
What is the India DPDP Act?

The Digital Personal Data Protection Act (DPDPA) is India's comprehensive data protection law, enacted in 2023, that governs how digital personal data of Indian residents is collected, processed, and transferred.

Also known as: DPDPA, Digital Personal Data Protection Act, India privacy law

The Digital Personal Data Protection Act (DPDPA) is India's first comprehensive data protection law. Enacted in August 2023 after years of legislative attempts, it marks India's formal entry into the growing global framework of data protection regimes alongside the GDPR, Brazil's LGPD, and China's PIPL.

Why the DPDPA Matters

India is the world's most populous country and one of its fastest-growing digital economies. With over 800 million internet users, India generates an enormous volume of personal data — and for most of its digital history, no comprehensive law governed how that data was handled. The DPDPA fills that gap.

The law applies to the processing of digital personal data of individuals in India, regardless of where the data is processed — giving it extraterritorial reach similar to the GDPR.

Core Principles

The DPDPA is built around a set of data protection principles:

  • Lawful purpose — Data must be processed only for lawful purposes with consent or a legitimate basis
  • Data minimization — Only collect what is necessary for the stated purpose
  • Accuracy — Reasonable efforts to keep data accurate
  • Storage limitation — Data should not be retained longer than necessary
  • Security — Implement appropriate safeguards

Consent Framework

Consent is the primary legal basis under the DPDPA, and the law sets specific requirements:

  • Consent must be free, specific, informed, and unconditional
  • Consent requests must be presented in clear, plain language
  • Withdrawal of consent must be as easy as giving it
  • Organizations must maintain records of consent

The law also defines "deemed consent" — circumstances where consent is not required, including national security, legal proceedings, employment, and certain public interest activities.

Data Principal Rights

Indian residents (called "Data Principals" in the Act) have the following rights:

  • Right to access — Obtain a summary of personal data processed and who it has been shared with
  • Right to correction and erasure — Correct inaccurate data or request deletion when purpose is fulfilled or consent is withdrawn
  • Right to grievance redress — Access a mechanism to raise complaints with the Data Fiduciary (the organization)
  • Right to nominate — Nominate another person to exercise rights in the event of death or incapacity

Notably absent compared to GDPR: no explicit right to data portability, and the right to object to processing is limited.

Key Obligations for Organizations

Organizations handling Indian personal data (called "Data Fiduciaries") must:

  • Publish a privacy notice explaining what data is collected and for what purpose
  • Implement reasonable security safeguards
  • Notify individuals and the Data Protection Board of data breaches
  • Not retain data beyond the necessary period
  • Appoint a Data Protection Officer (for "Significant Data Fiduciaries" — to be designated by the government)
  • Establish a grievance redress mechanism

The Data Protection Board of India

The DPDPA creates a new body — the Data Protection Board of India — to adjudicate complaints and enforce the law. Board members are appointed by the central government, which has raised concerns about independence from state surveillance interests.

Maximum penalties: up to ₹250 crore ($30 million USD) per violation for significant breaches. Penalties for failure to implement security safeguards reach ₹200 crore ($24 million USD).

Cross-Border Data Transfers

Unlike the GDPR's restrictive approach, the DPDPA takes a permissive default stance: cross-border transfers are allowed unless the Indian government specifically restricts certain countries or categories. The government maintains a "negative list" of restricted countries rather than a "positive list" of approved ones. This is a notably more business-friendly approach than the EU framework.

Areas of Concern

Privacy advocates have raised several criticisms:

  • Broad government exemptions — The central government and its instrumentalities are largely exempt from the law, meaning state surveillance activities are not restricted
  • Limited data portability — No right to take your data to a competing service
  • No right to object — Users cannot object to processing based on legitimate interest
  • Enforcement independence — The Data Protection Board's appointment process raises questions about independence
  • Delegated legislation — Many specifics are left to rules not yet finalized, creating uncertainty

Where Things Stand in 2025–2026

The DPDPA was enacted in 2023, but its enforcement rules and the Data Protection Board have been in development. Full enforcement is expected to ramp up through 2025 and 2026 as the implementing rules are finalized. Organizations processing Indian personal data should begin compliance assessments now rather than waiting for the enforcement start date.
