Author Archives: Priya Mehta

How does the concept of “significant data fiduciaries” affect compliance burdens in India?

Introduction

India’s Digital Personal Data Protection Act (DPDPA) 2023, set to become fully operational by 2025, introduces a modern and structured approach to data governance. One of the most critical concepts in the Act is the classification of certain organizations as Significant Data Fiduciaries (SDFs). This classification is designed to place higher accountability on entities that pose greater risks to data privacy due to the volume, sensitivity, or impact of their data processing activities.

Being labeled an SDF significantly raises the bar for compliance obligations under the DPDPA. These obligations are designed to ensure that entities handling large-scale or sensitive personal data operate with a higher degree of responsibility, transparency, and security. This article explains what constitutes a Significant Data Fiduciary and how this status increases compliance burdens for organizations in India.

Definition of a Data Fiduciary

Under the DPDPA, a Data Fiduciary is any person, company, or entity that determines the purpose and means of processing digital personal data. This includes businesses, NGOs, startups, government departments, and platforms that collect, process, store, or use individuals’ personal information.

What Is a Significant Data Fiduciary (SDF)?

A Significant Data Fiduciary is a special category of data fiduciary that processes large volumes or sensitive categories of personal data and therefore has a higher impact on individuals or the public interest. These entities are not self-declared; they are formally notified by the Central Government based on specific factors.

Criteria for Classification as an SDF

According to Section 10 of the DPDPA, the following parameters are considered when identifying an SDF:

  1. Volume and Sensitivity of Data Processed
    Entities processing large amounts of personal or sensitive personal data (such as health, financial, biometric data).

  2. Risk to Data Principal Rights
    Firms whose processing activities are likely to significantly impact individuals’ privacy or security.

  3. Impact on Sovereignty and Integrity of India
    Companies involved in critical sectors or that influence democratic rights, security, or national infrastructure.

  4. Use of Emerging Technologies
    Entities using AI, profiling, algorithmic decisions, or surveillance tools.

  5. Risk to Electoral Democracy
    Platforms influencing public opinion or digital campaigning may also qualify.

Example:
A large social media platform with 50 million Indian users that engages in user profiling, content targeting, and stores biometric data may be classified as an SDF.

How Does SDF Status Increase Compliance Burden?

Being declared an SDF comes with additional compliance responsibilities beyond what is required for regular data fiduciaries. These obligations are aimed at ensuring that high-risk organizations are held to stricter privacy, security, and governance standards.

Here are the key areas where SDFs face additional compliance:

1. Appointment of a Data Protection Officer (DPO)
Every SDF must appoint a qualified Data Protection Officer who will act as the central point of contact for data protection compliance and coordinate with the Data Protection Board.

  • The DPO must be based in India.

  • The DPO is responsible for grievance redressal, privacy impact assessments, and overseeing compliance activities.

2. Mandatory Data Protection Impact Assessments (DPIA)
Before initiating any data processing activity that poses significant risks, an SDF must conduct a DPIA.

  • This is a documented analysis of how a new product, service, or system may affect individuals’ privacy rights.

  • DPIAs must identify risks, mitigation strategies, and security controls.

3. Periodic Audits by Independent Firms
SDFs are required to conduct periodic audits of their data processing systems by external, independent auditors.

  • These audits must examine compliance with DPDPA rules, data security standards, and consent mechanisms.

  • Audit reports may be requested by the Data Protection Board.

4. Additional Record-Keeping and Documentation
SDFs must maintain detailed records of data flows, consent forms, processing purposes, grievance redressal logs, and more.

  • This information must be stored securely and made available to authorities upon request.

  • Data lifecycle documentation is necessary for accountability.

5. More Stringent Security Safeguards
SDFs must implement advanced data protection technologies including:

  • Encryption at rest and in transit

  • Access control systems

  • Intrusion detection and response protocols

  • Data masking or pseudonymization where necessary

6. Enhanced Transparency Requirements
SDFs must provide greater transparency to data principals, including:

  • Easy-to-understand privacy policies

  • Real-time access to data collected

  • Clear grievance redressal mechanisms

  • Opt-in options for sensitive data processing

7. Reporting to the Data Protection Board of India
SDFs may be required to submit annual compliance reports to the Data Protection Board or respond to regulatory queries more frequently.

  • This includes proof of audits, DPIAs, data breach incidents, and policy changes.

8. Cross-Border Transfer Documentation
If SDFs transfer data to entities outside India, they must ensure:

  • The transfer complies with government-approved conditions

  • Documentation is available regarding destination country adequacy

  • Explicit user consent is obtained for sensitive data transfers

Compliance Cost Implications for SDFs

With these added responsibilities, compliance for SDFs involves higher financial, human resource, and technological investment. These include:

  • Hiring or training a qualified Data Protection Officer

  • Engaging legal counsel for DPIA and impact analysis

  • Employing IT and security teams to build safe infrastructure

  • Paying for regular third-party audits and certifications

  • Establishing internal privacy training programs for staff

  • Upgrading user-facing platforms to improve transparency and data access

Example:
A health-tech startup collecting biometric and genetic data will need to implement detailed DPIA before launching services, hire a DPO, encrypt all health records, and ensure real-time user dashboards for consent and access—adding significant development and operations cost.

Legal Risks and Penalties for Non-Compliance

SDFs face higher risk exposure if they fail to meet their enhanced obligations. Penalties under the DPDPA include:

  • ₹150 crore for failure to fulfill duties specific to SDFs

  • ₹250 crore for breach due to inadequate safeguards

  • ₹200 crore for not honoring user rights

Moreover, reputation damage, client contract cancellations, and loss of licenses may follow from high-profile non-compliance.

Why SDF Classification Matters for Global Businesses

Multinational tech companies, fintech platforms, healthcare providers, cloud service providers, and social media platforms operating in India are likely to be classified as SDFs.

These entities must:

  • Align DPDPA compliance with GDPR, CCPA, and other international privacy regulations

  • Localize data centers if required

  • Strengthen user privacy protections across their global products

  • Respond promptly to regulatory orders from Indian authorities

How Businesses Can Prepare for SDF Obligations

To proactively prepare for SDF classification and compliance:

  • Conduct an internal data risk assessment to evaluate exposure

  • Appoint or train a DPO and create a privacy team

  • Develop a standard DPIA template and process

  • Begin external audit arrangements in advance

  • Build automated consent, access, and erasure systems for users

  • Update privacy policies and educate employees

  • Establish a legal compliance strategy for multi-jurisdictional operations

Conclusion

The classification of organizations as Significant Data Fiduciaries under the DPDPA 2025 framework brings with it a substantially increased burden of compliance, governance, and accountability. These obligations are not meant to hinder businesses but to ensure that entities handling massive volumes or sensitive types of personal data do so with diligence, transparency, and integrity. Indian companies and global firms operating in India must assess their data processing risks and prepare accordingly, both in terms of infrastructure and policy. Early investment in data protection not only helps avoid penalties but also builds user trust and long-term business sustainability in the data economy.

What are the penalties for data privacy violations under Indian and international regulations?

Penalties for Data Privacy Violations Under Indian and International Regulations

Introduction

In the digital era, data privacy has become one of the most critical aspects of global business and governance. With rising incidents of cyberattacks, data leaks, and misuse of personal information, governments around the world have enacted strong privacy laws. These laws carry severe penalties for violations to ensure that organizations are held accountable for mishandling personal data. In India, the Digital Personal Data Protection Act (DPDPA) 2023, operational by 2025, defines a legal structure with significant penalties. Globally, frameworks like the EU’s General Data Protection Regulation (GDPR), California’s CCPA/CPRA, Brazil’s LGPD, and others also enforce substantial fines and sanctions. Businesses today must be aware of these frameworks to avoid legal, financial, and reputational damage.

Penalties Under Indian Law – DPDPA 2023/2025

The DPDPA introduces a structured penalty regime enforced by the Data Protection Board of India (DPBI). It applies to all entities processing the personal data of Indian citizens, including both private companies and government departments.

1. Failure to Prevent Personal Data Breach
Maximum Penalty: ₹250 crore
This penalty applies when an organization fails to implement reasonable security safeguards to prevent unauthorized or accidental access, use, disclosure, or loss of personal data.

2. Failure to Notify the Data Protection Board and Individuals About a Breach
Maximum Penalty: ₹200 crore
Organizations must report data breaches to the Data Protection Board and affected individuals promptly. Failure to do so results in heavy fines.

3. Violation of Data Principal Rights
Maximum Penalty: ₹200 crore
If a company fails to respond to or honor user rights such as access, correction, erasure, or grievance redressal, the Board may impose this penalty.

4. Non-Compliance With Consent Requirements
Maximum Penalty: ₹150 crore
This includes processing data without valid consent, not allowing withdrawal of consent, or failing to inform users properly about data use.

5. Failure of Significant Data Fiduciaries to Fulfill Additional Duties
Maximum Penalty: ₹150 crore
Significant Data Fiduciaries must appoint Data Protection Officers, conduct risk assessments, and meet higher accountability standards. Failure in this regard can attract this penalty.

6. Mishandling of Children’s Data
Maximum Penalty: ₹100 crore
This applies when personal data of children is processed without verified parental consent or is used in ways that are likely to harm the child.

7. Non-Compliance With Orders of the Data Protection Board
Maximum Penalty: ₹50 crore
If a company ignores the orders or directions of the Data Protection Board, it can be fined even without a data breach.

Penalties Under the EU General Data Protection Regulation (GDPR)

The GDPR is a strict and globally influential privacy law that applies to any company, regardless of location, that processes data of EU residents.

1. Lower-Tier Violations
Maximum Penalty: €10 million or 2% of global annual turnover
This tier includes failure to maintain proper records, lack of data protection officers where required, or delayed breach notifications.

2. Upper-Tier Violations
Maximum Penalty: €20 million or 4% of global annual turnover
These apply to serious violations such as unlawful data processing, violation of user rights, failure to obtain consent, or unauthorized data transfers to third countries.

Notable GDPR Fines
Amazon – €746 million for unlawful advertising
Meta – Over €1.2 billion for illegal cross-border data transfers
British Airways – £20 million for security failures leading to data breach

Penalties Under California’s CCPA and CPRA

The CCPA and its amended version CPRA give California residents control over their data and penalize organizations for non-compliance.

1. Civil Penalties
$2,500 per violation or $7,500 per intentional violation
This includes failure to disclose data usage, ignoring user deletion or opt-out requests, or selling personal data unlawfully.

2. Private Right of Action in Case of Breach
Consumers can sue for $100 to $750 per data breach incident or actual damages
For large-scale breaches, this can lead to class-action lawsuits costing millions of dollars.

Penalties Under Brazil’s LGPD (Lei Geral de Proteção de Dados)

Brazil’s LGPD is modeled on GDPR and applies to companies handling data of Brazilian citizens.

1. Administrative Fines
Up to 2% of Brazilian revenue capped at R$50 million (approximately ₹75 crore) per violation
It covers consent violations, unlawful processing, and inadequate security.

2. Public Disclosure and Suspension
In addition to monetary penalties, regulators can suspend data processing activities or require public disclosure of violations.

Penalties Under Singapore’s PDPA (Personal Data Protection Act)

Singapore enforces strict privacy rules and has recently expanded its penalty provisions.

1. Monetary Penalties
Up to S$1 million or 10% of annual turnover in Singapore (whichever is higher)
This includes failure to notify breaches, processing without consent, or poor safeguards.

2. Business Restrictions
Authorities may suspend data activities or order system shutdowns in severe cases.

Penalties Under Australia’s Privacy Act (After 2022 Reforms)

Australia’s Privacy Act has been toughened to deal with modern data threats.

1. Maximum Fines
Up to AUD 50 million or 30% of adjusted annual turnover
This applies to repeated, large-scale or deliberate violations.

2. Reputation Sanctions
Australian authorities often name violating companies publicly, leading to loss of consumer trust.

Comparison Table of Global Privacy Law Penalties

Country/Regulation Maximum Fine Trigger Conditions
India (DPDPA) ₹250 crore Data breach, no consent, violation of rights
EU (GDPR) €20 million or 4% global turnover Cross-border misuse, no consent, security failures
USA (CCPA/CPRA) $7,500 per violation + damages Failure to allow opt-out, no disclosure
Brazil (LGPD) 2% of revenue, up to R$50 million No consent, breach, rights ignored
Singapore (PDPA) 10% of turnover or S$1 million No breach notice, misuse of data
Australia AUD 50 million or 30% of turnover Repeated or intentional privacy failures

Other Legal Consequences of Non-Compliance

Apart from direct financial penalties, organizations may face additional legal and reputational consequences:

1. Contract Termination
Global clients may cancel contracts if a service provider violates data privacy obligations or loses compliance certifications.

2. Lawsuits and Class Actions
In jurisdictions like the US, UK, and Australia, consumers can sue for damages resulting from privacy violations.

3. Regulatory Investigations
Regulators may conduct audits, freeze processing activities, or suspend business licenses.

4. Criminal Liability Under Indian IT Act
Section 72A of the IT Act penalizes disclosure of personal data without consent with up to 3 years imprisonment or ₹5 lakh fine.

5. Brand and Trust Damage
Public disclosures of data leaks or regulatory actions severely damage brand image and customer loyalty.

Steps to Avoid Penalties

To avoid penalties, businesses must build strong privacy management systems:

Appoint a Data Protection Officer (DPO)
Conduct Data Protection Impact Assessments (DPIAs)
Secure data with encryption and access control
Create user dashboards for consent and data management
Ensure timely breach notifications and internal response plans
Train staff on compliance and privacy awareness
Monitor third-party vendors for data protection standards

Conclusion

Data privacy penalties around the world, including under India’s DPDPA, are becoming stricter and more expensive. These fines are not limited to monetary loss—they can damage a company’s credibility, disrupt operations, and lead to legal entanglements. Indian organizations must understand both domestic and international privacy laws and adopt a privacy-by-design culture. By prioritizing transparency, consent, user rights, and breach response, companies can ensure compliance and maintain user trust in a data-sensitive global economy.

How can businesses implement “privacy by design” principles to meet DPDPA requirements?

Introduction

The Digital Personal Data Protection Act (DPDPA) 2023, scheduled to become fully effective in 2025, has laid down a modern framework for personal data handling in India. One of the most forward-looking requirements under this law is the implementation of “Privacy by Design” principles. Though not explicitly defined in a separate section like the EU’s GDPR, the philosophy of privacy as a built-in feature rather than an afterthought is deeply embedded in the DPDPA’s obligations for Data Fiduciaries (organizations collecting or processing data).

Privacy by Design (PbD) is not merely a policy—it’s a systemic approach to designing systems, processes, and business practices that embed privacy and data protection into every layer of the organization, starting from the idea stage to product launch and operations.

Implementing PbD principles under DPDPA ensures that businesses not only stay compliant but also build trust, transparency, and security for their users and stakeholders.

Understanding “Privacy by Design” in the Context of DPDPA

While the DPDPA does not use the exact term “Privacy by Design” in every clause, its obligations reflect the same underlying intent. Key principles that relate to PbD include:

  • Purpose Limitation: Data should be collected only for specified, clear, and lawful purposes.

  • Data Minimization: Only the necessary data should be collected and processed.

  • Storage Limitation: Data should not be retained longer than necessary.

  • Security Safeguards: Personal data must be protected against breaches and unauthorized access.

  • Transparency and Choice: Individuals should have clear options to control their data.

The Data Protection Board of India and Central Government rules are expected to publish further implementation standards aligned with these principles.

Seven Core Principles of Privacy by Design and How to Apply Them Under DPDPA

1. Proactive Not Reactive; Preventive Not Remedial

Businesses must embed privacy as a proactive approach rather than responding only after problems occur.

Implementation Strategies:

  • Conduct Data Protection Impact Assessments (DPIAs) before launching new products or processing new categories of data.

  • Perform vulnerability scans, risk analysis, and compliance checklists at the planning stage.

  • Establish internal privacy review committees to evaluate new marketing campaigns, partnerships, or vendor deals involving personal data.

Example: Before rolling out a location-based discount feature in an e-commerce app, assess what geolocation data is collected, whether it’s really necessary, and how to secure it.

2. Privacy as the Default Setting

By default, systems should collect the minimum necessary data, and users should not have to opt out to protect their privacy.

Implementation Strategies:

  • Use opt-in mechanisms for features that require personal data (like targeted ads, GPS tracking).

  • Pre-configure systems to disable sharing by default, unless the user explicitly enables it.

  • Avoid pre-ticked boxes or forced consent for non-essential services.

Example: When a customer signs up for a newsletter, the email marketing checkbox should be empty by default, allowing them to actively opt-in.

3. Privacy Embedded into Design

Privacy should be part of the architecture of IT systems, software, apps, and business processes, not bolted on later.

Implementation Strategies:

  • Involve privacy engineers and legal teams in the early design phase.

  • Use data anonymization, pseudonymization, and tokenization for analytics or testing purposes.

  • Automate data deletion, access logs, and audit trails within the system architecture.

Example: An HR software platform can embed a feature to auto-delete job applicant data after 6 months unless retention is legally required.

4. Full Functionality—Positive-Sum, Not Zero-Sum

Privacy should not be sacrificed for other goals like usability, innovation, or profit. Instead, aim for win-win outcomes.

Implementation Strategies:

  • Design user interfaces that inform and guide, without disrupting user experience.

  • Balance personalization and privacy by using aggregated insights instead of individual profiling when possible.

Example: A fitness app can offer personalized workout suggestions using local device processing rather than sending sensitive health data to external servers.

5. End-to-End Security—Lifecycle Protection

Ensure that personal data is secure across its entire lifecycle, from collection to storage to deletion.

Implementation Strategies:

  • Use encryption, multi-factor authentication, and access controls.

  • Define data retention periods for each category of data.

  • Build processes to safely destroy or de-identify data once it’s no longer needed.

Example: A bank may retain transaction logs for 7 years due to regulations but must delete or mask personal identifiers when this period ends.

6. Visibility and Transparency

Systems and practices must be open to scrutiny. Data Principals should know what data is collected, why, and how it’s used.

Implementation Strategies:

  • Maintain and publish privacy policies in clear, local languages.

  • Create user dashboards where individuals can access, edit, or delete their data.

  • Send notifications when privacy policies are updated or data sharing terms change.

Example: An OTT platform can provide users with a page showing what data it collects, like viewing history, payment info, and preferences—with options to download or delete it.

7. Respect for User Privacy—User-Centric Design

Keep the needs, rights, and expectations of the Data Principal at the center of all design choices.

Implementation Strategies:

  • Make data rights easy to exercise (e.g., one-click deletion or correction requests).

  • Train customer support staff to handle privacy-related queries.

  • Avoid “dark patterns” that mislead users into giving up more data.

Example: A mobile app should allow users to delete their account completely (not just deactivate it) without going through long customer service loops.

Steps for Businesses to Operationalize Privacy by Design

1. Conduct a Privacy Gap Assessment

  • Map current data collection practices, policies, third-party sharing

  • Identify areas where DPDPA or PbD principles are not being followed

2. Appoint a Privacy Officer or Team

  • Appoint a Data Protection Officer (DPO) for medium to large companies

  • Define responsibilities such as privacy audits, DPIAs, training, and breach response

3. Build Privacy Controls Into Product Development

  • Use privacy impact checklists during product roadmap discussions

  • Review all new features for potential data exposure

4. Automate Privacy Operations

  • Implement Consent Management Platforms (CMPs)

  • Use tools for user access requests, policy version tracking, and automated deletion workflows

5. Train Employees on Privacy

  • Run regular workshops for tech, sales, marketing, and HR teams

  • Share best practices and legal updates related to DPDPA and global laws (like GDPR)

6. Create a Privacy Governance Framework

  • Define policies for:

    • Data retention and deletion

    • Third-party data sharing

    • Data breach response

    • Consent lifecycle management

Examples of Privacy by Design in Indian Business Context

Example 1: Healthcare Startup
A telemedicine app ensures privacy by:

  • Collecting only essential health information during consultations

  • Storing data on encrypted servers in India

  • Letting users download and delete their health history

Example 2: Fintech Platform
A digital loan provider implements PbD by:

  • Encrypting Aadhaar and PAN details

  • Using OTP-based authentication

  • Allowing users to delete KYC documents once loans are closed

Example 3: E-commerce Company
A shopping platform:

  • Builds a preference center for email and SMS notifications

  • Lets users disable personalized recommendations

  • Displays cookie options clearly during first website visit

Conclusion

Implementing Privacy by Design is not just about checking boxes—it’s about building ethical, trustworthy, and future-ready businesses. Under the DPDPA 2025, Indian organizations must take a systematic, user-centric, and proactive approach to privacy. Embedding privacy into product design, team culture, technology infrastructure, and third-party partnerships not only ensures legal compliance but also builds competitive advantage in a digital world where customers value security and control over their personal data.

By making privacy the default, Indian businesses can lead in both compliance and customer trust as India steps into a data-protected future.

What are the legal implications of non-compliance with data breach notification requirements in India?

Introduction

With the rise in cyberattacks, data theft, ransomware, and system vulnerabilities, data breaches have become one of the most critical risks faced by organizations today. To address this, India’s Digital Personal Data Protection Act (DPDPA) 2023, set to be fully operational as DPDPA 2025, imposes legal obligations on businesses and other entities to report data breaches to the appropriate authorities and affected individuals.

Failure to comply with these data breach notification requirements has serious legal consequences, including financial penalties, reputational damage, and even investigations by regulatory bodies. In this context, understanding the breach notification requirements and the legal risks of non-compliance is essential for organizations operating in India.

Definition of a Data Breach Under Indian Law

Under the DPDPA, a data breach refers to any unauthorized or accidental disclosure, sharing, alteration, loss, access to, or misuse of personal data that compromises the confidentiality, integrity, or availability of that data.

This includes:

  • Hacking of databases

  • Insider data theft

  • Ransomware attacks

  • Accidental leaks via emails or misconfigured servers

  • Third-party service provider breaches

Key Data Breach Notification Obligations Under DPDPA 2025

According to Section 8(6) of the DPDPA:

  • Every Data Fiduciary (organization processing data) must report a data breach to the Data Protection Board of India (DPBI) as soon as possible, and within the prescribed time (to be notified via rules).

  • If the breach poses a risk to the rights of Data Principals (individuals), the organization must also inform the affected individuals.

  • The notification must include:

    • The nature and scale of the breach

    • The personal data affected

    • Likely consequences for Data Principals

    • Steps taken to mitigate or prevent future breaches

    • A grievance redressal contact for users

This obligation exists regardless of intent or cause — whether the breach was accidental or malicious.

Legal Implications of Non-Compliance

1. Monetary Penalties by the Data Protection Board

The DPDPA authorizes the Data Protection Board of India to impose financial penalties for breach-related violations.

According to the Schedule of Penalties in the Act:

  • Failure to notify the Board and affected individuals of a data breach can result in a fine of up to ₹200 crore (2 billion INR).

  • The actual penalty depends on factors such as:

    • Nature and severity of the breach

    • Duration of delay in reporting

    • Volume of data and number of affected individuals

    • Intent or negligence involved

    • Damage caused to individuals

Example:
A fintech company suffers a breach of financial data of 1 million customers and delays reporting for 10 days. If found negligent, the Board may impose a significant portion of the ₹200 crore maximum penalty.

2. Additional Liability for Significant Data Fiduciaries

Organizations classified as Significant Data Fiduciaries (SDFs) — such as those dealing with large-scale sensitive personal data or those impacting national interest — have heightened obligations.

If an SDF fails to notify a breach:

  • It can attract stricter scrutiny

  • Senior officers may be personally liable

  • The firm may face compliance audits

  • DPOs (Data Protection Officers) can be held accountable

3. Civil Suits and Compensation Claims

Though DPDPA does not explicitly create a compensation framework, individuals whose rights are violated due to a data breach may:

  • File complaints with the Data Protection Board

  • Pursue legal action under contract law or consumer protection law

  • Seek damages for financial or emotional harm

If a breach causes identity theft, reputational loss, or fraud, affected persons may approach consumer forums or civil courts claiming compensation.

Example:
A healthcare app leaks medical records of patients. Affected users may sue the company for emotional distress or reputational damage under Indian tort law or the Consumer Protection Act.

4. Reputational and Commercial Consequences

Non-compliance, especially when exposed in the public domain, leads to:

  • Loss of customer trust

  • Brand damage

  • Investor concern

  • Loss of business contracts, especially from international clients demanding data security compliance

Many B2B SaaS or IT service contracts with global clients include data breach clauses. Failure to notify may result in:

  • Termination of contracts

  • Breach of SLA obligations

  • Exposure to global regulatory liabilities (like GDPR fines)

5. Criminal Implications Under Other Laws

While DPDPA focuses on civil penalties, criminal provisions under other Indian laws can also apply:

a. The Information Technology Act, 2000 (IT Act):

  • Section 72A punishes disclosure of personal data without consent with up to 3 years of imprisonment or ₹5 lakh fine

  • Section 43A makes companies liable to compensate users if data is mishandled due to negligence

b. Indian Penal Code (IPC):

  • Sections related to criminal breach of trust, cheating, or data theft may apply if insiders or hackers are involved

6. Impact on Regulatory Licenses and Industry Compliance

Non-compliance with data breach rules can lead to:

  • Suspension or revocation of licenses by industry regulators (e.g., RBI, IRDAI, SEBI)

  • Enforcement actions under sectoral IT/cybersecurity regulations

  • Additional compliance audits and scrutiny from data commissioners

Example:
A payment company regulated by the RBI suffers a breach but fails to report it within the mandated 6-hour window under RBI cybersecurity guidelines. It can be penalized both under RBI regulations and the DPDPA.

7. International Implications

For Indian companies handling EU or US customer data, failure to report breaches under Indian law may also:

  • Trigger GDPR penalties (which mandate 72-hour breach reporting)

  • Breach contract terms with global partners

  • Lead to blacklisting or loss of cross-border data transfer permissions

Example:
A Noida-based SaaS company serving French clients fails to report a breach affecting EU data. It may face enforcement by the EU Data Protection Authority, in addition to Indian penalties.

How Organizations Can Ensure Compliance

To avoid legal implications, companies should:

  • Establish incident detection and response plans

  • Define a 24×7 breach response team

  • Create a data breach notification policy

  • Set up automatic alerts for unusual activity or system compromise

  • Maintain contact databases for regulators and users to enable quick notification

  • Use tools for data classification and breach impact analysis

  • Train employees on breach response protocols

Example Policy Flow:

  1. Identify and contain the breach

  2. Assess its impact on personal data

  3. Notify internal DPO/legal team within 2–6 hours

  4. Draft and submit report to Data Protection Board

  5. Notify affected users with actionable steps (e.g., change passwords)

  6. Log the entire process for audit trails

Conclusion

Non-compliance with data breach notification requirements under the DPDPA 2025 exposes Indian businesses to severe financial penalties, legal action, criminal liability, and brand damage. With regulators increasingly taking a zero-tolerance stance on breach secrecy or delay, organizations must adopt proactive strategies, implement robust monitoring systems, and train teams to react swiftly.

Data privacy and breach preparedness must be treated as a core compliance and business continuity responsibility, not just a technical issue. By building a culture of transparency, accountability, and quick response, businesses can safeguard themselves from legal fallout and build greater trust in India’s fast-evolving digital ecosystem,

How does the GDPR influence data privacy strategies for Indian companies with global operations?

Introduction

The General Data Protection Regulation (GDPR), enforced by the European Union in May 2018, is one of the world’s most stringent data privacy laws. While it is an EU regulation, its extraterritorial scope means that it applies not only to companies within the EU, but also to any non-EU business — including Indian companies — that process the personal data of EU citizens or residents.

For Indian businesses with global operations or clients in the European Union, GDPR compliance is not optional. It has fundamentally reshaped how Indian companies approach data governance, privacy risk, security, cross-border transfers, and customer trust. From IT services firms to e-commerce platforms, banking, healthcare, and SaaS companies, GDPR has pushed Indian firms to rethink and reformulate their data privacy strategies to stay globally relevant and legally compliant.

1. Understanding the Scope of GDPR for Indian Companies

GDPR applies to Indian companies that:

  • Offer goods or services (free or paid) to individuals in the EU

  • Monitor the behavior of people in the EU (e.g., through cookies, behavioral advertising, analytics)

  • Process EU customer data on behalf of another company (as a data processor)

This means an Indian company does not need to have a physical office in Europe to fall under GDPR; if it handles EU personal data in any way, it must comply.

Example:
An Indian IT firm building cloud-based CRM software for a German client will be subject to GDPR as it processes EU customer data.

2. Key GDPR Principles Shaping Indian Data Privacy Strategies

GDPR is built on principles that Indian companies must integrate into their data strategies:

a. Lawfulness, Fairness, and Transparency
Data must be collected and used lawfully, fairly, and with full transparency to the individual. Indian firms must provide clear privacy notices, obtain informed consent, and explain how data is used.

b. Purpose Limitation
Data should only be collected for a specific, legitimate purpose, and not used for anything beyond that without additional consent.

c. Data Minimization
Only the minimum amount of personal data necessary for a specific purpose should be collected.

d. Accuracy and Updation
Firms must ensure the personal data they hold is accurate and up-to-date.

e. Storage Limitation
Data should not be stored longer than necessary. Indian firms must create data retention policies and automate deletion mechanisms.

f. Integrity and Confidentiality
Indian companies must ensure data security through encryption, access controls, audit logs, etc.

g. Accountability
They must be able to demonstrate compliance through documentation, records, Data Protection Impact Assessments (DPIAs), and appointing Data Protection Officers (DPOs) where required.

3. Operational Changes Triggered by GDPR Compliance

To align with GDPR, Indian companies with global exposure have made several operational and strategic changes:

a. Revising Privacy Policies and Terms of Service
Organizations rewrote their privacy notices to reflect GDPR terms: purpose of processing, legal basis, data subject rights, contact information for privacy queries, etc.

b. Appointing Data Protection Officers (DPOs)
Companies meeting specific thresholds (e.g., large-scale data processing, sensitive data) have appointed internal or external DPOs to oversee compliance.

c. Creating Data Subject Rights Portals
Indian firms created online dashboards or request forms to allow EU users to exercise GDPR rights such as:

  • Right to access

  • Right to rectification

  • Right to erasure (right to be forgotten)

  • Right to data portability

  • Right to restrict processing

  • Right to object to automated profiling

d. Conducting Data Protection Impact Assessments (DPIAs)
Especially for high-risk processing (biometrics, profiling, etc.), Indian firms carry out DPIAs to evaluate the risks to EU users and take corrective actions.

e. Managing Data Breaches Responsibly
GDPR mandates reporting of data breaches to EU authorities within 72 hours. Indian firms have built incident response plans, breach notification workflows, and security operations to detect and act quickly.

f. Updating Vendor and Client Contracts
Indian exporters of data services sign Data Processing Agreements (DPAs) with clients, embedding GDPR clauses like:

  • Data controller-processor roles

  • Sub-processor disclosure

  • Cross-border transfer safeguards

  • Return/deletion of data on termination

g. Adopting Privacy by Design and Default
GDPR compels companies to embed privacy features from the ground up. Indian software firms have shifted to:

  • Anonymization and pseudonymization of user data

  • Limited data access for staff

  • “Opt-in” settings instead of “opt-out”

  • Role-based access controls in IT systems

4. Impact on Cross-Border Data Transfers

GDPR restricts personal data transfers outside the EU unless:

  • The receiving country has adequate data protection laws

  • Standard Contractual Clauses (SCCs) are signed

  • Binding Corporate Rules (BCRs) are in place for multinationals

India is not yet recognized as an “adequate” jurisdiction, so Indian companies must:

  • Sign SCCs with EU clients

  • Ensure EU data is stored in secure, compliant environments

  • Document data flow maps and transfer protocols

Example:
A Bengaluru-based HR tech firm serving clients in France must use SCCs and store data in GDPR-compliant European cloud regions or demonstrate safeguards if storing data in India.

5. Influence on Indian Data Protection Laws

GDPR has deeply influenced India’s data protection landscape:

  • The DPDPA 2023/2025 is inspired by GDPR, though simpler in scope.

  • Concepts like data fiduciary, data principal, consent, processing limitation, and data breach notification are similar.

  • The push for consent managers, data minimization, and children’s data protection mirrors GDPR’s requirements.

This alignment makes it easier for Indian firms to comply with both DPDPA and GDPR using unified systems and policies.

6. Competitive Advantage and Trust Building

Companies that invest in GDPR compliance often enjoy:

  • Stronger client relationships in Europe and other privacy-conscious markets

  • Faster onboarding with foreign clients due to ready privacy certifications

  • Greater trust among international customers who value transparency

  • Reduced legal and regulatory risks, avoiding heavy fines (up to €20 million or 4% of annual turnover under GDPR)

7. Sector-Wise Impact in India

  • IT/ITES Companies: Must handle large volumes of EU client data under processor contracts. GDPR compliance is essential to secure outsourcing deals.

  • E-commerce Platforms: Must align cookie practices, consent flows, marketing opt-ins with GDPR to sell in the EU.

  • Fintech and BFSI: Must manage high-risk financial and biometric data with maximum care. GDPR impacts KYC and fraud analytics tools.

  • Healthcare Startups: Processing health data of EU patients requires heightened safeguards and DPIAs.

  • SaaS Platforms: GDPR-compliant design and hosting are often demanded by global clients during onboarding.

8. Challenges Faced by Indian Companies

While GDPR offers benefits, it also presents challenges:

  • High compliance cost for SMEs

  • Legal complexity and fear of penalties

  • Difficulty in managing data flows across jurisdictions

  • Lack of trained privacy professionals in India

  • Conflicts between Indian localization demands (like RBI norms) and GDPR transfer rules

To address these, many Indian firms:

  • Hire EU-based representatives or consultants

  • Get ISO 27701 or GDPR certification

  • Conduct regular internal audits and privacy training

Conclusion

GDPR has significantly influenced the way Indian companies plan and execute their data privacy strategies. It has set a gold standard that Indian firms must follow to access and thrive in the European market. By embedding GDPR principles — transparency, consent, purpose limitation, accountability — into their culture, Indian companies not only ensure legal compliance but also gain a strong ethical and competitive edge.

As data privacy becomes central to global digital trust, GDPR-readiness is no longer a burden but a business enabler for Indian firms seeking to grow internationally. With the parallel implementation of India’s DPDPA, the time is ripe for companies to adopt a “privacy-by-default and global-by-design” approach to thrive in a privacy-first world.

What are the rights of data principals, including erasure and correction, under DPDPA?

Introduction

The Digital Personal Data Protection Act (DPDPA) 2023, which is being implemented operationally in 2025, marks a new era of data privacy regulation in India. The law aims to protect the personal data of individuals, known under the Act as Data Principals, by granting them specific rights over their own information.

These rights are designed to ensure that individuals maintain control, transparency, and autonomy over how their data is collected, used, stored, and shared. One of the key pillars of the DPDPA is the empowerment of Data Principals to access, correct, erase, and manage their personal data held by organizations (called Data Fiduciaries).

Understanding these rights is essential for both individuals and businesses to remain compliant and trustworthy.

Who is a Data Principal?

Under DPDPA 2025, a Data Principal is the individual to whom the personal data relates. In case of a child (under 18 years) or a person with disability, their parent or lawful guardian is considered the Data Principal.

Key Rights of Data Principals

DPDPA provides several specific rights to Data Principals. These include:

1. Right to Access Personal Data

Data Principals have the right to:

  • Obtain a summary of their personal data being processed by a Data Fiduciary

  • Know the processing purposes

  • Understand the categories of data being processed

  • Know with whom their data has been shared

  • View the duration of data storage

  • Know about the source of the data, if it was not directly collected from the Data Principal

This right allows individuals to be fully informed about what data organizations hold and how it’s being used.

Example: A customer using a mobile wallet service can request to know what personal and transactional data the company stores, whether it is shared with third-party marketing partners, and for how long it will be retained.

2. Right to Correction and Erasure

This is one of the most powerful rights granted under the DPDPA.

Right to Correction:
Data Principals have the right to correct inaccurate or misleading personal data about them that is held by a Data Fiduciary.

This includes:

  • Fixing incorrect name, address, date of birth, contact information, etc.

  • Updating out-of-date information

  • Removing irrelevant or false data

Right to Erasure:
Data Principals can request the erasure (deletion) of their personal data that:

  • Is no longer necessary for the purpose it was collected

  • Was collected based on consent which has now been withdrawn

  • Is being processed unlawfully

  • Must be erased to comply with legal obligations

However, the right to erasure is subject to the fiduciary’s legal obligations. If the data must be retained for legal, regulatory, or contractual obligations, the organization may reject the request but must provide a valid justification.

Example:
If an individual has closed their online shopping account and withdrawn consent, they can request the company to delete their personal data (name, email, payment details, etc.). However, the company may retain order-related records for tax or warranty reasons, with clear justification.

3. Right to Grievance Redressal

Every Data Principal has the right to lodge a complaint with the concerned Data Fiduciary if:

  • Their data has been misused

  • Their correction or erasure request was denied without proper reason

  • They experienced delay in access or action

Fiduciaries must provide a mechanism to handle grievances and respond within a reasonable time (notified by rules).

If unsatisfied, the Data Principal may appeal to the Data Protection Board of India, which will act as a quasi-judicial body.

Example: A user requests an app company to correct their gender and mobile number. The company ignores the request. The user can escalate the complaint to the Data Protection Board if no resolution is offered.

4. Right to Nominate

In case a Data Principal becomes incapacitated or dies, they have the right to nominate another person who can exercise their data rights on their behalf.

This is especially important for:

  • Digital legacy management

  • Managing health records

  • Financial accounts after death

Example: A person can nominate their spouse to manage or delete their digital accounts in the event of their death.

5. Right to Withdraw Consent

Where data is collected based on consent, the Data Principal has the right to:

  • Withdraw consent at any time

  • Ensure that such withdrawal is as easy as giving consent

Upon withdrawal, the Data Fiduciary must stop processing the relevant data unless legally required to retain it.

Example: A user who signed up for a newsletter can withdraw consent and expect the company to stop sending marketing emails and delete their related records.

6. Right to Be Informed

This is a foundational right, enabling all other rights. Data Principals must be:

  • Clearly informed before data is collected

  • Told about purposes of processing

  • Made aware of their rights under DPDPA

The information must be provided in clear, simple, and multiple languages (as applicable).

Example: A food delivery app must notify users during sign-up that their data may be used for location tracking, order fulfillment, and targeted ads. The user must be able to understand this information easily.

How Can Data Principals Exercise Their Rights?

Under the DPDPA, organizations (Data Fiduciaries) must:

  • Create easy-to-use tools or platforms for data access, correction, and erasure

  • Offer digital mechanisms, such as account settings or online forms, to raise requests

  • Respond within timelines to be notified by the government

  • Provide reasons in writing if any request is denied

  • Record and monitor how these requests are handled

For greater control, individuals may also use Consent Managers, authorized intermediaries who help Data Principals manage and track consents across multiple services.

Responsibilities of Data Fiduciaries

To support Data Principal rights, every Data Fiduciary must:

  • Maintain records of user consents and requests

  • Enable correction and deletion tools

  • Establish grievance redressal systems

  • Verify identity before processing such requests to prevent fraud

  • Retain only necessary data for as long as required

  • Appoint a Data Protection Officer (DPO) if they are classified as Significant Data Fiduciaries

Limitations and Conditions

While the rights of Data Principals are broad, some limitations apply:

  • Data cannot be deleted if required for legal obligations, e.g., tax, criminal investigations, medical records

  • Correction or deletion may be denied if the identity of the requester cannot be verified

  • Requests that are frivolous, repetitive, or excessive may be rejected

Penalties for Non-Compliance

Failure to honor these rights can lead to heavy penalties:

  • Up to ₹200 crore for failure to implement safeguards or respond to legitimate requests

  • Organizations may also face loss of reputation, legal cases, and cancellation of licenses in some sectors

Conclusion

DPDPA 2025 empowers Indian citizens with comprehensive rights over their personal data, bringing India closer to international data protection standards. The rights to access, correction, erasure, nomination, grievance redressal, and consent withdrawal create a strong legal framework where the individual—not the organization—is in control of personal information.

Businesses and platforms must redesign their systems, customer service processes, and data architectures to meet these obligations and enable real-time response to Data Principal requests. For individuals, these rights mark a turning point toward greater digital empowerment and privacy in India’s growing digital economy.

Understanding cross-border data transfer restrictions and guidelines under Indian law.

Introduction

As global digital interactions grow, the cross-border transfer of personal data has become an integral part of business operations. Whether it’s a tech company outsourcing customer support to another country, or a payment processor transmitting user data across borders for real-time transaction processing, seamless data flow is critical. However, such flows raise crucial concerns about privacy, misuse, jurisdiction, and national security.

India’s data protection framework — particularly through the Digital Personal Data Protection Act (DPDPA) 2023, operational as of 2025 — introduces a structured and legally enforceable approach to regulate cross-border transfers of personal data. These rules aim to strike a balance between enabling international business and protecting the rights and privacy of Indian citizens, known legally as Data Principals.

This article explores the meaning, restrictions, conditions, and compliance requirements for cross-border data transfers under Indian law, with examples and interpretations to help businesses and professionals understand their obligations.

Meaning of Cross-Border Data Transfer

Cross-border data transfer refers to the transmission of digital personal data from servers or systems located within India to servers or entities outside India. This may include:

  • Storing customer data on foreign servers (e.g., cloud storage in the US or Europe)

  • Sharing employee data with overseas headquarters

  • Outsourcing data processing functions (analytics, marketing, payroll) to third-party vendors abroad

While such transfers are often essential for operational efficiency, they expose data to different legal systems and potentially lesser data protection standards, prompting the need for a regulatory safeguard.

Evolution of Cross-Border Data Regulation in India

India has long debated data localization and transfer rules:

  • 2017–2018: The Justice Srikrishna Committee proposed strict localization for sensitive personal data.

  • 2019 PDP Bill: Proposed that sensitive personal data must be stored in India, though copies could be transferred abroad with conditions.

  • 2023 DPDPA (final law): Took a more practical and business-friendly approach, removing the mandatory localization requirement but still introducing selective restrictions.

Key Provisions on Cross-Border Data Transfers Under DPDPA 2025

Unlike earlier drafts, the DPDPA 2023/2025 does not outright restrict all data transfers, nor does it require mandatory data localization. Instead, it allows cross-border data transfers by default, subject to certain government-issued restrictions.

The relevant features of the law are:

1. Government-Notified “Restricted Countries” Clause
Section 16 of the DPDPA empowers the Central Government to restrict the transfer of personal data to certain countries or territories based on considerations such as:

  • National security

  • Friendly relations with that country

  • Risk of misuse

  • Data protection standards in the receiving country

If a country is notified as “restricted”, then data transfers to that country will be prohibited.

However, as of now, no country list has been officially notified, meaning cross-border transfers are currently allowed unless and until specific countries are blacklisted.

2. Consent and Purpose Limitation
Even if transfers are permitted:

  • They must be based on valid user consent

  • The user must be informed in advance that their data may be transferred internationally

  • The transfer must adhere to the purpose for which data was originally collected

For example, if a travel booking platform is collecting passport and payment data for booking international tickets, it must inform users during consent that their data may be shared with global airlines or payment gateways abroad.

3. Contractual Safeguards
Although the DPDPA doesn’t mandate this, it is a best practice (and often required by foreign laws like the GDPR) to include Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) in contracts with foreign vendors. These clauses should:

  • Define how data will be handled

  • Restrict data misuse

  • Require security standards

  • Mandate breach notification protocols

4. Protection of Data Principal Rights
Regardless of where data is transferred, the Indian citizen’s rights (such as right to withdraw consent or correct data) must be enforceable and respected. This means that organizations must ensure their foreign partners have mechanisms to support such rights.

5. Role of Data Protection Board of India (DPBI)
If any cross-border data transfer leads to a breach, misuse, or violation of rights, the Data Protection Board can initiate an investigation, and the originating company in India can be held liable, even if the actual misuse happened abroad.

6. Special Rules for Government Data
Data related to government contracts, strategic infrastructure, or critical sectors (like defense, healthcare, telecom) may be subject to sectoral restrictions or national security guidelines, even if not specifically restricted under DPDPA. These restrictions are often issued under separate rules or government orders.

7. Sensitive Personal Data (SPD) and Children’s Data
While DPDPA treats all personal data under the same umbrella, businesses should treat sensitive personal data (such as biometric, health, financial, and children’s data) with additional caution. Cross-border transfers of such data should be conducted only when:

  • The receiving entity has adequate safeguards

  • User rights are contractually protected

  • Proper encryption and anonymization are used

Illustrative Example: How Cross-Border Transfer Works

Example 1: E-commerce Platform

A company named Shopora India Pvt. Ltd., based in Mumbai, uses an email marketing service hosted in Ireland to send personalized promotional emails to its Indian customers. It collects user data (email, purchase history, browsing behavior) and shares it with the Irish platform.

To comply with DPDPA:

  • Shopora must inform users that their data may be processed outside India

  • It must take consent at the time of sign-up

  • It must ensure the foreign service provider has proper data security and privacy protocols

  • If Ireland is later designated as a restricted country, Shopora must stop transferring data there and find an alternate solution

Example 2: Indian Fintech Sharing Data with US Analytics Partner

An Indian fintech company shares customer transaction patterns with a US-based AI company for predictive analytics.

They must:

  • Get user consent

  • Ensure data is pseudonymized or encrypted

  • Enter into a binding agreement with the US partner on handling of data

  • Comply with sectoral RBI guidelines if applicable

  • Be ready to stop transfer if US is notified as a restricted country

Challenges in Cross-Border Transfers

Several businesses face operational challenges while ensuring cross-border compliance:

  • Lack of clarity on which countries may become restricted in the future

  • Inconsistent international laws (e.g., difference between Indian law and EU’s GDPR)

  • Difficulty in monitoring third-party data usage once transferred

  • Legal uncertainty when data is moved via global cloud platforms (like AWS, Azure)

To overcome these, organizations should:

  • Maintain a map of all international data flows

  • Limit transfers to countries with strong privacy laws

  • Use strong contracts and data processing agreements

  • Choose cloud regions and vendors based on data protection standards

Comparison with Global Laws

Let’s look at how DPDPA’s stance compares with other countries:

GDPR (EU): Allows transfers only to countries with adequate data protection, or via SCCs or Binding Corporate Rules. Very strict.

CCPA (California): Less restrictive, but requires disclosures and opt-outs for sale of personal data.

Singapore PDPA: Allows cross-border transfers if the receiving party ensures comparable protection.

India’s DPDPA: More flexible, permits transfer by default unless restricted. Places emphasis on consent and government control rather than adequacy assessments.

This shows that while India is adopting a liberal transfer model, it retains sovereign control by reserving the right to blacklist specific countries.

Conclusion

India’s DPDPA 2025 introduces a modern, globally-aligned yet India-first approach to cross-border data flows. It avoids blanket restrictions and allows transfers by default, while enabling the government to step in if necessary. For businesses, this means greater freedom — but also the responsibility to manage consent, partner contracts, user rights, and security across borders.

Organizations must treat cross-border data not just as a technical task, but as a legal obligation. They should audit their data flow, evaluate risks, and build policies that align with India’s emerging privacy regime. As the Central Government starts notifying restricted countries and more specific rules, compliance will shift from voluntary to mandatory. Early preparation is key to ensure business continuity, consumer trust, and legal safety in a world increasingly dependent on global data exchange.

How can organizations ensure transparent consent mechanisms under the DPDPA 2025 framework?

Introduction

India’s Digital Personal Data Protection Act (DPDPA) 2023, set to be enforced as DPDPA 2025 with more detailed provisions and operational rules, marks a transformative change in how organizations handle personal data. A cornerstone of this law is the requirement of “informed, clear, specific, and freely given consent” by individuals (called Data Principals) before their personal data is processed. Consent must be obtained transparently and ethically, empowering individuals to retain control over their personal information.

To comply with DPDPA 2025 and avoid penalties, organizations must establish transparent consent mechanisms. Transparency in consent doesn’t merely mean having a checkbox on a form; it requires end-to-end practices ensuring users fully understand what data is being collected, why, for how long, and with whom it will be shared. This document explores how businesses can implement such mechanisms with examples, best practices, and a deep understanding of the legal framework.

Understanding Consent Under DPDPA 2025

Under DPDPA, consent is the primary legal basis for processing personal data, unless certain “legitimate uses” apply. For consent to be valid, it must be:

  1. Free – Given without coercion or misleading terms

  2. Informed – The user knows exactly what data is collected and how it will be used

  3. Specific – Each purpose for data use must have separate, identifiable consent

  4. Unambiguous – No vague or broad language

  5. Granular and Revocable – Data Principals must be allowed to selectively opt in and out of certain data uses and withdraw consent at any time

Failure to comply can lead to penalties up to ₹250 crore, depending on the type of violation and the authority’s discretion.

Key Principles of Transparent Consent Mechanisms

To make consent mechanisms transparent under DPDPA 2025, organizations should follow a layered and user-friendly approach. Key principles include:

Clarity and Simplicity in Language: Consent requests should be in plain language, avoiding legal or technical jargon. The DPDPA mandates the use of local languages (including Hindi and regional languages) to ensure all individuals can understand the request.

Purpose Limitation: Each consent should be tied to a specific, limited purpose. If new purposes arise, new consent must be obtained.

Easy Access to Consent Records: Data Principals must have the ability to view, track, and manage their consents. This could be through a personal data dashboard or account settings page.

Right to Withdraw Consent: Consent should be revocable as easily as it was given. Withdrawal must not result in unfair treatment of the user unless the service requires that data for core functionality.

Notice Before Consent: A “Notice + Consent” model must be adopted. Before taking consent, a clear and concise notice explaining the data processing details must be presented.

Granular Consent: Users should be able to selectively consent to specific categories of data and purposes, not forced to accept everything through a single “Accept All” button.

Use of Consent Managers: DPDPA introduces the concept of Consent Managers, which are independent platforms or services that allow individuals to manage and monitor their data consents across multiple organizations.

How to Ensure Transparent Consent Mechanisms: Best Practices

1. Design Clear Consent Forms and Interfaces
Make user interfaces that explicitly state:

  • What data is being collected

  • For what purposes

  • Duration of storage

  • Third parties involved (if any)

  • User’s rights

For example, instead of saying:
“We may collect your data to provide better services.”

Say:
“We collect your location and browsing history to recommend local restaurants. You may opt out of location tracking.”

2. Layered Notice Design
Adopt a layered notice approach:

  • First layer: Short, crisp summary

  • Second layer: Detailed, full privacy policy

This way, users can quickly understand the key points, with the option to read more if needed.

3. Use Visual Aids
Visuals like icons, sliders, toggles, and color codes can help users grasp consent requests faster. For example, a green toggle for enabled consent and grey for disabled makes it intuitive.

4. Provide Language Options
DPDPA 2025 emphasizes inclusivity. Offer users the option to read the consent notice and privacy terms in their preferred language. This is especially important in India’s multilingual environment.

5. Real-Time Notifications for Consent Changes
Inform users when:

  • A third party will access their data

  • Purpose of data usage changes

  • Any new data is collected that wasn’t covered in the original consent

This builds trust and ensures continual compliance.

6. Enable Consent Review Dashboards
Allow users to view a history of all consents given, edit preferences, and withdraw consent. Include timestamps, purpose, and data shared in this dashboard.

Example: MyDataControl by a bank allows customers to see all data shared with financial partners and revoke access at any time.

7. Train Teams for Compliance
Your tech, marketing, legal, and data science teams must understand what constitutes valid consent. Train them to avoid dark patterns like pre-checked boxes, nudging, or bundling consent with irrelevant terms.

8. Deploy Consent Management Platforms (CMPs)
Use secure tools that automate, record, and manage consents, ensuring legal proof. These can be in-house dashboards or third-party solutions.

Examples include: OneTrust, TrustArc, or native CMPs built into apps and websites.

9. Include Opt-Out and Granularity Options
Respect the user’s right to choose which data is shared and which is not. Avoid “all-or-nothing” approaches.

Example: A travel app should let users opt in to share GPS location but opt out of sharing phone contacts.

10. Use Consent Managers Registered Under DPDPA
As per the law, you can integrate with authorized Consent Managers, allowing users to centrally manage their data rights across different companies.

This system resembles UPI in spirit: users can log in to a consent manager and approve or deny requests from any participating organization.

Example of Transparent Consent Implementation:

Case Study: Lazoro.in (a fictional handcrafted decor brand)

Lazoro sells wall art online. To improve user personalization, they want to collect:

  • Browsing behavior

  • Purchase history

  • Email for promotional campaigns

Here’s how they ensure transparent consent:

  1. On first visit, a pop-up appears:
    “Lazoro would like to use your browsing data to recommend products. You can decline this and still use our services.”

  2. The user sees 3 checkboxes:

  • I agree to Lazoro collecting browsing history ✅

  • I agree to receive promotional emails ⬜

  • I agree to data sharing with marketing partners ⬜

  1. Below checkboxes: “You can manage or withdraw your consents any time under ‘Privacy Settings’.”

  2. All options are explained in Hindi and English.

  3. A link to a privacy dashboard is available in the footer.

  4. Every 90 days, users are reminded via email to review their data consents.

This approach ensures Lazoro complies with all DPDPA transparency norms, builds trust, and avoids penalties.

Challenges in Implementation

Despite good intentions, many businesses struggle with transparent consent. Common issues include:

  • Ambiguous language in consent notices

  • Forcing users to consent for essential services

  • No easy way to withdraw or view consent history

  • Third-party integrations (like analytics or ads) that bypass consent

To overcome these, organizations must involve privacy officers, tech architects, and legal advisors while designing data systems.

Role of the Data Protection Board of India (DPBI)

DPDPA 2025 establishes the Data Protection Board of India, which will:

  • Oversee enforcement of consent rules

  • Investigate breaches

  • Handle complaints from Data Principals

  • Issue guidance on consent standards

  • Impose fines if violations are found

So, businesses must proactively align with board expectations. Having clear audit trails and transparent policies is essential.

Conclusion

Transparent consent under DPDPA 2025 is not just a compliance formality; it’s a business necessity and an ethical responsibility. With a growing digital population in India, ensuring users’ data rights are respected will define brand reputation, user loyalty, and legal standing. By designing clear consent interfaces, using multilingual support, enabling consent dashboards, and avoiding coercion, businesses can win trust while staying compliant.

Organizations must view consent as a long-term relationship with the user, not just a one-time checkbox. Doing so not only avoids legal risk but also demonstrates accountability and respect in a data-driven world.

What are the key obligations for data fiduciaries under the new Indian data protection rules?

Introduction
Under the Digital Personal Data Protection Act (DPDPA), 2023, which is set to become fully enforceable by 2025, the Government of India has laid out specific responsibilities for entities called data fiduciaries. A data fiduciary is any person, company, or organization that determines the purpose and means of processing personal data. These obligations are designed to ensure accountability, transparency, and the protection of individual privacy. All businesses that handle personal data in digital form must comply with these obligations, whether they collect it directly or receive it from another party.

Obligation 1: Obtain Valid and Informed Consent
Data fiduciaries must obtain clear, informed, and specific consent from users before collecting their personal data. The consent must be given voluntarily and must be based on clear information about what data will be collected and for what purpose. Consent should not be obtained by default or as a precondition for accessing unrelated services. Users should also have the right to withdraw their consent at any time.

Example
If a shopping website like Flipkart wants to collect data to send promotional emails, it must show users a checkbox asking for their consent. It cannot automatically assume consent or make it a hidden part of the terms and conditions.

Obligation 2: Purpose Limitation
Personal data must be collected only for specific, lawful, and stated purposes. A business cannot collect data for one reason and then use it for another unrelated purpose without obtaining additional consent from the user.

Example
If a travel site like MakeMyTrip collects a user’s passport number for flight booking, it cannot later use this information for unrelated services like insurance marketing unless it gets separate consent.

Obligation 3: Data Minimization
Only data that is strictly necessary for fulfilling the stated purpose should be collected. Businesses should avoid asking for excessive or irrelevant information from users.

Example
An app that delivers groceries should only ask for name, address, contact number, and payment information. It should not ask for personal details like marital status or religion unless required by law or a specific service.

Obligation 4: Storage Limitation
Data fiduciaries must not retain personal data longer than necessary. Once the purpose for which the data was collected is fulfilled, the data should be deleted or anonymized. Businesses must set internal retention timelines and ensure old or unused data is cleared periodically.

Example
If an online learning platform like Byju’s collects user data for course access, it should delete the data once the course ends and the student no longer needs the service.

Obligation 5: Accuracy of Data
Data fiduciaries are required to keep personal data accurate and up-to-date. They must provide a mechanism for individuals to review and correct their data.

Example
If a user’s delivery address changes on Amazon, the platform must allow the user to update their information and ensure the new address is used for all future orders.

Obligation 6: Implement Security Safeguards
Businesses must implement reasonable technical and organizational security measures to protect personal data from unauthorized access, disclosure, or breach. These include encryption, firewall protection, access controls, employee training, and breach detection systems.

Example
A financial app like PhonePe must ensure that user data is encrypted, login credentials are securely stored, and regular security audits are conducted to detect vulnerabilities.

Obligation 7: Grievance Redressal Mechanism
Data fiduciaries must provide an effective and responsive grievance redressal system. Users should be able to file complaints related to their data, consent, deletion requests, or misuse, and businesses must resolve these within the time specified by law.

Example
If a user contacts Paytm with a complaint about unauthorized data sharing, Paytm must investigate the issue and provide a formal resolution within the legal time frame.

Obligation 8: Enabling User Rights
Data fiduciaries are responsible for enabling individuals to exercise their rights under the Act. These include the right to access personal data, the right to correct or delete it, the right to withdraw consent, and the right to be informed about how data is used.

Example
If a user of Swiggy wants to delete their account and associated data, Swiggy must allow the user to initiate the deletion request and confirm once the data has been removed from its systems.

Obligation 9: Breach Notification
In the event of a data breach, the data fiduciary must inform the affected individuals as well as the Data Protection Board of India. The notification must be made promptly, including details of the nature of the breach and steps taken to minimize its impact.

Example
If a cyberattack exposes customer emails and phone numbers at Ola, the company must immediately notify the affected users and report the incident to the Board with a full explanation.

Obligation 10: Appointment of Data Protection Officer (for SDFs)
Organizations that are classified as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process must appoint a Data Protection Officer (DPO). The DPO will be responsible for ensuring compliance, managing grievances, and acting as the point of contact with the Data Protection Board.

Example
A telecom company like Jio would be considered a Significant Data Fiduciary and must appoint a qualified DPO to oversee all data protection responsibilities within the company.

Obligation 11: Conducting Data Protection Impact Assessments (DPIAs)
SDFs must conduct regular assessments of the potential risks their data processing activities pose to individuals. These assessments help in identifying vulnerabilities and applying safeguards to reduce risk.

Example
An insurance company that uses automated algorithms to assess customer profiles must carry out DPIAs to ensure its system does not unfairly discriminate or expose users to harm.

Obligation 12: Cross-Border Data Transfer Compliance
Data fiduciaries can transfer personal data outside India only to countries approved by the central government. Even after the data is transferred, fiduciaries must ensure that the data continues to be processed in a manner that protects individual rights.

Example
A company like Google India can store or process user data on servers in the US only if the US is among the countries notified by the government and all protective safeguards are maintained.

Obligation 13: Maintain Records and Audit Trails
Data fiduciaries are required to maintain records of their data processing activities, including when consent was taken, how long the data was stored, who accessed it, and when it was deleted. This is important for audits and demonstrating compliance.

Example
A food delivery app like Zomato should keep an internal log of every user consent interaction, data sharing with delivery partners, and data deletion request history for verification purposes.

Obligation 14: Accountability and Transparency
Data fiduciaries must publish a privacy policy, clearly outline how personal data is handled, and be transparent about any data-sharing with third parties. They are also accountable for ensuring that all their third-party vendors or processors comply with DPDPA regulations.

Example
If Myntra outsources its customer support to a third-party agency, it must ensure that the agency handles personal data with the same level of security and compliance required under Indian law.

Conclusion
The DPDPA 2023 places significant responsibilities on data fiduciaries to manage personal data ethically, securely, and transparently. These obligations reflect a broader shift toward recognizing data privacy as a fundamental right in India. For businesses, this means redesigning data systems, rewriting privacy policies, setting up grievance redressal procedures, implementing technical safeguards, and ensuring organizational compliance. Non-compliance can attract penalties of up to ₹250 crore, reputational loss, and possible suspension of operations. Companies that embrace these changes proactively will not only avoid penalties but also build stronger relationships with users, win trust, and position themselves for sustainable success in a privacy-first digital economy.

How does India’s DPDPA 2023/2025 impact data handling practices for businesses?

Introduction
The Digital Personal Data Protection Act (DPDPA) 2023, expected to be fully implemented by 2025, is India’s first comprehensive law dedicated to governing the use, processing, and storage of digital personal data. It reflects a major shift in India’s digital regulatory framework, placing strong emphasis on the protection of individual privacy and personal data rights. The DPDPA is designed to create a balance between the rights of individuals (Data Principals) and the lawful interests of businesses (Data Fiduciaries). Inspired by global data protection frameworks such as the European Union’s GDPR, it sets out detailed requirements for how businesses should collect, handle, store, and process personal data in India.

Core Principles of the DPDPA
The DPDPA is based on important foundational principles including purpose limitation, consent-based data processing, data minimization, storage limitation, accuracy, accountability, and transparency. These principles are embedded throughout the Act and form the guiding standards for all data handling practices in India. Businesses must not only comply with these principles in letter but also in spirit, by redesigning internal processes and technologies.

Requirement of Valid Consent
The Act mandates that no personal data shall be processed without obtaining explicit, clear, and informed consent from the individual. Consent must be free, specific, informed, unambiguous, and given through affirmative action. Individuals must also have the ability to withdraw consent at any point.

Impact on Businesses
Businesses must redesign all user interfaces where personal data is collected—such as websites, forms, and mobile applications—to include transparent consent forms and options to revoke consent. The commonly used practices of passive consent or bundled terms and conditions are no longer allowed. Every business must track consent and show proof that it was legally obtained.

Example
If Flipkart collects user data for sending promotional emails, it must show a separate opt-in checkbox where users can agree or disagree. It cannot automatically enroll users in marketing communication by default.

Obligations of Data Fiduciaries
Under the DPDPA, all businesses that handle personal data are known as Data Fiduciaries and must follow legal obligations such as informing users about the purpose of data collection, processing data only for legitimate use, ensuring data accuracy, implementing security safeguards, and allowing users to exercise their rights. Fiduciaries are expected to build systems that support these requirements.

Example
An app like Practo that stores sensitive health data must now provide a mechanism for users to correct errors in their medical history or delete outdated records, while ensuring data is encrypted and protected from unauthorized access.

Purpose Limitation and Data Minimization
The DPDPA requires that data be collected only for specific and declared purposes. The purpose must be shared with the user at the time of consent, and businesses are expected to collect only data that is strictly necessary for the stated purpose. Collecting extra data “just in case” is not allowed under this law.

Example
A ticket booking platform like IRCTC can ask for the passenger’s name, age, and ID, but it cannot ask for income, education level, or religious beliefs unless that data is essential for the service being provided.

Data Principal Rights
The DPDPA introduces several important rights for individuals, including the right to access their data, the right to correct inaccuracies, the right to delete data, the right to be informed, and the right to withdraw consent. Businesses are obligated to create internal systems to allow users to exercise these rights efficiently.

Example
If a Zomato user decides to delete their profile and all order history, Zomato must comply with this request and confirm the deletion. They must not keep any data unless it is legally required (such as for tax records).

Consent Managers
DPDPA introduces the concept of Consent Managers—neutral platforms authorized by the government to help individuals manage their consents across platforms. These managers can help users view, withdraw, or provide consent for multiple services from a single dashboard.

Example
A financial app like PhonePe might integrate with a consent manager such as Sahamati, enabling users to manage their consents for data sharing with various banks, lenders, and apps.

Children’s Data Protection
Special provisions are made for protecting the personal data of children under the age of 18. Parental consent is mandatory before processing data of minors. Businesses are also restricted from conducting behavioral tracking or serving targeted advertisements to minors.

Example
EdTech platforms like Byju’s must collect verifiable parental consent before enrolling a child and must ensure no personalized ads or data tracking are done on children’s usage patterns.

Cross-Border Data Transfer Rules
The law allows data to be transferred to countries that the Indian government notifies from time to time. This is a more relaxed stance compared to earlier drafts that called for strict data localization. However, the receiving countries must have strong data protection standards in place.

Example
Amazon India may process some of its data using servers in the United States, provided the US is among the countries approved by the Indian government and Amazon ensures compliance with Indian laws.

Data Breach Notification Requirements
In the event of a data breach, businesses must inform both the affected individuals and the Data Protection Board of India. Timely reporting and transparency are emphasized to ensure users are not kept in the dark.

Example
If Paytm faces a cyberattack in which credit card details are leaked, the company must immediately notify all affected users, publish a disclosure, and report the incident to the Data Protection Board.

Significant Data Fiduciaries (SDFs)
Some businesses will be classified as Significant Data Fiduciaries (SDFs) based on factors such as volume and sensitivity of data handled, potential impact on user rights, and scale of operations. These businesses will be subject to enhanced obligations like data audits, privacy impact assessments, appointing Data Protection Officers, and publishing compliance reports.

Example
Jio, which manages sensitive call records and customer data, would likely be an SDF and must hire a full-time Data Protection Officer and regularly submit reports to the Data Protection Board.

Penalties and Enforcement
The DPDPA establishes a Data Protection Board that will monitor compliance, investigate complaints, and impose penalties. Financial penalties for non-compliance can go up to ₹250 crore for serious violations. The Board can also recommend remedial actions and initiate legal proceedings.

Example
If MakeMyTrip fails to provide a user with access to their personal data within the required time, or continues using deleted data, the company can be fined and investigated by the Board.

Impact on Specific Sectors
E-commerce platforms must be careful with recommendation engines and user profiling. They must collect only necessary data and obtain explicit consent for marketing. Healthcare organizations must follow data encryption and access control standards while allowing data corrections. Financial institutions will need robust security infrastructure and must implement customer-controlled consent flows. EdTech firms must ensure no behavioral tracking of minors. Startups will face compliance costs but can benefit from early adoption and user trust.

Opportunities for Businesses
While the DPDPA presents a strong compliance challenge, it also offers new business opportunities. Companies that proactively follow the law will earn customer trust, become eligible for international partnerships, and strengthen brand reputation. Businesses that prioritize data protection can turn compliance into a competitive advantage.

Conclusion
The DPDPA 2023/2025 is a transformative law that impacts every stage of data handling—from collection and storage to sharing and deletion. It requires Indian businesses to treat personal data with transparency, accountability, and respect. Although compliance will involve reworking policies, building consent mechanisms, training staff, and deploying secure technologies, the long-term benefits include increased user trust, reduced risk of data breaches, and enhanced global competitiveness. By embedding privacy-by-design and user rights into their systems, businesses can not only meet legal requirements but also lead the way in building a responsible digital economy in India.