Data protection & privacy laws in India (2026)
India has a comprehensive, GDPR-style personal-data protection law: the Digital Personal Data Protection Act, 2023, whose implementing Rules were notified on 13 November 2025. The Act applies to digital personal data and is enforced by a new statutory regulator, the Data Protection Board of India. Provisions are commencing in phases—the Board's establishment is already in force, while the core compliance obligations (consent, notice, breach reporting, data-principal rights) become effective on 13 May 2027.
Key points
The DPDP Act, 2023 received assent in August 2023; MeitY notified the operative Digital Personal Data Protection Rules, 2025 on 13 November 2025 under Section 40 of the Act, bringing the regime into effect on a phased basis.
Enforcement rests with the Data Protection Board of India (DPBI), a four-member body headquartered in New Delhi; provisions establishing the Board took effect immediately on 13 November 2025, with appointments via a Search-cum-Selection Committee chaired by the Cabinet Secretary.
Phase I (13 Nov 2025): Data Protection Board provisions. Phase II (13 Nov 2026): consent-manager registration and obligations. Phase III (13 May 2027): core processing obligations, data-principal rights, government information-call powers, and appeals to the tribunal.
Data fiduciaries must process personal data on a lawful basis or with consent, give notice, ensure data accuracy, implement reasonable security safeguards, report breaches to the DPBI and affected individuals, and erase data once the purpose is served.
Individuals (data principals) have rights to information, correction, erasure, and grievance redressal. Section 9 requires verifiable parental/guardian consent before processing the personal data of children (under 18).
Financial penalties run up to ₹250 crore (e.g. failure to prevent data breaches) and ₹200 crore for breaches of children's-data obligations. Cross-border transfers are permitted subject to Central Government conditions/restrictions (Rule 15), with certain restrictions on Significant Data Fiduciaries.
Timeline - major decisions & events
MeitY notified the Digital Personal Data Protection Rules, 2025, bringing parts of the 2023 Act into force and establishing the Data Protection Board of India; consent-manager rules apply from Nov 2026 and most substantive obligations from May 13, 2027. This finally operationalises India's standalone privacy regime.
Source: Press Information Bureau (PIB)
MeitY published draft rules to implement the DPDP Act, covering consent notices, breach reporting, children's data and Significant Data Fiduciary duties, inviting public feedback by Feb 18, 2025. This was the first concrete operational detail after 18 months of the Act sitting un-enforced.
Source: Press Information Bureau (PIB)
The President assented to the DPDP Act after passage by both houses (Lok Sabha Aug 7, Rajya Sabha Aug 9), creating India's first dedicated personal-data law with consent-based processing, data-principal rights and penalties up to Rs 250 crore. It is the foundation of today's privacy framework.
Source: MeitY
After scrapping the 2019 bill, MeitY released a slimmer, principles-based DPDP Bill for consultation, signalling a shift away from the GDPR-style omnibus approach. This draft became the template for the 2023 Act.
Source: MeitY
The government withdrew the PDP Bill 2019 after the Joint Parliamentary Committee proposed 81 amendments, opting to redraft a simpler law rather than pass the comprehensive GDPR-inspired text. This reset India's privacy legislation by three years.
Source: PRS Legislative Research
CERT-In directed all entities to report cyber incidents including data breaches within six hours and retain logs for 180 days within India. It remains the binding breach-reporting regime pending full DPDP enforcement.
Source: CERT-In
A 5-judge bench upheld the Aadhaar Act while invalidating Section 57, barring private companies (banks, telecoms) from compelling Aadhaar authentication absent a backing law. It set key limits on data collection and purpose limitation.
Source: Supreme Court Observer
The expert committee chaired by Justice B.N. Srikrishna submitted its report 'A Free and Fair Digital Economy' with a GDPR-inspired draft bill, the first official blueprint for a comprehensive Indian data law. It framed the next five years of legislation.
Source: MeitY
A unanimous nine-judge Supreme Court bench held that the right to privacy, including informational privacy, is intrinsic to Article 21 of the Constitution, overruling earlier contrary precedents. This created the constitutional mandate for a data-protection law.
Source: Supreme Court Observer
Rules under Section 43A defined 'sensitive personal data or information' (passwords, financial, health, biometric data) and required body corporates to maintain reasonable security practices and obtain consent. These were India's primary data-protection rules until the DPDP regime.
Source: India Official Gazette (via DataGuidance)
India's first cyber-law received Presidential assent, recognising electronic records and later (via Section 43A and Section 72A) providing the earliest statutory hooks for protecting personal data and penalising unauthorised disclosure. It anchored data protection for over two decades.
Source: India Code (Legislative Dept.)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.