India Data Privacy Regulations
Overview
Passed in August 2023, the DPDP Act is India's first comprehensive horizontal privacy legislation. It centers on digital data processing and clear-cut consent models, and imposes heavy fines for failure to take reasonable security safeguards.
Processing of digital personal data within India, and processing outside India if offering goods/services to data principals in India.
Key Rules & Obligations
Breach Notification
To be prescribed in forthcoming rules (currently, general CERT-In rules dictate 6 hours for severe cyber security incidents).
Maximum Penalties
Up to ₹250 crore (~$30 million USD) for failure to prevent data breaches.
Data Transfers
Currently adopts a "whitelist/blacklist" approach allowing transfers unless restricted by the government, though specific rules are pending.
Individual Rights
- Right to access
- Right to correction and erasure
- Right of grievance redressal
- Right to nominate
Enforcement Authority
Data Protection Board of India (DPBI)
Contact: TBD
Notable Breaches in India
| Company | Year | Records Exposed | Regulation Violated |
|---|---|---|---|
| AIIMS Delhi | 2022 | Ransomware (health data) | IT Act (Pre-DPDP) |
| Domino's India | 2021 | 180,000,000 | IT Rules 2011 |
Official Sources
- Ministry of Electronics and IT (MeitY) (Verified: 2024-03-01)
Frequently Asked Questions
Is the Indian DPDP Act active?
The Act was passed in 2023, but the exact enforcement date depends on the union government publishing operational rules, making 2024/2025 transition years.
Does India's data law apply to paper records?
No, the DPDP Act applies strictly to digital personal data, or data collected offline and subsequently digitized.
What is the maximum penalty under the DPDP Act?
The Data Protection Board can levy single fines up to ₹250 crore against Data Fiduciaries for failing to secure personal data.
Last updated: March 5, 2026