India’s New Digital Privacy Law: The DPDP Act and Rules Explained
- December 1, 2025
- Saurabh Bindal
- Aakash Kaushik
India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) together create a new, self-contained regime for how digital personal data is collected, processed and protected in India. The framework is designed to balance two interests: the individual’s right to privacy and the legitimate need of the State and private entities to process data for lawful purposes.
Scope and Key Concepts
The DPDP Act applies to the processing of “digital personal data” within the territory of India, whether such data is collected directly in digital form or is digitised from non-digital form. It also applies extraterritorially where processing outside India is in connection with any activity related to offering goods or services to Data Principals within India (Section 3). At the same time, it carves out clear exclusions: personal or domestic use of data by an individual, and personal data made publicly available by the Data Principal herself or by another person under a legal obligation, fall outside its scope (Section 3(c)).
The Act defines its main actors in Section 2. A “Data Principal” is the individual to whom the personal data relates; in the case of a child, the term includes parents or lawful guardians, and in the case of a person with disability, it includes the lawful guardian acting on her behalf (Section 2(j)). A “Data Fiduciary” is any person who alone or with others determines the purpose and means of processing personal data (Section 2(i)), and a “Data Processor” is any person who processes personal data on behalf of a Data Fiduciary (Section 2(k)). “Personal data” is any data about an individual who is identifiable by or in relation to such data, while “digital personal data” is personal data in digital form (Section 2(t), 2(n)). The Act also establishes the “Data Protection Board of India” (“Board”) as an independent body to enforce the law (Section 18). The DPDP Rules adopt the Act’s definitions and add a few of their own, such as “user account”, “techno‑legal measures” and “verifiable consent” (Rule 2).
Consent, Legitimate Uses and Notice
Processing of personal data is lawful only if it satisfies the substantive conditions in Chapter II. Section 4 provides that a person may process the personal data of a Data Principal only in accordance with the Act and for a lawful purpose, either with the Data Principal’s consent or for certain legitimate uses. “Lawful purpose” is defined broadly as any purpose not expressly forbidden by law (Section 4(2)).
Consent is dealt with in Sections 5 and 6. A request for consent must be preceded or accompanied by a notice from the Data Fiduciary, informing the Data Principal of the personal data and purposes of processing, how she may exercise her rights under Sections 6 and 13, and how she may make a complaint to the Board (Section 5(1)). Where consent has been given before the commencement of the Act, the Data Fiduciary must issue a fresh notice “as soon as reasonably practicable” setting out the same information (Section 5(2)). The Act requires that consent be free, specific, informed, unconditional and unambiguous, indicated by a clear affirmative action, and limited to such personal data as is necessary for the specified purpose (Section 6(1)). Any portion of a consent request that infringes the Act or any other law is invalid to that extent (Section 6(2)). The Act grants the Data Principal a right to withdraw consent at any time, and requires that the ease of withdrawal be comparable to the ease of giving consent (Section 6(4)). Upon withdrawal, the Data Fiduciary and its Data Processors must cease processing unless such processing without consent is required or authorised under another provision of law (Section 6(5)–(6)).
Recognising that consent alone cannot support all processing, Section 7 lists “certain legitimate uses” for which personal data may be processed without consent. These include: where the Data Principal has voluntarily provided personal data for a specified purpose and has not indicated non‑consent; where the State or its instrumentalities process data to provide or issue subsidies, benefits, services, certificates, licences or permits as prescribed; performance of any function by the State or its instrumentalities under law or in the interests of sovereignty and security; disclosure obligations under law; compliance with judgments or decrees; responses to medical emergencies; public health measures; disaster and public order measures; and specific employment‑related purposes such as preventing corporate espionage or maintaining confidentiality of trade secrets (Section 7).
The DPDP Rules flesh out the content and presentation of notices and the mechanics of consent. Rule 3 requires that notices be presented in a way that is understandable on their own, use clear and plain language, give at minimum an itemised description of the personal data and the specified purposes, and include a specific communication link to the Data Fiduciary’s website or app along with a description of other means by which the Data Principal can withdraw consent, exercise her rights and make complaints to the Board.
Obligations of Data Fiduciaries and Processors
Section 8 sets out the general obligations of Data Fiduciaries. It provides that a Data Fiduciary is responsible for complying with the Act and rules for any processing undertaken by it or on its behalf, regardless of any agreement to the contrary or of the Data Principal’s failure to perform her duties (Section 8(1)). A Data Processor may only process personal data on a Data Fiduciary’s behalf under a valid contract and only for activities related to offering goods or services to Data Principals (Section 8(2)). Where personal data is likely to be used to make decisions affecting the Data Principal or to be disclosed to another Data Fiduciary, the processing Data Fiduciary must ensure completeness, accuracy and consistency of the data (Section 8(3)).
Section 8(4) requires implementing appropriate technical and organisational measures to ensure effective observance of the Act and rules. Section 8(5) obliges the Data Fiduciary to protect personal data in its possession or under its control, including in respect of processing by a Data Processor, by taking reasonable security safeguards to prevent personal data breach. In case of a breach, Section 8(6) requires the Data Fiduciary to intimate the Board, and each affected Data Principal in the prescribed form and manner. Section 8(7) mandates erasure of personal data on withdrawal of consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, subject to retention necessary for compliance with law; Section 8(8) deems the specified purpose to be no longer served where the Data Principal has not approached the Data Fiduciary for performance of the purpose and has not exercised her rights for a prescribed period. Section 8(9) requires publication of the business contact information of a Data Protection Officer, where applicable, or another person able to answer questions about the processing of personal data. Section 8(10) requires that the Data Fiduciary establish an effective mechanism to redress grievances of Data Principals.
The DPDP Rules give these obligations practical content. Rule 6 specifies that “reasonable security safeguards” must include, at a minimum, measures such as encrypting or tokenising personal data; implementing access controls on computer resources; maintaining logs and visibility of access to enable detection, investigation and remediation of unauthorised access; ensuring data backups and other measures for continued processing in case of compromise; requiring Data Processors to implement equivalent safeguards via contract; and taking appropriate technical and organisational measures to ensure effective observance of these safeguards. Rule 7 sets out breach‑notification obligations. On becoming aware of a personal data breach, the Data Fiduciary must inform each affected Data Principal, without delay, in clear and plain language via the user account or registered communication channel, and must describe the breach, likely consequences, mitigation measures taken, safety steps the Data Principal can take, and contact details for queries. It must also intimate the Board without delay, and then within 72 hours (or such longer period as the Board may allow) provide detailed information on the nature, extent, timing and location of the breach, facts and reasons leading to it, mitigation measures, findings regarding the person who caused it, remedial measures and a report of notifications to Data Principals.
Rule 8 connects with Sections 8(7) and 8(8). It requires certain classes of Data Fiduciaries processing personal data for purposes specified in the Third Schedule to erase personal data after the corresponding time periods if the Data Principal neither approaches the Data Fiduciary for the specified purpose nor exercises her rights, unless retention is necessary for compliance with law. In addition, all Data Fiduciaries must retain personal data, associated traffic data and other logs of processing for at least one year from the date of processing for purposes listed in the Seventh Schedule, after which they must erase them unless longer retention is required by law or notified by the Government.
Children, Persons with Disabilities and Verifiable Consent
The Act adopts a stricter approach to processing personal data of children and persons with disabilities who have lawful guardians. Section 9(1) requires that, before processing such data, the Data Fiduciary must obtain verifiable consent of the parent of the child or the lawful guardian, in the manner prescribed. Section 9(2) prohibits the processing of personal data likely to cause any detrimental effect on the well-being of a child. Section 9(3) prohibits tracking, behavioural monitoring or targeted advertising directed at children. Section 9(4) and 9(5) allow the Central Government to prescribe exemptions from these obligations for specified classes of Data Fiduciaries or purposes and to notify, in respect of a Data Fiduciary that processes children’s data in a verifiably safe manner, the age above which the obligations under Section 9(1) and (3) will not apply.
The DPDP Rules define “verifiable consent” in this context. Rule 10 states that for processing a child’s personal data, the Data Fiduciary must adopt appropriate technical and organisational measures to ensure that the verifiable consent comes from a parent, and must verify that the person identifying as a parent is an identifiable adult. This can be done by reference to reliable identity and age details already available with the Data Fiduciary, or details (or virtual tokens mapped to such details) voluntarily provided by the parent or through a Digital Locker service provider or other authorised entity. Rule 11 provides that, for persons with disabilities with lawful guardians, the Data Fiduciary must observe due diligence to verify that the guardian is appointed under applicable guardianship law by a court of law, designated authority or local level committee.
Rule 12 and the Fourth Schedule then identify classes of Data Fiduciaries and purposes for which the prohibitions in Section 9(1) and 9(3) do not apply, subject to conditions. This allows, for example, certain educational platforms or child‑centric services to operate under modified obligations where the risk profile and safeguards justify it.
Significant Data Fiduciaries and Enhanced Obligations
Section 10 introduces the concept of “Significant Data Fiduciary”. The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary based on an assessment of factors such as the volume and sensitivity of personal data processed, risk to Data Principal rights, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State and public order (Section 10(1)). Once so notified, a Significant Data Fiduciary must appoint a Data Protection Officer based in India, who represents it under the Act, is responsible to its Board of Directors or similar governing body and is the point of contact for the grievance‑redress mechanism (Section 10(2)(a)). It must also appoint an independent data auditor to evaluate its compliance with the Act (Section 10(2)(b)), and undertake periodic Data Protection Impact Assessments, audits and such other measures as may be prescribed (Section 10(2)(c)).
Rule 13 builds on these obligations by requiring every Significant Data Fiduciary to conduct a Data Protection Impact Assessment and an audit at least once every twelve months from the date on which it is notified as such, and to cause the person carrying out the assessment and audit to furnish to the Board a report containing significant observations. Rule 13 also requires Significant Data Fiduciaries to verify that technical measures, including algorithms and software used for hosting, displaying, uploading, storing, updating or sharing personal data, are not likely to pose a risk to Data Principal rights, and to ensure that specified categories of personal data and associated traffic data are processed under localisation‑type restrictions, including a prohibition on transfers outside India, where so specified by the Government on the recommendation of a committee.
Rights and Duties of Data Principals
Chapter III, comprising Sections 11 to 15, deals with the rights and duties of Data Principals. Section 11 gives the Data Principal a right, upon request, to obtain from a Data Fiduciary a summary of the personal data being processed and the processing activities, the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared and a description of the personal data shared, and any other information related to her data and its processing as may be prescribed. Section 12 grants the right to correction, completion, updating and erasure of personal data for which she has previously given consent. Data Fiduciaries must correct inaccurate or misleading personal data, complete incomplete data and update data on request, and must erase personal data when requested unless retention is necessary for the specified purpose or to comply with law.
Section 13 provides a right to have readily available means of grievance redressal provided by the Data Fiduciary or Consent Manager in respect of any act or omission relating to the performance of obligations or the exercise of rights under the Act. The Data Fiduciary or Consent Manager must respond to grievances within a prescribed period, and the Data Principal must exhaust this mechanism before approaching the Board. Section 14 allows the Data Principal to nominate another individual, in a prescribed manner, who will exercise her rights in the event of death or incapacity. Section 15 lists duties of Data Principals, including complying with applicable laws when exercising rights, not impersonating others when providing personal data, not suppressing material information while providing data for identity documents, not registering false or frivolous grievances or complaints, and furnishing only verifiably authentic information when seeking correction or erasure.
Rule 14 supports these rights by requiring Data Fiduciaries and Consent Managers to prominently publish, on their websites or apps, details of the means by which Data Principals can make rights‑requests and any identifiers (such as customer IDs, application numbers, email addresses or phone numbers) required to identify them. It also obliges them to publish, within a reasonable period not exceeding ninety days, their internal timeframe for responding to grievances and to implement appropriate measures to meet that timeframe. Rule 14 further clarifies that nomination under Section 14 can be exercised using the means and particulars required by the Data Fiduciary, consistent with its terms of service and applicable law.
Exemptions and State Processing
Chapter IV (Sections 16 and 17) contains special provisions, including cross‑border transfer and exemptions. Section 16 empowers the Central Government, by notification, to restrict the transfer of personal data by a Data Fiduciary to specified countries or territories outside India. It clarifies that nothing in Section 16 overrides any stricter restriction or higher protection under other laws.
Section 17 provides a carefully layered set of exemptions. Section 17(1) disapplies almost all of Chapter II (except Sections 8(1) and 8(5)), Chapter III and Section 16 in certain situations. These include: processing necessary to enforce legal rights or claims; processing by courts, tribunals or other bodies entrusted with judicial, quasi‑judicial, regulatory or supervisory functions, where necessary for those functions; processing in the interest of prevention, detection, investigation or prosecution of offences or contraventions; processing of data of Data Principals outside India pursuant to a contract with a person outside India by a person based in India; processing necessary for schemes of compromise, arrangement, mergers, demergers or similar corporate restructurings approved by a competent authority; and processing to ascertain the financial information, assets and liabilities of loan defaulters by financial institutions, subject to relevant laws.
Section 17(2) disapplies the Act in respect of processing by such State instrumentalities as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to related cognisable offences, and in respect of processing necessary for research, archiving or statistical purposes where data is not used to take decisions specific to a Data Principal and where prescribed standards are followed. Section 17(3) allows the Government, having regard to the volume and nature of personal data processed, to notify certain Data Fiduciaries or classes, including startups, to whom Section 5, Sections 8(3) and 8(7), and Sections 10 and 11 shall not apply. Section 17(4) relaxes Sections 8(7) and 12(2)–(3) where processing is by the State and either is for a purpose that does not include making decisions affecting the Data Principal or falls within specified categories. Section 17(5) allows the Government, within five years of the commencement of the Act, to declare that any provision will not apply to certain Data Fiduciaries or classes for a specified period.
Rule 5, together with the Second Schedule, sets standards for State processing of personal data when providing or issuing subsidies, benefits, services, certificates, licences or permits, requiring lawful, necessary, proportionate and secure processing, limited retention and accuracy. Rule 16 implements the research exemption under Section 17(2)(b) by prescribing standards, also in the Second Schedule, for processing personal data for research, archiving or statistical purposes. Rule 23 allows the Central Government, acting through authorised officers, to require any Data Fiduciary or intermediary to furnish information for purposes listed in the Seventh Schedule (which include enforcing the Act and protecting sovereignty and security), and allows the Government to direct that such requirements not be disclosed to affected Data Principals where disclosure would prejudice these interests.
Data Protection Board of India and Appellate Mechanism
The institutional core of the enforcement framework is the Data Protection Board of India, established under Section 18. The Board is a body corporate with perpetual succession and a common seal, with power to acquire, hold and dispose of property, and to sue or be sued. Its headquarters are notified by the Central Government. Section 19 provides that the Board consists of a Chairperson and such other Members as may be notified, all appointed in the manner prescribed, and requires that the Chairperson and Members be persons of ability, integrity and standing with special knowledge or practical experience in fields such as data governance, social or consumer protection, dispute resolution, ICT, digital economy, law, regulation or techno‑regulation, with at least one legal expert. Section 20 provides that the Chairperson and Members hold office for a term of two years and are eligible for re‑appointment, and that their salary, allowances and terms of service will be as prescribed and cannot be varied to their disadvantage after appointment.
Sections 21 and 22 set out disqualifications and removal, as well as resignation, filling of vacancies and a one‑year cooling‑off period before accepting employment with a Data Fiduciary against whom proceedings were initiated by or before the Chairperson or Member, unless the Government approves earlier employment. Section 23 addresses the procedure for meetings and authentication of Board instruments, and protects Board proceedings from invalidation due to vacancies, appointment defects or procedural irregularities not affecting merits. Section 24 allows the Board, with Government approval, to appoint officers and employees.
Sections 25 to 27 deal with functions, powers and procedure. The Board’s functions include examining intimations of personal data breaches, directing urgent remedial or mitigation measures, inquiring into breaches or contraventions based on intimation, complaints, Government references or court directions, and imposing monetary penalties. The Board has powers similar to those of a civil court in respect of summoning and enforcing attendance, requiring discovery and production of documents, receiving evidence on affidavits and issuing commissions for the examination of witnesses or documents. It must be guided by the principles of natural justice, provide the person concerned with an opportunity of being heard, and record reasons in writing for its decisions.
The DPDP Rules complete the institutional picture. Rule 17 provides for two Search‑cum‑Selection Committees for recommending appointments to the Board: one chaired by the Cabinet Secretary for the Chairperson, and another chaired by the Secretary, Ministry of Electronics and Information Technology, for Members. Rule 18 and the Fifth Schedule specify the salaries and service conditions of the Chairperson and Members. Rule 19 addresses meeting procedures, quorum, voting, conflict‑of‑interest recusal and emergency decision‑making by circulation or by the Chairperson acting alone, subject to subsequent ratification. Rule 20 mandates that the Board function as a “digital office”, adopting techno‑legal measures to conduct proceedings without requiring physical presence, while preserving its power to summon individuals and examine them on oath. Rule 21 provides that the Board may, with Government approval, appoint officers and employees, with their service conditions set out in the Sixth Schedule.
Appeals from Board orders or directions lie to the Appellate Tribunal under Section 29. The Telecom Disputes Settlement and Appellate Tribunal, established under the Telecom Regulatory Authority of India Act, 1997, is designated as the Appellate Tribunal for DPDP purposes. Appeals must be filed within sixty days, with the Tribunal having discretion to condone delay, and the Tribunal is not bound by the Civil Procedure Code but guided by the principles of natural justice. Rule 22 requires that appeals be filed in digital form and accompanied by a fee equivalent to that applicable for appeals under the TRAI Act, payable through digital payment systems such as UPI, unless reduced or waived by the Tribunal Chairperson. It also provides that the Tribunal itself functions as a digital office.
Penalties and Blocking Powers
Section 33 and the Schedule create a detailed penalty framework. The Schedule prescribes maximum penalties for specified contraventions. For serious failures such as non-compliance with Section 8(5) on reasonable security safeguards, penalties can go up to Rs. 250 crore. Breaches of Section 8(6) (failure to notify personal data breaches) and of obligations in respect of children under Section 9 may attract penalties up to Rs. 200 crore. Non‑compliance by Significant Data Fiduciaries with additional obligations under Section 10 may draw penalties up to Rs. 150 crore. Other contraventions of the Act and rules may attract penalties up to Rs. 50 crore. A Data Principal who breaches her duties under Section 15 may be penalised up to Rs. 10,000.
When deciding the quantum of penalty, Section 33(2) requires the Board to consider factors such as the nature, gravity and duration of the breach, the type and nature of personal data affected, the repetitive nature of the breach, undue advantage gained or loss avoided, mitigation efforts, proportionality and effectiveness of the penalty, and the likely impact of the penalty on the person. Section 34 states that all sums realised by way of penalties must be credited to the Consolidated Fund of India.
In cases of repeated and serious non‑compliance, the Act also allows the Central Government, on a reference from the Board, to direct intermediaries to block public access to the services of the non‑compliant Data Fiduciary. This blocking power acts as an ultimate deterrent in addition to monetary penalties.
Conclusion
The DPDP Act and the Rules together mark a structural change in India’s data governance landscape. They codify a rights‑based model that gives Data Principals clear, enforceable rights over their digital personal data, impose layered and risk‑based obligations on Data Fiduciaries and Significant Data Fiduciaries, and create a specialised, digital‑first regulator with strong investigative and penalty powers. For organisations, the framework demands careful re‑design of consent and notice flows, data security controls, retention practices, vendor contracts and governance structures. For individuals, it offers a more transparent and accountable environment in which their data is collected and used, anchoring digital commerce and public service delivery in a more robust privacy regime.