India Has a Data Protection Law Now
Parliament passed the Digital Personal Data Protection Act on 11 August 2023, and the President gave assent the same day. After nearly six years of public consultations, expert committees, two scrapped drafts, and a joint parliamentary committee report that generated hundreds of pages of debate, India finally put a single piece of legislation on the books that tells companies, government agencies, and other organisations what they can and cannot do with people's personal data. The Act has 30 sections. That makes it one of the shorter privacy laws among major economies, but length is not the same thing as simplicity. There are terms that carry very specific legal weight, exemptions that have already drawn fire from civil liberties groups, and enforcement mechanisms that exist in theory but have not yet been tested.
Before August 2023, data protection in India was governed by Section 43A of the Information Technology Act 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011. If you have never heard of those rules, you are not alone. They were rarely enforced, covered a narrow set of situations, and contained no real penalty structure. Sector-specific regulators like the RBI and SEBI had their own data-handling guidelines for banks and brokerages, but those applied only within their respective industries and left the rest of the economy effectively ungoverned on data matters.
The gap had real consequences. Indian companies collected vast amounts of personal information with almost no accountability for how it was stored, shared, or sold. Data breaches were discovered, sometimes affecting millions of users, and the responsible companies faced no penalty beyond bad press coverage. Users had no formal legal right to ask a company to delete their data, correct errors, or even tell them what information was being held. The IT Act rules required "reasonable security practices" but defined them so loosely that almost anything qualified.
The DPDP Act changes that. It creates a consent-based framework where companies must get clear permission before collecting personal data, must explain why they are collecting it and what they will do with it, and must delete it when the purpose is served or consent is withdrawn. It gives individuals a set of enforceable rights. It creates a new government body, the Data Protection Board of India, to handle complaints and impose penalties. And it sets financial penalties that reach up to Rs 250 crore for the most serious violations.
There are things this law does not do. It does not cover data written on paper. It does not give you the right to take your data from one service and move it to another. It does not let you challenge decisions made about you by algorithms. And it gives the central government broad power to exempt its own agencies from the rules. All of that matters, and all of it will come up in the sections that follow.
But the basic fact remains: India went from having no dedicated data protection law to having one. What happens next depends on enforcement.
The Vocabulary You Need to Know
The Act introduces a set of defined terms, and the entire law is built around them. If you do not understand these terms, the rest of the Act reads like alphabet soup. There are four that matter most, and one additional category that comes with extra obligations.
Data Principal. That is you. The individual whose personal data is being collected, stored, or processed. If your phone number is in a company's database, you are the Data Principal for that record. If your child is under 18 and using an app, you are the Data Principal acting on their behalf. The law treats the Data Principal as the person who owns the relationship with their data, even though the data itself might sit on someone else's server. In plain language, the Data Principal is the human being behind the data point.
Data Fiduciary. The entity that decides why and how your data is collected and used. This is a broad category. Flipkart is a Data Fiduciary. So is IRCTC, SBI, the Income Tax department, a hospital chain, a real estate broker who takes your Aadhaar copy, or a mobile gaming company that stores your email address. The word "fiduciary" is borrowed from trust law and finance, where it means someone who holds a position of trust and has a legal obligation to act in the other party's interest. The choice of that word was deliberate. It signals that companies holding your data owe you a duty of care, not just a transactional relationship.
Data Processor. A third party that processes data on behalf of the Data Fiduciary, but does not decide what to do with it. If HDFC Bank stores its customer records on Amazon Web Services, AWS is the Data Processor. It follows HDFC's instructions. The distinction matters because the Fiduciary bears primary responsibility under the Act, while the Processor's obligations flow from its contract with the Fiduciary. Most cloud computing providers, analytics platforms, and outsourced IT service companies fall into this bucket.
Consent Manager. A new category that did not exist in Indian law before. Consent Managers are entities registered with the Data Protection Board whose job is to act as intermediaries between you and the companies that hold your data. Think of them as a single dashboard where you can see which organisations have your consent, for what purpose, and where you can revoke that consent without visiting each company's website individually. The concept is promising. No Consent Managers are operational yet as of early 2026, and the rules governing their registration, technical standards, and accountability are still being finalised. When they do launch, the question will be whether people actually use them or whether they become another feature that exists on paper but gets ignored.
Significant Data Fiduciary. The government has the power to designate certain large Data Fiduciaries as "Significant" based on factors like the volume and sensitivity of data they handle, the risk of harm, and their potential impact on India's sovereignty and integrity. Significant Data Fiduciaries face extra requirements: they must appoint a Data Protection Officer based in India, they must conduct periodic Data Protection Impact Assessments, they must get independent audits done, and their data processing activities will receive closer scrutiny. The likely candidates for this designation include the big technology platforms (Google, Meta, Amazon), major Indian banks, telecom companies, and possibly large health-tech and ed-tech firms. The designations have not yet been made public, and the timelines for compliance remain unclear.
One more term worth knowing: "processing." The Act defines it broadly to cover collection, recording, storage, structuring, retrieval, use, sharing, disclosure, and erasure. Just about anything a company does with your data counts as processing. That breadth is intentional. It prevents companies from arguing that they were "only storing" data and therefore the rules do not apply.
Rights You Actually Have as a Data Principal
The DPDP Act grants five specific rights to individuals. All five are written into the statute, which means they have the force of law. This is not a set of recommendations or best practices. These are legal entitlements that you can enforce through the Data Protection Board if a company or agency refuses to honour them.
Right to Information. Any Data Fiduciary that collects your personal data must give you a clear notice at the time of collection. This notice must state what data is being collected, the purpose of collection, how you can exercise your rights under the Act, and how you can file a complaint with the Data Protection Board. The notice cannot be in legal jargon. The Act requires it to be in plain, understandable language. And here is a detail that often gets overlooked: the notice must be available in any of the 22 languages listed in the Eighth Schedule of the Constitution. Not just English, not just Hindi. If a company operates in Tamil Nadu and collects data from Tamil-speaking users, the notice should be available in Tamil. Compliance with the language requirement will be one of the first real tests of whether companies take this law seriously or treat it as a box-ticking exercise.
Right to Correction and Erasure. If a company has incorrect information about you, you can request a correction. If you withdraw your consent or the original purpose of data collection no longer applies, you can ask for deletion. The default under the Act is that data must be erased once the specified purpose has been fulfilled, unless there is a specific legal requirement to retain it. For example, tax records may need to be kept for a certain number of years under the Income Tax Act, and the DPDP Act recognises that exception. But a food delivery app that keeps your order history for five years after you deleted your account would have a hard time justifying that retention under this framework.
Right to Grievance Redressal. Every Data Fiduciary must have a functioning grievance mechanism. They must publish how complaints can be filed, designate a person or team to handle them, and respond within a reasonable time. If the company does not respond, or if the response is unsatisfactory, you escalate to the Data Protection Board. The Board has the power to investigate, hold hearings, and impose penalties. The process is designed to be digital-first, which should make it more accessible than a traditional court-based approach. Whether the Board will have the staff and infrastructure to handle a large volume of complaints remains an open question.
Right to Nominate. You can appoint another person to exercise your data rights in the event of your death or incapacity. This is the digital equivalent of naming a nominee for your bank account. If you pass away, your nominee can write to companies and request access to your data, correction of records, or deletion. Without this provision, your digital data would exist in a kind of legal limbo after death, with companies under no obligation to respond to anyone.
What this law does not include is worth noting. There is no right to data portability. Under the GDPR in Europe, you can ask a company to hand over all your data in a machine-readable format so you can take it to a competing service. The DPDP Act does not offer this. If you want to leave a social media platform, you cannot demand your photos, posts, and contacts in a format that another platform could import. Privacy advocacy organisations like the Internet Freedom Foundation have called this a significant omission, and there are indications it may be addressed in future amendments or subordinate rules, but for now, it is not part of the law.
There is also no right to object to automated decision-making. If an insurance company uses an algorithm to set your premium, or a lending app uses a scoring model to reject your loan application, you have no specific right under this Act to challenge that decision or demand a human review. The GDPR provides this right. India's law does not.
Alongside rights come duties. The Act states that Data Principals must not file false or frivolous complaints with the Board. You must not suppress material information when exercising your rights. And you must not furnish false particulars or impersonate someone else while providing personal data. The penalty for breaching these duties is up to Rs 10,000. The amount is small, but the provision signals a reciprocal structure: the law gives you rights and expects you to use them honestly.
Obligations on Companies and the Government
The Act puts the weight of compliance on Data Fiduciaries. The consent requirements are specific and, if actually enforced, will change how most Indian companies interact with their users.
Consent must be free, specific, informed, unconditional, and unambiguous. That string of adjectives is doing a lot of work. "Free" means no coercion, no making an unrelated service conditional on consent. "Specific" means each purpose of data collection requires separate consent. If an e-commerce company wants your data for order delivery and also for targeted advertising, those are two distinct consent requests. You can agree to the first and refuse the second, and the company cannot deny you service for the refusal. "Informed" means the company must explain in plain terms what data they want, why, and what your options are. "Unconditional" means they cannot attach strings. "Unambiguous" means pre-ticked checkboxes, implied consent through continued browsing, and similar dark patterns are not valid.
The consent notice must be standalone. A company cannot bury it inside a 50-page terms-of-service document. It must be presented at the point of data collection, in language the user can actually understand, and with clear instructions on how to withdraw consent later. Withdrawal must be as simple as granting consent. If signing up took one click, deleting your account and revoking consent should take one click too. The era of account deletion flows that require three emails, a support ticket, and a two-week waiting period is supposed to be over, at least legally.
For children under 18, the rules are stricter. A Data Fiduciary must obtain verifiable consent from the child's parent or legal guardian before processing the child's data. Behavioural tracking of children for advertising purposes is banned outright. Detailed profiling of minors is prohibited. This affects social media companies, gaming platforms, ed-tech firms, and anyone else whose user base includes people under 18. How "verifiable" consent will work in practice is still being worked out. Age verification itself is a hard technical problem, and no country has solved it perfectly.
Data Fiduciaries must also take "reasonable security safeguards" to protect personal data from breaches. In practice this means that if a company stores your data and someone steals it because the company failed to encrypt its databases or ran outdated software with known vulnerabilities, that company is liable. The penalty for failing to take reasonable security safeguards to prevent a breach goes up to Rs 250 crore. Failing to notify the Data Protection Board and affected individuals of a breach carries a separate penalty of up to Rs 200 crore. Violations of children's data provisions can result in penalties of up to Rs 200 crore. For Significant Data Fiduciaries that fail their additional obligations, the cap is Rs 150 crore. Any other non-compliance is capped at Rs 50 crore.
These are fixed caps, not percentages of revenue. Under the GDPR, fines can reach 4% of a company's global annual turnover, which for a company like Alphabet or Meta would be billions of euros. The Indian penalty caps are smaller in absolute terms for the very largest companies, but Rs 250 crore is still a significant amount for most organisations operating in India. For mid-sized companies and startups, the penalties are large enough to be existential.
Breach notification is mandatory and must happen "without delay." The Act does not specify an exact number of hours, the way the GDPR requires notification within 72 hours. The rules that will clarify this timeline are still being drafted. But the principle is established: hiding a data breach is now a separate offence with its own penalty.
Government agencies are also Data Fiduciaries under the Act. The Income Tax department, IRCTC, DigiLocker, Aadhaar-related services, state government portals that collect citizen data for welfare schemes, public hospitals that maintain digital health records, all of these fall within the law's scope. Government entities must comply with the same consent, notice, security, and breach notification requirements as private companies. In theory.
In practice, there is a very large caveat.
Penalties and the Data Protection Board
The Data Protection Board of India is the enforcement body created by this Act. It is not a traditional court. It is designed as a quasi-judicial body that operates digitally: complaints filed online, hearings conducted virtually, orders published electronically. The idea is to reduce the delays that plague India's court system and create a body that can handle a high volume of data protection disputes with reasonable speed.
The Board's members are appointed by the central government. This has drawn criticism from multiple legal commentators who argue that the Board should be independent, similar to how the Election Commission or the NHRC operate with a degree of separation from the executive branch. When the body that enforces the law is appointed by the same government that has exempted itself from parts of the law, questions about independence are reasonable. The Supreme Court has not yet been asked to rule on this structure, but constitutional challenges seem likely once the Board starts operating and making decisions.
Appeals against the Board's orders go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). From there, the path leads to the High Court and ultimately the Supreme Court. The penalty amounts, listed earlier, are the maximum caps for each category of violation. The Board has discretion to impose lower amounts depending on the severity, duration, and nature of the violation, whether the Fiduciary took corrective action, and other factors. There is no minimum penalty specified in the Act.
The penalty structure does not include compensation to individuals. If a data breach causes you financial loss, the Board can fine the company, but it cannot order the company to pay you damages. For that, you would need to go through the consumer courts or civil courts, which is a separate and typically slower process. This is a gap that privacy advocates have pointed out. Under the GDPR, data subjects can claim compensation for material and non-material damage resulting from a violation. The DPDP Act does not match that.
As of early 2026, the Data Protection Board has been constituted but is not yet fully operational. The rules governing its procedures, staffing, and complaint-handling infrastructure are being finalised. There have been no enforcement actions taken yet. The law is on the books, but the machinery for implementing it is still warming up. This does not mean your rights do not exist. They do. It means that the first wave of complaints will test whether the Board can actually deliver on its mandate or whether it becomes another backlogged government body.
Exemptions and the Controversial Parts
Section 17 of the Act is its most debated provision. It gives the central government the power to exempt any government agency from any or all provisions of the Act, on grounds of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, or prevention and investigation of offences. The exemptions are issued through notification, and they do not require parliamentary approval.
The practical effect is that the government could, in theory, notify an exemption for Aadhaar and UIDAI, the National Crime Records Bureau, intelligence agencies, or any ministry that handles large volumes of citizen data. The exemption could cover the consent requirement, breach notification, security safeguards, or all of the above. The government's position is that these exemptions are necessary for national security and law enforcement. The counterargument, made forcefully by groups like the Internet Freedom Foundation and individual Supreme Court advocates, is that the exemptions are too broad, too easy to invoke, and lack judicial oversight.
Under the GDPR, government bodies in the EU are generally subject to the same data protection rules as private companies. There are exemptions for national security, but they are narrow, subject to judicial review, and applied on a case-by-case basis. The European Court of Justice has struck down exemptions it found too broad. India's framework is different. The exemptions here are executive decisions, reviewable only after the fact and only if someone challenges them in court. Given how long Indian litigation takes, a challenged exemption could remain in effect for years before a court rules on it.
There is a second category of controversy around cross-border data transfers. The Act allows the government to restrict transfers of personal data to specific countries through a "blacklist" approach. Data can flow to any country unless the government says it cannot. This is simpler than the GDPR's adequacy-decision model, but it also means that data can flow freely to countries with weak or nonexistent data protection laws unless the government acts to block it. The government has not yet published any restricted-country list.
Third, the Act does not create a right to be forgotten in the strong sense. You can ask for erasure when consent is withdrawn or the purpose is served, but there is no standalone right to demand that a company remove specific information about you from public-facing databases or search results. The Delhi High Court has recognised a limited right to be forgotten in certain cases, but the DPDP Act does not codify it.
Fourth, there is the question of what happens to the personal data of deceased individuals beyond what the nominee can request. The Act is silent on the long-term status of data belonging to people who have died, beyond the nomination provision. Digital legacy is an area that most privacy laws worldwide are still figuring out, and India's law is no exception.
So Does Any of This Matter Yet?
The honest answer is that it matters on paper more than it matters in practice, for now. The law exists. The rights are real. The penalty provisions are written into statute. But the enforcement body is not yet running at full capacity, the subordinate rules that will fill in the operational details are incomplete, and no company has yet been fined under this Act. That means companies are in a period of adjustment, most likely preparing internally but not yet under real pressure to demonstrate compliance. The Consent Manager framework has not launched. Cross-border transfer rules have not been notified. Significant Data Fiduciary designations have not been publicly announced.
None of that should stop you from acting on your rights. You can, today, write to any company that holds your data and ask what they have, why they have it, and request correction or deletion. You can refuse to give consent when a company asks for data it does not need. You can use masked Aadhaar copies and virtual IDs instead of sharing your actual Aadhaar number. You can complain to a company's grievance officer when they violate your preferences, and you can document the interaction. When the Data Protection Board starts accepting complaints, you will have a record.
The early years of any new law are shaped by how forcefully people use it. The Right to Information Act 2005 became powerful because millions of Indians filed RTI applications and created a culture of accountability that did not exist before. The Consumer Protection Act gained teeth because consumers started filing cases. The DPDP Act will follow the same path or die the same slow death as the 2011 IT Rules, depending on whether people treat it as a usable tool or an abstract legal development that happened somewhere far away.
If you run a business, the time to audit your data collection practices is now, not when the first enforcement actions hit. Map what personal data you collect, verify that your consent flows are granular and clear, appoint someone to handle data-related grievances, and build deletion processes that actually work. The companies that get caught flat-footed when enforcement begins will be the ones that assumed the law would never be applied. That assumption is a bad bet.
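What the consent and erasure obligations described above look like when written down as code, for anyone doing that audit: the following is an added example, not text from the Act, the page, or any company's implementation. It models a hypothetical e-commerce app with three constructed purposes, records consent only when a user explicitly ticks a purpose (silence or a pre-ticked default grants nothing), makes withdrawal a single call that mirrors the grant, gates every processing path on per-purpose consent so refusing advertising does not block order delivery, and marks data due for erasure once consent is withdrawn or the purpose is fulfilled unless a legal retention period is still running. The seven-year invoicing hold, the user id and the purpose names are all constructed for the example and are not statutory figures.

```python
"""Consent ledger for a hypothetical e-commerce app (constructed example, not the Act's text)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set

# Purposes the hypothetical app collects data for (constructed names).
PURPOSES = {"order_delivery", "targeted_advertising", "tax_invoicing"}

# Hypothetical legal-retention overrides: purpose -> how long data must be kept
# after the purpose ends. The seven-year figure is illustrative, not a statutory period.
LEGAL_RETENTION: Dict[str, timedelta] = {"tax_invoicing": timedelta(days=7 * 365)}


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    notice_language: str  # language of the notice shown at collection time
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class PrincipalState:
    principal_id: str
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)
    fulfilled_at: Dict[str, datetime] = field(default_factory=dict)
    erased: Set[str] = field(default_factory=set)


class ConsentLedger:
    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self.principals: Dict[str, PrincipalState] = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _state(self, principal_id: str) -> PrincipalState:
        return self.principals.setdefault(principal_id, PrincipalState(principal_id))

    def record_submission(self, principal_id: str, choices: Dict[str, bool], notice_language: str) -> None:
        """Record a consent form. Only an explicit True grants consent for a purpose;
        a missing entry, False, or an untouched pre-ticked default grants nothing."""
        state = self._state(principal_id)
        for purpose in PURPOSES:
            if choices.get(purpose) is True:
                state.consents[purpose] = ConsentRecord(purpose, self._now(), notice_language)

    def withdraw(self, principal_id: str, purpose: str) -> None:
        """One call, mirroring the one-step grant; safe to repeat."""
        rec = self._state(principal_id).consents.get(purpose)
        if rec is not None and rec.active():
            rec.withdrawn_at = self._now()

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """Gate every processing path calls; consent for one purpose never covers another."""
        state = self.principals.get(principal_id)
        rec = state.consents.get(purpose) if state else None
        return rec is not None and rec.active()

    def mark_fulfilled(self, principal_id: str, purpose: str) -> None:
        self._state(principal_id).fulfilled_at[purpose] = self._now()

    def erasure_due(self, principal_id: str, purpose: str) -> bool:
        """Due once consent is withdrawn or the purpose is fulfilled, whichever came
        first, unless a legal retention period for that purpose is still running."""
        state = self.principals.get(principal_id)
        if state is None or purpose in state.erased:
            return False
        rec = state.consents.get(purpose)
        ended: Optional[datetime] = rec.withdrawn_at if rec else None
        fulfilled = state.fulfilled_at.get(purpose)
        if fulfilled is not None and (ended is None or fulfilled < ended):
            ended = fulfilled
        if ended is None:
            return False  # purpose still live, nothing to erase yet
        hold = LEGAL_RETENTION.get(purpose)
        return hold is None or self._now() >= ended + hold

    def run_erasure(self, principal_id: str) -> List[str]:
        """Erase everything that is due; returns the purposes erased in this pass."""
        due = sorted(p for p in PURPOSES if self.erasure_due(principal_id, p))
        self._state(principal_id).erased.update(due)
        return due


def demo() -> Dict[str, object]:
    """Walk a constructed user through grant, withdrawal and erasure on a fake clock."""
    clock = [datetime(2026, 1, 1, tzinfo=timezone.utc)]
    ledger = ConsentLedger(now=lambda: clock[0])
    # Notice shown in Tamil; the user ticks delivery and invoicing, leaves advertising alone.
    ledger.record_submission("user-42", {"order_delivery": True, "tax_invoicing": True}, "ta")
    out: Dict[str, object] = {}
    out["deliver_ok"] = ledger.may_process("user-42", "order_delivery")
    out["ads_blocked"] = not ledger.may_process("user-42", "targeted_advertising")
    ledger.withdraw("user-42", "order_delivery")
    out["deliver_after_withdraw"] = ledger.may_process("user-42", "order_delivery")
    out["delivery_erasure_due"] = ledger.erasure_due("user-42", "order_delivery")
    ledger.mark_fulfilled("user-42", "tax_invoicing")
    out["tax_erasure_due_now"] = ledger.erasure_due("user-42", "tax_invoicing")  # hold running
    clock[0] += LEGAL_RETENTION["tax_invoicing"] + timedelta(days=1)
    out["tax_erasure_due_later"] = ledger.erasure_due("user-42", "tax_invoicing")
    out["erased"] = ledger.run_erasure("user-42")
    out["second_pass"] = ledger.run_erasure("user-42")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that `may_process` is the only place a product feature asks "can I use this data", and it answers per purpose, so a refusal of advertising consent can never be silently satisfied by the delivery consent. Erasure is driven by the ledger rather than by a separate cleanup script, which is what makes "delete when the purpose is served" auditable: the `erased` set and the retention holds are the evidence a grievance officer would show the Board.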
If you are an individual, the single most useful thing you can do is read the privacy notices that companies put in front of you. Most people click "Accept" without reading a word. The Act requires these notices to be clear. If they are not clear, that itself is a violation. Start treating your consent as something with actual value. Companies want your data because it has commercial worth. Your agreement to hand it over should not be free.
One takeaway above all else: you have real, legal rights over your data in India now. Whether those rights turn out to be meaningful or just words on paper depends entirely on how the Data Protection Board operates, and we do not know that yet. The rules exist. Enforcement is the question mark.