly understand how the DPDPA 2023 works, it helps to break down its basic terms and principles:

  • Personal Data refers to any data about an individual who can be identified by or in relation to that data. The Act applies to personal data in digital form, including data collected on paper and digitised afterwards.

  • Data Principals are the individuals whose data is being processed. For a child, the term also covers the parent or lawful guardian, and for a person with a disability who has a lawful guardian, that guardian.

  • Data Fiduciaries are the organizations deciding how and why personal data is processed, similar to data controllers under the GDPR.

  • Data Processors are third parties that process data on behalf of fiduciaries.

At its core, the DPDPA 2023 is built on a few clear principles:

  • Lawful Purpose: Data may be processed only for a purpose not expressly forbidden by law, and only on the basis of the data principal's consent or one of the "legitimate uses" listed in the Act.

  • Purpose Limitation: Data should be collected only for specific, clear purposes, not for anything beyond that.

  • Data Minimization: Collect only what’s needed—no more, no less.

  • Accuracy: Ensure data is correct and updated where necessary.

  • Storage Limitation: Don’t keep data longer than required.

  • Integrity & Confidentiality: Protect data from leaks, misuse, or loss.

  • Accountability: Organizations must take responsibility for following the law.

Empowering Individuals: Rights of Data Principals

The DPDPA 2023 significantly empowers individuals by granting them a range of rights over their personal data. Data principals have the right to access information about their personal data, including a summary of the data being processed, the processing activities undertaken, and the identities of all other data fiduciaries and data processors with whom the data has been shared. They also possess the right to correction, completion, updating and erasure of their personal data, enabling them to rectify inaccurate information and request its deletion unless retention is required for the specified purpose or by law. While the explicit "right to be forgotten" seen in some other jurisdictions is not mentioned, the right to erasure serves a similar purpose. The Act also grants individuals the right to nominate another person who can exercise their rights in the event of their death or incapacity. To ensure accountability, data principals have the right to grievance redressal: data fiduciaries must provide readily available means of redress and respond within the prescribed period, and a data principal must exhaust this route before approaching the Data Protection Board. Finally, individuals retain the right to withdraw consent at any time, and the Act requires that withdrawing consent be as easy as giving it; the data fiduciary must then cease processing within a reasonable time unless another law requires it to continue. These rights collectively give individuals greater control, transparency, and recourse regarding the processing of their digital personal data.

Responsibilities and Accountability: Obligations of Data Fiduciaries

The DPDPA 2023 places significant responsibilities on data fiduciaries, the entities that determine the purpose and means of processing personal data. These obligations are designed to ensure that personal data is handled responsibly and that individuals' rights are protected.

  • Security Safeguards: Data fiduciaries are obligated to implement reasonable security safeguards to prevent personal data breaches. This includes technical and organizational measures to protect the confidentiality, integrity, and availability of personal data. They must establish and maintain security practices that are commensurate with the sensitivity of the data and the potential risks involved in its processing.

  • Notice to Data Principals: Before or at the time of requesting consent, data fiduciaries must give notice to data principals. The notice must describe the personal data to be collected and the purpose of processing, explain how the data principal can exercise the right to withdraw consent and the right to grievance redressal, and explain how a complaint may be made to the Data Protection Board. It must be written in clear and plain language, and the data principal must be given the option to read it in English or in any of the languages listed in the Eighth Schedule to the Constitution. Where consent was obtained before the Act came into force, the same notice must be served as soon as reasonably practicable.

  • Purpose Limitation: Personal data can only be processed for the purpose for which it was collected. Data fiduciaries cannot use the data for any other purpose without obtaining fresh consent from the data principal, unless such other purpose is a 'legitimate use' as defined under the Act.

  • Data Accuracy and Completeness: Where personal data is likely to be used to make a decision affecting the data principal, or is to be disclosed to another data fiduciary, the data fiduciary must ensure its completeness, accuracy and consistency. This prevents errors and inaccuracies that could adversely affect data principals.

  • Data Erasure: Data fiduciaries must erase personal data when it is no longer necessary for the purpose for which it was collected, or when the data principal withdraws their consent, unless retention is required by law.

Significant Data Fiduciaries (SDFs)

The DPDPA 2023 introduces the concept of Significant Data Fiduciaries (SDFs). These are a subset of data fiduciaries that are subject to enhanced obligations due to the greater risk associated with their data processing activities. The criteria for designating an entity as an SDF include:

  • The volume of personal data processed.

  • The sensitivity of the personal data processed.

  • The potential risk to the rights of data principals.

  • The impact on the sovereignty and integrity of India.

SDFs have additional responsibilities, including:

  • Appointment of a Data Protection Officer (DPO): SDFs must appoint a Data Protection Officer who represents the SDF under the Act and is responsible to its board of directors or equivalent governing body. The DPO serves as the point of contact for grievance redressal by data principals. The DPO must be based in India.

  • Independent Data Auditor: SDFs must appoint an independent data auditor to evaluate their compliance with the Act.

  • Data Protection Impact Assessments (DPIAs): SDFs must undertake periodic Data Protection Impact Assessments describing the rights of data principals, the purpose of processing, an assessment and management of the risk to those rights, and such other matters as may be prescribed. DPIAs help to identify and mitigate risks before processing begins.

  • Periodic Audits: SDFs must also conduct periodic audits and take such other measures as the Central Government may prescribe to ensure compliance with the DPDPA 2023.

Navigating Consent: The Cornerstone of Data Processing

Consent is a fundamental principle in the DPDPA 2023. Together with the "legitimate uses" listed in the Act, it is one of only two lawful bases for processing personal data: unless a legitimate use applies, a data fiduciary must obtain valid consent from the data principal before processing.

  • Valid Consent: The DPDPA 2023 specifies the requirements for valid consent. Consent must be:

    • Free: Given without any coercion, undue influence, or deception.

    • Specific: Obtained for a clearly defined and specific purpose.

    • Informed: Based on clear and comprehensive information about the data being processed and the purposes of processing.

    • Unconditional: Not tied to the provision of any service or benefit that is not necessary for the specified purpose.

    • Unambiguous: Expressed through a clear, affirmative action that indicates the data principal's agreement.

  • Consent Is Purpose-Bound: Consent signifies agreement to processing for the specified purpose only, and is limited to the personal data necessary for that purpose. The Act's own illustration is a telemedicine app that asks for consent both to process data for telemedicine services and to access the user's phone contact list; because the contact list is not necessary for telemedicine, the consent is treated as covering only the telemedicine processing. Using data for a new purpose requires fresh consent unless a legitimate use applies, which gives individuals granular control over how their data is used.

  • Legitimate Uses: The Act recognizes certain "legitimate uses" for which data can be processed without consent. These include:

    • Processing of data that the data principal has voluntarily provided for a specified purpose, without indicating that she does not consent to its use for that purpose.

    • Processing by the State or its instrumentalities to provide a subsidy, benefit, service, certificate, licence or permit.

    • Processing to comply with a law, or with a judgment or order of a court.

    • Processing to respond to a medical emergency, an epidemic or other threat to public health, or a disaster or breakdown of public order.

    • Processing for employment-related purposes, including safeguarding the employer from loss or liability.

  • Children's Data: The DPDPA 2023 has specific provisions for the processing of the personal data of children (individuals under 18) and of persons with disabilities who have a lawful guardian. It mandates verifiable consent of the parent or lawful guardian before processing, prohibits any processing likely to cause a detrimental effect on the well-being of a child, and prohibits tracking, behavioural monitoring and targeted advertising directed at children. The Central Government may exempt certain classes of data fiduciaries or purposes from these restrictions.

  • Consent Managers: The DPDPA introduces a new category of entity called Consent Managers. These entities, registered with the Data Protection Board, provide a platform for data principals to:

    • Give consent to data fiduciaries.

    • Manage their consent preferences.

    • Review their consent decisions.

    • Withdraw consent previously given.

Data principals can grant, manage, review, or withdraw their consent directly with the data fiduciary or through a Consent Manager. Consent Managers are accountable to the data principal and must act in accordance with their instructions. This mechanism aims to simplify the consent management process and empower data principals with greater control over their data.

Addressing Data Breaches: Ensuring Security and Transparency

Protecting personal data from unauthorized access and misuse is a cornerstone of the DPDPA 2023. Data fiduciaries must protect the personal data in their possession or under their control, including data processed on their behalf by a data processor, by implementing reasonable security safeguards.

A personal data breach is defined in the Act as any unauthorized processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises its confidentiality, integrity or availability. In the event of a breach, the data fiduciary must notify both the Data Protection Board of India (DPB) and each affected data principal. There is no materiality or harm threshold: every personal data breach is notifiable.

The draft rules set out the timeline. The data fiduciary must intimate the Board without delay on becoming aware of the breach, giving a description of its nature, extent, timing and location of occurrence and its likely impact. Within 72 hours of becoming aware (or a longer period the Board allows on a written request), it must follow up with updated and detailed information: the facts, circumstances and reasons that led to the breach, the measures implemented or proposed to mitigate risk, any findings about the person who caused the breach, the remedial measures taken to prevent recurrence, and a report on the intimations given to affected data principals.

The notification to each affected data principal must likewise be made without delay, in a concise, clear and plain manner, through the user account or any mode of communication the data principal has registered with the fiduciary. It must describe the breach, its likely consequences for that individual, the measures taken to mitigate risk, the safety measures the individual can take to protect their interests, and the business contact information of a person able to answer questions on the fiduciary's behalf.

These reporting requirements underscore the Act's emphasis on transparency and accountability. In practice they mean the clock starts when the fiduciary becomes aware of the breach, not when it has finished confirming impact, so an incident response plan should already contain a pre-approved notification template, a list of the data points the Board expects, and a tested channel for reaching affected individuals at scale.

Cross-Border Data Transfers: A Balanced Approach

In today's globalized digital economy, the transfer of personal data across national borders is often essential for business operations. The DPDPA 2023 adopts a balanced approach to regulating such transfers. Unlike earlier drafts that proposed strict data localization requirements, Section 16 permits the transfer of personal data to countries outside India unless the Central Government restricts transfer to a particular country or territory by notification. This is often referred to as a "negative list" approach: transfers are allowed to all destinations except those specifically restricted.

The DPDPA 2023 sets a floor, not a ceiling. Section 16(2) preserves any other law that provides a higher degree of protection or restriction on transfer, so sector-specific localization rules continue to apply. For instance, the Reserve Bank of India requires payment system operators to store payment data within India. The draft rules add that a data fiduciary may transfer personal data outside India only subject to such requirements as the Central Government may specify by general or special order, in particular requirements about making that data available to a foreign State or to any person or agency under its control. This framework aims to balance the protection of Indian residents' personal data against the flow of data necessary for international trade and business operations.

The Path Forward: Implementing the DPDPA 2023 and the Draft Rules

With the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA 2023), India has taken a significant step towards building a privacy-centric digital ecosystem. To operationalize this landmark legislation, the Ministry of Electronics and Information Technology (MeitY) has released the Draft Digital Personal Data Protection Rules, 2025, marking the next critical phase in the law’s implementation.

These draft rules provide much-needed clarity on the procedures and mechanisms required to enforce the provisions of the Act. Recognizing the scale of change this law demands, MeitY has proposed a phased implementation strategy. This approach gives organizations adequate time to adapt their data governance and processing practices in alignment with the new legal requirements.

Key elements addressed in the draft rules include:

  • The rights of data principals and how these rights can be exercised

  • The required content and format of privacy notices by data fiduciaries

  • Security safeguards, such as encryption, access controls, and breach reporting protocols

  • Cross-border data transfer conditions

  • Appointment criteria for Data Protection Officers (DPOs)

  • Consent management platform frameworks

  • Detailed procedures for reporting and responding to data breaches

A cornerstone of the DPDPA’s enforcement mechanism is the establishment of the Data Protection Board of India (DPB). As an independent adjudicatory body, the DPB is empowered to:

  • Investigate personal data breaches

  • Issue directives for urgent remedial actions

  • Impose financial penalties for non-compliance (up to INR 250 crore for failing to maintain reasonable security safeguards, and up to INR 200 crore for failing to notify a breach to the Board or affected data principals)

  • Adjudicate disputes and complaints from data principals

The Act requires the DPB to function, as far as practicable, as a digital office: the receipt of complaints and the allocation, hearing and pronouncement of decisions are to be digital by design, ensuring speed, accessibility, and transparency in handling data privacy grievances.

Conclusion: Embracing a Privacy-Centric Digital Future

For organizations operating in India or processing data of Indian residents, compliance with the DPDPA 2023 is more than a legal obligation—it’s a strategic necessity. Failure to comply not only risks severe penalties but also undermines consumer trust and brand reputation in an increasingly privacy-aware marketplace. This evolving regulatory environment calls for expert-led guidance, tailored implementation strategies, and continuous compliance monitoring. Briskinfosec is equipped to support organizations at every step, from readiness assessments and policy creation to DPO support, Data Protection Impact Assessments (DPIAs), and employee training. With our in-depth understanding of the DPDPA and its operational rules, we help clients implement robust, scalable, and compliant data protection frameworks.
