Data & Privacy ยท India
Data protection & privacy law in India (2026)
India shaded by its data & privacy status
Data protection in India: comprehensive law, under Digital Personal Data Protection Act, 2023 (DPDP Act), with the Digital Personal Data Protection Rules, 2025 notified by the Ministry of Electronics and Information Technology (MeitY); supervised by the Data Protection Board of India (DPBI)..
India has a comprehensive, GDPR-style personal-data protection law: the Digital Personal Data Protection Act, 2023, whose implementing Rules were notified on 13 November 2025. The Act applies to digital personal data and is enforced by a new statutory regulator, the Data Protection Board of India. Provisions are commencing in phases, the Board's establishment is already in force, while the core compliance obligations (consent, notice, breach reporting, data-principal rights) become effective on 13 May 2027.
Key points
The DPDP Act, 2023 received assent in August 2023; MeitY notified the operative Digital Personal Data Protection Rules, 2025 on 13 November 2025 under Section 40 of the Act, bringing the regime into effect on a phased basis.
Enforcement rests with the Data Protection Board of India (DPBI), a four-member body headquartered in New Delhi; provisions establishing the Board took effect immediately on 13 November 2025, with appointments via a Search-cum-Selection Committee chaired by the Cabinet Secretary.
Phase I (13 Nov 2025): Data Protection Board provisions. Phase II (13 Nov 2026): consent-manager registration and obligations. Phase III (13 May 2027): core processing obligations, data-principal rights, government information-call powers, and appeals to the tribunal.
Data fiduciaries must process personal data on lawful basis/consent, give notice, ensure data accuracy, implement reasonable security safeguards, report breaches to the DPBI and affected individuals, and erase data once the purpose is served.
Individuals (data principals) have rights to information, correction, erasure, and grievance redressal. Section 9 requires verifiable parental/guardian consent before processing the personal data of children (under 18).
Financial penalties run up to โน250 crore (e.g. failure to prevent data breaches) and โน200 crore for breaches of children's-data obligations. Cross-border transfers are permitted subject to Central Government conditions/restrictions (Rule 15), with certain restrictions on Significant Data Fiduciaries.
Timeline - major decisions & events
MeitY notified the Digital Personal Data Protection Rules, 2025, bringing parts of the 2023 Act into force and establishing the Data Protection Board of India; consent-manager rules apply from Nov 2026 and most substantive obligations from May 13, 2027. This finally operationalises India's standalone privacy regime.
Press Information Bureau (PIB) โMeitY published draft rules to implement the DPDP Act, covering consent notices, breach reporting, children's data and Significant Data Fiduciary duties, inviting public feedback by Feb 18, 2025. This was the first concrete operational detail after 18 months of the Act sitting un-enforced.
Press Information Bureau (PIB) โThe President assented to the DPDP Act after passage by both houses (Lok Sabha Aug 7, Rajya Sabha Aug 9), creating India's first dedicated personal-data law with consent-based processing, data-principal rights and penalties up to Rs 250 crore. It is the foundation of today's privacy framework.
MeitY โAfter scrapping the 2019 bill, MeitY released a slimmer, principles-based DPDP Bill for consultation, signalling a shift away from the GDPR-style omnibus approach. This draft became the template for the 2023 Act.
MeitY โThe government withdrew the PDP Bill 2019 after the Joint Parliamentary Committee proposed 81 amendments, opting to redraft a simpler law rather than pass the comprehensive GDPR-inspired text. This reset India's privacy legislation by three years.
PRS Legislative Research โCERT-In directed all entities to report cyber incidents including data breaches within six hours and retain logs for 180 days within India. It remains the binding breach-reporting regime pending full DPDP enforcement.
CERT-In โA 5-judge bench upheld the Aadhaar Act while invalidating Section 57, barring private companies (banks, telecoms) from compelling Aadhaar authentication absent a backing law. It set key limits on data collection and purpose limitation.
Supreme Court Observer โThe expert committee chaired by Justice B.N. Srikrishna submitted its report 'A Free and Fair Digital Economy' with a GDPR-inspired draft bill, the first official blueprint for a comprehensive Indian data law. It framed the next five years of legislation.
MeitY โA unanimous nine-judge Supreme Court bench held that the right to privacy, including informational privacy, is intrinsic to Article 21 of the Constitution, overruling earlier contrary precedents. This created the constitutional mandate for a data-protection law.
Supreme Court Observer โRules under Section 43A defined 'sensitive personal data or information' (passwords, financial, health, biometric data) and required body corporates to maintain reasonable security practices and obtain consent. These were India's primary data-protection rules until the DPDP regime.
India Official Gazette (via DataGuidance) โIndia's first cyber-law received Presidential assent, recognising electronic records and later (via Section 43A and Section 72A) providing the earliest statutory hooks for protecting personal data and penalising unauthorised disclosure. It anchored data protection for over two decades.
India Code (Legislative Dept.) โIndia - other topics
Data & Privacy in other countries
Last verified 5/23/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ