Technology Law Analysis: A New Dawn: India’s New Data Protection Regime Finally Takes Flight
Posted by nishithadmin at 20 November, 12:06 PM
A New Dawn: India’s New Data Protection Regime Finally Takes Flight
Prologue
India has entered a new era of privacy regulation with its first comprehensive data protection framework, marking a major shift in the legal framework governing privacy in one of the world’s largest digital markets. The Digital Personal Data Protection framework draws on the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)1, which recognized an individual’s right to privacy as a fundamental right under the right to life and personal liberty under the Constitution of India2. The data protection framework builds on this foundation and seeks to balance individual rights with legitimate government and commercial data use, a principle central to modern global privacy regimes.
The path to the data protection framework has been long and eagerly anticipated. Starting with the Justice Srikrishna Committee Report in 2018, several iterations of data protection bills made the rounds3, some incorporating principles from the GDPR and other global standards, finally culminating in the Digital Personal Data Protection Act, 2023 (Data Protection Act). However, the Data Protection Act was not operationalized until 2 years later, given the extensive deliberation by the Government prior to the notification of the rules. The data protection framework’s core principles (purpose limitation, data minimization, storage limitation, security practices, breach reporting, safeguards for children’s data, etc.) are important concepts, some of which are inspired by internationally recognised privacy norms such as the GDPR.
With the rules now in force, the data protection framework is set to transform India’s data governance framework. For global organizations, its scale, centralized enforcement powers, and financial consequences are major regulatory frontiers. With substantial penalties which may extend up to approximately USD 30 million for breaches, the data protection framework places India firmly among jurisdictions with a comprehensive legislative framework for data protection. For companies already navigating the GDPR and other global privacy frameworks, India’s data protection framework demands immediate and sustained attention.
Introduction
The Digital Personal Data Protection Rules, 2025 (Data Protection Rules) were notified by the Ministry of Electronics and Information Technology (MeitY) on November 13, 2025. This comes after months of anticipation since the draft rules were released for public consultation on January 3, 2025. The Data Protection Rules operationalise the Data Protection Act, India’s first standalone personal data protection legislation, and address key areas including notice obligations, registration and obligations of consent managers, intimation of personal data breaches, rights of Data Principals, data retention periods, and the structure and functioning of the Data Protection Board of India (Data Protection Board).
The Data Protection Act and the Data Protection Rules will be implemented in a staggered manner4:
- The provisions relating to commencement, definitions, and the constitution of the Data Protection Board will take effect immediately upon publication of the Data Protection Rules in the Official Gazette.
- Provisions on the registration and obligations of consent managers will become operative 1 year after publication.
- The remaining provisions, including notice obligations, rights of Data Principals, data retention periods, breach notification, and the obligations of Significant Data Fiduciaries, will come into force 18 months from the date of publication. The erstwhile data protection framework under the Information Technology Act, 2000 (IT Act), i.e., Section 43-A of the IT Act and the rules issued thereunder, i.e., the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, will also be repealed 18 months from the date of publication.
The phased rollout provides organisations and stakeholders with sufficient time to prepare for and comply with the requirements of India’s new data protection framework, though preparatory work should begin now if it has not already.
This article provides a detailed review of the Data Protection Act and the Data Protection Rules, focusing on key considerations and practical implications for organizations and stakeholders.
Applicability
The Data Protection Act applies to the processing of digital personal data in India, where the personal data is either (i) collected in digital form; or (ii) collected in a non-digitized format and subsequently digitized5,6.
The Data Protection Act has extra territorial application, i.e., it applies to the processing of personal data outside India (irrespective of the location of the processing entity) if such processing is in connection with offering goods or services to Data Principals located within the territory of India7.
Important Definitions
The important definitions under the Data Protection Act are as follows:
- ‘Personal Data’ is defined as any data about an individual who is identifiable by or in relation to such data8, whereas ‘Digital Personal Data’ is defined as personal data in digital form9.
- ‘Consent Manager’ is defined as a person registered with the Data Protection Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform10.
- ‘Data Principal’ is the individual to whom the personal data relates. Where such an individual is a child, the term includes the parent or lawful guardian of the child. Where the individual is a person with disability, it includes their lawful guardian acting on behalf of such individual11.
- ‘Data Fiduciary’ is defined as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data12 (emphasis supplied).
- ‘Data Processor’ is any person who processes personal data on behalf of a Data Fiduciary13. Data Fiduciaries may appoint, engage, use or involve a Data Processor to process personal data on their behalf for any activity related to offering of goods and services to Data Principals14.
Notice and Consent
The Data Protection Act requires the Data Fiduciary to provide notice15 and obtain consent16 from the Data Principal on or before processing personal data. The notice accompanying a request for consent may be in the English language or any other language specified in the Eighth Schedule of the Indian Constitution17 and must inform the Data Principal of: (i) the personal data to be processed and purpose for which such data is to be processed; (ii) the manner in which they may exercise their rights under the Data Protection Act; and (iii) the manner in which the Data Principal may make a complaint to the Data Protection Board18.
From our review of the illustrations, it is important to note that Data Fiduciaries should ensure that they are only processing personal data necessary for the specified purpose. Accordingly, if the Data Principal provides their consent for processing their name and address (which is personal data) towards purpose ‘A’ which only requires their name and not their address, their consent shall be limited, and the Data Fiduciary should only process their name.
Where a Data Principal has given consent to processing of their personal data prior to the commencement of the Data Protection Act, the Data Fiduciary is required to provide notice containing the above details ‘as soon as it is reasonably practicable’19. Such data can be processed till such time the Data Principal withdraws their consent20.
The Data Protection Act and the Data Protection Rules do not clarify the timeline that may be considered ‘reasonably practicable’. As a practice, Data Fiduciaries should document the efforts made to ensure that notice is provided in a timely manner.
The Data Protection Rules further specify that the notice must be clear, standalone, and understandable, distinct from any other information shared by the Data Fiduciary21. The language of the notice must be clear and plain22 and is required to include, at the minimum: (i) an itemised description of the personal data being processed23; (ii) the specific purpose(s) for processing24; and (iii) a specific description of the goods and services to be provided or uses to be enabled by such processing25.
The Data Protection Rules do not prescribe a format for the notice, allowing flexibility for Data Fiduciaries. However, the notice should not be clubbed with other documentation such as an End-User License Agreement, General Terms of Service etc.
The Data Protection Rules appear to provide Data Fiduciaries with the flexibility to issue a consolidated consent notice covering an itemized list of personal data to be collected for several related purposes, rather than specifically mapping each purpose to each individual item of personal data collected towards that purpose. This reduces the need for frequent updates to consent notices as service features evolve and provides organisations with broader administrative flexibility. However, Data Fiduciaries must continue to ensure that stated purposes are genuinely specific and not drafted so broadly as to undermine the standard of meaningful, informed consent.
The Data Principal has the right to withdraw their consent where their consent is the basis of processing of their data. The ease of such withdrawal should be comparable to the ease with which consent was given26. Upon withdrawal of consent, the Data Fiduciary is required to cease and cause its Data Processors to cease processing of the personal data within ‘a reasonable time’27.
Consent Managers
‘Consent Manager’ has been introduced as a concept under the Data Protection Act28. A Data Principal may give, manage, review or withdraw their consent to a Data Fiduciary through a Consent Manager29.
Consent Managers are required to register with the Data Protection Board, and the eligibility conditions include requirements for: (i) the Consent Manager to be a company incorporated under Indian law with a net worth of at least INR 20,000,000 (approx. USD 240,000), with adequate financial, technical and operational capability30; (ii) the directors, senior management, and other key managerial personnel of the Consent Manager to have a record of fairness and integrity; (iii) the Consent Manager’s governing documents to contain sufficient conflict of interest provisions; and (iv) the interoperable platform and the technical and organizational measures deployed by the Consent Manager to be independently certified31.
It is presently unclear who may independently certify the interoperable platform and the technical and organizational measures deployed by the Consent Manager. Certification by a CERT-In empanelled auditor or a similar entity should reduce the risk of liability and the monetary penalty that may be imposed for breach of the Data Protection Act and the Data Protection Rules.
Obligations
A Consent Manager will be accountable to the Data Principal and must act in a fiduciary capacity on behalf of the Data Principal in such manner and subject to its obligations32 including requirements to:
- Maintain records of consents, notices, and data sharing transactions related to its platform for a period of 7 years or longer as may be agreed with Data Principals or as may be required under applicable law.
- Conduct periodic audits of its technical and organizational controls, and its compliance with the Data Protection Act and the Data Protection Rules and report the outcome to its Board of Directors.
- Not sub-contract or assign its obligations under the Data Protection Act and the Data Protection Rules.
- Ensure that while facilitating consent for sharing personal data between the Data Principal and Data Fiduciary, the data itself is not accessible or readable by the Consent Manager.
While facilitating consent, a Consent Manager may handle personal data, but it is not permitted to directly access or use it. The platform must be designed so that Data Principals’ information remains private, for example through tokenization, pseudonymization, hashing, or anonymization, allowing consent managers to facilitate consent without seeing the underlying personal data.
- Respond to and address Data Principal’s requests and grievances (see ‘Rights and Duties of Data Principals’ below).
- Ensure that adequate measures are in place so that no conflict of interest arises on account of its directors, key managerial personnel or senior management holding directorships, financial interests, employment, or beneficial ownership in Data Fiduciaries.
The broad restrictions with respect to conflict of interest may prohibit Data Fiduciaries and their group entities from acting as Consent Managers for datasets processed within the same group. It has not been clarified whether the restriction applies only when there is a direct overlap between the Consent Manager and the Data Fiduciary whose datasets it manages, rather than extending to all group entities.
Failure to adhere to the obligations may result in the suspension or cancellation of registration granted by the Data Protection Board and/or could lead to monetary penalties under the Data Protection Act33.
Operationally, both the Data Principal and the Data Fiduciary should be onboarded on the Consent Manager’s platform in order to enable the Data Principal to provide and manage their consents. It may also be noted that it is not mandatory for Data Fiduciaries to integrate with Consent Managers; the Data Fiduciary may continue to independently manage its Data Principal’s consents and grievances. Considering that the position of a Consent Manager is a novel concept under the Data Protection Act, and its operational functionality is not tested under other data protection laws, it remains to be seen how the practical nuances and implementation challenges play out.
Processing for Legitimate Purpose
The Data Protection Act permits the processing of personal data without seeking consent of the Data Principals, for certain specified ‘legitimate uses,’34 including:
- Where the Data Principal voluntarily provides personal data to the Data Fiduciary for a specified purpose and does not indicate to the Data Fiduciary that they do not consent to the use of their personal data for such purposes35.
It appears that this legitimate use would apply only in cases where personal data is provided without being asked for or prompted by the Data Fiduciary. Thus, the Data Principal is given a certain degree of autonomy to determine the purpose for which processing can be done without the Data Fiduciary complying with notice and consent requirements.
- For the performance of any functions of the State or its instrumentalities under applicable law, or in the interest of sovereignty and integrity of India or security of the State36.
- For compliance with any judgment or decree or order issued under applicable law, or any judgment or order relating to claims of a contractual or civil nature under any applicable law outside India37.
- For: (i) responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual38; (ii) providing health services during an epidemic, outbreak of any disease etc.39; (iii) providing assistance to individuals during any disaster40 or breakdown of public order41.
- For purposes related to employment or for safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality, intellectual property, classified information or provision of any service or benefit to employees etc.42.
In practice, this may include CCTV surveillance, biometric authentication for office access and other security measures aimed at protecting the employer’s intellectual property, confidential information, and employees.
- For the State or any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, license or permit where: (i) the Data Principal has previously consented to the processing of their personal data by the State or any of its instrumentalities for such reasons mentioned above; or (ii) such personal data is available in digital form, or in non-digital form and digitized subsequently, from any database, register, book or any other document maintained by the State or its instrumentalities. Such processing by the State is required to comply with the standards provided under the Data Protection Rules, including requirements to provide the Data Principal with (i) an intimation; (ii) contact information of a representative of the Data Fiduciary to respond to queries; and (iii) access to communication links to exercise their rights under the Data Protection Act43.
The requirements under the Data Protection Rules for the State (or its instrumentalities) to intimate the Data Principal regarding such processing, ensure lawful processing, adhere to purpose limitation, ensure data minimization, ensure accuracy of personal data, deploy reasonable security safeguards, etc. provide safeguards against misuse of this exemption by the State (or its instrumentalities).
Data Fiduciary Obligations
The obligations of Data Fiduciaries include requirements to:
- Ensure compliance with the Data Protection Act in respect of any data processed by itself or by a Data Processor on its behalf, irrespective of: (i) any agreement to the contrary; or (ii) the Data Principal’s non-compliance with their duties44.
- Implement appropriate technical and organizational measures to ensure effective adherence with the provisions of the Data Protection Act45.
- Ensure the accuracy, completeness and consistency of the personal data when such personal data is processed to make a decision that affects the Data Principal or if the personal data is likely to be disclosed to another Data Fiduciary46.
- Protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breaches47.
- In the event of a personal data breach, notify the Data Protection Board and each affected Data Principal in the form and manner as prescribed in the Data Protection Rules as discussed below48.
- Publish the business contact information of a Data Protection Officer (DPO), if applicable, or a person who is able to answer the Data Principal’s questions about the processing of their personal data, on behalf of the Data Fiduciary49. The Data Protection Rules clarify that the Data Fiduciary must prominently publish the business contact information per the above on its website or application and must also mention such information in every response to a communication from a Data Principal exercising their rights50.
While Significant Data Fiduciaries are required to appoint individuals as DPOs, other Data Fiduciaries may publish the business contact information of a ‘person’51, which may be the business contact information of a company / entity, who will be responsible to answer queries of the Data Principal with respect to the processing of their personal data.
- Delete personal data and cause the deletion of personal data by the Data Processor (as applicable), upon the Data Principal withdrawing their consent or as soon as it may be reasonably assumed that the specified purpose is no longer being served, whichever is earlier, save and except if such retention is required under applicable laws52.
The obligations of the Data Fiduciaries do not seem excessive, should largely be acceptable to the industry (save and except to the extent detailed at ‘Intimation to the Data Principals’ and ‘Intimation to the Data Protection Board’), and should largely protect the interests of the Data Principal.
The Data Protection Rules prescribe minimum security standards which, among others, include (i) implementing data security measures including encryption, obfuscation, masking or use of virtual tokens; (ii) retention of logs and personal data for 1 year to detect unauthorized access; and (iii) inclusion of ‘appropriate’ contractual provisions in the contract between the Data Fiduciary and the Data Processor to adopt reasonable security safeguards53.
The safeguards appear reasonable and feasible for the industry to implement since Data Fiduciaries appear to have flexibility in implementing security standards as long as they meet the minimum requirements prescribed.
Intimation to Data Principals
The Data Protection Rules prescribe that upon ‘becoming aware’ of a personal data breach, the Data Fiduciary must notify the affected Data Principals ‘without delay’. The intimation must be made through the Data Principal’s user account or any registered mode of communication with the Data Fiduciary. The notification given to the Data Principal must include details such as a description of the breach, potential consequences for the Data Principal and safety measures that the Data Principal may adopt to protect their interests, the measures implemented/ being implemented by the Data Fiduciary to mitigate risk (if any), and the business contact information of the person able to respond to the Data Principal’s queries54.
Intimation to the Data Protection Board
The Data Fiduciary, upon ‘becoming aware’ of a personal data breach, must notify the Data Protection Board ‘without delay’, with a description of the breach, including its nature, extent, timing, and impact55. In addition, within 72 hours (or within such longer period as the Data Protection Board may permit), it must provide: updated and detailed information regarding such description of the breach, the broad facts, circumstances and reasons leading to the breach, measures taken to mitigate risk, remedial measures to prevent reoccurrence, findings regarding the person who caused the breach, and a report regarding the intimations given to the Data Principals56.
Collating and sharing such information within a short timeline [i.e., without delay (which appears to be under 72 hours), or within 72 hours], which includes several details per above, may pose significant compliance challenges for Data Fiduciaries. Pertinently, since there are no materiality thresholds for reporting breaches, these timelines will also apply to minor breaches, which may lead to the Data Fiduciary being required to report several breaches.
Further, this requirement appears to be in addition to the breach reporting requirements (with CERT-In) under the IT Act and those prescribed by specific sectoral regulators. Accordingly, entities may need to implement effective internal monitoring mechanisms and have dedicated IT teams and personnel in place to detect, escalate and report incidents under the various laws and regulations applicable.
Significant Data Fiduciary Obligations
The Central Government may classify a Data Fiduciary – or a class of Data Fiduciaries – as a Significant Data Fiduciary (SDF) based on factors such as the volume and sensitivity of personal data processed, the risk to the Data Principals, the potential impact of the processing of personal data on India’s sovereignty and integrity, and other relevant considerations57.
SDFs are subject to additional obligations, including the requirement to: (i) appoint an individual based in India as DPO; (ii) engage an independent auditor to evaluate compliance with the Data Protection Act and the Data Protection Rules; and (iii) conduct measures such as Data Protection Impact Assessments (DPIAs) and audits on an annual basis and require the persons conducting such DPIAs and audits to furnish their observations to the Data Protection Board58.
Additionally, SDFs must exercise due diligence to ensure that technical measures, including any algorithmic software used for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating, or sharing personal data, do not pose a risk to the rights of Data Principals59.
The Data Protection Rules also introduce a data localization requirement for SDFs, mandating that any category of personal data specified by the Central Government – on the recommendation of a committee constituted for this purpose – must be processed in accordance with the restriction that such personal data, along with the corresponding traffic data relating to its flow, is not transferred outside India60. The Data Protection Rules clarify that this committee will include officials from MeitY and may also comprise officials from other Ministries or Departments of the Central Government61.
While the Data Protection Act treats DPIAs and periodic audits as distinct obligations, the Data Protection Rules do not clearly differentiate between them. A closer reading of the Data Protection Act with the Data Protection Rules suggests that data audits are required to be conducted by an independent data auditor, implying that such audits may need to be outsourced, whereas DPIAs may be carried out internally. The industry should develop its own standard practices to address this ambiguity and promote consistency across organisations.
The obligation for SDFs to exercise due diligence over technical measures, including algorithmic software, is broad and vague. The Data Protection Rules require SDFs to ensure that these technical measures are not ‘likely to pose a risk to the rights of Data Principals’. Since the term ‘technical measures’ and the threshold for ‘likely to pose a risk’ are not defined, this may result in subjective enforcement and place a significant operational burden on SDFs. To comply with this requirement, organizations may need to monitor, test, and certify all technical measures to ascertain potential risks. Further, since intermediaries will be required to deploy such due diligence measures to verify their technical measures immediately upon being notified as an SDF (there is no grace period), this requirement may be onerous.
The Data Protection Rules also introduce data localisation obligations for SDFs, restricting the transfer of certain categories of personal data as identified by a committee constituted by the Central Government. Pertinently, the Data Protection Act does not contemplate the establishment of such a committee or empower the Central Government to impose cross-border transfer restrictions on SDFs, and this appears to be beyond the ambit of the Data Protection Act. These localisation requirements may particularly affect foreign or multinational SDFs, who could be required to localise not only the specified personal data categories but also ancillary datasets such as logs and traffic data.
Exemptions from certain obligations
The Data Protection Act exempts Data Fiduciaries from certain obligations, such as notice and consent requirements (obligations to be responsible for processing by a Data Processor and taking reasonable security safeguards shall continue to apply) for certain specified circumstances including where processing of personal data is:
- Necessary for enforcing any legal right or claim62.
- By any court or tribunal or any other body in India towards the performance of any judicial, quasi-judicial function, regulatory, or supervisory function, with which it is entrusted under law63.
It remains to be seen whether the exemption for processing of personal data by courts / tribunals also applies to judicial bodies outside India. Since litigation and arbitration proceedings involving Indian multinational companies may take place globally, the industry should seek clarification from the Government on whether the exemption will apply even if the courts / tribunals are not Indian.
- In the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law64.
- Of Data Principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India by any person based in India65.
The Data Protection Act exempts outsourcing activities from certain obligations as set out above. However, any cross-border restrictions that may be notified by the Government should continue to apply with respect to such personal data, despite the exception.
- Necessary for a merger/amalgamation or similar arrangement as approved by a court or tribunal or other competent authority66.
- Necessary to ascertain the financial situation of a person who has defaulted on a loan or advance given by a financial institution67.
The Data Protection Act also enables the Central Government to exempt the applicability of the Data Protection Act under the following circumstances:
- Where the processing is undertaken by an instrumentality of the State in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it68.
- Where the processing of personal data is necessary for research, archiving or statistical purposes, if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with standards prescribed in the Data Protection Rules69. These standards include ensuring that the processing is: (i) done in a lawful manner; (ii) limited to only the personal data necessary for such purpose; (iii) done while making reasonable efforts to ensure completeness, accuracy, and consistency of personal data; and (iv) undertaken after deploying reasonable security measures for the processing of the personal data (by itself or through its Data Processor)70.
These standards appear to be reasonable and feasible for the industry to implement, while ensuring that there is no detriment to the rights of the Data Fiduciary.
Additionally, the Data Protection Act states that the Central Government may notify certain Data Fiduciaries or classes of Data Fiduciaries based on the volume and nature of personal data they process, such as start-ups71, to whom the obligations of: (i) issuing notices; (ii) ensuring completeness, accuracy and consistency of data; (iii) erasing data; and (iv) facilitating the Data Principal’s right to access information do not apply72.
Retention of Personal Data
The Data Protection Act requires Data Fiduciaries to erase, and cause their Data Processors to erase, personal data: (i) upon receipt of a withdrawal request from the Data Principal (or their nominee); or (ii) as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary for compliance with any law in force73.
The Data Protection Rules supplement this requirement by introducing retention periods for certain Data Fiduciaries that are intermediaries, specifically e-commerce entities74, online gaming intermediaries75 and social media intermediaries76 (that satisfy certain thresholds of registered users), processing personal data for specified purposes77. For all such entities, the Data Protection Rules set a retention period of three years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or the exercise of their rights, or the commencement of the Data Protection Rules, whichever is later. The retention period generally applies to all purposes for these classes of Data Fiduciaries, except for the purposes of enabling the Data Principal to access their account, or to access a virtual token issued by the Data Fiduciary (stored on the digital facility or platform) which may be used to obtain money, goods or services78.
Data Fiduciaries are also required to notify Data Principals, at least 48 hours before erasure, that their personal data will be erased unless they log in to their user account or approach the Data Fiduciary for performance of the specified purpose or to exercise their rights79.
Separately, the Data Protection Rules specify that, without prejudice to the prescribed retention periods and the 48-hour prior notice, a Data Fiduciary must retain personal data, associated traffic data and other logs of processing for a minimum period of one year from the date of processing80,81. After this period, the Data Fiduciary must erase the personal data and logs unless further retention is required to comply with any other applicable law or government notification82.
In the absence of prescribed timelines, intermediaries that are not specifically covered by the Data Protection Rules will have to develop their own internal processes, resulting in inconsistent standards for erasure of personal data across organizations. Organizations subject to other sector-specific retention laws may face overlapping or conflicting compliance timelines.
Additionally, the requirement to provide 48 hours' prior notice to Data Principals before erasure will require intermediaries to implement automated systems that track user activity, determine the applicable erasure and notice dates, trigger notifications and execute deletion.
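The following is an added worked example (not code from the original article, the Rules or any regulator) of the scheduling logic such an automated system needs: it computes the three-year erasure date from the later of the last approach and the commencement of the Rules, derives the 48-hour notice date, lets a consent withdrawal or a legal hold override the clock, and leaves the account-access and virtual-token purposes out of the prescribed period. The commencement date, the purpose labels, the `Record` fields and the `in_third_schedule_class` flag are assumptions for illustration; whether an entity actually meets the registered-user thresholds is a legal determination that the example only takes as an input.

```python
"""Retention / 48-hour-notice scheduler for the Third Schedule classes.

Constructed illustration only. Constants and field names are assumptions
made for this example; substitute the dates and purpose codes that apply to
your own deployment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

RETENTION_YEARS = 3                      # Third Schedule period (as summarised above)
NOTICE_WINDOW = timedelta(hours=48)      # Rule 8(2) prior notice (as summarised above)
# Purposes carved out of the three-year clock: account access and a virtual
# token redeemable for money, goods or services. Labels are assumed.
EXEMPT_PURPOSES = {"account_access", "virtual_token"}
# Assumed placeholder for the commencement date of the retention rule; the
# "whichever is later" comparison below uses it.
RULES_COMMENCEMENT = datetime(2025, 11, 13, tzinfo=timezone.utc)


def utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    """Small helper: build a timezone-aware UTC timestamp."""
    return datetime(y, m, d, h, tzinfo=timezone.utc)


def add_years(d: datetime, years: int) -> datetime:
    """Add calendar years; 29 Feb rolls back to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Record:
    principal_id: str
    purpose: str
    last_approach: datetime                      # last login / request / exercise of rights
    consent_withdrawn_at: Optional[datetime] = None
    legal_hold: bool = False                     # retention required by another law in force


@dataclass
class Schedule:
    erase_on: Optional[datetime]
    notify_on: Optional[datetime]
    basis: str


def schedule_for(rec: Record, in_third_schedule_class: bool) -> Schedule:
    """Decide when a record must be erased and when the 48-hour notice falls due."""
    if rec.legal_hold:
        return Schedule(None, None, "retention required by another law in force")
    if rec.consent_withdrawn_at is not None:
        # Withdrawal is the earlier trigger under s.8(7): erase on withdrawal, no notice step.
        return Schedule(rec.consent_withdrawn_at, None, "consent withdrawn")
    if not in_third_schedule_class or rec.purpose in EXEMPT_PURPOSES:
        # No prescribed period: the general 'purpose no longer served' test applies and is
        # left to the caller's own retention policy.
        return Schedule(None, None, "no prescribed period; apply purpose-based policy")
    start = max(rec.last_approach, RULES_COMMENCEMENT)       # whichever is later
    erase_on = add_years(start, RETENTION_YEARS)
    return Schedule(erase_on, erase_on - NOTICE_WINDOW, "Third Schedule three-year period")


def actions_due(records: List[Record], now: datetime,
                in_third_schedule_class: bool = True) -> List[Tuple[str, str]]:
    """Return (principal_id, action) pairs due at `now`, where action is 'notify' or 'erase'.

    A Data Principal who logs in after the notice resets `last_approach`, so the next run
    recomputes a later schedule for them automatically.
    """
    due = []
    for rec in records:
        s = schedule_for(rec, in_third_schedule_class)
        if s.erase_on is not None and now >= s.erase_on:
            due.append((rec.principal_id, "erase"))
        elif s.notify_on is not None and now >= s.notify_on:
            due.append((rec.principal_id, "notify"))
    return due


if __name__ == "__main__":
    # Constructed sample records: one active after commencement, one dormant since before it.
    sample = [Record("p1", "messaging", utc(2026, 3, 1)),
              Record("p2", "messaging", utc(2024, 1, 1))]
    for rec in sample:
        print(rec.principal_id, schedule_for(rec, True))
    print(actions_due(sample, utc(2029, 2, 28)))
```

Run as a daily job, `actions_due` yields the notices to send and the deletions to execute; the withdrawal and legal-hold branches are the two cases a pure "three years since last login" cron job gets wrong, and keeping them in the same function makes the erasure decision auditable from one place.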
Rights and Duties of Data Principals
Rights of Data Principals
The rights of Data Principals under the Data Protection Act are detailed below:
- Right to access information about personal data: The Data Principal has the right to obtain: (i) a summary of their personal data and details of its processing by a Data Fiduciary; (ii) the identities of all the Data Fiduciaries and Data Processors with whom the personal data has been shared (including a description of the personal data shared); and (iii) any other relevant information as may be prescribed by the Central Government83.
- Correction, completion, updation, or erasure of personal data: The Data Principal has the right to request correction, completion, updation, and erasure of their personal data84. Upon receipt of a request for correction/updation/completion/erasure, a Data Fiduciary is required to (i) correct inaccurate or misleading personal data; (ii) complete any incomplete personal data; (iii) update relevant personal data85; or (iv) erase personal data unless the same is necessary for the specified purpose for which the consent was obtained, or required to be retained under applicable law86.
If a Data Principal intends to prevent all processing of their personal data, a request for withdrawal of consent must be made instead of erasure since the Data Fiduciary may continue to retain personal data if necessary for the specified purpose for which the consent was obtained in the case of the latter. In the event that the Data Fiduciary is engaging any Data Processors for processing personal data on its behalf, the Data Fiduciary should also intimate the Data Processors of any requests received for correction, completion, updation, or erasure of any personal data to ensure that records of the Data Processor are also updated. This is important since the ultimate obligation to ensure that the Data Principal is able to exercise their rights remains with the Data Fiduciary.
- Grievance redressal: Data Principals have the right to register their grievances with the Data Fiduciary or the Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of their obligations or the exercise of the Data Principal’s rights, in relation to their personal data under the Data Protection Act and Data Protection Rules87. The Data Principal will need to exhaust the right to grievance redressal before approaching the Data Protection Board88.
- Right to nominate: The Data Principal has the right to nominate (in accordance with applicable law and the terms of service of the Data Fiduciary) any other individual to exercise the above-mentioned rights under the Data Protection Act on behalf of the Data Principal, in the event of the death or incapacity (unsoundness of mind or infirmity of body) of the Data Principal89.
The Data Protection Rules clarify that Data Fiduciaries and / or Consent Managers (where applicable) should publish on their application and/or websites: (i) the procedure for the Data Principals to make a request for the exercise of their rights90; and (ii) the details of the Data Principal required to identify them (such as user name or other identifier91) as per the terms of service of the Data Fiduciary / Consent Manager92.
The Data Fiduciaries and Consent Managers are required to implement technical and organizational measures to respond to Data Principals’ requests and grievances93. Data Fiduciaries and Consent Managers are allowed to establish their own reasonable timelines for addressing grievances94. The Data Principal may make a request to exercise their rights in accordance with the procedure published by the Data Fiduciary / Consent Manager95.
The absence of prescriptive and coded grievance redressal / Data Principal request procedure is beneficial for Data Fiduciaries since entities have the flexibility to adopt procedures suitable to their business model, subject to ensuring that such grievances are addressed within a reasonable time period.
Duties of Data Principals
The duties of Data Principals96 under the Data Protection Act include requirements to ensure that they do not: (i) impersonate another person while providing personal data97; (ii) suppress material information while providing personal data for obtaining State-issued documents98; (iii) file frivolous grievances with a Data Fiduciary99; or (iv) furnish false information while exercising their right to correction / erasure100,101.
Failure of a Data Principal to carry out the said duties does not dilute the obligations of the Data Fiduciary under the Data Protection Act.
Processing Personal Data of Children and Persons with Disabilities
Requirements for Processing Personal Data of Children
Data Fiduciaries processing personal data of children must comply with the following obligations:
- Verifiable consent: The Data Protection Rules require a Data Fiduciary to adopt appropriate technical and organizational measures to obtain verifiable consent of a parent / lawful guardian for processing the personal data of a child102,103. A Data Fiduciary must observe due diligence to check that the individual identifying herself as the parent / lawful guardian is an adult104 who is identifiable, if required, in connection with any applicable law, by referring to:
i. Reliable details of identity and age of the parent, already available with the Data Fiduciary105, or
ii. Details voluntarily provided by the parent / lawful guardian or a virtual token mapped to such details issued by an ‘Authorized Entity’106.
Where the Data Fiduciary relies on a parent’s age and identity details already available with it, the ‘reliable’ identification requirement may necessitate verification of documentation comparable to a government-issued ID; a simple check-the-box confirmation is unlikely to meet this standard.
The Data Protection Act and the Data Protection Rules appear to rely upon self-identification by a user as a child, or by a parent, for the compliances to be triggered. They do not require the Data Fiduciary to investigate the ages of its users to ascertain whether they are in fact children, or to verify the relationship between a child and a purported parent. However, the framework does not address the situation where there is no proactive identification by a child. Arguably, if a Data Fiduciary obtains actual knowledge of a child’s age, whether through alerts from a parent or other users or through any other means, it may then be required to take the necessary steps for processing personal data of children under this section. The Data Protection Rules do not prescribe a specific manner of obtaining verifiable parental consent and simply refer to reliable details of age or identity, giving Data Fiduciaries flexibility to adopt their own standards.
- No detrimental effects of processing personal data: Data Fiduciaries are prohibited from undertaking processing of personal data of children which is likely to cause detrimental effects to children107.
- No tracking / targeted advertisements to children: Data Fiduciaries are prohibited from undertaking tracking and behavioural monitoring of children, or targeted advertising directed at children108.
Exemptions to the above conditions for processing personal data of children
In certain cases, Data Fiduciaries may be exempted from the obligations of (i) obtaining verifiable parental consent; and (ii) the prohibition on tracking / behavioural monitoring of children or directing targeted advertisement towards children109. These exemptions (subject to the conditions below) may be available to certain classes of Data Fiduciaries, or certain purposes for processing personal data, as detailed below:
Exemptions for Specific Data Fiduciaries110
| S No. | Class of Data Fiduciaries | Conditions |
| --- | --- | --- |
| 1 | Clinical establishments, mental health establishments or healthcare professionals. | Processing is restricted to the provision of health services to the child by such establishments or professionals, to the extent necessary for the protection of their health. |
| 2 | Allied healthcare professionals. | Processing is restricted to supporting implementation of any healthcare treatment and referral plan recommended by such professionals for the child, to the extent necessary for the protection of their health. |
| 3 | Educational institutions. | Processing is restricted to tracking and behavioural monitoring: (i) for the educational activities of such institutions; or (ii) in the interests of safety of children enrolled with such institutions. |
| 4 | Individuals in whose care infants and children in a crèche or child day care centre are entrusted. | Processing is restricted to tracking and behavioural monitoring in the interests of safety of children entrusted in the care of such institution, crèche or centre. |
| 5 | A Data Fiduciary engaged by an educational institution, crèche or childcare centre for the transport of children enrolled with such institution, crèche or centre. | Processing is restricted to tracking the location of such children, in the interests of their safety, during the course of their travel to and from such institution, crèche or centre. |
Exempted Purposes111
| S No. | Purposes | Conditions |
| --- | --- | --- |
| 1 | For the exercise of any power, performance of any function or discharge of any duties in the interests of a child, under any applicable law in India. | Processing is restricted to the extent necessary for such exercise, performance or discharge. |
| 2 | For providing or issuing of any subsidy, benefit, service, certificate, licence or permit, by whatever name called, under law or policy or using public funds, in the interests of a child, under clause (b) of section 7 of the Data Protection Act. | Processing is restricted to the extent necessary for such provision or issuance. |
| 3 | For the creation of a user account (for a child) for communicating by email. | Processing is restricted to the extent necessary for creating such user account, the use of which is limited to communication by email. |
| 4 | For the determination of real-time location of a child. | Processing is restricted to the tracking of real-time location of such child, in the interest of their safety and protection or security. |
| 5 | For ensuring that any information, service or advertisement likely to cause any detrimental effect on the well-being of a child is not accessible to her. | Processing is restricted to the extent necessary to ensure that such information, service or advertisement is not accessible to the child. |
| 6 | For confirmation by the Data Fiduciary that the Data Principal is not a child and observance of due diligence under rule 10. | Processing is restricted to the extent necessary for such confirmation or observance. |
While the exemptions to the Data Fiduciaries, and for the specified purposes, are stated to generally apply to the obligations of obtaining verifiable parent consent and not directing targeted advertisements towards children, the exemptions only apply subject to the ‘Conditions’ detailed above.
Illustratively:
- The exemption for educational institutions to undertake tracking and behavioural monitoring of children should only be applicable to the extent necessary for the educational institution to: (i) undertake educational activities; or (ii) ensure safety of children enrolled with such institutions112. It should not extend to permitting targeted advertisements directed towards such children.
- Processing children’s personal data for the purpose of creation of a user account for communication by email, will only be exempt from the obligations to the extent necessary to create such user account. It should not extend to permitting targeted advertisements directed towards such children.
Additionally, the Central Government may also exempt Data Fiduciaries from one or more of the above restrictions, in respect of children above a certain age, if it is satisfied that a Data Fiduciary has ensured that processing of personal data of such children is done in a manner that is verifiably safe113. This exclusion may be limited to certain classes of Data Fiduciaries, and subject to specified conditions.
Requirements for Processing Personal Data of Persons with Disabilities (PwD)
Data Fiduciaries are required to obtain the verifiable consent of the lawful guardian of a PwD, and must observe due diligence to ensure that a person identifying themselves as the lawful guardian of a PwD has been duly appointed under applicable law114.
Under the Data Protection Rules, a PwD is defined as follows:
“...(i) An individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and
(ii) An individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions and includes an individual suffering from severe multiple disability and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions…”115.
To fulfil this obligation, it should suffice for the Data Fiduciary to ensure that the lawful guardian has provided a document substantiating that they are the guardian appointed: (i) by a court of law (such as the relevant court order); or (ii) by a designated authority116 or local level committee117 under the Rights of Persons with Disabilities Act, 2016 or the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (such as a document issued by the designated authority or the local level committee, as applicable).
The Data Protection Act also grants the Data Principal the right to nominate an individual to exercise their rights in the event of “incapacity” due to unsoundness of mind or infirmity of body. This is distinct from the provisions allowing a PwD to provide consent through a lawful guardian, which apply only for giving consent and do not extend to exercising all of the Data Principal’s rights. Being a PwD for consent purposes does not automatically imply incapacity for the purposes of nomination.
Cross Border Transfers of Data
The Central Government may restrict the transfer of personal data by a Data Fiduciary to notified countries and territories118. Accordingly, transfer would be permissible unless such countries / territories are blacklisted by the Central Government. Should there be any other Indian law (including sector specific laws) that provide for a higher degree of protection/ restriction on transfer of personal data outside India, then such laws would continue to apply even if such transfer is permitted under the Data Protection Act119.
The Data Protection Rules specify that a Data Fiduciary may transfer personal data outside India subject to complying with the requirements that the Central Government may specify in relation to making such personal data available to any foreign State, or to any person or entity under the control of such State (including any agency of such State)120. In addition, certain further data localization obligations apply to SDFs (discussed above in ‘Significant Data Fiduciary Obligations’).
The Data Protection Act empowers the Central Government to restrict the transfer of personal data to specific countries / territories. Foreign entities from blacklisted countries may be restricted from directly undertaking business in India since they will likely require personal data to provide any goods or services.
The Data Protection Rules stipulate that the Central Government may impose additional compliance requirements for Data Fiduciaries undertaking personal data transfers to foreign States (including their agencies) and persons / entities under their control. This could possibly result in: (i) transfer to certain states being permitted, subject to enhanced compliance measures (rather than an outright blacklisting); or (ii) increased compliance measures for personal data transfers to countries which would otherwise not be subject to any such restrictions.
Furnishing of Information and Blocking Powers
The Central Government is empowered to require the Data Protection Board, Data Fiduciaries and ‘intermediaries’121 to furnish information122. The Data Protection Rules stipulate that the Central Government (through an authorized person) may require any Data Fiduciary or intermediary to furnish information (which may include personal data of Data Principals) within a specified time for the following purposes123:
- Use by the State (or its instrumentalities) in the interest of sovereignty and integrity of India, or security of the State124.
- Use by the State (or its instrumentalities) for: (i) performance of any function under any law in force in India; or (ii) disclosure of any information for fulfilling obligations under any law in force in India125.
- Carrying out assessments for notifying any Data Fiduciary (or class of Data Fiduciaries) as Significant Data Fiduciaries126.
Intermediaries are regulated under the IT Act and the rules thereunder. While there may be instances where they may be Data Fiduciaries under the Data Protection Act, bringing them under the ambit of these provisions when they are not the Data Fiduciaries may unduly increase their compliance burden. Pertinently: (i) intermediaries may not have direct control or visibility over the personal data required to be furnished by the Central Government; and (ii) where intermediaries are processing information on behalf of a Data Fiduciary, they may be contractually restricted, or may not have the required consents to disclose the information to the Central Government which may lead to breach of privacy.
Further, the IT Act and rules already contain provisions which require intermediaries to: (i) provide / secure access to a computer resource generating, transmitting, receiving, or storing information; (ii) intercept, monitor, decrypt information; and (iii) provide information stored in a computer resource, in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence127. Intermediaries may also be required to provide assistance to the Central Government to secure access to computer resources to monitor and collect traffic data in the interest of enhancing cyber security128.
The provisions above are subject to procedural safeguards such as the requirement for prior approval from persons not below a certain level of seniority, written orders and reasons for interception, limited duration of such orders, periodic reviews of the orders issued, destruction of records related to the interception, confidentiality obligations etc.129 Accordingly, the Data Protection Act and Data Protection Rules appear to create a parallel mechanism for directing intermediaries to furnish information to the Central Government, without corresponding and commensurate safeguards in place.
The Data Protection Rules also empower the Central Government to require the Data Fiduciary or the intermediary not to disclose such furnishing of information to the Data Principal or any third party if such disclosure is likely to prejudice the sovereignty and integrity of India, or the security of the State (save and except with the prior written consent of the authorized person)130.
If the Data Protection Board has: (i) held a Data Fiduciary liable for penalty on more than two instances; and (ii) is of the opinion that any information generated, hosted, stored, etc. on a computer resource, which enables such Data Fiduciary to carry out any activities for offering its goods or services to Data Principals in India, should be blocked in the ‘interest of the general public’, it may refer such matter to the Central Government, which may then direct any Government agency or any intermediary to block access to such information if it is satisfied that it is necessary to block such information, after providing the Data Fiduciary an opportunity of being heard131.
Similar to our analysis above, the Information Technology Act already contains provisions for the Central Government to direct intermediaries to block access to information in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to the above132 (however, these grounds do not include the interest of the general public).
The direction for blocking access is subject to reasonable safeguards such as the requirements for directions to come from persons not below a certain level of seniority, limited grounds, written reasons, review and hearing mechanism, opportunity for hearing, confidentiality obligations etc133. While the Data Protection Act prescribes that orders will be in writing, with reasons, and that Data Fiduciaries will be provided an opportunity to be heard, the other safeguards prescribed above may not apply to the blocking of information. Accordingly, the Data Protection Act appears to create a parallel blocking mechanism without corresponding and commensurate safeguards in place.
Further, the ambit of ‘in the interest of the general public’ appears to be broad and ambiguous and may likely have to be interpreted through judicial precedent. Courts have interpreted this phrase to include public health and morals, economic stability, prevention of fraud, and even the implementation of the Directive Principles in Part IV of the Constitution of India. If there is no public interest purpose warranting blocking of websites in exercise of this provision, such blocking orders may be challenged.
Miscellaneous
Data Protection Board
The Data Protection Board has been established under the Data Protection Act and its head office will be located in the National Capital Region of India134. However, its Chairperson and members are yet to be appointed. The Data Protection Board will comprise four members (including the Chairperson)135. The Data Protection Rules prescribe the manner of appointment of the Chairperson and other members136, the salary, allowances and other terms and conditions of service of the Chairperson and other members137, the procedure for the meetings of the Data Protection Board138, and the terms and conditions of appointment and service of officers and employees of the Data Protection Board139.
Broadly, the powers and functions of the Data Protection Board are to: (i) inquire into personal data breaches and impose penalties; (ii) inquire into breaches of obligations and compliance requirements by Data Fiduciaries and Consent Managers and impose penalties; (iii) direct remedial and risk mitigation measures upon receiving an intimation of a personal data breach; (iv) inquire into and impose penalties on intermediaries that do not block access to information as directed by the Central Government140. The Data Protection Board is also empowered to issue directives, suspend operations, and revoke registration, in relation to Consent Managers141.
The Data Protection Rules clarify that one-third of the members of the Data Protection Board shall be required to constitute a quorum. Since there will be four members on the Data Protection Board, at least two members will be required to constitute a quorum. The Chairperson has the power to take any action necessary in emergent situations that warrant immediate attention; such action must be communicated to the other members of the Data Protection Board within 7 days and ratified at the next meeting of the Data Protection Board.
Although its head office will be set up in the National Capital Region of India, the Data Protection Rules reiterate that the Data Protection Board shall function as a digital office and may adopt techno-legal measures to conduct its proceedings. The Data Protection Act specifically excludes the jurisdiction of civil courts to entertain any suit or proceeding pertaining to any matter which the Data Protection Board is empowered to address142.
Penalties
If the Data Protection Board determines, after conducting an inquiry and providing the concerned person with an opportunity of being heard, that a person has breached any provision of the Data Protection Act or the Data Protection Rules, it may impose monetary penalties143. For critical security breaches, such as failure to implement reasonable safeguards to prevent personal data breaches, fines can reach up to INR 2,500,000,000144 (approx. USD 30,000,000). Failure to notify the Data Protection Board and affected individuals of a personal data breach, or violations of the obligations relating to children’s personal data, can attract penalties of up to INR 2,000,000,000145 (approx. USD 24,000,000). Non-compliance by SDFs, including failure to meet their obligations to conduct audits or DPIAs, can result in fines of up to INR 1,500,000,000146 (approx. USD 18,000,000). Minor breaches, such as violations of duties by Data Principals, may attract penalties of up to INR 10,000147 (approx. USD 120), while other general non-compliance can result in fines of up to INR 500,000,000148 (approx. USD 6,000,000). Additionally, if a Data Fiduciary breaches a voluntary undertaking previously given to the Data Protection Board, the penalty may extend up to the amount applicable to the underlying breach, effectively applying the same cap as the original violation149.
The Data Protection Act does not allow for Data Principals to seek compensation for breaches by Data Fiduciaries.
Appeals
Any appeal against an order or direction of the Data Protection Board must be made before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days of receipt of such order150. The TDSAT must endeavour to dispose of the appeal expeditiously, within 6 months from the date on which the appeal is presented before it151. Pertinently, the TDSAT is required to function as a digital office and may adopt techno-legal measures to conduct proceedings in a manner that does not require the presence of any individual152.
A Musing
“Johnny Johnny, Yes Papa; Telling lies? No Papa
Open your mouth…No Papa —that’s my personal data. You can’t just peek, you must request. Ask for consent, I’ll do the rest.
No coercion, no drama, no “trust me beta.” Do you accept? Haha haha.”
— Suril Desai
1Justice KS Puttaswamy v. Union of India, 2017 SCC OnLine SC 996.
2Article 21, Constitution of India.
3Including in 2018, 2019 and 2022.
4Rules 1(2), 1(3), and 1(4), Data Protection Rules read with notification bearing Ref No. G.S.R. 843(E) dated 13 November 2025 issued by MeitY, accessible at: https://www.meity.gov.in/static/uploads/2025/11/c56ceae6c383460ca69577428d36828b.pdf, last accessed on 15 November 2025.
5Section 3(a), Data Protection Act.
6The Data Protection Act does not apply to: (a) processing of personal data in non-digitised form; (b) processing of non-personal data; (c) personal data: (i) processed by an individual for personal or domestic purposes; (ii) that is made or caused to be made publicly available by the Data Principal to whom such personal data relates, or by any other person who is under a legal obligation to make personal data publicly available.
7Section 3(b), Data Protection Act.
8Section 2(t), Data Protection Act.
9Section 2(n), Data Protection Act.
10Section 2(g), Data Protection Act.
11Section 2(j) Data Protection Act.
12Section 2(i), Data Protection Act.
13Section 2(k), Data Protection Act.
14Section 8(2) of the Data Protection Act.
15Section 5, Data Protection Act. Section 6 of the Data Protection Act clarifies that consent should be freely given, specific, informed and unambiguous, with clear affirmative action, and should not infringe the provisions of any applicable law (illustratively, if the Data Principal consents to waiving their right to file a complaint to the Data Protection Board).
16Section 6, Data Protection Act.
17Section 5(3), Data Protection Act.
18Section 5(1), Data Protection Act.
19Section 5(2), Data Protection Act.
20Section 5(2)(b), Data Protection Act.
21Rule 3(a), Data Protection Rules.
22Rule 3(b), Data Protection Rules.
23Rule 3(b)(i), Data Protection Rules.
24Rule 3(b)(ii), Data Protection Rules.
25Ibid.
26Section 6(4), Data Protection Act.
27Section 6(6), Data Protection Act.
28Section 2(g), Data Protection Act.
29Section 6(7), Data Protection Act.
30Which includes adequate volume of business, capital and earning prospects.
31Rule 4 read with First Schedule, Part A, Data Protection Rules.
32Section 6(8), Data Protection Act read with Rule 4 and First Schedule, Part B, Data Protection Rules.
33Rule 4(5), Data Protection Rules read with Section 27(d), Data Protection Act.
34Section 4(1)(b) read with Section 7, Data Protection Act.
35Section 7(a), Data Protection Act.
36Section 7(c), Data Protection Act.
37Section 7(e), Data Protection Act.
38Section 7(f), Data Protection Act.
39Section 7(g), Data Protection Act.
40Section 7(h) of the Data Protection Act states that ‘disaster’ “shall have the same meaning as assigned to it in clause (d) of section 2 of the Disaster Management Act, 2005.”
41Section 7(h), Data Protection Act.
42Section 7(i), Data Protection Act.
43Section 7(b), Data Protection Act read with Rule 5 and Second Schedule, Data Protection Rules.
44Section 8(1), Data Protection Act.
45Section 8(4), Data Protection Act.
46Section 8(3), Data Protection Act.
47Section 8(5), Data Protection Act.
48Section 8(6), Data Protection Act; See ‘Intimation to the Data Principals’ and ‘Intimation to the Data Protection Board’ below.
49Section 8(9), Data Protection Act.
50Rule 9, Data Protection Rules.
51Section 2(s) of the Data Protection Act states that a ‘Person’ “includes (i) an individual; (ii) a Hindu undivided family; (iii) a company; (iv) a firm; (v) an association of persons or a body of individuals, whether incorporated or not, (vi) the State, and (vii) every artificial juristic person not falling under any of the preceding sub-clauses.”
52Section 8(7), Data Protection Act.
53Rule 6, Data Protection Rules.
54Rule 7(1), Data Protection Rules.
55Rule 7(2)(a), Data Protection Rules.
56Rule 7(2)(b), Data Protection Rules.
57Section 10(1), Data Protection Act.
58Section 10(2), Data Protection Act read with Rule 13(1) and Rule 13(2), Data Protection Rules.
59Rule 13(3), Data Protection Rules.
60Rule 13(4), Data Protection Rules.
61Rule 13(5), Data Protection Rules.
62Section 17(1)(a), Data Protection Act.
63Section 17(1)(b), Data Protection Act.
64Section 17(1)(c), Data Protection Act.
65Section 17(1)(d), Data Protection Act.
66Section 17(1)(e), Data Protection Act.
67Section 17(1)(f), Data Protection Act.
68Section 17(2)(a), Data Protection Act.
69Section 17(2)(b), Data Protection Act.
70Rule 16 read with the Second Schedule, Data Protection Rules.
71Section 17(3) of the Data Protection Act states that a ‘Start-up’ “means a private limited company or a partnership firm or a limited liability partnership incorporated in India, which is eligible to be and is recognised as such in accordance with the criteria and process notified by the department to which matters relating to startups are allocated in the Central Government.”
72Section 17(3), Data Protection Act.
73Section 8(7), Data Protection Act.
74Here, ‘e-commerce entities’ include Data Fiduciaries who are e-commerce entities having not less than two crore registered users in India.
75Here, ‘online gaming intermediaries’ include Data Fiduciaries who are online gaming intermediaries having not less than fifty lakh registered users in India.
76Here, ‘social media intermediaries’ include Data Fiduciaries who are social media intermediaries having not less than two crore registered users in India.
77Rule 8(1) read with the Third Schedule, Data Protection Rules.
78Third Schedule, Data Protection Rules.
79Rule 8(2), Data Protection Rules.
80For purposes including: (i) use by the State or its instrumentalities in the interest of the sovereignty and integrity of India or the security of the State; (ii) use by the State or its instrumentalities for performing any function under existing law or disclosing information to fulfil any legal obligation; and (iii) carrying out assessments for notifying any Data Fiduciary, or class of Data Fiduciaries, as an SDF.
81Rule 8(3) read with the Seventh Schedule, Data Protection Rules.
82Rule 8(3), Data Protection Rules.
83Section 11, Data Protection Act. The requirements at (ii) and (iii) do not apply when a Data Fiduciary is authorized to obtain such personal data under applicable law and makes a request in writing to a Data Fiduciary processing the personal data, for the purpose of prevention, detection, investigation of offences, or for prosecution or punishment of offences.
84Section 12(1), Data Protection Act.
85Section 12 (2), Data Protection Act.
86Section 12(3), Data Protection Act.
87Section 13(1), Data Protection Act.
88Section 13(3), Data Protection Act.
89Section 14(1) and 14(2), Data Protection Act.
90Rule 14(1)(a), Data Protection Rules.
91Rule 14 (5), Data Protection Rules states that an ‘identifier’ “shall mean any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID or licence number that enables such identification.”
92Rule 14(1)(b), Data Protection Rules.
93Rule 14(3), Data Protection Rules.
94Ibid.
95Section 13(1), Data Protection Act read with Rule 14(2), Data Protection Rules.
96Section 15, Data Protection Act.
97Section 15(b), Data Protection Act.
98Section 15(c) Data Protection Act. State-issued documents include documents, unique identifiers, identity proofs or address proofs issued by the State or any of its instrumentalities.
99Section 15(d), Data Protection Act.
100Section 15(e), Data Protection Act.
101Item 5 of the Schedule to the Data Protection Act imposes a penalty of up to INR 10,000 for non-compliance by the Data Principal of its duties.
102Section 2(f) of the Data Protection Act states that a ‘Child’ “means an individual who has not completed the age of eighteen years.”
103Rule 10(1), Data Protection Rules.
104Rule 10(2)(a), Data Protection Rules states that ‘Adult’ “means an individual who has completed the age of eighteen years.”
105Rule 10(1)(a), Data Protection Rules.
106Rule 10(2)(b) of the Data Protection Rules states that an ‘Authorized entity’ shall mean: “(i) an entity entrusted by law or the Government; or (ii) a person appointed or permitted by such entity with the issuance of the age and identity details, or a virtual token mapped to such details, which includes details of identity and age, or token made available and verified by a Digital Locker Service Provider.” A ‘Digital Locker Service Provider’ is defined as “an intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (IT Act).”
107Section 9(2), Data Protection Act.
108Section 9(3), Data Protection Act.
109Section 9(4), Data Protection Act read with Rule 12(1) and 12(2), Data Protection Rules.
110Part A, Fourth Schedule, Data Protection Rules.
111Part B, Fourth Schedule, Data Protection Rules.
112Part A, Row 3, Fourth Schedule, Data Protection Rules.
113Section 9(5), Data Protection Act.
114Rule 11(1), Data Protection Rules.
115Rule 11(2)(d), Data Protection Rules.
116Rule 11(2)(a) of the Data Protection Rules states that a ‘Designated authority’ “shall mean an authority designated under section 15 of the Rights of Persons with Disabilities Act, 2016 (49 of 2016) to support persons with disabilities in exercise of their legal capacity.”
117Rule 11(2)(c) of the Data Protection Rules states that a ‘Local level committee’ “shall mean a local level committee constituted. under section 13 of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999).”
118Section 16(1), Data Protection Act.
119Section 16(2), Data Protection Act.
120Rule 15, Data Protection Rules.
121‘Intermediary’ shall have the meaning prescribed under the IT Act.
122Section 36, Data Protection Act.
123Rule 23(1), Data Protection Rules.
124Item 1, Seventh Schedule, Data Protection Rules. The authorized person for such purpose is an officer of the State (or its instrumentalities) notified under the corresponding clause in the Data Protection Act [i.e., Section 17(2)(a)], as the Central Government (or head of its instrumentality) may designate in this regard.
125Item 2, Seventh Schedule, Data Protection Rules. The authorized person for such purpose is any person authorized under applicable laws.
126Item 3, Seventh Schedule, Data Protection Rules. The authorized person for such purpose is such officer of the Central Government, in the MeitY, designated by the Secretary of MeitY in this regard.
127Section 69, IT Act.
128Section 69-B, IT Act.
129The procedural safeguards with respect to: (i) interception monitoring and decryption are detailed in the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009; and (ii) monitoring of traffic data are detailed in the Information Technology (Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information) Rules, 2009.
130Rule 23(2), Data Protection Rules.
131Section 37, Data Protection Act.
132Section 69-A, IT Act.
133The procedural safeguards with respect to blocking of information are detailed in the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009.
134Notification bearing Ref No. G.S.R. 844(E) dated 13 November 2025 issued by MeitY, accessible at: https://www.meity.gov.in/static/uploads/2025/11/cc217843dc3bcb37b2b05bcc3b4e031f.pdf, last accessed on 15 November 2025.
135Notification bearing Ref No. G.S.R. 844(E) dated 13 November 2025 issued by MeitY, accessible at: https://www.meity.gov.in/static/uploads/2025/11/f6c0837972422cf79d890bfe84cc04d6.pdf, last accessed on 15 November 2025.
136Rule 17, Data Protection Rules.
137Rule 18, Data Protection Rules.
138Rule 19, Data Protection Rules.
139Rule 21, Data Protection Rules.
140Section 27(1)(e), Data Protection Act.
141Section 27(3), Data Protection Act read with Rule 4(5), Data Protection Rules.
142Section 39, Data Protection Act. It further states that no court or any other authority has jurisdiction to issue injunctions with respect to any action taken or to be taken in pursuance of powers granted under the Data Protection Act.
143Section 33(1), Data Protection Act.
144Item 1, the Schedule to the Data Protection Act.
145Items 2 and 3, the Schedule to the Data Protection Act.
146Item 4, the Schedule to the Data Protection Act.
147Item 5, the Schedule to the Data Protection Act.
148Item 7, the Schedule to the Data Protection Act.
149Item 6, the Schedule to the Data Protection Act.
150Sections 2(a), 29(1) and 29(2), Data Protection Act. The TDSAT may entertain an appeal after the expiry of the 60-day period if it satisfied that there was sufficient cause for the delay.
151Sections 29(6) and 29(7), Data Protection Act. If there is a delay beyond this period, the TDSAT is required to record its reasons in writing for the delay.
152Rule 22(3)(b), Data Protection Rules. This does not impact the TDSAT’s power to summon and enforce attendance of any person in a manner that does not require physical presence of any individual.
Disclaimer
The contents of this hotline should not be construed as legal opinion.
This hotline does not constitute a legal opinion and may contain information generated using various artificial intelligence (AI) tools or assistants, including but not limited to our in-house tool, NaiDA. We strive to ensure the highest quality and accuracy of our content and services. Nishith Desai Associates is committed to the responsible use of AI tools, maintaining client confidentiality, and adhering to strict data protection policies to safeguard your information.
This hotline provides general information existing at the time of preparation. The Hotline is intended as a news update and Nishith Desai Associates neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this Hotline. It is recommended that professional advice be taken based on the specific facts and circumstances. This hotline does not substitute the need to refer to the original pronouncements.