Current Law
At present, the Information Technology Act, 2000 (the “IT Act”) is the parent legislation under which the delegated legislation – the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the “SPDI Rules”) – provides the framework for data protection and privacy. The SPDI Rules are outdated and are due to be overhauled by dedicated legislation on data protection, called the Digital Personal Data Protection Act, 2023 or the DPDP Act (the “upcoming law”), which was introduced in August 2023.
For context, the IT Act contains specific provisions on privacy and data protection. For instance, Section 72 imposes a penalty for breach of confidentiality and privacy, and Section 72A imposes a penalty for disclosure of information in breach of a lawful contract.
Section 43A imposes a liability on a “body corporate” (ie, a company, firm, sole proprietorship or other association of individuals engaged in commercial or professional activities) to pay damages by way of compensation for any negligence in implementing and maintaining reasonable security practices and procedures that may result in wrongful loss or wrongful gain to any person. Given the requirement of maintaining reasonable security practices and procedures under Section 43A, the government notified the SPDI Rules in 2011, stipulating the requirements for data protection by body corporates in India. The IT Act read with the SPDI Rules forms the current data protection regime in India.
The SPDI Rules apply to the collection and processing of personal information, which means any information that – directly or indirectly, in combination with other information available or likely to be available to a body corporate – is capable of identifying such person. Personal information is further categorised into sensitive personal data or information (SPDI), which consists of information relating to passwords, financial information, physical, physiological and mental health conditions, sexual orientation, medical records and history, and biometric information, among others. This distinction between personal information and SPDI is important because the requirements and obligations on body corporates for handling personal information and SPDI are different under the SPDI Rules.
Updating Data Protection Regulation
Given the need to update the SPDI Rules due to their inherent gaps and rudimentary nature, the regulatory landscape for data protection, privacy and cybersecurity in India is gradually shifting towards ensuring and enforcing data protection in business operations, with the Supreme Court recognising the “right to privacy” as a fundamental right under the Indian Constitution in 2017, in the case of Justice K.S. Puttaswamy (Retd) v Union of India. This case was monumental and served as the impetus for the government to implement a dedicated data protection framework for India.
Introduction of the Upcoming Law
After several years of contemplation and multiple iterations through draft bills, the Parliament passed the DPDP Act in August 2023 to serve as the first dedicated legislation for data protection and privacy in India. The DPDP Act will replace the SPDI Rules once it comes into force, with any processing of personal information or data continuing to be governed by the SPDI Rules in the meantime.
The DPDP Act provides a principles-based framework for the processing of “digital” personal data – ie, personal data in digital form about an individual who is identifiable by or in relation to such data. It also applies to non-digital personal data that is digitised subsequently. Unlike the SPDI Rules, the DPDP Act does not subcategorise personal data into sensitive personal data.
Several obligations under the DPDP Act will be operationalised through the delegated legislation or “rules” to be issued under the DPDP Act, such as cross-border transfer, notice requirements, notification of “Significant Data Fiduciaries”, treatment of children’s data, consent managers, etc.
Draft Rules Under the DPDP Act
Nearly two years after the introduction of the DPDP Act, in January 2025 the Ministry of Electronics and Information Technology (MeitY) published the draft of the Digital Personal Data Protection Rules, 2025 (the “Draft DPDP Rules”), which was open for public comment until 5 March 2025. At present, these rules are in the draft stage and will be finalised after the stakeholder consultation process; they will then become effective upon their notification in the official gazette. The Draft DPDP Rules may undergo further changes considering public and stakeholder comments before they are finalised and notified.
Notable provisions proposed in the Draft DPDP Rules include the following.
Notice
The DPDP Act requires every request for consent to be accompanied or preceded by a notice. As per the Draft DPDP Rules, this notice must be provided in clear, plain language, and must be presented independently of any other information. The notice must provide an itemised description of the personal data sought to be processed, its specified purpose, an itemised description of the goods or services to be provided, a communication link for accessing the website and/or app, and a description of any other means for enabling the withdrawal of consent, the exercise of rights and making a complaint to the Data Protection Board of India.
The proposed requirements of providing “itemised descriptions” and independent presentation of the notice are more onerous than in the EU GDPR.
Notification of personal data breach
Upon becoming aware of a personal data breach, a Data Fiduciary (an entity that alone or in conjunction with another entity determines the means and purpose of the processing of personal data) must inform, without delay, each affected Data Principal (an individual to whom the personal data relates) and the Data Protection Board of India (DPB – an independent adjudicating body that will enforce the DPDP Act) about the nature and extent of the breach, potential consequences, mitigation measures, safety measures and business contact information of an individual who can respond to their queries. After this, a detailed report will have to be submitted to the DPB within 72 hours (unless an extension is granted by the DPB upon a written request) with updated information about the breach, mitigation and remedial measures, findings regarding the person responsible for the breach, and a report about the Data Principal notification. The proposed requirements of notifying affected Data Principals and double reporting to the DPB are onerous. These proposed reporting requirements are also in addition to requirements to report breaches to a separate authority under cybersecurity regulations.
Verifiable consent
Verifiable consent of a parent/lawful guardian will have to be obtained before processing the personal data of a child or a person with disability. As per the Draft DPDP Rules, appropriate technical and organisational measures would have to be adopted to ensure that verifiable consent of the parent is obtained before the processing of a child’s personal data. The Draft DPDP Rules also provide mechanisms to verify parental consent through identity details of the parent available to the Data Fiduciary, or through voluntarily provided identity and age details of the parent or a virtual token mapped to the same, issued by an entity authorised by law/government, including through a digital locker service provider. Due diligence must be undertaken to ensure that the person identifying as the parent is an identifiable adult and that the lawful guardian is appointed by a court or competent authority as per the Indian guardianship law.
Reasonable security safeguards
It has been proposed that minimum baseline safeguards must be adopted by a Data Fiduciary, such as encryption, obfuscation of virtual tokens mapped to that personal data, and visibility on the accessing of personal data. No specific standards have been prescribed.
Cross-border transfer
The government may direct, by general or special orders, Data Fiduciaries to meet certain specific requirements (or restrictions) for transferring personal data to foreign states or entities under the control of such states.
Additional obligations for Significant Data Fiduciaries (SDF)
SDFs are a category of a Data Fiduciary that will be notified by the government based on its assessment of factors listed in the DPDP Act. The Draft DPDP Rules require SDFs to undertake audits and Data Protection Impact Assessments (DPIA) annually, and to ensure that a report regarding these activities is submitted to the DPB. Furthermore, due diligence will have to be exercised to verify that the “algorithmic software” deployed by an SDF for personal data processing does not pose risks to the Data Principal’s rights. The government can specify certain personal data sets and traffic data that cannot be transferred outside India, based on the recommendations of a committee constituted by the government; in effect, this is a data localisation requirement for an SDF.
Consent managers
The DPDP Act allows a Data Principal to give, manage, review or withdraw consent through a Consent Manager. The Draft DPDP Rules stipulate the registration requirements and obligations of such Consent Managers, including that they must be incorporated in India and have sufficient capacity to fulfil their obligations, including technical, operational and financial capacity. These Consent Managers are also required to onboard Data Fiduciaries onto their platform to send requests to users and avoid any conflict of interest with Data Fiduciaries in respect of managerial personnel having directorship or financial interests. Onboarding with a Consent Manager is not mandatory.
Timelines for erasure of data
The Draft DPDP Rules mandate that e-commerce platforms with at least 20 million registered users in India, online gaming intermediaries with at least 5 million registered users in India, and social media intermediaries with at least 20 million registered users in India must erase a Data Principal’s personal data if the Data Principal has not engaged with the Data Fiduciary for the performance of the specified purpose, or exercised their rights regarding the processing, for a period of three years (counted from whichever of these events is the latest). A Data Fiduciary is also required to notify the Data Principal at least 48 hours in advance about the scheduled erasure. No clarity is available on timelines for other types of Data Fiduciaries.
The DPDP Act allows the government to implement the provisions in a phased manner by appointing different dates for the coming into force of different provisions of the DPDP Act. The Draft DPDP Rules also propose that the provisions pertaining to the functioning of the DPB will come into effect immediately upon notification of the rules. However, the more critical provisions for Data Fiduciaries – such as the manner of providing notice, treatment of children’s data, designation of Significant Data Fiduciaries, etc – will come into effect later. According to unofficial reports, the government has indicated that it will provide a period of two years to transition to the requirements under the DPDP Act.
Cybersecurity and Sectoral Laws
The IT Act imposes a cybersecurity reporting requirement. The IT Act read with the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “CERT-IN Rules”) and the Directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet (the “CERT-IN Directions”) comprise the cybersecurity regulations in India. The cybersecurity reporting requirements get triggered in case of a “cybersecurity incident” and are in addition to the reporting requirements in the DPDP Act, once that comes into force. The CERT-IN Rules and the CERT-IN Directions apply to cybersecurity incidents including but not limited to data breaches, data leaks, unauthorised access of IT systems, ransomware attacks, identity thefts, etc.
In addition, sectors such as finance, telecommunications, securities, insurance, etc, are governed by specific regulations that impose data protection requirements on regulated entities.
Current Data Protection Law
While the SPDI Rules do not specify a regulator per se, an adjudicating officer (AO) is appointed under the IT Act to judge whether any person has committed a contravention of any of the provisions of the IT Act or any of the rules made thereunder, which renders such person liable to pay a penalty or compensation.
Upcoming Data Protection Law
The DPB will be established under the DPDP Act, and will operate at the national level. The DPB will be a body corporate that will function as an independent body as per the procedure provided in the rules to the DPDP Act.
Cybersecurity Law
The Indian Computer Emergency Response Team (CERT-IN) serves as the national agency for incident response and performs functions such as:
It also issues guidelines, advisories and vulnerability notes relating to information security practices, procedures, prevention, response and reporting of cyber incidents.
Sectoral Laws
In addition to the above, there are sectoral regulators that enforce data protection regulations in their respective sectors, such as:
Current Data Protection Law
Under the current regime (ie, the IT Act and the SPDI Rules), an AO holds the power of a civil court, and proceedings before AOs are deemed judicial proceedings. While deciding the quantum of compensation, AOs are required to consider:
The IT Act does not stipulate the maximum fine for contravention of the SPDI Rules, simply stating that the body corporate would be liable to pay damages by way of compensation to the affected person.
Section 72A of the IT Act imposes a fine of up to INR25 lakhs (approximately USD29,000) for disclosing personal information obtained under a lawful contract to another person without consent and with the intent to cause wrongful gain or loss, or in violation of the contract.
Upcoming Data Protection Law
Under the DPDP Act, the DPB will have the power to:
Upon the communication of a personal data breach, a complaint from a Data Principal or a reference made by the government regarding a breach in observing directions made to an intermediary, the DPB will determine if there are sufficient grounds to proceed with the inquiry and record its reasons for its actions during the inquiry. The DPB cannot prevent access nor seize any equipment capable of adversely affecting the daily functioning of a person.
The DPB will function as an independent digital office and would adopt the techno-legal measures as may be prescribed in the rules. The Draft DPDP Rules do not specifically propose such measures and simply state that the DPB may adopt techno-legal measures that do not require the physical presence of any individual. This, however, will not affect the power of the DPB to summon and enforce attendance.
The DPDP Act prescribes monetary penalties ranging from INR50 crore (approximately USD5.75 million) up to INR250 crore (approximately USD28.5 million), depending on the nature of the contravention of provisions of the DPDP Act.
Cybersecurity Law
For non-compliance with the cybersecurity requirements under the CERT-IN Directions, the IT Act prescribes imprisonment for up to one year or a fine of up to INR1 crore (approximately USD116,000), or both.
Orders pertaining to contravention of the SPDI Rules issued by the AO are infrequent and pertain to negligence in implementing and maintaining reasonable security practices and procedures, causing wrongful loss or wrongful gain to any person. According to the publicly available orders, AOs have awarded compensation ranging from INR50,000 to INR1.3 crore (approximately USD575 to USD150,000). These cases largely pertained to telecoms service providers, banks and other financial institutions.
While there is information about investigations and probes conducted by the CERT-IN, there is no publicly available information regarding any fines imposed by the CERT-IN in case of a cybersecurity incident.
Once the DPDP Act comes into force and the DPB becomes fully operational, the jurisprudence in this area will develop further.
At present, there is no specific law pertaining to the regulation of AI in India. However, the development, deployment and use of AI technologies are subject to prevailing laws and regulations in other areas of law, such as data protection, intellectual property, intermediary liability, etc. Moreover, any entity deploying AI that qualifies as an intermediary under the IT Act would have to comply with the due diligence requirements provided in the Information Technology (Intermediary Guidelines) Rules, 2021 (the “IT Rules 2021”).
The government has launched various initiatives towards harnessing the potential of AI in India. In 2023, it proposed a statutory framework called the Digital India Act (DIA), which will purportedly regulate emerging technologies including AI. While no draft of the DIA has yet been circulated, the MeitY shared a presentation during stakeholder meetings conducted in 2023, according to which the DIA seeks to regulate emerging technologies such as AI/ML and Virtual Reality/Augmented Reality, focusing on high-risk AI systems through a legal, institutional quality testing framework to examine regulatory models, algorithmic accountability, zero-day threat and vulnerability assessment, AI-based ad-targeting, content moderation, intermediaries through an updated framework, etc.
A report on AI Governance Guidelines Development (the “AI Report”) was published in January 2025, for public consultation, by the subcommittee of the Advisory Group that was created by the government to develop an India-specific regulatory framework for AI, analyse gaps and offer recommendations for developing a regulatory framework for AI governance in India.
The AI Report proposes the following principles for responsible AI governance based on international guidelines and Indian frameworks:
The subcommittee conducted a gap analysis and examined the issues and concerns surrounding deepfakes, cybersecurity and privacy in general, among other matters, such as copyright infringement and the antitrust dynamics of AI under current law. Furthermore, the report states that mechanisms should be in place for data quality, data integrity and “security-by-design”.
The AI Report proposes the following recommendations to fill the gaps identified in the report:
AI and data protection are interconnected, since AI relies on datasets to generate output. These datasets often contain personal information or data, and are used during all stages of AI training, development, deployment and use. Accordingly, any development and use of AI would have to comply with the data protection laws and cybersecurity laws in the country, particularly for the collection, processing and storage of data.
Impact of DPDP Act on AI
With the introduction of the DPDP Act, the focus of data protection is set to move to consent-based processing. The term “processing” has been defined broadly in the DPDP Act to mean a “wholly or partly automated operation or set of operations performed on digital personal data”, including operations such as collection, recording, organisation, storage, adaptation, retrieval, use, sharing, dissemination or erasure. Accordingly, consent will have to be obtained for the processing of personal data obtained from users, developers and third parties, and while scraping from private databases.
The DPDP Act will not apply if the AI platform uses publicly available personal data and if the processing is done for statistical, research and archival purposes. In addition, the transfer of personal data from India to other countries would be subject to the requirements and restrictions under the data protection laws, which may play a crucial role in the development of indigenous infrastructure and practices surrounding AI technologies.
As noted in 1.5 AI Regulation, the need to comply with the data protection laws has also been recognised in the AI Report.
Impact of Cybersecurity Laws on AI
From a cybersecurity perspective, the developers and deployers of AI technology would have to ensure that they have reasonable security safeguards in place to prevent any cybersecurity incidents such as data breaches, data leaks, attacks on IoT devices, attacks or malicious activities affecting systems, servers, software or applications related to AI, and machine learning. The CERT-IN also requires service providers and companies to enable logs of all ICT systems, and to maintain them in India.
Any regulatory and legal framework that is being developed to govern and harness the potential of AI technologies would have to be cognisant of these considerations, and would also have to take into account the practical implications at the organisational and user levels.
In 2017, in the case of Justice K.S. Puttaswamy (Retd) v Union of India, a nine-judge bench of the Supreme Court declared that the “right to privacy” was a fundamental right under the “right to life” provided in the Indian Constitution. The Court recognised the importance of protecting one’s identity and information, as well as the freedom to share or withhold such information as per an individual's choice. However, fundamental rights are subject to restrictions. According to the Court, invasion of the right to privacy must meet the following three-fold requirement:
Since the Puttaswamy judgment, privacy litigation in India has gained momentum, with various facets of privacy being recognised through cases filed before the High Courts of states in India. Recent cases upholding the right to privacy include the following.
Right to Be Forgotten
There is no formal recognition of this right under Indian data protection laws. The DPDP Act provides the right to the erasure of information but does not include the right to be forgotten within its ambit. However, various courts in India have upheld this right in judicial pronouncements. In ABC v State & Anr, the Delhi High Court recently directed the Court Registry to remove the name of the petitioner and one of the respondents from court records and its search results from public search engines in light of the fundamental right to privacy and the right to be forgotten when the criminal proceedings in the case had been quashed by the Court.
However, in Ikanoon Software Development Pvt Ltd v Karthick Theodore & Ors., the Supreme Court of India recently stayed an order passed by the Madras High Court that had directed the legal search engine Indian Kanoon to remove a judgment from its website (instead of just the personal details), citing the right to be forgotten. According to news reports, while hearing the matter, the Supreme Court orally remarked that redacting personal details in sensitive cases could be justified but removing the entire judgment would be excessive. The matter is pending before the Supreme Court as of January 2025.
Spousal Privacy
Spousal privacy has been upheld in various cases before the High Courts in India. In R v B, the Madras High Court recently ruled that the collection of call data records of a spouse without her consent cannot be admitted as evidence in court due to her right to privacy.
Privacy of Rape Victims
The Supreme Court recently directed that all references to the name of the victim in a murder and alleged rape case promptly be removed from all social media platforms and electronic media, along with any photographs and video clips depicting the deceased. After this order and given the sensitive nature of the case, the MeitY issued a press release urging all social media companies to ensure that such sensitive information is not further disseminated.
Data Breaches
In the matter of Star Health and Allied Insurance v Telegram Messenger & Ors, wherein Star Health alleged that its customer database was hacked and that personal information including sensitive personal information was being leaked through Telegram, the Madras High Court granted an interim injunction directing Telegram to take down and block all posts or chatbots identified by Star Health. Similarly, in Niva Bupa Health Insurance Company Limited v Telegram, the Delhi High Court recently granted an ad-interim injunction directing platforms, including Telegram, to block and disable accounts linked to an anonymous entity that threatened to leak sensitive personal data of the customers of the insurance company.
Doxing
While addressing a case where the plaintiff claimed that her private information was maliciously disclosed online after she posted a tweet about a political figure, the Delhi High Court emphasised the significant privacy risks and potential harms associated with such acts. The Court noted that since the tweet was not anonymous it did not qualify as doxing, but directed the social media platform to remove defamatory tweets and disclose the Basic Subscriber Information of the accounts involved.
Deepfakes and AI
Various Indian courts have deliberated upon the misuse of AI tools and applications, particularly in respect of celebrities. While most of these cases have addressed the issue of violation of personality rights by using deepfakes, these cases have also commented upon the celebrities’ right to privacy.
Big Tech and Antitrust
The Competition Commission of India (CCI) imposed a penalty on Meta under the Competition Act, 2002 for abusing its dominant position in relevant markets for “online display advertising” and “OTT messaging apps through smartphones”. The CCI observed that WhatsApp’s privacy policy, which required users to accept expanded data collection and data-sharing terms with other Meta companies, was being implemented on a “take-it-or-leave-it” basis, thereby limiting user choice and transparency.
Recent litigation in India has addressed the following topics.
Indian laws provide for class action suits to be filed before civil courts, where one or more persons can institute a class action lawsuit on behalf of other persons with the same interests, with the permission of the court.
However, there are no provisions in the IT Act, the SPDI Rules or the DPDP Act that provide for collective redress in India; in fact, the DPDP Act specifically restricts the jurisdiction of civil courts to entertain suits or proceedings in respect of any matter that is within the jurisdiction of the DPB. The DPDP Act also states that courts and regulatory authorities are prohibited from granting any injunction in respect of any action taken or to be taken in pursuance of any power provided under the DPDP Act.
However, Indian courts recognise the concept of public interest litigation, which can be filed by a person or group for public good and for the enforcement of their fundamental rights (which includes the right to privacy).
There is no dedicated regulation governing the use of IoT services and the rights and obligations of data holders and data processing services; various laws and regulations across sectors cover data regulation for these services.
Telecommunication Law
The Telecom Act addresses the development, expansion and operation of telecommunication services and telecommunication networks, and also governs matters connected thereto. The term “telecommunication” is defined broadly in the Telecom Act to include IoT services within the scope of the Telecom Act. However, not all provisions of the Telecom Act have yet come into force.
The Department of Telecommunications (DoT) regulates and grants licences for telecommunication services in India. These licences have been issued under the erstwhile legislation governing telecommunication in India, which remains in force for a period (specified in the Telecom Act) until it migrates to the new requirements under the Telecom Act.
Under the licence (ie, Unified Licence, or UL), operational, commercial, financial, security and technical conditions applicable to all service categories have been provided, including:
There are also specific requirements for the services covered within the ambit of the UL, such as access services, internet services and machine-to-machine services.
Several rules have been notified under the Telecom Act, such as the Telecommunications (Telecom Cyber Security) Rules, 2024 (the “Telecom Cybersecurity Rules”), which will also have to be complied with while providing IoT services. Even if these obligations do not apply to the IoT service providers directly, the obligations may contractually trickle down to such service providers from the telecom service providers. Separately, the Telecom Regulatory Authority of India (TRAI) has also deliberated on various issues that impact IoT/M2M services in India.
Based on these deliberations, the Guidelines for registration process of “Machine to Machine” service providers & WPAN/WLAN Connectivity Provider for M2M Services (the “M2MSP Guidelines”) regulate M2M services in India and address concerns relating to their interface with telecom service providers, security, encryption, etc. These guidelines require entities to register themselves with the DoT and comply with, among other things, the Know-Your-Customer (KYC) and related guidelines and maintenance of customer data requirements. The guidelines also mandate technical and security measures to ensure the protection of communication and data privacy.
Information Technology Law
Although the IT Act does not specifically mention the term “internet of things”, its provisions apply to IoT devices and services in several ways. For instance, in respect of data protection, the SPDI Rules (and subsequently the DPDP Act) would apply to processing personal data in providing such services.
Furthermore, the CERT-IN Rules and the CERT-IN Directions, as well as the reporting requirements, apply to such services from a cybersecurity perspective. Cloud service providers are required to register accurate information, such as the names of subscribers hiring the service, period of hire, IP addresses allotted to them, and validated addresses and contact numbers.
IoT platforms that qualify as intermediaries would also be subject to the due diligence requirements under the IT Rules 2021, including:
Sectoral Laws
IoT services would also be subject to the requirements under sectoral laws. For instance, IoT-based payment systems would have to comply with the RBI guidelines for secure transactions and data storage. In fact, the mandate on tokenisation of card details on devices has also recently been extended to IoT devices.
The Guidelines for acquiring and producing Geospatial Data and Geospatial Data Services including Maps (the “Geospatial Guidelines”) regulate the collection, use and acquisition of geospatial data and maps of India in product content and materials being offered to Indian customers. According to these guidelines, entities do not require prior approval, clearance or a licence for the collection, generation, preparation, dissemination, storage, publication, updating and/or digitisation of geospatial data and maps in India, apart from the requirements mandated under the Geospatial Guidelines. These guidelines impose restrictions in the form of indicating a “negative list of attributes” and a “threshold value” for spatial accuracy of geospatial data and maps.
Foreign entities are prohibited from generating geospatial data or maps at a scale finer than the threshold value specified in the Geospatial Guidelines. However, geospatial data or maps created at a coarser scale, resolution or accuracy are permitted for foreign companies.
Since there is no dedicated statute on data regulation for IoT services and data processing services, the data protection requirement will flow from data protection laws in India, since such services handle both personal and non-personal data sets. Accordingly, entities offering such services would have to comply with consent, notice, disclosure, transfer and reasonable security-related requirements under the data protection law of India. Furthermore, IoT systems and data processing services will also be subject to various cybersecurity rules.
The general obligations and rights stipulated in the SPDI Rules and the DPDP Act would apply to the processing of personal data by IoT service providers.
Current Data Protection Law
The SPDI Rules provide the right to review the information, and ensure that any information found to be inaccurate or deficient is corrected or amended. These rules also provide the right to withdraw consent and the right to grievance redressal to the provider of information. The obligations for body corporates include:
Upcoming Data Protection Law
Under the DPDP Act, a Data Principal has the right to access (on request) a summary of personal data and processing activities, the identities of all Data Fiduciaries and Data Processors, and any other information that may be prescribed through rules. The right to the correction, completion, updating and erasure of personal data, and the right to withdraw consent, have also been provided for consent-based processing of personal data. The right to grievance redressal and the right to nominate another person in the event of death or incapacity are available irrespective of the bases for the processing of personal data.
As far as obligations under the DPDP Act are concerned, a Data Fiduciary is required to process personal data only for a lawful purpose. Furthermore, a notice needs to be provided for consent-based processing of personal data. The DPDP Act also stipulates general obligations for a Data Fiduciary, including but not limited to:
The Draft DPDP Rules further elaborate on some of these obligations, including, for instance, stipulating minimum baseline security measures that must be adopted by a Data Fiduciary.
Cybersecurity Law
The CERT-IN Directions require cloud service providers to register accurate information pertaining to the following and to maintain it for five years or a longer period as may be required under law after the cancellation or withdrawal of registration:
Sectoral Law
Obligations under sectoral laws will also apply. For instance, the M2MSP Guidelines provide technical and security conditions that must be adhered to for providing M2M services in India, including:
The UL also stipulates certain conditions, such as maintaining log-in/log-out details of all subscribers for a minimum period of two years. Furthermore, the Framework for Adoption of Cloud Services by SEBI Regulated Entities (the “Cloud Service Framework”) provides guidelines on the cloud framework that must be adopted by entities regulated by SEBI for maintaining data privacy, security and regulatory compliance.
Please see 1.2 Regulators.
There are no laws that specifically regulate the use of cookies in India.
Both current (SPDI Rules) and upcoming (DPDP Act) data protection laws apply to identifiable personal information. Accordingly, cookies would only be governed by the SPDI Rules and later by the DPDP Act if such cookies qualify as personal identifiable data or information. Accordingly, all corresponding obligations relating to the processing of personal data will also apply to the use of cookies if they qualify as identifiable personal data or information.
Current Data Protection Law
Given the rudimentary framework of the SPDI Rules, marketing and personalised advertisements have largely remained unregulated in India. Having said that, when the DPDP Act comes into force, the general principles recognised therein – such as data minimisation, consent-based processing, etc – would apply to such advertisements and marketing practices, and would require entities to revisit the policies and practices concerning programmatic advertising and reliance on third parties for data.
Upcoming Data Protection Law
The DPDP Act prohibits a Data Fiduciary from undertaking tracking or behavioural monitoring of children or targeted advertising directed at them. However, the government can notify purposes and classes of Data Fiduciaries that can be exempted from the restriction on tracking or behavioural monitoring of children or targeted advertising directed at children subject to conditions prescribed by it. The government can also notify a lower age for children (ie, lower than 18 years, which is the age of majority in India) for processing if it is satisfied that the Data Fiduciary has ensured that the processing of personal data of children is carried out in a “verifiably safe” manner. Such Data Fiduciaries may be exempted from compliance with the restriction on tracking or behavioural monitoring of children or targeted advertising directed at children, among other things.
Current Data Protection Law
The SPDI Rules do not specifically govern employment-related personal data, which would broadly be governed by the requirements that are applicable to personal information or SPDI, depending on the nature of such data. For instance, name, address, age, etc, would be considered personal information and would be subject to the requirements applicable to personal information under the SPDI Rules. However, biometric information collected for attendance, financial information, etc, would be considered SPDI under the SPDI Rules, requiring written/electronic consent to be obtained before the collection of such information.
Upcoming Data Protection Law
Unlike the SPDI Rules, the DPDP Act specifically deals with personal data processed for employment purposes. The DPDP Act recognises two bases for the processing of personal data – namely consent and non-consent based “certain legitimate uses”.
One of the legitimate uses identified in the DPDP Act is “for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee”.
The DPDP Act does not define the phrase “employment purpose”, which will become clear once jurisprudence develops on this aspect. This means that the personal data can be processed without seeking consent or providing corresponding rights that apply to consent-based processing if such processing can be justified for the purpose of employment or for safeguarding the employer from any loss or liability.
There are no specific guidelines or regulations on the transfer of personal data in asset deals in India. Accordingly, any transfer of personal data in asset deals in India would be governed by the general data protection laws and the applicable sectoral laws.
However, the DPDP Act has made certain carve-outs or exemptions for personal data processing requirements that would be relevant to asset deals. Under the DPDP Act, the provisions pertaining to the obligations of a Data Fiduciary (except the general obligation of complying with the DPDP Act and taking reasonable security safeguards to prevent personal data breach), the rights and duties of Data Principals and transfer-related requirements of personal data do not apply if the processing is necessary for the following:
Current Data Protection Law
As per the SPDI Rules, an entity or any person on its behalf can transfer personal information and/or SPDI to any other entity or person located in India or abroad if such entity or person ensures the same level of data protection as is required to be adhered to under the SPDI Rules. The transfer would only be allowed if consent has been sought or if it is necessary for the performance of the lawful contract between the entity and the provider of information.
Upcoming Data Protection Law
The DPDP Act, on the other hand, gives the government power to, by notification, restrict the transfer of personal data for processing to such country or territory outside India as may be notified – ie, to provide a negative list of countries to which the transfer of personal data will be restricted. Furthermore, if there is a higher degree of restriction/protection on transfers of personal data outside India in any law (or sectoral regulation) other than the DPDP Act, then this higher regime must be followed. Accordingly, sectoral laws such as those relating to RBI’s payment systems-related data (having data localisation requirements) will continue to be applicable.
However, personal data transfers are exempted from the requirements under the DPDP Act under certain conditions, including but not limited to the following:
No approvals from the government are required for international data transfers under the SPDI Rules.
However, in the past, the government has been critical of access to information by certain countries and has taken steps to block such access. For instance, in 2020 the government blocked certain mobile applications upon receiving reports about “stealing and surreptitiously transmitting users’ data in an unauthorised manner to servers which have locations outside India”. Similar concerns had also been raised by the Indian Cyber Crime Coordination Centre of the Ministry of Home Affairs. Accordingly, the government decided to block the apps in the interest of the sovereignty, integrity, defence and security of India.
While the DPDP Act does not stipulate any requirement to seek approval for international transfers of data per se, it does give the government wide powers to impose any restrictions on such transfer as it may notify through delegated legislation. Accordingly, the government can always impose the obligation to seek approval for transferring data internationally. Please see 5.5 Recent Developments regarding developments under the Draft DPDP Rules.
There are no data localisation requirements under the SPDI Rules.
There are no specific data localisation requirements under the DPDP Act, but such requirements can be introduced through delegated legislation or rules.
The CERT-IN Directions mandate enabling the logs of all ICT systems and maintaining them securely for a rolling period of 180 days within the Indian jurisdiction. As per the FAQs to the CERT-IN Directions, these logs can be stored outside India if they can be presented to the CERT-IN within a reasonable time.
Sectoral Laws
There are data localisation or access requirements under sectoral laws, some of which are identified below.
Banking
The RBI has a soft data localisation mandate under the Circular on Storage of Payment Data and the associated FAQs, according to which authorised payment system providers are required to store the entire payment data in systems located in India. However, for cross-border transaction data consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad, if required.
Insurance
The Insurance Regulatory and Development Authority of India (Maintenance of Information by the Regulated Entities and Sharing of Information by the Authority) Regulations 2025 require that records related to policies issued and claims made in India shall be held in data centres located and maintained within the country.
Securities
In the Cloud Services Framework, SEBI has mandated that data including logs and any other data/information pertaining to regulated entities in any form stored in the cloud must reside in India; in the case of foreign investors, the regulated entities must keep the original data/transactions/logs and make them available and easily accessible in legible and usable form in India.
A data localisation mandate had also been introduced in the Cybersecurity and Cyber Resilience Framework by SEBI in respect of regulated entities’ regulatory data as well as data in human/application readable form if the data centre is operated outside India. However, after receiving pushback regarding this mandate, SEBI issued a clarification on 31 December 2024 and put the data localisation requirement on hold until further notice.
Telecom
The UL requires a licensee to not transfer any subscriber-related accounting information (except for international roaming/billing) and user information (except pertaining to foreign subscribers using an Indian operator’s network while roaming) outside India.
Corporate
The Companies Act 2013 requires every company to maintain books of account and financial statements for every financial year. Under the Companies (Accounts) Rules, 2014, such information must be accessible in India if maintained in electronic mode. The Consumer Protection (Direct Selling) Rules, 2021 require a direct selling entity to take steps to store sensitive personal data in India.
Section 69A of the IT Act grants the government power to issue directions to block public access to any information in the interest of the sovereignty and integrity of India, security of state, friendly relations with foreign states, etc, if it deems it necessary. The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (the “Blocking Rules”) issued pursuant to this provision outline the procedure that must be followed for blocking content. Under the Blocking Rules, anyone can make a complaint to an intermediary to block content. This complaint will then be shared with a designated officer of the government and will be examined by a government committee, which must make reasonable efforts to reach out to the originator of the content/intermediary. The committee will submit its final recommendations to the relevant Ministry, pursuant to which the designated officer will issue the blocking orders. Confidentiality must be maintained in respect of the complaints and actions taken during the blocking process.
The constitutionality of this provision was challenged in Shreya Singhal v Union of India before the Supreme Court of India, on the grounds that the originator of the content is not given an opportunity for a pre-decisional hearing and that the confidentiality requirement was unconstitutional. The Court upheld the validity of the provision and clarified that any action taken under Section 69A must be backed by a reasoned order, so that the order can be challenged. The Court further observed that Section 69A does not require an intermediary to determine the legality of the content, and that safe harbour would only be lost if the intermediary failed to take down the content upon a court order or government order.
In addition, the DPDP Act grants the government authority to direct any government agency or intermediary to block access to information generated, transmitted, received, stored or hosted on any computer resource that enables a Data Fiduciary to offer goods or services to Data Principals in India, upon receiving a written reference from the DPB. The government must provide an opportunity for the party concerned to be heard, and must take action only if satisfied that doing so is necessary for the public interest. The government is also required to record its reasons for taking such action.
As noted in 1.1 Overview of Data and Privacy-Related Laws, in January 2025 the government published the Draft DPDP Rules for public consultation. The Draft DPDP Rules impose restrictions on cross-border data transfers for:
The Draft DPDP Rules also propose that such cross-border transfers would be subject to requirements specified by the government, through general or special orders, for making such data available to foreign states or to entities under the control of such states.
Furthermore, the Draft DPDP Rules propose data localisation requirements for SDFs by implementing measures to ensure that personal data and traffic data, as specified by the government and based on the recommendations of a committee constituted by the government, is not transferred outside India.
8th Floor, VJ Business Tower
Plot No A-6, Sector 125
Noida, Uttar Pradesh
201301
India
+91 120 4633900
+91 120 4633999
info@saikrishnaassociates.com
www.saikrishnaassociates.com
Data Protection Highlights in India
India’s draft Digital Personal Data Protection Rules, 2025 (Data Privacy Rules) are intended to implement India’s new privacy law, the Digital Personal Data Protection Act, 2023 (DPDPA), and were released for public comments on 3 December 2024.
2025 marks more than seven years since the event that triggered the search for a new data privacy law in India: on 26 September 2018, the Indian Supreme Court ruled that information privacy was a fundamental right, and required the Indian government to come up with a new data law. In the seven years since that Supreme Court judgment, digitalisation has continued to grow rapidly in India and across the world. India and the world have also gone through a global pandemic, and India has seen two national elections and the rise of a new “online” generation. In the past couple of years, the emergence of game-changing new technologies such as generative AI has challenged privacy regulations and models.
The Draft Privacy Rules were available for public consultation until mid-February 2025. When they are finalised and notified, the Digital Personal Data Protection Act, 2023 will become operational. Life for businesses collecting and processing data of Indian individuals will change in the following ways once the new DPDPA is implemented in 2025.
Imagining life under the DPDPA
The term “Personal Data” means any data about an individual, who can be identified by, or in relation to, such data. The DPDPA applies to any processing of “Personal Data” within the territory of India, and to any processing of such data outside India if such processing is in connection with any activity related to the offering of goods or services to data principals within the territory of India. Such Personal Data can be processed only with the consent of the data principal, or pursuant to certain limited “legitimate uses” set out under the DPDPA.
How will life change: five major impacts of the new DPDPA
What becomes harder: processing children’s data
The DPDPA requires “data fiduciaries” to undertake certain compliances for processing the Personal Data of children (ie, individuals under the age of 18). These include:
The requirement under the parent act to obtain “verifiable parental consent” for processing children’s data continues in the Draft Privacy Rules, which note that data fiduciaries must adopt “appropriate technical and organisational measures” to ensure that “verifiable” consent is obtained from a parent or lawful guardian of a child prior to processing the latter’s Personal Data. In addition to obtaining verifiable consent, the Draft Privacy Rules also require data fiduciaries to undertake due diligence to ensure that the individual identifying themselves as a particular child’s parent/guardian is an adult.
The Draft Privacy Rules also provide some exemptions when it comes to obtaining verifiable consent for the processing of children’s Personal Data. For one, certain categories of data fiduciaries are exempt from these obligations, such as clinical, mental health and educational establishments, allied healthcare professionals, creches and day care facilities. For the exemption to apply, the processing of a child’s data must be strictly limited to healthcare, education and safety uses that are essential for the child’s well-being and protection. This may hint at more purpose-based exemptions being possible in the future.
What becomes easier: data retention timelines
To date, there has been little to no guidance available on data retention and purging practices, particularly when it comes to Personal Data. In fact, Indian businesses are often unsophisticated in storing, indexing and accessing discrete sets of data. The DPDPA mandates that Personal Data should not be stored if the consent of the data subject has been withdrawn, or if the purpose for which the data was collected no longer subsists. Even so, given the multifarious types of data that businesses in India will collect, additional guidance would be welcome.
It is good news then, that the Draft Privacy Rules contain a good amount of detail on the permitted data retention timelines for different categories of data fiduciaries. Schedule III to these draft rules prescribes bespoke retention periods for e-commerce companies, online gaming platforms and social media companies, and also denotes the purposes for which such data can be retained. In addition, data fiduciaries will need to give 48 hours' notice to data subjects before erasing their Personal Data that is available to the data fiduciary.
The inclusion of different retention periods for different types of data serves as good guidance, and encourages businesses to “map” the data they already hold in terms of how long it will need to be retained. Perhaps most importantly, this will enable Indian businesses to delete or purge data that is no longer relevant or needed with some level of confidence. If the volume of Personal Data stored in various locations decreases, this will hopefully lead to a more secure ecosystem when it comes to potential breaches of data.
What becomes clearer: cross-border data transfers
One of the biggest fears among Indian businesses, if not the biggest, was that the new law would prescribe data localisation. Over the past decade, a number of Indian regulators have demanded that data should be stored within India. This includes the Reserve Bank of India’s view on payment data, the companies regulator’s view on books of account, and the insurance regulator’s mandate to store insurance data within India, among others. This trend poses challenges to Indian businesses, particularly those that are owned by overseas companies, in their day-to-day operations.
The DPDPA does not mandate data localisation. An earlier draft version of the privacy law suggested a “whitelist” mechanism, pursuant to which the Indian government would prescribe the jurisdictions to which data could be transferred. The final DPDPA goes the other way, and requires the government to specifically bar data transfers to a particular jurisdiction, under a “blacklist” mechanism. In addition, there are no requirements to enter into DPAs or SCCs or similar while transferring data outside of India (although this requirement may change in the future).
As was clarified in the parent law, there are no overarching restrictions even in the Draft Privacy Rules on the transfer of Personal Data outside India. That said, the central government retains the power to specify restrictions in cases where such Personal Data is made available to any foreign state, or to any instrumentality of a foreign state. In addition, Significant Data Fiduciaries will need to adopt measures to ensure that certain Personal Data (as identified by the government, but as yet unspecified) is not transferred outside India.
The wild card: privacy v artificial intelligence
A crucial aspect of the new DPDPA is how it will impact emerging sectors and technologies. Over the last few years, artificial intelligence (AI) has become more and more integral to various businesses. As AI continues to evolve and develop, applying laws such as the DPDPA to its systems and processes becomes a challenge in itself. The Indian government has repeatedly confirmed that it is not planning to regulate AI as a product or service. An EU-style AI law is not currently contemplated, but sectoral laws and the new privacy statute will impact how businesses can use AI.
There are quite a few touchpoints between Personal Data and AI. In the first instance, Personal Data is often used to train AI models. The Delhi High Court is currently hearing a challenge to OpenAI’s use of copyrighted content to train its AI models. Similar issues may arise if Personal Data of Indian individuals is used to train or otherwise develop AI – it is unclear if this fits into any of the current legitimate uses under the DPDPA. But without any alternative routes, AI companies may continue to access Personal Data of individuals to train their models.
On the other hand, AI tools can be applied to Personal Data sets and used to analyse, forecast and make automated decisions about individuals. Automated data processing and decision-making is often faster and cheaper, and does away with the need for human involvement. At the same time, such processing and decision-making remain susceptible to bias, discrimination and abuse. Such processing may also violate the principles that underlie the DPDPA, including “data minimisation”.
Finally, unlike in cases where Personal Data is processed by human agents, it is often difficult to identify and control processing activity that is carried out by automated systems. As such, the interplay of the DPDPA and AI will depend heavily on how the government and the new Data Protection Board view and prescribe such interplay. It will be up to the regulators to interpret the DPDPA in ways that do not hinder AI development, while at the same time working to protect the interests of individual data subjects. That said, it is undeniable that not all answers to this conundrum are evident at this time.
What companies need to do
With the DPDPA close to implementation, Indian businesses will need to make a start on data privacy compliance. Most Indian businesses will have obligations under the new DPDPA, mainly relating to securing data, obtaining clear consent from data principals, managing data breaches, and protecting vulnerable groups such as children. Companies that are well prepared not only minimise the risk of legal fines and enforcement, but also foster greater trust among their customers and stakeholders. To stay ahead, businesses active in India should start conducting a “gap analysis” and data audits to assess their current readiness and address any gaps before the rules are enforced.
2nd Floor, Hague Building
Dr SS Ram Gulam Marg
Ballard Estate
Fort
Mumbai – 400 001
India
+91 22 6177 2900
practicemanager@btgadvaya.com btgadvaya.com