The great Indian privacy push

The article discusses India's significant shift towards prioritizing data privacy with the introduction of the Digital Personal Data Protection Act, 2023 (DPDP Act). It highlights the transition from the older Information Technology Act, 2000, to a more comprehensive framework that emphasizes individual control over personal data, the roles of Data Principals and Data Fiduciaries, and the establishment of the Data Protection Board to enforce compliance.
“Privacy is not an option, and it shouldn’t be the price we accept for just getting on the Internet.” Gary Kovacs

INDIA has always had a flair for grand gestures—the Great Indian Wedding, the Great Indian Family, the Great Indian Dream. Now, we are witnessing another uniquely Indian phenomenon: ‘the Great Indian Privacy Push.’ In a country where millions are navigating an increasingly digital world, the debate has shifted beyond mere data ‘collection’ to focus on who ‘controls’ it and how it is safeguarded. With the introduction of a structured privacy framework, India is setting the stage for a digital transformation that prioritizes data ‘protection.’

This push comes at a defining moment, a time when privacy is no longer a luxury but a necessity. Every time we tap ‘I Accept’ without a second thought, or trade our privacy for convenience, we leave behind digital breadcrumbs across the internet, often without realizing who is collecting them or for what purpose. With millions of Indians going about their digital lives this way, trust in those managing our data is no longer optional; it is essential. And now, for the first time, India is responding with a legal framework designed not just to regulate, but to redefine the rules of the game. This is not just a privacy framework; it is a privacy revolution at a scale that only India can attempt.

The Times, They Are A-Changin’: Meaning of ‘personal data’ at the heart of India’s Shift from the IT Act to the DPDP Act

With the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the unveiling of the draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) for public comment, India is moving from a fragmented, sectoral approach to a comprehensive, structured data privacy regime. The transition is under way rather than complete: the Act takes effect on the dates the Central Government notifies, and the Draft Rules may change before they are finalised. As G.K. Chesterton wisely put it, “Before you remove a fence, pause long enough to ponder why it was there in the first place.” Before fully embracing this shift, it is essential to examine where we were and what has changed.


For over two decades, India’s digital privacy framework was governed by the Information Technology Act, 2000 (“IT Act”) and its attendant Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). However, these regulations were primarily designed to address cybersecurity, electronic transactions and the prevention of cybercrime rather than to safeguard individual privacy rights. The SPDI Rules’ consent and security obligations applied only to ‘Sensitive Personal Data or Information’, such as passwords, financial details, health records and biometric data; general personal information attracted little more than a privacy-policy requirement, leaving it largely unregulated.

The DPDP Act significantly expands the scope of protection by defining ‘personal data’ as any data ‘about’ or ‘in relation to’ an individual that makes them identifiable. This broad definition means that even behavioural patterns, geolocation data, license plate numbers and workplace affiliations which may not directly identify an individual and were previously (largely) unregulated, now fall under statutory protection.

A Borderless Regime

In today’s interconnected world, data flows do not stop at national borders, and neither does India’s new privacy framework. The DPDP Act casts a wide net, reaching beyond Indian territory to cover entities anywhere that process the personal data of individuals in India. Specifically, the DPDP Act applies to two scenarios: (i) processing of digital personal data within India, whether the data was collected in digital form or digitised later; and (ii) processing outside India when it is connected to offering goods or services to Data Principals within the territory of India. Personal data that the individual has themselves made publicly available is excluded. This extra-territorial reach means that whether you are a tech giant in Silicon Valley or a boutique analytics firm in Tel Aviv, if you are handling the data of individuals in India in connection with goods or services offered to them, you are bound by Indian privacy law.


‘I Do’ – But Does That Mean Forever? Rethinking Consent in the DPDP Era

In marriage, ‘I do’ is a powerful affirmation, but does it mean unquestioning agreement to every decision that follows? A fundamental shift has taken place in consent mechanisms. The SPDI Rules allowed implied consent, enabling businesses to assume user agreement through continued platform use or passive acceptance of terms of service. Under the DPDP Act, that era is over. Consent must now be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. It must also be as easy to withdraw as it was to give, and a request for consent must be accompanied by a notice stating what data is collected, why, and how the individual can exercise their rights or complain to the Board.

Yet the DPDP Act also acknowledges that explicit consent is not always practical. Enter ‘certain legitimate uses’ (the enacted Act’s term for what the 2022 draft bill called ‘deemed consent’), but with strict guardrails. When a person is rushed to hospital unconscious, doctors can access their medical records without prior approval because survival cannot wait for paperwork. However, accessing your medical records in an emergency does not extend to selling that data to pharmaceutical companies for marketing: the legitimate use is tied to the emergency, not to the data.

Dramatis Personae

Data Principals

Consider how dramatically the landscape has shifted. Where individuals once had limited control over their data under the SPDI Rules, the DPDP Act recasts them as ‘Data Principals’, a term that signals a shift towards individual control (the Act speaks of control and consent, not ownership). You are no longer just a data point in someone else’s database; you have the right to access a summary of the data held about you, to have it corrected, updated or erased, to withdraw consent, to seek grievance redressal, and to nominate someone to exercise these rights on your behalf.


Data Fiduciaries

The DPDP Act introduces ‘Data Fiduciaries’, entities that determine how and why personal data is processed. Think of your favourite e-commerce platform deciding how to use your shopping history. Some of these fiduciaries may be notified by the Central Government as ‘Significant Data Fiduciaries’ based on factors such as the volume and sensitivity of data processed, risk to the rights of Data Principals, and potential impact on sovereignty, security of the State, electoral democracy or public order. The DPDP Act thus creates a tiered system of obligations, recognizing that a neighbourhood grocery store’s data handling needs differ from those of a social media giant. Significant Data Fiduciaries face additional requirements, including appointing a Data Protection Officer based in India, engaging an independent data auditor, and carrying out periodic data protection impact assessments and audits.

The DPDP Act also expands regulatory jurisdiction. The SPDI Rules applied only to ‘body corporates’, meaning government entities and non-corporate organizations were largely exempt. The DPDP Act corrects this, bringing all Data Fiduciaries—public and private—under its regulatory ambit.

For businesses handling personal data, the new regime ushers in an era of enhanced accountability. Data Fiduciaries, from tech startups to traditional businesses, must now treat personal data with the same care as financial assets. Primary obligations include, inter alia, processing data only with consent or for certain legitimate uses; ensuring that the data is accurate and complete where it will be used to make decisions affecting the individual; ensuring processor compliance; responding to Data Principals’ rights requests; and notifying personal data breaches to the Data Protection Board and to each affected Data Principal. Other obligations require implementing reasonable security safeguards; maintaining processing records; erasing personal data once the specified purpose is no longer being served or consent has been withdrawn, unless retention is required by law; and being ready to demonstrate compliance at any time.


Data Processors: The Backbone of Data Handling

While Data Fiduciaries determine the purpose of data processing, Data Processors are the ones who execute it, under strict instructions. They do not have independent authority over personal data—they cannot decide how it is used, shared, or retained beyond what the fiduciary permits. However, their responsibilities are far from insignificant. The DPDP Act ensures that processors are contractually bound to maintain security, confidentiality, and legal compliance.

For example, if a bank (Data Fiduciary) engages a cloud service provider (Data Processor) to analyse customer data for fraud detection, the processor can only use the data for that specific function; it cannot retain, modify or repurpose the information for its own insights. The Data Fiduciary remains accountable for compliance, but the processor must adhere to the security measures and breach-reporting timelines written into the contract, so that the fiduciary can in turn meet its own statutory notification duty.

Meet Your Digital Bodyguards: Consent Managers

Here is where things get interesting. The DPDP Act introduces a new concept of ‘Consent Managers’; think of them as your privacy bodyguards. With a minimum net worth requirement of ₹2 crore and strict operational guidelines (as proposed under the Draft Rules), these are not your neighbourhood cybercafé operators. They are meant to be registered, professional privacy intermediaries, accountable to the Data Principal, who help you give, manage, review and withdraw consent across different platforms. But there are some puzzling restrictions. Consent Managers must be ‘data blind’: the personal data flowing through them is to be encrypted so that they cannot read it. That is good for privacy, but it may limit their ability to help you make informed decisions. And while they are required to integrate with multiple platforms (which is convenient for users), somebody has to foot the bill for this integration. Will it be the businesses, the users, or both? The jury is still out.


The Data Protection Board: India’s New Privacy Enforcer

At the heart of the DPDP Act’s enforcement framework lies the Data Protection Board of India (“DPB”), a regulatory body tasked with ensuring that privacy obligations are not just theoretical but actively upheld. Unlike the SPDI Rules, which lacked a dedicated privacy enforcement authority, the DPB serves as the adjudicating body for personal data breaches, non-compliance and grievance redressal. It has the power to inquire into violations, direct remedial measures and impose monetary penalties, which the Schedule to the Act caps at ₹250 crore per instance, the highest ceiling being reserved for failure to take reasonable security safeguards to prevent a personal data breach. Appeals from its orders lie to the Telecom Disputes Settlement and Appellate Tribunal.

The DPB’s role is critical in balancing business interests with individual rights. It will adjudicate complaints from Data Principals (individuals) regarding failure to exercise their rights (such as denial of data access or deletion requests) and assess whether Data Fiduciaries have implemented adequate security measures. It will also oversee data breach reporting obligations and determine whether companies acted responsibly in securing personal data. The DPB is not just a watchdog—it is the cornerstone of India’s privacy enforcement mechanism.

The Tightrope of Security

Security requirements have also received a major upgrade, although the detail sits in the Draft Rules rather than the Act. The Act itself (Section 8(5)) keeps a standard that sounds familiar, ‘reasonable security safeguards’, but the Draft Rules then name the minimum: encryption, obfuscation or masking of personal data; access control; logging and monitoring so that unauthorised access can be detected, investigated and remediated; and measures for continuity, such as backups. It is like moving from asking someone to drive safely to specifying seatbelts, airbags and regular vehicle inspections. The Draft Rules balance these prescriptive minimums with flexible implementation: while specifying essential measures, they allow organizations to determine the appropriate depth of implementation based on their size, nature of operations and risk profile. That flexibility is crucial, given the sheer diversity of businesses handling personal data, from nimble startups to legacy enterprises. The practical corollary is that ‘reasonable’ will be judged after a breach, so a fiduciary should be able to show the DPB which controls it chose, why, and what its logs recorded.


Data Without Borders? India’s Selective Approach

In today’s digital economy, personal data rarely stays confined within national borders. Businesses rely on cloud storage, multinational data centers, and global analytics services, making cross-border data transfers a necessity rather than an exception. Whether it is an Indian startup using U.S. based cloud services or a global e-commerce company processing Indian customer data in Singapore, these flows power modern commerce—but also raise concerns about data security, surveillance risks, and regulatory oversight.

The DPDP Act takes a selectively open approach to cross-border transfers, neither a free-for-all nor an outright blockade. By default, transfers are allowed. Section 16 then lets the Central Government restrict, by notification, transfers to specific countries or territories: a ‘no-fly list’ for data, rather than the EU-style adequacy whitelist under which a destination must first be found to offer comparable protection. Two guardrails sit alongside that blacklist. First, the Draft Rules allow the government to attach conditions to transfers outside India, so the default permission is not unconditional. Second, Section 16(2) preserves any other Indian law that imposes a higher degree of protection or restriction, so sectoral localisation mandates continue to apply on top of the DPDP Act.

For example, an Indian fintech company processing customer transactions on cloud servers located in the UK may proceed unless the UK appears on a notified restriction list, a notified condition is unmet, or a sectoral regulator requires that category of data to stay in India. If the same company wants to store data in a country the government has notified as restricted, the transfer is barred regardless of the safeguards the company itself puts in place.

When is a Digital Native ‘Grown Up’ Enough?

Remember when you got your first email account? For today’s kids, digital life starts much earlier. Perhaps the most contentious aspect of the DPDP Act is the designation of 18 (eighteen) as the age below which a person is a ‘child’ whose data may be processed only with verifiable parental consent. In an era where children learn to swipe before they can walk, this threshold seems paradoxically high. The Draft Rules propose verifying parental consent through reliable identity and age details or through virtual tokens mapped to them, which could create logistical nightmares. While the intent to protect minors is commendable, the approach appears to be at odds with global standards. Most jurisdictions rely on self-declaration mechanisms and set lower age thresholds; the EU’s GDPR, for instance, allows member states to set the age between 13 and 16. The Indian approach might inadvertently create a digital divide, potentially excluding a generation of tech-savvy teenagers from the online world.


Carve-Outs: When the Rules Don’t Apply

While the DPDP Act establishes a comprehensive privacy framework, it also recognizes that certain data processing activities cannot be held to the same strict compliance standards as commercial entities. The DPDP Act (Section 17) creates key exemptions for situations where privacy obligations must yield to legal, regulatory and economic realities. For instance, personal data may be processed without consent where necessary for the prevention, detection, investigation or prosecution of an offence, which covers law enforcement agencies investigating cybercrime or financial fraud. Similarly, courts, tribunals and bodies performing judicial, quasi-judicial, regulatory or supervisory functions are not bound by the DPDP Act’s consent and purpose limitation requirements when processing data needed for those functions. A broader carve-out sits in Section 17(2): the Central Government may, by notification, exempt an instrumentality of the State entirely in the interests of sovereignty, security, public order or foreign relations, a power that critics of the Act have flagged as its widest opening.

Beyond government functions, cross-border commercial transactions also benefit from exemptions. If an Indian company processes personal data of individuals outside India under a contract with a foreign entity, the DPDP Act does not apply to that data, ensuring that Indian service providers can continue supporting global operations without unnecessary regulatory conflicts. Additionally, businesses engaged in mergers, demergers or corporate restructuring can process relevant personal data without seeking fresh consent, as long as the scheme has been approved by a court or tribunal. Lenders can also process a defaulter’s financial information, assets and liabilities for recovery purposes without requiring consent, ensuring that privacy rights do not inadvertently shield bad actors from accountability.

These exemptions reflect a pragmatic balance between privacy rights and operational necessity, ensuring that critical functions—whether in law enforcement, corporate transactions, or economic governance—can continue unimpeded while maintaining broad protections for individual data rights.

A Work in Progress

Rolling out this privacy framework across India will be no small feat. Success depends on balancing practicality with protection, and the DPB will play a pivotal role. The success of this implementation strategy will depend on how effectively the board can establish itself and provide guidance during the transition period. Like a traffic cop at a chaotic intersection, the DPB must ensure smooth implementation while setting strong precedents.

The new law may not be perfect, but it is an important step toward creating a more privacy-conscious digital India. As we move forward, we will need continuous dialogue between regulators, businesses, and citizens to refine this framework. After all, in true Indian style, this is not just a policy change – it is a privacy revolution, and everyone is invited to participate.

The Leaflet
theleaflet.in