Current Law

At present, the Information Technology Act, 2000 (the “IT Act”) is the parent legislation under which the delegated legislation – the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the “SPDI Rules”) – provides the framework for data protection and privacy. The SPDI Rules are outdated and are due to be overhauled by dedicated legislation on data protection, called the Digital Personal Data Protection Act, 2023 or the DPDP Act (the “upcoming law”), which was introduced in August 2023.

For context, the IT Act contains specific provisions on privacy and data protection. For instance, Section 72 imposes a penalty for breach of confidentiality and privacy, and Section 72A imposes a penalty for disclosure of information in breach of a lawful contract.

Section 43A imposes a liability on a “body corporate” (ie, a company, firm, sole proprietorship or other association of individuals engaged in commercial or professional activities) to pay damages by way of compensation for any negligence in implementing and maintaining reasonable security practices and procedures that may result in wrongful loss or wrongful gain to any person. Given the requirement of maintaining reasonable security practices and procedures under Section 43A, the government notified the SPDI Rules in 2011, stipulating the requirements for data protection by body corporates in India. The IT Act read with the SPDI Rules forms the current data protection regime in India.

The SPDI Rules apply to the collection and processing of personal information, which means any information that – directly or indirectly, in combination with other information available or likely to be available to a body corporate – is capable of identifying such person. Personal information is further categorised into sensitive personal data or information (SPDI), which consists of information relating to passwords, financial information, physical, physiological and mental health conditions, sexual orientation, medical records and history, and biometric information, among others. This distinction between personal information and SPDI is important because the requirements and obligations on body corporates for handling personal information and SPDI are different under the SPDI Rules.

Updating Data Protection Regulation

Given the need to update the SPDI Rules due to their inherent gaps and rudimentary nature, the regulatory landscape for data protection, privacy and cybersecurity in India is gradually shifting towards ensuring and enforcing data protection in business operations, with the Supreme Court recognising the “right to privacy” as a fundamental right under the Indian Constitution in 2017, in the case of Justice K.S. Puttaswamy (Retd) v Union of India. This case was monumental and served as the impetus for the government to implement a dedicated data protection framework for India.

Introduction of the Upcoming Law

After several years of contemplation and multiple iterations through draft bills, the Parliament passed the DPDP Act in August 2023 to serve as the first dedicated legislation for data protection and privacy in India. The DPDP Act will replace the SPDI Rules once it comes into force, with any processing of personal information or data continuing to be governed by the SPDI Rules in the meantime.

The DPDP Act provides a principles-based framework for the processing of “digital” personal data – ie, personal data in digital form about an individual who is identifiable by or in relation to such data. It also applies to non-digital personal data that is digitised subsequently. Unlike the SPDI Rules, the DPDP Act does not subcategorise personal data into sensitive personal data.

Several obligations under the DPDP Act will be operationalised through the delegated legislation or “rules” to be issued under the DPDP Act, such as cross-border transfer, notice requirements, notification of “Significant Data Fiduciaries”, treatment of children’s data, consent managers, etc.

Draft Rules Under the DPDP Act

Nearly two years after the introduction of the DPDP Act, in January 2025 the Ministry of Electronics and Information Technology (MeitY) published the draft of the Digital Personal Data Protection Rules, 2025 (the “Draft DPDP Rules”), which was open for public comment until 5 March 2025. At present, these rules are in the draft stage and will be finalised after the stakeholder consultation process; they will then become effective upon their notification in the official gazette. The Draft DPDP Rules may undergo further changes considering public and stakeholder comments before they are finalised and notified.

Notable provisions proposed in the Draft DPDP Rules include the following.

Notice

The DPDP Act requires every request for consent to be accompanied or preceded by a notice. As per the Draft DPDP Rules, this notice must be provided in clear, plain language, and must be presented independently of any other information. The notice must provide an itemised description of the personal data sought to be processed, its specified purpose, an itemised description of the goods or services to be provided, a communication link for accessing the website and/or app, and a description of any other means for enabling the withdrawal of consent, the exercise of rights and making a complaint to the Data Protection Board of India.

The proposed requirements of providing “itemised descriptions” and independent presentation of the notice are more onerous than in the EU GDPR.

Notification of personal data breach

Upon becoming aware of a personal data breach, a Data Fiduciary (an entity who alone or in conjunction with another entity determines the means and purpose of the processing of personal data) must inform, without delay, each affected Data Principal (an individual to whom the personal data relates) and the Data Protection Board of India (DPB – an independent adjudicating body that will enforce the DPDP Act) about the nature and extent of the breach, potential consequences, mitigation measures, safety measures and business contact information of an individual who can respond to their queries. After this, a detailed report will have to be submitted to the DPB within 72 hours (unless an extension is granted by the DPB upon a written request) with updated information about the breach, mitigation and remedial measures, findings regarding the person responsible for the breach, and a report about the Data Principal notification. The proposed requirements of notifying affected Data Principals and double reporting to the DPB is onerous. These proposed reporting requirements are also in addition to requirements to report breaches to a separate authority under cybersecurity regulations.

Verifiable consent

Verifiable consent of a parent/lawful guardian will have to be obtained before processing the personal data of a child or a person with disability. As per the Draft DPDP Rules, appropriate technical and organisational measures would have to be adopted to ensure that verifiable consent of the parent is obtained before the processing of a child's personal data. The DPDP Rules also provide mechanisms to verify parental consent through identity details of the parent available to the Data Fiduciary, or through voluntarily provided identity and age details of the parent or a virtual token mapped to the same, issued by an entity authorised by law/government, including through a digital locker service provider. Due diligence must be undertaken to ensure that the person identifying as the parent is an identifiable adult and that the lawful guardian is appointed by a court or competent authority as per the Indian guardianship law.

Reasonable security safeguards

It has been proposed that minimum baseline safeguards must be adopted by a Data Fiduciary, such as encryption, obfuscation of virtual tokens mapped to that personal data, and visibility on the accessing of personal data. No specific standards have been prescribed.

Cross-border transfer

The government may direct, by general or special orders, Data Fiduciaries to meet certain specific requirements (or restrictions) for transferring personal data to foreign states or entities under the control of such states.

Additional obligations for Significant Data Fiduciaries (SDF)

SDFs are a category of a Data Fiduciary that will be notified by the government based on its assessment of factors listed in the DPDP Act. The Draft DPDP Rules require SDFs to undertake audits and Data Protection Impact Assessments (DPIA) annually, and to ensure that a report regarding these activities is submitted to the DPB. Furthermore, due diligence will have to be exercised to verify that the “algorithmic software” deployed by an SDF for personal data processing does not pose risks to the Data Principal’s rights. The government can specify certain personal data sets and traffic data that cannot be transferred outside India, based on the recommendations of a committee constituted by the government; in effect, this is a data localisation requirement for an SDF.

Consent managers

The DPDP Act allows a Data Principal to give, manage, review or withdraw consent through a Consent Manager. The Draft DPDP Rules stipulate the registration requirements and obligations of such Consent Managers, including that they must be incorporated in India and have sufficient capacity to fulfil their obligations, including technical, operational and financial capacity. These Consent Managers are also required to onboard Data Fiduciaries onto their platform to send requests to users and avoid any conflict of interest with Data Fiduciaries in respect of managerial personnel having directorship or financial interests. Onboarding with a Consent Manager is not mandatory.

Timelines for erasure of data

The Draft DPDP Rules mandate that e-commerce platforms with at least 20 million registered users in India, online gaming intermediaries with at least 5 million registered users in India, and social media intermediaries with at least 20 million registered users in India must erase a Data Principal’s personal data if the Data Principal has not engaged with the Data Fiduciary for the performance of the specified purpose, or exercised their rights regarding the processing, for a period of three years, whichever is the latest. A Data Fiduciary is also required to notify the Data Principal at least 48 hours in advance about the scheduled erasure. No clarity is available on timelines for other types of Data Fiduciaries.

The DPDP Act allows the government to implement the provisions in a phased manner by appointing different dates for the coming into force of different provisions of the DPDP Act. The Draft DPDP Rules also propose that the provisions pertaining to the functioning of the DPB will come into effect immediately upon notification of the rules. However, the more critical provisions for Data Fiduciaries – such as the manner of providing notice, treatment of children’s data, designation of Significant Data Fiduciaries, etc – will come into effect later. According to unofficial reports, the government has indicated that it will provide a period of two years to transition to the requirements under the DPDP Act.

Cybersecurity and Sectoral Laws

The IT Act imposes a cybersecurity reporting requirement. The IT Act read with the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “CERT-IN Rules”) and the Directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet (the “CERT-IN Directions”) comprise the cybersecurity regulations in India. The cybersecurity reporting requirements get triggered in case of a “cybersecurity incident” and are in addition to the reporting requirements in the DPDP Act, once that comes into force. The CERT-IN Rules and the CERT-IN Directions apply to cybersecurity incidents including but not limited to data breaches, data leaks, unauthorised access of IT systems, ransomware attacks, identity thefts, etc.

In addition, sectors such as finance, telecommunications, securities, insurance, etc, are governed by specific regulations that impose data protection requirements on regulated entities.

Current Data Protection Law

While the SPDI Rules do not specify a regulator per se, an adjudicating officer (AO) is appointed under the IT Act to judge whether any person has committed a contravention of any of the provisions of the IT Act or any of the rules made thereunder, which renders such person liable to pay a penalty or compensation.

Upcoming Data Protection Law

The DPB will be established under the DPDP Act, and will operate at the national level. The DPB will be a body corporate that will function as an independent body as per the procedure provided in the rules to the DPDP Act.

Cybersecurity Law

The Indian Computer Emergency Response Team (CERT-IN) serves as the national agency for incident response and performs functions such as:

• the collection, analysis and dissemination of information on cyber incidents;
• forecast and alerts of cybersecurity incidents;
• advising on emergency measures for handling cybersecurity incidents; and
• co-ordinating cyber incident response activities.

It also issues guidelines, advisories and vulnerability notes relating to information security practices, procedures, prevention, response and reporting of cyber incidents.

Sectoral Laws

In addition to the above, there are sectoral regulators that enforce data protection regulations in their respective sectors, such as:

• Reserve Bank of India (RBI) for the banking sector;
• AOs appointed under the Telecommunication Act, 2023 (the “Telecom Act”) for the telecoms sector;
• the Securities and Exchange Board of India (SEBI) for the securities market; and
• the Insurance Regulatory and Development Authority for the insurance sector.

Current Data Protection Law

Under the current regime (ie, the IT Act and the SPDI Rules), an AO holds the power of a civil court, and proceedings before AOs are deemed judicial proceedings. While deciding the quantum of compensation, AOs are required to consider:

• the amount of unfair advantage resulting from the default;
• the amount of loss caused to any person resulting from the default; and
• the repetitive nature of the default.

The IT Act does not stipulate the maximum fine for contravention of the SPDI Rules, simply stating that the body corporate would be liable to pay damages by way of compensation to the affected person.

Section 72A of the IT Act imposes a fine of up to INR25 lakhs (approximately USD29,000) for disclosing personal information obtained under a lawful contract to another person without consent and with the intent to cause wrongful gain or loss, or in violation of the contract.

Upcoming Data Protection Law

Under the DPDP Act, the DPB will have the power to:

• inquire into a personal data breach;
• direct urgent remedial or mitigation measures in the event of a personal data breach;
• impose penalties for such breaches; and
• function as a civil court in respect of:
1. summoning, enforcing the attendance of, and examining any person;
2. receiving evidence;
3. inspecting any data, book, document, etc; and
4. any other matters that may be prescribed through rules.

Upon the communication of a personal data breach, a complaint from a Data Principal or a reference made by the government regarding a breach in observing directions made to an intermediary, the DPB will determine if there are sufficient grounds to proceed with the inquiry and record its reasons for its actions during the inquiry. The DPB cannot prevent access nor seize any equipment capable of adversely affecting the daily functioning of a person.

The DPB will function as an independent digital office and would adopt the techno-legal measures as may be prescribed in the rules. The Draft DPDP Rules do not specifically propose such measures and simply state that the DPB may adopt techno-legal measures that do not require the physical presence of any individual. This, however, will not affect that power of the DPB to summon and enforce attendance.

The DPDP Act prescribes monetary penalties of INR50 crore (approximately USD5.75 million) up to INR250 crore (approximately USD28.5 million) depending on the nature of the contravention of provisions of the DPDP Act.

Cybersecurity Law

For non-compliance with the cybersecurity requirements under the CERT-IN Directions, the IT Act prescribes imprisonment for up to one year or a fine of up to INR1 crore (approximately USD116,000), or both.

Orders pertaining to contravention of the SPDI Rules issued by the AO are infrequent and pertain to negligence in implementing and maintaining reasonable security practices and procedures, causing wrongful loss or wrongful gain to any person. According to the publicly available orders, AOs have awarded compensation ranging from INR50,000 to INR1.3 crore (approximately USD575 to USD150,000). These cases largely pertained to telecoms service providers, banks and other financial institutions.

While there is information about investigations and probes conducted by the CERT-IN, there is no publicly available information regarding any fines imposed by the CERT-IN in case of a cybersecurity incident.

Once the DPDP Act comes into force and the DPB becomes fully operational, the jurisprudence in this area will develop further.

At present, there is no specific law pertaining to the regulation of AI in India. However, the development, deployment and use of AI technologies are subject to prevailing laws and regulations in other areas of law, such as data protection, intellectual property, intermediary liability, etc. Moreover, any entity deploying AI that qualifies as an intermediary under the IT Act would have to comply with the due diligence requirements provided in the Information Technology (Intermediary Guidelines) Rules, 2021 (the “IT Rules 2021”).

The government has launched various initiatives towards harnessing the potential of AI in India. In 2023, it proposed a statutory framework called the Digital India Act (DIA), which will purportedly regulate emerging technologies including AI. While no draft of the DIA has yet been circulated, the MeitY shared a presentation during stakeholder meetings conducted in 2023, according to which the DIA seeks to regulate emerging technologies such as AI/ML and Virtual Reality/Augmented Reality, focusing on hi-risk AI systems through a legal, institutional quality testing framework to examine regulatory models, algorithmic accountability, zero-day threat and vulnerability assessment, AI-based ad-targeting, content moderation, intermediaries through an updated framework, etc.

A report on AI Governance Guidelines Development (the “AI Report”) was published in January 2025, for public consultation, by the subcommittee of the Advisory Group that was created by the government to develop an India-specific regulatory framework for AI, analyse gaps and offer recommendations for developing a regulatory framework for AI governance in India.

The AI Report proposes the following principles for responsible AI governance based on international guidelines and Indian frameworks:

• transparency – adequate information must be provided to the user of an AI system;
• accountability – developers and deployers must take responsibility for AI outcomes;
• safety, reliability and robustness – AI systems must be resilient to risks, errors, misuse, etc;
• privacy and security – applicable data protection laws must be complied with, to maintain users’ privacy;
• fairness – AI systems must be fair and inclusive, and should not perpetuate biases and prejudices;
• human-centred values – AI systems should be subject to human oversight;
• inclusive innovation – AI should promote sustainable growth; and
• digital by design governance – technology must be leveraged for regulation and to ensure compliance with applicable law.

The subcommittee conducted a gap analysis and examined the issues and concerns surrounding deepfakes, cybersecurity and privacy in general, among other matters, such as copyright infringement and the antitrust dynamics of AI under current law. Furthermore, the report states that mechanisms should be in place for data quality, data integrity and “security-by-design”.

The AI Report proposes the following recommendations to fill the gaps identified in the report:

• establishing an interministerial AI co-ordination committee/governance group and adopting a whole-of-government approach to unify efforts of various AI governance authorities and institutions at the national level;
• setting up a technical secretariat as a technical advisory body to support the governance group;
• setting up an AI incident database to monitor real-world AI problems and their impact;
• engaging with the industry to adopt voluntary transparency commitments in a manner that complements the existing legal framework;
• examining the appropriateness and viability of the technical measures to strengthen compliance and enforcement tools across AI ecosystems; and
• forming a subgroup to work with MeitY on strengthening the legal framework for digital industries under the DIA.

AI and data protection are interconnected, since AI relies on datasets to generate output. These datasets often contain personal information or data, and are used during all stages of AI training, development, deployment and use. Accordingly, any development and use of AI would have to comply with the data protection laws and cybersecurity laws in the country, particularly for the collection, processing and storage of data.

Impact of DPDP Act on AI

With the introduction of the DPDP Act, the focus of data protection is set to move to consent-based processing. The term “processing” has been defined broadly in the DPDP Act to mean a “wholly or partly automated operation or set of operations performed on digital personal data”, including operations such as collection, recording, organisation, storage, adaptation, retrieval, use, sharing, dissemination or erasure. Accordingly, consent will have to be obtained for the processing of personal data obtained from users, developers and third parties, and while scraping from private databases.

The DPDP Act will not apply if the AI platform uses publicly available personal data and if the processing is done for statistical, research and archival purposes. In addition, the transfer of personal data from India to other countries would be subject to the requirements and restrictions under the data protection laws, which may play a crucial role in the development of indigenous infrastructure and practices surrounding AI technologies.

As noted in 1.5 AI Regulation, the need to comply with the data protection laws has also been recognised in the AI Report.

Impact of Cybersecurity Laws on AI

From a cybersecurity perspective, the developers and deployers of AI technology would have to ensure that they have reasonable security safeguards in place to prevent any cybersecurity incidents such as data breaches, data leaks, attacks on IoT devices, attacks or malicious activities affecting systems, servers, software or applications related to AI, and machine learning. The CERT-IN also requires service providers and companies to enable logs of all ICT systems, and to maintain them in India.

Any regulatory and legal framework that is being developed to govern and harness the potential of AI technologies would have to be cognisant of these considerations, and would also have to take into account the practical implications at the organisational and user levels.

In 2017, in the case of Justice K.S. Puttaswamy (Retd) v Union of India, a nine-judge bench of the Supreme Court declared that the “right to privacy” was a fundamental right under the “right to life” provided in the Indian Constitution. The Court recognised the importance of protecting one’s identity and information, as well as the freedom to share or withhold such information as per an individual's choice. However, fundamental rights are subject to restrictions. According to the Court, invasion of the right to privacy must meet the following three-fold requirement:

• legality in terms of the existence of law to justify the encroachment;
• necessity in terms of a legitimate state aim, such that the law meets the test of reasonability identified in the Indian Constitution, which provides a guarantee against arbitrary state action; and
• proportionality of means adopted for meeting the object of the law.

Since the Puttaswamy judgment, privacy litigation in India has gained momentum, with various facets of privacy being recognised through cases filed before the High Courts of states in India. Recent cases upholding the right to privacy include the following.

Right to Be Forgotten

There is no formal recognition of this right under Indian data protection laws. The DPDP Act provides the right to the erasure of information but does not include the right to be forgotten within its ambit. However, various courts in India have upheld this right in judicial pronouncements. In ABC v State & Anr, the Delhi High Court recently directed the Court Registry to remove the name of the petitioner and one of the respondents from court records and its search results from public search engines in light of the fundamental right to privacy and the right to be forgotten when the criminal proceedings in the case had been quashed by the Court.

However, in Ikanoon Software Development Pvt Ltd v Karthick Theodore & Ors., the Supreme Court of India recently stayed an order passed by the Madras High Court that had directed the legal search engine Indian Kanoon to remove a judgment from its website (instead of just the personal details), citing the right to be forgotten. According to news reports, while hearing the matter, the Supreme Court orally remarked that redacting personal details in sensitive cases could be justified but removing the entire judgment would be excessive. The matter is pending before the Supreme Court as of January 2025.

Spousal Privacy

Spousal privacy has been upheld in various cases before the High Courts in India. In R v B, the Madras High recently ruled that the collection of call data records of a spouse without her consent cannot be admitted as evidence in court due to her right to privacy.

Privacy of Rape Victims

The Supreme Court recently directed that all references to the name of the victim in a murder and alleged rape case promptly be removed from all social media platforms and electronic media, along with any photographs and video clips depicting the deceased. After this order and given the sensitive nature of the case, the MeitY issued a press release urging all social media companies to ensure that such sensitive information is not further disseminated.

Data Breaches

In the matter of Star Health and Allied Insurance v Telegram Messenger & Ors, wherein Star Health alleged that its customer database was hacked and that personal information including sensitive personal information was being leaked through Telegram, the Madras High Court granted an interim injunction directing Telegram to take down and block all posts or chatbots identified by Star Health. Similarly, in Niva Bupa Health Insurance Company Limited v Telegram, the Delhi High Court recently granted an ad-interim injunction directing platforms, including Telegram, to block and disable accounts linked to an anonymous entity that threatened to leak sensitive personal data of the customers of the insurance company.

Doxing

While addressing a case where the plaintiff claimed that her private information was maliciously disclosed online after she posted a tweet about a political figure, the Delhi High Court emphasised the significant privacy risks and potential harms associated with such acts. The Court noted that since the tweet was not anonymous it did not qualify as doxing, but directed the social media platform to remove defamatory tweets and disclose the Basic Subscriber Information of the accounts involved.

Deepfakes and AI

Various Indian courts have deliberated upon the misuse of AI tools and applications, particularly in respect of celebrities. While most of these cases have addressed the issue of violation of personality rights by using deepfakes, these cases have also commented upon the celebrities’ right to privacy.

Big Tech and Antitrust

The Competition Commission of India (CCI) imposed a penalty on Meta under the Competition Act, 2002 for abusing its dominant position in relevant markets for “online display advertising” and “OTT messaging apps through smartphones”. The CCI observed that WhatsApp’s privacy policy, which required users to accept expanded data collection and share terms with other Meta companies, was being implemented on a “take-it-or-leave-it” basis, thereby limiting user choice and transparency.

Recent litigation in India has addressed the following topics.

• Courts have declared that the right to privacy includes the right to be forgotten and accordingly the right to gain access to information must be balanced against the right to privacy of an individual, especially if no public interest is being served by keeping the information public.
• While the term “doxing” has not been defined in Indian law, such acts can result in violation of the right to privacy. Accordingly, a balance needs to be maintained between access to open information and the safeguarding of privacy. In the absence of a legal framework addressing the issue of doxing, the courts can resort to the law of tort to uphold the right to privacy.
• The right to privacy also includes spousal privacy, which is accordingly protected under the Constitution of India.
• The victims of violence cannot be divested of their fundamental right to privacy.
• Celebrities enjoy a right to privacy, and unauthorised or malicious use of their name, voice, dialogues and images illegally, including for commercial purposes, cannot be permitted due to their personality rights.

Indian laws provide for class action suits to be filed before civil courts, where one or more persons can institute a class action lawsuit on behalf of other persons with the same interests, with the permission of the court.

However, there are no provisions in the IT Act, the SPDI Rules or the DPDP Act that provide for collective redress in India; in fact, the DPDP Act specifically restricts the jurisdiction of civil courts to entertain suits or proceedings in respect of any matter that is within the jurisdiction of the DPB. The DPDP Act also states that courts and regulatory authorities are prohibited from granting any injunction in respect of any action taken or to be taken in pursuance of any power provided under the DPDP Act.

However, Indian courts recognise the concept of public interest litigation, which can be filed by a person or group for public good and for the enforcement of their fundamental rights (which includes the right to privacy).

There is no dedicated regulation governing the use of IOT services and the rights and obligations of data holders and data processing services; various laws and regulations across sectors cover data regulation for these services.

Telecommunication Law

The Telecom Act addresses the development, expansion and operation of telecommunication services and telecommunication networks, and also governs matters connected thereto. The term “telecommunication” is defined broadly in the Telecom Act to include IOT services within the scope of the Telecom Act. However, not all provisions of the Telecom Act have yet come into force.

The Department of Telecommunications (DoT) regulates and grants licences for telecommunication services in India. These licences have been issued under the erstwhile legislation governing telecommunication in India, which remains in force for a period (specified in the Telecom Act) until it migrates to the new requirements under the Telecom Act.

Under the licence (ie, Unified Licence, or UL), operational, commercial, financial, security and technical conditions applicable to all service categories have been provided, including:

• a requirement for licensees to retain all commercial records/Call Detail Records/Exchange Detail Records/IP Detail Records with regard to the communications exchanged on the network;
• a prohibition on employing bulk encryption equipment in their network;
• taking steps to ensure the confidentiality of customer information; and
• being responsible for ensuring the protection of privacy of communication and that unauthorised interception of messages does not take place.

There are also specific requirements for the services covered within the ambit of the UL, such as access services, internet services and machine-to-machine services.

Several rules have been notified under the Telecom Act, such as the Telecommunications (Telecom Cyber Security) Rules, 2024 (the “Telecom Cybersecurity Rules”), which will also have to be complied with while providing IoT services. Even if these obligations do not apply to the IoT service providers directly, the obligations may contractually trickle down to such service providers from the telecom service providers. Separately, the Telecom Regulatory Authority of India (TRAI) has also deliberated on various issues that impact IoT/M2M services in India.

Based on these deliberations, the Guidelines for registration process of “Machine to Machine” service providers & WPAN/WLAN Connectivity Provider for M2M Services (the “M2MSP Guidelines”) regulate M2M services in India and address concerns relating to their interface with telecom service providers, security, encryption, etc. These guidelines require entities to register themselves with the DoT and comply with, among other things, the Know-Your-Customer (KYC) and related guidelines and maintenance of customer data requirements. The guidelines also mandate technical and security measures to ensure the protection of communication and data privacy.

Information Technology Law

Although the IT Act does not specifically mention the term “internet of things”, its provisions apply to IoT devices and services in several ways. For instance, in respect of data protection, the SPDI Rules (and subsequently the DPDP Act) would apply to processing personal data in providing such services.

Furthermore, the CERT-IN Rules and the CERT-IN Directions, as well as the reporting requirements, apply to such services from a cybersecurity perspective. Cloud service providers are required to register accurate information, such as the names of subscribers hiring the service, period of hire, IP addresses allotted to them, and validated addresses and contact numbers.

IoT platforms that qualify as intermediaries would also be subject to the due diligence requirements under the IT Rules 2021, including:

• prominently publishing the privacy policy and user agreements on the website/app;
• making reasonable efforts to ensure that prohibited or harmful information is not hosted, uploaded or published through such platforms;
• taking down content upon receiving actual knowledge of the unlawful content/information being stored, hosted or published by the intermediary;
• retaining user registration information for 180 days; and
• securing computer resource and information contained in it.

Sectoral Laws

IoT services would also be subject to the requirements under sectoral laws. For instance, IoT-based payment systems would have to comply with the RBI guidelines for secure transactions and data storage. In fact, the mandate on tokenisation of card details on devices has also recently been extended to IoT devices.

The Guidelines for acquiring and producing Geospatial Data and Geospatial Data Services including Maps (the “Geospatial Guidelines”) regulate the collection, use and acquisition of geospatial data and maps of India in product content and materials being offered to Indian customers. According to these guidelines, entities do not require prior approval, clearance or a licence for the collection, generation, preparation, dissemination, storage, publication, updating and/or digitisation of geospatial data and maps in India, apart from the requirements mandated under the Geospatial Guidelines. These guidelines impose restrictions in the form of indicating a “negative list of attributes” and a “threshold value” for spatial accuracy of geospatial data and maps.

Foreign entities are prohibited from generating geospatial data or maps at a scale finer than the threshold value specified in the Geospatial Guidelines. However, geospatial data or maps created at a coarser scale, resolution or accuracy are permitted for foreign companies.

Since there is no dedicated statute on data regulation for IoT services and data processing services, the data protection requirement will flow from data protection laws in India, since such services handle both personal and non-personal data sets. Accordingly, entities offering such services would have to comply with consent, notice, disclosure, transfer and reasonable security-related requirements under the data protection law of India. Furthermore, IoT systems and data processing services will also be subject to various cybersecurity rules.

The general obligations and rights stipulated in the SPDI Rules and the DPDP Act would apply to the processing of personal data by IoT service providers.

Current Data Protection Law

The SPDI Rules provide the right to review the information, and ensure that any information found to be inaccurate or deficient is corrected or amended. These rules also provide the right to withdraw consent and the right to grievance redressal to the provider of information. The obligations for body corporates include:

• providing a privacy policy on the website;
• collecting SPDI only with written/electronic consent;
• not retaining SPDI for longer than is required for the purposes for which the information may lawfully be used;
• compliance with disclosure and transfer-related requirements; and
• implementing reasonable security standards.

Upcoming Data Protection Law

Under the DPDP Act, a Data Principal has the right to access (on request) a summary of personal data and processing activities, the identities of all Data Fiduciaries and Data Processors, and any other information that may be prescribed through rules. The right to the correction, completion, updating and erasure of personal data, and the right to withdraw consent, have also been provided for consent-based processing of personal data. The right to grievance redressal and the right to nominate another person in the event of death or incapacity are available irrespective of the bases for the processing of personal data.

As far as obligations under the DPDP Act are concerned, a Data Fiduciary is required to process personal data only for a lawful purpose. Furthermore, a notice needs to be provided for consent-based processing of personal data. The DPDP Act also stipulates general obligations for a Data Fiduciary, including but not limited to:

• general compliance with the provisions of the DPDP Act, including for processing undertaken by a Data Processor (engaged through a valid contract);
• implementing appropriate technical and organisational measures;
• taking reasonable security safeguards to prevent personal data breaches;
• notifying the affected Data Principal and the DPB regarding any personal data breach; and
• establishing grievance redressal mechanisms.

The Draft DPDP Rules further elaborate on some of these obligations, including, for instance, stipulating minimum baseline security measures that must be adopted by a Data Fiduciary.

Cybersecurity Law

The CERT-IN Directions require cloud service providers to register accurate information pertaining to the following and to maintain it for five years or a longer period as may be required under law after the cancellation or withdrawal of registration:

• validated names of subscribers or customers who are hiring the services;
• the period of hiring such services, including dates;
• IP addresses allotted to/being used by the members;
• email address, IP address and time stamp used at the time of registration/onboarding;
• the purpose for hiring services;
• validated address and contact numbers; and
• the ownership pattern of the subscribers/customers hiring services.

Sectoral Law

Obligations under sectoral laws will also apply. For instance, the M2MSP Guidelines provide technical and security conditions that must be adhered to for providing M2M services in India, including:

• adhering to KYC-related guidelines;
• ensuring quality of service;
• providing details of the authorised telecom licensee from which connectivity has been sourced;
• ensuring protection of privacy of communication and data as per applicable law; and
• providing a decryption facility for the content riding on its network as and when required by the authorities.

The UL also stipulates certain conditions, such as maintaining log-in/log-out details of all subscribers for a minimum period of two years. Furthermore, the Framework for Adoption of Cloud Services by SEBI Regulated Entities (the “Cloud Service Framework”) provides guidelines on the cloud framework that must be adopted by entities regulated by SEBI for maintaining data privacy, security and regulatory compliance.

Please see 1.2 Regulators.

There are no laws that specifically regulate the use of cookies in India.

Both current (SPDI Rules) and upcoming (DPDP Act) data protection laws apply to identifiable personal information. Accordingly, cookies would only be governed by the SPDI Rules and later by the DPDP Act if such cookies qualify as personal identifiable data or information. Accordingly, all corresponding obligations relating to the processing of personal data will also apply to the use of cookies if they qualify as identifiable personal data or information.

Current Data Protection Law

Given the rudimentary framework of the SPDI Rules, marketing and personalised advertisements have largely remained unregulated in India. Having said that, when the DPDP Act comes into force, the general principles recognised therein – such as data minimisation, consent-based processing, etc – would apply to such advertisements and marketing practices, and would require entities to revisit the policies and practices concerning programmatic advertising and reliance on third parties for data.

Upcoming Data Protection Law

The DPDP Act prohibits a Data Fiduciary from undertaking tracking or behavioural monitoring of children or targeted advertising directed at them. However, the government can notify purposes and classes of Data Fiduciaries that can be exempted from the restriction on tracking or behavioural monitoring of children or targeted advertising directed at children subject to conditions prescribed by it. The government can also notify a lower age for children (ie, lower than 18 years, which is the age of majority in India) for processing if it is satisfied that the Data Fiduciary has ensured that the processing of personal data of children is carried out in a “verifiably safe” manner. Such Data Fiduciaries may be exempted from compliance with the restriction on tracking or behavioural monitoring of children or targeted advertising directed at children, among other things.

Current Data Protection Law

The SPDI Rules do not specifically govern employment-related personal data, which would broadly be governed by the requirements that are applicable to personal information or SPDI, depending on the nature of such data. For instance, name, address, age, etc, would be considered personal information and would be subject to the requirements applicable to personal information under the SPDI Rules. However, biometric information collected for attendance, financial information, etc, would be considered SPDI under the SPDI Rules, requiring written/electronic consent to be obtained before the collection of such information.

Upcoming Data Protection Law

Unlike the SPDI Rules, the DPDP Act specifically deals with personal data processed for employment purposes. The DPDP Act recognises two bases for the processing of personal data – namely consent and non-consent based “certain legitimate uses”.

One of the legitimate uses identified in the DPDP Act is “for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee”.

The DPDP Act does not define the phrase “employment purpose”, which will become clear once jurisprudence develops on this aspect. This means that the personal data can be processed without seeking consent or providing corresponding rights that apply to consent-based processing if such processing can be justified for the purpose of employment or for safeguarding the employer from any loss or liability.

There are no specific guidelines or regulations on the transfer of personal data in asset deals in India. Accordingly, any transfer of personal data in asset deals in India would be governed by the general data protection laws and the applicable sectoral laws.

However, the DPDP Act has made certain carve-outs or exemptions for personal data processing requirements that would be relevant to asset deals. Under the DPDP Act, the provisions pertaining to the obligations of a Data Fiduciary (except the general obligation of complying with the DPDP Act and taking reasonable security safeguards to prevent personal data breach), the rights and duties of Data Principals and transfer-related requirements of personal data do not apply if the processing is necessary for the following:

• a scheme of compromise, arrangement, merger or amalgamation of two or more companies;
• a reconstruction by way of demerger or otherwise;
• the transfer of undertaking of one or more company to another company; or
• the division of one or more companies, approved by a court or tribunal or any other competent authority.

Current Data Protection Law

As per the SPDI Rules, an entity or any person on its behalf can transfer personal information and/or SPDI to any other entity or person located in India or abroad if such entity or person ensures the same level of data protection as is required to be adhered to under the SPDI Rules. The transfer would only be allowed if consent has been sought or if it is necessary for the performance of the lawful contract between the entity and the provider of information.

Upcoming Data Protection Law

The DPDP Act, on the other hand, gives the government power to, by notification, restrict the transfer of personal data for processing to such country or territory outside India as may be notified – ie, to provide a negative list of countries to which the transfer of personal data will be restricted. Furthermore, if there is a higher degree of restriction/protection on transfers of personal data outside India in any law (or sectoral regulation) other than the DPDP Act, then this higher regime must be followed. Accordingly, sectoral laws such as those relating to RBI’s payment systems-related data (having data localisation requirements) will continue to be applicable.

However, personal data transfers are exempted from the requirements under the DPDP Act under certain conditions, including but not limited to the following:

• the processing of personal data necessary for the enforcement of a legal right or claim;
• the processing for prevention, detection, investigation or prosecution of any offence or contravention of law in India;
• the processing of personal data of Data Principals outside India under contracts with persons outside India by individuals or entities based in India; and
• the processing for a merger, amalgamation, demerger or transfer of two or more companies duly approved by competent authorities.

No approvals from the government are required for international data transfers under the SPDI Rules.

However, in the past, the government has been critical of access to information by certain countries and has taken steps to block such access. For instance, in 2020 the government blocked certain mobile applications upon receiving reports about “stealing and surreptitiously transmitting users’ data in an unauthorised manner to servers which have locations outside India”. Similar concerns had also been raised by the Indian Cyber Crime Coordination Centre of the Ministry of Home Affairs. Accordingly, the government decided to block the apps in the interest of the sovereignty, integrity, defence and security of India.

While the DPDP Act does not stipulate any requirement to seek approval for international transfers of data per se, it does give the government wide powers to impose any restrictions on such transfer as it may notify through delegated legislation. Accordingly, the government can always impose the obligation to seek approval for transferring data internationally. Please see 5.5 Recent Developments regarding developments under the Draft DPDP Rules.

There are no data localisation requirements under the SPDI Rules.

There are no specific data localisation requirements under the DPDP Act, but such requirements can be introduced through delegated legislation or rules.

The CERT-IN Directions mandate enabling the logs of all ICT systems and maintaining them securely for a rolling period of 180 days within the Indian jurisdiction. As per the FAQs to the CERT-IN Directions, these logs can be stored outside India if they can be presented to the CERT-IN within a reasonable time.

Sectoral Laws

There are data localisation or access requirements under sectoral laws, some of which are identified below.

Banking

The RBI has a soft data localisation mandate under the Circular on Storage of Payment Data and the associated FAQs, according to which authorised payment system providers are required to store the entire payment data in systems located in India. However, for cross-border transaction data consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad, if required.

Insurance

The Insurance Regulatory and Development Authority of India (Maintenance of Information by the Regulated Entities and Sharing of Information by the Authority) Regulations 2025 require that records related to policies issued and claims made in India shall be held in data centres located and maintained within the country.

Securities

In the Cloud Services Framework, SEBI has mandated that data including logs and any other data/information pertaining to regulated entities in any form stored in the cloud must reside in India; in the case of foreign investors, the regulated entities must keep the original data/transactions/logs and make them available and easily accessible in legible and usable form in India.

A data localisation mandate had also been introduced in the Cybersecurity and Cyber Resilience Framework by SEBI in respect of regulated entities’ regulatory data as well as data in human/application readable form if the data centre is operated outside India. However, after receiving pushback regarding this mandate, SEBI issued a clarification on 31 December 2024 and put the data localisation requirement on hold until further notice.

Telecom

The UL requires a licensee to not transfer any subscriber-related accounting information (except for international roaming/billing) and user information (except pertaining to foreign subscribers using an Indian operator’s network while roaming) outside India.

Corporate

The Companies Act 2013 requires every company to maintain books of account and financial statements for every financial year. Under the Companies (Accounts) Rules, 2014, such information must be accessible in India if maintained in electronic mode. The Consumer Protection (Direct Selling) Rules, 2021 require a direct selling entity to take steps to store sensitive personal data in India.

Section 69A of the IT Act grants the government power to issue directions to block public access to any information in the interest of the sovereignty and integrity of India, security of state, friendly relations with foreign states, etc, if it deems it necessary. The Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009 (the “Blocking Rules”) issued pursuant to this provision outline the procedure that must be followed for blocking content. Under the Blocking Rules, anyone can make a complaint to an intermediary to block content. This complaint will then be shared with a designated officer of the government and will be examined by a government committee, which must make reasonable efforts to reach out to the originator of the content/intermediary. The committee will submit its final recommendations to the relevant Ministry, pursuant to which the designated officer will issue the blocking orders. Confidentiality must be maintained in respect of the complaints and actions taken during the blocking process.

The constitutionality of this provision had been challenged in the case of Shreya Singhal v Union of India before the Supreme Court of India, stating that the originator of the content is not given an opportunity for a pre-decisional hearing, and that the confidentiality requirement was unconstitutional. The Court upheld the validity of this provision and clarified that any action taken under Section 69A must be backed by a reasoned order, such that the order can be challenged. The Court further observed that Section 69A does not require an intermediary to determine the legality of the content and that safe harbour would only be lost if the intermediary failed to take down the content upon a court order or government order.

In addition, the DPDP Act grants the government authority to direct any government agency or intermediary to block access to information generated, transmitted, received, stored or hosted on any computer resource that enables a Data Fiduciary to offer goods or services to Data Principals in India, upon receiving a written reference from the DPB. The government must provide an opportunity for the party concerned to be heard, and must take action only if satisfied that doing so is necessary for the public interest. The government is also required to record its reasons for taking such action.

As noted in 1.1 Overview of Data and Privacy-Related Laws, in January 2025 the government published the Draft DPDP Rules for public consultation. The Draft DPDP Rules impose restrictions on cross-border data transfers for:

• personal data processed within India; and
• personal data processed outside India in connection with offering goods/services to Data Principals within India.

The Draft DPDP Rules also propose that such cross-border transfers would be subject to requirements specified by the government, through general or special orders, for making such data available to foreign states or to entities under the control of such states.

Furthermore, the Draft DPDP Rules propose data localisation requirements for SDFs by implementing measures to ensure that personal data and traffic data, as specified by the government and based on the recommendations of a committee constituted by the government, is not transferred outside India.