Data & Privacy - India

The DPDP Act, 2023 received assent in August 2023; MeitY notified the operative Digital Personal Data Protection Rules, 2025 on 13 November 2025 under Section 40 of the Act, bringing the regime into effect on a phased basis.

Enforcement rests with the Data Protection Board of India (DPBI), a four-member body headquartered in New Delhi; provisions establishing the Board took effect immediately on 13 November 2025, with appointments via a Search-cum-Selection Committee chaired by the Cabinet Secretary.

Phase I (13 Nov 2025): Data Protection Board provisions. Phase II (13 Nov 2026): consent-manager registration and obligations. Phase III (13 May 2027): core processing obligations, data-principal rights, government information-call powers, and appeals to the tribunal.

Data fiduciaries must process personal data on lawful basis/consent, give notice, ensure data accuracy, implement reasonable security safeguards, report breaches to the DPBI and affected individuals, and erase data once the purpose is served.

Individuals (data principals) have rights to information, correction, erasure, and grievance redressal. Section 9 requires verifiable parental/guardian consent before processing the personal data of children (under 18).

Financial penalties run up to ₹250 crore (e.g. failure to prevent data breaches) and ₹200 crore for breaches of children's-data obligations. Cross-border transfers are permitted subject to Central Government conditions/restrictions (Rule 15), with certain restrictions on Significant Data Fiduciaries.