Legal & Ethical Aspects

What are the legal definitions of cybercrime, including hacking and data theft, in India?

Introduction

As India continues to digitalize its economy and public services, the threat of cybercrime has escalated dramatically. From unauthorized access to systems, to data theft, phishing, and identity fraud, cybercriminals target individuals, businesses, and government agencies alike. To address this, India has enacted laws under the Information Technology Act, 2000 (IT Act) and the Indian Penal Code (IPC) to define and penalize such offences.

Understanding the legal definitions of cybercrime, especially in the context of hacking, data theft, and related offences, is critical for businesses, individuals, and law enforcement.

What Is Cybercrime?

Cybercrime refers to any criminal activity that involves a computer, network, or digital device. It includes crimes where computers are either the target (e.g., hacking) or the tool (e.g., phishing scams or spreading malware).

In Indian law, cybercrime is primarily governed by:

  • The Information Technology Act, 2000 (as amended in 2008)

  • The Indian Penal Code (IPC), 1860

  • Supplemented by sectoral regulations (e.g., RBI guidelines, DPDPA 2023)

Key Legal Definitions and Provisions

1. Hacking – Section 66 of the IT Act

Definition:
Hacking is defined as unauthorized access to or damage of a computer system, data, or network, with the intention to destroy, delete, alter, or steal data, or diminish its value.

Legal Language (Section 66):
If any person, dishonestly or fraudulently, does any act referred to in Section 43 (such as accessing or downloading data without permission), they shall be punishable under Section 66.

Punishment:

  • Imprisonment up to 3 years

  • Fine up to ₹5 lakh

  • Or both

Example:
If a person gains access to a company’s internal server and deletes customer records, it constitutes hacking.

2. Data Theft – Section 43(b) & Section 66 of the IT Act

Definition:
Data theft is the unauthorized downloading, copying, or extraction of data, including personal or confidential information, from a computer system.

Legal Provision (Section 43(b)):
If a person downloads, copies, or extracts any data, database, or information from a system or network without permission, they are liable to pay damages.

When done with fraudulent or dishonest intent, it becomes a criminal offence under Section 66.

Punishment:
Same as hacking – up to 3 years of imprisonment, fine up to ₹5 lakh, or both.

Example:
A former employee accesses a company’s client database after resignation and copies it to sell to a competitor.

3. Identity Theft – Section 66C of the IT Act

Definition:
Using someone else’s identity credentials like passwords, biometric data, or digital signatures without authorization.

Punishment:

  • Up to 3 years of imprisonment

  • Fine up to ₹1 lakh

Example:
Using another person’s Aadhaar number or credit card credentials to make online purchases.

4. Cheating by Personation Using Computer Resource – Section 66D

Definition:
Cheating someone by pretending to be another person using digital means (emails, social media, fake websites).

Punishment:

  • Up to 3 years of imprisonment

  • Fine up to ₹1 lakh

Example:
Creating a fake banking website to trick users into entering personal financial details.

5. Cyber Terrorism – Section 66F of the IT Act

Definition:
Unauthorized access to computer systems with the intent to threaten sovereignty, integrity, or security of India, or to cause death, injury, or damage to critical infrastructure.

Punishment:

  • Life imprisonment

Example:
A cyberattack on the railway network, air traffic control, or power grid with malicious intent.

6. Publishing Obscene or Private Images – Section 66E

Definition:
Capturing, publishing, or transmitting images of a person’s private areas without consent.

Punishment:

  • Up to 3 years of imprisonment

  • Fine up to ₹2 lakh

Example:
Leaking private photographs of individuals without consent on social media.

7. Tampering With Computer Source Documents – Section 65

Definition:
Knowingly destroying, altering, or concealing computer source code or programs required to be maintained by law.

Punishment:

  • Up to 3 years of imprisonment

  • Fine up to ₹2 lakh

Example:
An IT employee deletes crucial software source code to disrupt services or hide fraud.

8. Sending Offensive Messages via Communication Service – Section 66A (Struck Down)

Note:
Section 66A, which dealt with sending “offensive” messages via email or social media, was struck down by the Supreme Court in 2015 (Shreya Singhal v. Union of India) for violating free speech.

9. Cybercrime Provisions Under Indian Penal Code (IPC)

While the IT Act is the main law, IPC sections are often used in parallel for related crimes:

Section 379 – Theft
If physical theft is involved alongside data theft, IPC 379 may be invoked.

Section 420 – Cheating and Dishonest Inducement
Used in email frauds, phishing, or online job scams.

Section 406 – Criminal Breach of Trust
Applicable when someone entrusted with data misuses it.

Section 468 – Forgery for Cheating
Applicable in fake documents or identity-related cyber fraud.

Civil vs Criminal Liability

Under the IT Act, certain offences (like unauthorized data access under Section 43) are civil offences, leading to compensation or damages. When coupled with dishonest or fraudulent intent (Section 66), they become criminal offences, punishable by imprisonment and fines.

Important Cases

1. Sony India Pvt. Ltd. v. Harmeet Singh
The first major cybercrime case involving credit card fraud through online shopping. The court upheld the applicability of the IT Act for e-commerce fraud.

2. State of Tamil Nadu v. Suhas Katti
One of the first convictions under cybercrime law. The accused posted obscene messages about a woman on a Yahoo message group, leading to a conviction under Sections 67 and 509 IPC.

Recent Developments and Future Frameworks

  1. Digital Personal Data Protection Act (DPDPA), 2023
    Once implemented, the DPDPA will introduce additional rules and penalties for data misuse, consent violations, and breach reporting.

  2. CERT-In Guidelines
    The Indian Computer Emergency Response Team (CERT-In) has made it mandatory to report cyber incidents (data breaches, system compromises) within 6 hours.

  3. Cyber Police Stations
    Special cybercrime cells have been established across major cities and states to investigate IT-related crimes.

Conclusion

India’s legal system has recognized the growing threat of cybercrime and has defined hacking, data theft, identity fraud, and online cheating in precise terms through the Information Technology Act, 2000, and supplemented by relevant provisions of the Indian Penal Code. These definitions carry strict punishments, including imprisonment and financial penalties. As digital dependency increases, businesses and individuals must stay aware of these laws, implement cyber hygiene practices, and report offences to relevant authorities promptly. Understanding these legal provisions not only helps in compliance and prevention but also plays a vital role in securing India’s digital ecosystem.

How does the GDPR influence data privacy strategies for Indian companies with global operations?

Introduction

The General Data Protection Regulation (GDPR), enforced by the European Union in May 2018, is one of the world’s most stringent data privacy laws. While it is an EU regulation, its extraterritorial scope means that it applies not only to companies within the EU, but also to any non-EU business — including Indian companies — that process the personal data of EU citizens or residents.

For Indian businesses with global operations or clients in the European Union, GDPR compliance is not optional. It has fundamentally reshaped how Indian companies approach data governance, privacy risk, security, cross-border transfers, and customer trust. From IT services firms to e-commerce platforms, banking, healthcare, and SaaS companies, GDPR has pushed Indian firms to rethink and reformulate their data privacy strategies to stay globally relevant and legally compliant.

1. Understanding the Scope of GDPR for Indian Companies

GDPR applies to Indian companies that:

  • Offer goods or services (free or paid) to individuals in the EU

  • Monitor the behavior of people in the EU (e.g., through cookies, behavioral advertising, analytics)

  • Process EU customer data on behalf of another company (as a data processor)

This means an Indian company does not need to have a physical office in Europe to fall under GDPR; if it handles EU personal data in any way, it must comply.

Example:
An Indian IT firm building cloud-based CRM software for a German client will be subject to GDPR as it processes EU customer data.

2. Key GDPR Principles Shaping Indian Data Privacy Strategies

GDPR is built on principles that Indian companies must integrate into their data strategies:

a. Lawfulness, Fairness, and Transparency
Data must be collected and used lawfully, fairly, and with full transparency to the individual. Indian firms must provide clear privacy notices, obtain informed consent, and explain how data is used.

b. Purpose Limitation
Data should only be collected for a specific, legitimate purpose, and not used for anything beyond that without additional consent.

c. Data Minimization
Only the minimum amount of personal data necessary for a specific purpose should be collected.

d. Accuracy and Updation
Firms must ensure the personal data they hold is accurate and up-to-date.

e. Storage Limitation
Data should not be stored longer than necessary. Indian firms must create data retention policies and automate deletion mechanisms.

f. Integrity and Confidentiality
Indian companies must ensure data security through encryption, access controls, audit logs, etc.

g. Accountability
They must be able to demonstrate compliance through documentation, records, Data Protection Impact Assessments (DPIAs), and appointing Data Protection Officers (DPOs) where required.

3. Operational Changes Triggered by GDPR Compliance

To align with GDPR, Indian companies with global exposure have made several operational and strategic changes:

a. Revising Privacy Policies and Terms of Service
Organizations rewrote their privacy notices to reflect GDPR terms: purpose of processing, legal basis, data subject rights, contact information for privacy queries, etc.

b. Appointing Data Protection Officers (DPOs)
Companies meeting specific thresholds (e.g., large-scale data processing, sensitive data) have appointed internal or external DPOs to oversee compliance.

c. Creating Data Subject Rights Portals
Indian firms created online dashboards or request forms to allow EU users to exercise GDPR rights such as:

  • Right to access

  • Right to rectification

  • Right to erasure (right to be forgotten)

  • Right to data portability

  • Right to restrict processing

  • Right to object to automated profiling

d. Conducting Data Protection Impact Assessments (DPIAs)
Especially for high-risk processing (biometrics, profiling, etc.), Indian firms carry out DPIAs to evaluate the risks to EU users and take corrective actions.

e. Managing Data Breaches Responsibly
GDPR mandates reporting of data breaches to EU authorities within 72 hours. Indian firms have built incident response plans, breach notification workflows, and security operations to detect and act quickly.

f. Updating Vendor and Client Contracts
Indian exporters of data services sign Data Processing Agreements (DPAs) with clients, embedding GDPR clauses like:

  • Data controller-processor roles

  • Sub-processor disclosure

  • Cross-border transfer safeguards

  • Return/deletion of data on termination

g. Adopting Privacy by Design and Default
GDPR compels companies to embed privacy features from the ground up. Indian software firms have shifted to:

  • Anonymization and pseudonymization of user data

  • Limited data access for staff

  • “Opt-in” settings instead of “opt-out”

  • Role-based access controls in IT systems

4. Impact on Cross-Border Data Transfers

GDPR restricts personal data transfers outside the EU unless:

  • The receiving country has adequate data protection laws

  • Standard Contractual Clauses (SCCs) are signed

  • Binding Corporate Rules (BCRs) are in place for multinationals

India is not yet recognized as an “adequate” jurisdiction, so Indian companies must:

  • Sign SCCs with EU clients

  • Ensure EU data is stored in secure, compliant environments

  • Document data flow maps and transfer protocols

Example:
A Bengaluru-based HR tech firm serving clients in France must use SCCs and store data in GDPR-compliant European cloud regions or demonstrate safeguards if storing data in India.

5. Influence on Indian Data Protection Laws

GDPR has deeply influenced India’s data protection landscape:

  • The DPDPA 2023/2025 is inspired by GDPR, though simpler in scope.

  • Concepts like data fiduciary, data principal, consent, processing limitation, and data breach notification are similar.

  • The push for consent managers, data minimization, and children’s data protection mirrors GDPR’s requirements.

This alignment makes it easier for Indian firms to comply with both DPDPA and GDPR using unified systems and policies.

6. Competitive Advantage and Trust Building

Companies that invest in GDPR compliance often enjoy:

  • Stronger client relationships in Europe and other privacy-conscious markets

  • Faster onboarding with foreign clients due to ready privacy certifications

  • Greater trust among international customers who value transparency

  • Reduced legal and regulatory risks, avoiding heavy fines (up to €20 million or 4% of annual turnover under GDPR)

7. Sector-Wise Impact in India

  • IT/ITES Companies: Must handle large volumes of EU client data under processor contracts. GDPR compliance is essential to secure outsourcing deals.

  • E-commerce Platforms: Must align cookie practices, consent flows, marketing opt-ins with GDPR to sell in the EU.

  • Fintech and BFSI: Must manage high-risk financial and biometric data with maximum care. GDPR impacts KYC and fraud analytics tools.

  • Healthcare Startups: Processing health data of EU patients requires heightened safeguards and DPIAs.

  • SaaS Platforms: GDPR-compliant design and hosting are often demanded by global clients during onboarding.

8. Challenges Faced by Indian Companies

While GDPR offers benefits, it also presents challenges:

  • High compliance cost for SMEs

  • Legal complexity and fear of penalties

  • Difficulty in managing data flows across jurisdictions

  • Lack of trained privacy professionals in India

  • Conflicts between Indian localization demands (like RBI norms) and GDPR transfer rules

To address these, many Indian firms:

  • Hire EU-based representatives or consultants

  • Get ISO 27701 or GDPR certification

  • Conduct regular internal audits and privacy training

Conclusion

GDPR has significantly influenced the way Indian companies plan and execute their data privacy strategies. It has set a gold standard that Indian firms must follow to access and thrive in the European market. By embedding GDPR principles — transparency, consent, purpose limitation, accountability — into their culture, Indian companies not only ensure legal compliance but also gain a strong ethical and competitive edge.

As data privacy becomes central to global digital trust, GDPR-readiness is no longer a burden but a business enabler for Indian firms seeking to grow internationally. With the parallel implementation of India’s DPDPA, the time is ripe for companies to adopt a “privacy-by-default and global-by-design” approach to thrive in a privacy-first world.

What are the rights of data principals, including erasure and correction, under DPDPA?

Introduction

The Digital Personal Data Protection Act (DPDPA) 2023, which is being implemented operationally in 2025, marks a new era of data privacy regulation in India. The law aims to protect the personal data of individuals, known under the Act as Data Principals, by granting them specific rights over their own information.

These rights are designed to ensure that individuals maintain control, transparency, and autonomy over how their data is collected, used, stored, and shared. One of the key pillars of the DPDPA is the empowerment of Data Principals to access, correct, erase, and manage their personal data held by organizations (called Data Fiduciaries).

Understanding these rights is essential for both individuals and businesses to remain compliant and trustworthy.

Who is a Data Principal?

Under DPDPA 2025, a Data Principal is the individual to whom the personal data relates. In case of a child (under 18 years) or a person with disability, their parent or lawful guardian is considered the Data Principal.

Key Rights of Data Principals

DPDPA provides several specific rights to Data Principals. These include:

1. Right to Access Personal Data

Data Principals have the right to:

  • Obtain a summary of their personal data being processed by a Data Fiduciary

  • Know the processing purposes

  • Understand the categories of data being processed

  • Know with whom their data has been shared

  • View the duration of data storage

  • Know about the source of the data, if it was not directly collected from the Data Principal

This right allows individuals to be fully informed about what data organizations hold and how it’s being used.

Example: A customer using a mobile wallet service can request to know what personal and transactional data the company stores, whether it is shared with third-party marketing partners, and for how long it will be retained.

2. Right to Correction and Erasure

This is one of the most powerful rights granted under the DPDPA.

Right to Correction:
Data Principals have the right to correct inaccurate or misleading personal data about them that is held by a Data Fiduciary.

This includes:

  • Fixing incorrect name, address, date of birth, contact information, etc.

  • Updating out-of-date information

  • Removing irrelevant or false data

Right to Erasure:
Data Principals can request the erasure (deletion) of their personal data that:

  • Is no longer necessary for the purpose it was collected

  • Was collected based on consent which has now been withdrawn

  • Is being processed unlawfully

  • Must be erased to comply with legal obligations

However, the right to erasure is subject to the fiduciary’s legal obligations. If the data must be retained for legal, regulatory, or contractual obligations, the organization may reject the request but must provide a valid justification.

Example:
If an individual has closed their online shopping account and withdrawn consent, they can request the company to delete their personal data (name, email, payment details, etc.). However, the company may retain order-related records for tax or warranty reasons, with clear justification.

3. Right to Grievance Redressal

Every Data Principal has the right to lodge a complaint with the concerned Data Fiduciary if:

  • Their data has been misused

  • Their correction or erasure request was denied without proper reason

  • They experienced delay in access or action

Fiduciaries must provide a mechanism to handle grievances and respond within a reasonable time (notified by rules).

If unsatisfied, the Data Principal may appeal to the Data Protection Board of India, which will act as a quasi-judicial body.

Example: A user requests an app company to correct their gender and mobile number. The company ignores the request. The user can escalate the complaint to the Data Protection Board if no resolution is offered.

4. Right to Nominate

In case a Data Principal becomes incapacitated or dies, they have the right to nominate another person who can exercise their data rights on their behalf.

This is especially important for:

  • Digital legacy management

  • Managing health records

  • Financial accounts after death

Example: A person can nominate their spouse to manage or delete their digital accounts in the event of their death.

5. Right to Withdraw Consent

Where data is collected based on consent, the Data Principal has the right to:

  • Withdraw consent at any time

  • Ensure that such withdrawal is as easy as giving consent

Upon withdrawal, the Data Fiduciary must stop processing the relevant data unless legally required to retain it.

Example: A user who signed up for a newsletter can withdraw consent and expect the company to stop sending marketing emails and delete their related records.

6. Right to Be Informed

This is a foundational right, enabling all other rights. Data Principals must be:

  • Clearly informed before data is collected

  • Told about purposes of processing

  • Made aware of their rights under DPDPA

The information must be provided in clear, simple, and multiple languages (as applicable).

Example: A food delivery app must notify users during sign-up that their data may be used for location tracking, order fulfillment, and targeted ads. The user must be able to understand this information easily.

How Can Data Principals Exercise Their Rights?

Under the DPDPA, organizations (Data Fiduciaries) must:

  • Create easy-to-use tools or platforms for data access, correction, and erasure

  • Offer digital mechanisms, such as account settings or online forms, to raise requests

  • Respond within timelines to be notified by the government

  • Provide reasons in writing if any request is denied

  • Record and monitor how these requests are handled

For greater control, individuals may also use Consent Managers, authorized intermediaries who help Data Principals manage and track consents across multiple services.

Responsibilities of Data Fiduciaries

To support Data Principal rights, every Data Fiduciary must:

  • Maintain records of user consents and requests

  • Enable correction and deletion tools

  • Establish grievance redressal systems

  • Verify identity before processing such requests to prevent fraud

  • Retain only necessary data for as long as required

  • Appoint a Data Protection Officer (DPO) if they are classified as Significant Data Fiduciaries

Limitations and Conditions

While the rights of Data Principals are broad, some limitations apply:

  • Data cannot be deleted if required for legal obligations, e.g., tax, criminal investigations, medical records

  • Correction or deletion may be denied if the identity of the requester cannot be verified

  • Requests that are frivolous, repetitive, or excessive may be rejected

Penalties for Non-Compliance

Failure to honor these rights can lead to heavy penalties:

  • Up to ₹200 crore for failure to implement safeguards or respond to legitimate requests

  • Organizations may also face loss of reputation, legal cases, and cancellation of licenses in some sectors

Conclusion

DPDPA 2025 empowers Indian citizens with comprehensive rights over their personal data, bringing India closer to international data protection standards. The rights to access, correction, erasure, nomination, grievance redressal, and consent withdrawal create a strong legal framework where the individual—not the organization—is in control of personal information.

Businesses and platforms must redesign their systems, customer service processes, and data architectures to meet these obligations and enable real-time response to Data Principal requests. For individuals, these rights mark a turning point toward greater digital empowerment and privacy in India’s growing digital economy.

Understanding cross-border data transfer restrictions and guidelines under Indian law.

Introduction

As global digital interactions grow, the cross-border transfer of personal data has become an integral part of business operations. Whether it’s a tech company outsourcing customer support to another country, or a payment processor transmitting user data across borders for real-time transaction processing, seamless data flow is critical. However, such flows raise crucial concerns about privacy, misuse, jurisdiction, and national security.

India’s data protection framework — particularly through the Digital Personal Data Protection Act (DPDPA) 2023, operational as of 2025 — introduces a structured and legally enforceable approach to regulate cross-border transfers of personal data. These rules aim to strike a balance between enabling international business and protecting the rights and privacy of Indian citizens, known legally as Data Principals.

This article explores the meaning, restrictions, conditions, and compliance requirements for cross-border data transfers under Indian law, with examples and interpretations to help businesses and professionals understand their obligations.

Meaning of Cross-Border Data Transfer

Cross-border data transfer refers to the transmission of digital personal data from servers or systems located within India to servers or entities outside India. This may include:

  • Storing customer data on foreign servers (e.g., cloud storage in the US or Europe)

  • Sharing employee data with overseas headquarters

  • Outsourcing data processing functions (analytics, marketing, payroll) to third-party vendors abroad

While such transfers are often essential for operational efficiency, they expose data to different legal systems and potentially lesser data protection standards, prompting the need for a regulatory safeguard.

Evolution of Cross-Border Data Regulation in India

India has long debated data localization and transfer rules:

  • 2017–2018: The Justice Srikrishna Committee proposed strict localization for sensitive personal data.

  • 2019 PDP Bill: Proposed that sensitive personal data must be stored in India, though copies could be transferred abroad with conditions.

  • 2023 DPDPA (final law): Took a more practical and business-friendly approach, removing the mandatory localization requirement but still introducing selective restrictions.

Key Provisions on Cross-Border Data Transfers Under DPDPA 2025

Unlike earlier drafts, the DPDPA 2023/2025 does not outright restrict all data transfers, nor does it require mandatory data localization. Instead, it allows cross-border data transfers by default, subject to certain government-issued restrictions.

The relevant features of the law are:

1. Government-Notified “Restricted Countries” Clause
Section 16 of the DPDPA empowers the Central Government to restrict the transfer of personal data to certain countries or territories based on considerations such as:

  • National security

  • Friendly relations with that country

  • Risk of misuse

  • Data protection standards in the receiving country

If a country is notified as “restricted”, then data transfers to that country will be prohibited.

However, as of now, no country list has been officially notified, meaning cross-border transfers are currently allowed unless and until specific countries are blacklisted.

2. Consent and Purpose Limitation
Even if transfers are permitted:

  • They must be based on valid user consent

  • The user must be informed in advance that their data may be transferred internationally

  • The transfer must adhere to the purpose for which data was originally collected

For example, if a travel booking platform is collecting passport and payment data for booking international tickets, it must inform users during consent that their data may be shared with global airlines or payment gateways abroad.

3. Contractual Safeguards
Although the DPDPA doesn’t mandate this, it is a best practice (and often required by foreign laws like the GDPR) to include Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) in contracts with foreign vendors. These clauses should:

  • Define how data will be handled

  • Restrict data misuse

  • Require security standards

  • Mandate breach notification protocols

4. Protection of Data Principal Rights
Regardless of where data is transferred, the Indian citizen’s rights (such as right to withdraw consent or correct data) must be enforceable and respected. This means that organizations must ensure their foreign partners have mechanisms to support such rights.

5. Role of Data Protection Board of India (DPBI)
If any cross-border data transfer leads to a breach, misuse, or violation of rights, the Data Protection Board can initiate an investigation, and the originating company in India can be held liable, even if the actual misuse happened abroad.

6. Special Rules for Government Data
Data related to government contracts, strategic infrastructure, or critical sectors (like defense, healthcare, telecom) may be subject to sectoral restrictions or national security guidelines, even if not specifically restricted under DPDPA. These restrictions are often issued under separate rules or government orders.

7. Sensitive Personal Data (SPD) and Children’s Data
While DPDPA treats all personal data under the same umbrella, businesses should treat sensitive personal data (such as biometric, health, financial, and children’s data) with additional caution. Cross-border transfers of such data should be conducted only when:

  • The receiving entity has adequate safeguards

  • User rights are contractually protected

  • Proper encryption and anonymization are used

Illustrative Example: How Cross-Border Transfer Works

Example 1: E-commerce Platform

A company named Shopora India Pvt. Ltd., based in Mumbai, uses an email marketing service hosted in Ireland to send personalized promotional emails to its Indian customers. It collects user data (email, purchase history, browsing behavior) and shares it with the Irish platform.

To comply with DPDPA:

  • Shopora must inform users that their data may be processed outside India

  • It must take consent at the time of sign-up

  • It must ensure the foreign service provider has proper data security and privacy protocols

  • If Ireland is later designated as a restricted country, Shopora must stop transferring data there and find an alternate solution

Example 2: Indian Fintech Sharing Data with US Analytics Partner

An Indian fintech company shares customer transaction patterns with a US-based AI company for predictive analytics.

They must:

  • Get user consent

  • Ensure data is pseudonymized or encrypted

  • Enter into a binding agreement with the US partner on handling of data

  • Comply with sectoral RBI guidelines if applicable

  • Be ready to stop transfer if US is notified as a restricted country

Challenges in Cross-Border Transfers

Several businesses face operational challenges while ensuring cross-border compliance:

  • Lack of clarity on which countries may become restricted in the future

  • Inconsistent international laws (e.g., difference between Indian law and EU’s GDPR)

  • Difficulty in monitoring third-party data usage once transferred

  • Legal uncertainty when data is moved via global cloud platforms (like AWS, Azure)

To overcome these, organizations should:

  • Maintain a map of all international data flows

  • Limit transfers to countries with strong privacy laws

  • Use strong contracts and data processing agreements

  • Choose cloud regions and vendors based on data protection standards

Comparison with Global Laws

Let’s look at how DPDPA’s stance compares with other countries:

GDPR (EU): Allows transfers only to countries with adequate data protection, or via SCCs or Binding Corporate Rules. Very strict.

CCPA (California): Less restrictive, but requires disclosures and opt-outs for sale of personal data.

Singapore PDPA: Allows cross-border transfers if the receiving party ensures comparable protection.

India’s DPDPA: More flexible, permits transfer by default unless restricted. Places emphasis on consent and government control rather than adequacy assessments.

This shows that while India is adopting a liberal transfer model, it retains sovereign control by reserving the right to blacklist specific countries.

Conclusion

India’s DPDPA 2025 introduces a modern, globally-aligned yet India-first approach to cross-border data flows. It avoids blanket restrictions and allows transfers by default, while enabling the government to step in if necessary. For businesses, this means greater freedom — but also the responsibility to manage consent, partner contracts, user rights, and security across borders.

Organizations must treat cross-border data not just as a technical task, but as a legal obligation. They should audit their data flow, evaluate risks, and build policies that align with India’s emerging privacy regime. As the Central Government starts notifying restricted countries and more specific rules, compliance will shift from voluntary to mandatory. Early preparation is key to ensure business continuity, consumer trust, and legal safety in a world increasingly dependent on global data exchange.

How can organizations ensure transparent consent mechanisms under the DPDPA 2025 framework?

Introduction

India’s Digital Personal Data Protection Act (DPDPA) 2023, set to be enforced as DPDPA 2025 with more detailed provisions and operational rules, marks a transformative change in how organizations handle personal data. A cornerstone of this law is the requirement of “informed, clear, specific, and freely given consent” by individuals (called Data Principals) before their personal data is processed. Consent must be obtained transparently and ethically, empowering individuals to retain control over their personal information.

To comply with DPDPA 2025 and avoid penalties, organizations must establish transparent consent mechanisms. Transparency in consent doesn’t merely mean having a checkbox on a form; it requires end-to-end practices ensuring users fully understand what data is being collected, why, for how long, and with whom it will be shared. This document explores how businesses can implement such mechanisms with examples, best practices, and a deep understanding of the legal framework.

Understanding Consent Under DPDPA 2025

Under DPDPA, consent is the primary legal basis for processing personal data, unless certain “legitimate uses” apply. For consent to be valid, it must be:

  1. Free – Given without coercion or misleading terms

  2. Informed – The user knows exactly what data is collected and how it will be used

  3. Specific – Each purpose for data use must have separate, identifiable consent

  4. Unambiguous – No vague or broad language

  5. Granular and Revocable – Data Principals must be allowed to selectively opt in and out of certain data uses and withdraw consent at any time

Failure to comply can lead to penalties up to ₹250 crore, depending on the type of violation and the authority’s discretion.

Key Principles of Transparent Consent Mechanisms

To make consent mechanisms transparent under DPDPA 2025, organizations should follow a layered and user-friendly approach. Key principles include:

Clarity and Simplicity in Language: Consent requests should be in plain language, avoiding legal or technical jargon. The DPDPA mandates the use of local languages (including Hindi and regional languages) to ensure all individuals can understand the request.

Purpose Limitation: Each consent should be tied to a specific, limited purpose. If new purposes arise, new consent must be obtained.

Easy Access to Consent Records: Data Principals must have the ability to view, track, and manage their consents. This could be through a personal data dashboard or account settings page.

Right to Withdraw Consent: Consent should be revocable as easily as it was given. Withdrawal must not result in unfair treatment of the user unless the service requires that data for core functionality.

Notice Before Consent: A “Notice + Consent” model must be adopted. Before taking consent, a clear and concise notice explaining the data processing details must be presented.

Granular Consent: Users should be able to selectively consent to specific categories of data and purposes, not forced to accept everything through a single “Accept All” button.

Use of Consent Managers: DPDPA introduces the concept of Consent Managers, which are independent platforms or services that allow individuals to manage and monitor their data consents across multiple organizations.

How to Ensure Transparent Consent Mechanisms: Best Practices

1. Design Clear Consent Forms and Interfaces
Make user interfaces that explicitly state:

  • What data is being collected

  • For what purposes

  • Duration of storage

  • Third parties involved (if any)

  • User’s rights

For example, instead of saying:
“We may collect your data to provide better services.”

Say:
“We collect your location and browsing history to recommend local restaurants. You may opt out of location tracking.”

2. Layered Notice Design
Adopt a layered notice approach:

  • First layer: Short, crisp summary

  • Second layer: Detailed, full privacy policy

This way, users can quickly understand the key points, with the option to read more if needed.

3. Use Visual Aids
Visuals like icons, sliders, toggles, and color codes can help users grasp consent requests faster. For example, a green toggle for enabled consent and grey for disabled makes it intuitive.

4. Provide Language Options
DPDPA 2025 emphasizes inclusivity. Offer users the option to read the consent notice and privacy terms in their preferred language. This is especially important in India’s multilingual environment.

5. Real-Time Notifications for Consent Changes
Inform users when:

  • A third party will access their data

  • Purpose of data usage changes

  • Any new data is collected that wasn’t covered in the original consent

This builds trust and ensures continual compliance.

6. Enable Consent Review Dashboards
Allow users to view a history of all consents given, edit preferences, and withdraw consent. Include timestamps, purpose, and data shared in this dashboard.

Example: MyDataControl by a bank allows customers to see all data shared with financial partners and revoke access at any time.

7. Train Teams for Compliance
Your tech, marketing, legal, and data science teams must understand what constitutes valid consent. Train them to avoid dark patterns like pre-checked boxes, nudging, or bundling consent with irrelevant terms.

8. Deploy Consent Management Platforms (CMPs)
Use secure tools that automate, record, and manage consents, ensuring legal proof. These can be in-house dashboards or third-party solutions.

Examples include: OneTrust, TrustArc, or native CMPs built into apps and websites.

9. Include Opt-Out and Granularity Options
Respect the user’s right to choose which data is shared and which is not. Avoid “all-or-nothing” approaches.

Example: A travel app should let users opt in to share GPS location but opt out of sharing phone contacts.

10. Use Consent Managers Registered Under DPDPA
As per the law, you can integrate with authorized Consent Managers, allowing users to centrally manage their data rights across different companies.

This system resembles UPI in spirit: users can log in to a consent manager and approve or deny requests from any participating organization.

Example of Transparent Consent Implementation:

Case Study: Lazoro.in (a fictional handcrafted decor brand)

Lazoro sells wall art online. To improve user personalization, they want to collect:

  • Browsing behavior

  • Purchase history

  • Email for promotional campaigns

Here’s how they ensure transparent consent:

  1. On first visit, a pop-up appears:
    “Lazoro would like to use your browsing data to recommend products. You can decline this and still use our services.”

  2. The user sees 3 checkboxes:

  • I agree to Lazoro collecting browsing history ✅

  • I agree to receive promotional emails ⬜

  • I agree to data sharing with marketing partners ⬜

  1. Below checkboxes: “You can manage or withdraw your consents any time under ‘Privacy Settings’.”

  2. All options are explained in Hindi and English.

  3. A link to a privacy dashboard is available in the footer.

  4. Every 90 days, users are reminded via email to review their data consents.

This approach ensures Lazoro complies with all DPDPA transparency norms, builds trust, and avoids penalties.

Challenges in Implementation

Despite good intentions, many businesses struggle with transparent consent. Common issues include:

  • Ambiguous language in consent notices

  • Forcing users to consent for essential services

  • No easy way to withdraw or view consent history

  • Third-party integrations (like analytics or ads) that bypass consent

To overcome these, organizations must involve privacy officers, tech architects, and legal advisors while designing data systems.

Role of the Data Protection Board of India (DPBI)

DPDPA 2025 establishes the Data Protection Board of India, which will:

  • Oversee enforcement of consent rules

  • Investigate breaches

  • Handle complaints from Data Principals

  • Issue guidance on consent standards

  • Impose fines if violations are found

So, businesses must proactively align with board expectations. Having clear audit trails and transparent policies is essential.

Conclusion

Transparent consent under DPDPA 2025 is not just a compliance formality; it’s a business necessity and an ethical responsibility. With a growing digital population in India, ensuring users’ data rights are respected will define brand reputation, user loyalty, and legal standing. By designing clear consent interfaces, using multilingual support, enabling consent dashboards, and avoiding coercion, businesses can win trust while staying compliant.

Organizations must view consent as a long-term relationship with the user, not just a one-time checkbox. Doing so not only avoids legal risk but also demonstrates accountability and respect in a data-driven world.

What are the key obligations for data fiduciaries under the new Indian data protection rules?

Introduction
Under the Digital Personal Data Protection Act (DPDPA), 2023, which is set to become fully enforceable by 2025, the Government of India has laid out specific responsibilities for entities called data fiduciaries. A data fiduciary is any person, company, or organization that determines the purpose and means of processing personal data. These obligations are designed to ensure accountability, transparency, and the protection of individual privacy. All businesses that handle personal data in digital form must comply with these obligations, whether they collect it directly or receive it from another party.

Obligation 1: Obtain Valid and Informed Consent
Data fiduciaries must obtain clear, informed, and specific consent from users before collecting their personal data. The consent must be given voluntarily and must be based on clear information about what data will be collected and for what purpose. Consent should not be obtained by default or as a precondition for accessing unrelated services. Users should also have the right to withdraw their consent at any time.

Example
If a shopping website like Flipkart wants to collect data to send promotional emails, it must show users a checkbox asking for their consent. It cannot automatically assume consent or make it a hidden part of the terms and conditions.

Obligation 2: Purpose Limitation
Personal data must be collected only for specific, lawful, and stated purposes. A business cannot collect data for one reason and then use it for another unrelated purpose without obtaining additional consent from the user.

Example
If a travel site like MakeMyTrip collects a user’s passport number for flight booking, it cannot later use this information for unrelated services like insurance marketing unless it gets separate consent.

Obligation 3: Data Minimization
Only data that is strictly necessary for fulfilling the stated purpose should be collected. Businesses should avoid asking for excessive or irrelevant information from users.

Example
An app that delivers groceries should only ask for name, address, contact number, and payment information. It should not ask for personal details like marital status or religion unless required by law or a specific service.

Obligation 4: Storage Limitation
Data fiduciaries must not retain personal data longer than necessary. Once the purpose for which the data was collected is fulfilled, the data should be deleted or anonymized. Businesses must set internal retention timelines and ensure old or unused data is cleared periodically.

Example
If an online learning platform like Byju’s collects user data for course access, it should delete the data once the course ends and the student no longer needs the service.

Obligation 5: Accuracy of Data
Data fiduciaries are required to keep personal data accurate and up-to-date. They must provide a mechanism for individuals to review and correct their data.

Example
If a user’s delivery address changes on Amazon, the platform must allow the user to update their information and ensure the new address is used for all future orders.

Obligation 6: Implement Security Safeguards
Businesses must implement reasonable technical and organizational security measures to protect personal data from unauthorized access, disclosure, or breach. These include encryption, firewall protection, access controls, employee training, and breach detection systems.

Example
A financial app like PhonePe must ensure that user data is encrypted, login credentials are securely stored, and regular security audits are conducted to detect vulnerabilities.

Obligation 7: Grievance Redressal Mechanism
Data fiduciaries must provide an effective and responsive grievance redressal system. Users should be able to file complaints related to their data, consent, deletion requests, or misuse, and businesses must resolve these within the time specified by law.

Example
If a user contacts Paytm with a complaint about unauthorized data sharing, Paytm must investigate the issue and provide a formal resolution within the legal time frame.

Obligation 8: Enabling User Rights
Data fiduciaries are responsible for enabling individuals to exercise their rights under the Act. These include the right to access personal data, the right to correct or delete it, the right to withdraw consent, and the right to be informed about how data is used.

Example
If a user of Swiggy wants to delete their account and associated data, Swiggy must allow the user to initiate the deletion request and confirm once the data has been removed from its systems.

Obligation 9: Breach Notification
In the event of a data breach, the data fiduciary must inform the affected individuals as well as the Data Protection Board of India. The notification must be made promptly, including details of the nature of the breach and steps taken to minimize its impact.

Example
If a cyberattack exposes customer emails and phone numbers at Ola, the company must immediately notify the affected users and report the incident to the Board with a full explanation.

Obligation 10: Appointment of Data Protection Officer (for SDFs)
Organizations that are classified as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process must appoint a Data Protection Officer (DPO). The DPO will be responsible for ensuring compliance, managing grievances, and acting as the point of contact with the Data Protection Board.

Example
A telecom company like Jio would be considered a Significant Data Fiduciary and must appoint a qualified DPO to oversee all data protection responsibilities within the company.

Obligation 11: Conducting Data Protection Impact Assessments (DPIAs)
SDFs must conduct regular assessments of the potential risks their data processing activities pose to individuals. These assessments help in identifying vulnerabilities and applying safeguards to reduce risk.

Example
An insurance company that uses automated algorithms to assess customer profiles must carry out DPIAs to ensure its system does not unfairly discriminate or expose users to harm.

Obligation 12: Cross-Border Data Transfer Compliance
Data fiduciaries can transfer personal data outside India only to countries approved by the central government. Even after the data is transferred, fiduciaries must ensure that the data continues to be processed in a manner that protects individual rights.

Example
A company like Google India can store or process user data on servers in the US only if the US is among the countries notified by the government and all protective safeguards are maintained.

Obligation 13: Maintain Records and Audit Trails
Data fiduciaries are required to maintain records of their data processing activities, including when consent was taken, how long the data was stored, who accessed it, and when it was deleted. This is important for audits and demonstrating compliance.

Example
A food delivery app like Zomato should keep an internal log of every user consent interaction, data sharing with delivery partners, and data deletion request history for verification purposes.

Obligation 14: Accountability and Transparency
Data fiduciaries must publish a privacy policy, clearly outline how personal data is handled, and be transparent about any data-sharing with third parties. They are also accountable for ensuring that all their third-party vendors or processors comply with DPDPA regulations.

Example
If Myntra outsources its customer support to a third-party agency, it must ensure that the agency handles personal data with the same level of security and compliance required under Indian law.

Conclusion
The DPDPA 2023 places significant responsibilities on data fiduciaries to manage personal data ethically, securely, and transparently. These obligations reflect a broader shift toward recognizing data privacy as a fundamental right in India. For businesses, this means redesigning data systems, rewriting privacy policies, setting up grievance redressal procedures, implementing technical safeguards, and ensuring organizational compliance. Non-compliance can attract penalties of up to ₹250 crore, reputational loss, and possible suspension of operations. Companies that embrace these changes proactively will not only avoid penalties but also build stronger relationships with users, win trust, and position themselves for sustainable success in a privacy-first digital economy.

How does India’s DPDPA 2023/2025 impact data handling practices for businesses?

Introduction
The Digital Personal Data Protection Act (DPDPA) 2023, expected to be fully implemented by 2025, is India’s first comprehensive law dedicated to governing the use, processing, and storage of digital personal data. It reflects a major shift in India’s digital regulatory framework, placing strong emphasis on the protection of individual privacy and personal data rights. The DPDPA is designed to create a balance between the rights of individuals (Data Principals) and the lawful interests of businesses (Data Fiduciaries). Inspired by global data protection frameworks such as the European Union’s GDPR, it sets out detailed requirements for how businesses should collect, handle, store, and process personal data in India.

Core Principles of the DPDPA
The DPDPA is based on important foundational principles including purpose limitation, consent-based data processing, data minimization, storage limitation, accuracy, accountability, and transparency. These principles are embedded throughout the Act and form the guiding standards for all data handling practices in India. Businesses must not only comply with these principles in letter but also in spirit, by redesigning internal processes and technologies.

Requirement of Valid Consent
The Act mandates that no personal data shall be processed without obtaining explicit, clear, and informed consent from the individual. Consent must be free, specific, informed, unambiguous, and given through affirmative action. Individuals must also have the ability to withdraw consent at any point.

Impact on Businesses
Businesses must redesign all user interfaces where personal data is collected—such as websites, forms, and mobile applications—to include transparent consent forms and options to revoke consent. The commonly used practices of passive consent or bundled terms and conditions are no longer allowed. Every business must track consent and show proof that it was legally obtained.

Example
If Flipkart collects user data for sending promotional emails, it must show a separate opt-in checkbox where users can agree or disagree. It cannot automatically enroll users in marketing communication by default.

Obligations of Data Fiduciaries
Under the DPDPA, all businesses that handle personal data are known as Data Fiduciaries and must follow legal obligations such as informing users about the purpose of data collection, processing data only for legitimate use, ensuring data accuracy, implementing security safeguards, and allowing users to exercise their rights. Fiduciaries are expected to build systems that support these requirements.

Example
An app like Practo that stores sensitive health data must now provide a mechanism for users to correct errors in their medical history or delete outdated records, while ensuring data is encrypted and protected from unauthorized access.

Purpose Limitation and Data Minimization
The DPDPA requires that data be collected only for specific and declared purposes. The purpose must be shared with the user at the time of consent, and businesses are expected to collect only data that is strictly necessary for the stated purpose. Collecting extra data “just in case” is not allowed under this law.

Example
A ticket booking platform like IRCTC can ask for the passenger’s name, age, and ID, but it cannot ask for income, education level, or religious beliefs unless that data is essential for the service being provided.

Data Principal Rights
The DPDPA introduces several important rights for individuals, including the right to access their data, the right to correct inaccuracies, the right to delete data, the right to be informed, and the right to withdraw consent. Businesses are obligated to create internal systems to allow users to exercise these rights efficiently.

Example
If a Zomato user decides to delete their profile and all order history, Zomato must comply with this request and confirm the deletion. They must not keep any data unless it is legally required (such as for tax records).

Consent Managers
DPDPA introduces the concept of Consent Managers—neutral platforms authorized by the government to help individuals manage their consents across platforms. These managers can help users view, withdraw, or provide consent for multiple services from a single dashboard.

Example
A financial app like PhonePe might integrate with a consent manager such as Sahamati, enabling users to manage their consents for data sharing with various banks, lenders, and apps.

Children’s Data Protection
Special provisions are made for protecting the personal data of children under the age of 18. Parental consent is mandatory before processing data of minors. Businesses are also restricted from conducting behavioral tracking or serving targeted advertisements to minors.

Example
EdTech platforms like Byju’s must collect verifiable parental consent before enrolling a child and must ensure no personalized ads or data tracking are done on children’s usage patterns.

Cross-Border Data Transfer Rules
The law allows data to be transferred to countries that the Indian government notifies from time to time. This is a more relaxed stance compared to earlier drafts that called for strict data localization. However, the receiving countries must have strong data protection standards in place.

Example
Amazon India may process some of its data using servers in the United States, provided the US is among the countries approved by the Indian government and Amazon ensures compliance with Indian laws.

Data Breach Notification Requirements
In the event of a data breach, businesses must inform both the affected individuals and the Data Protection Board of India. Timely reporting and transparency are emphasized to ensure users are not kept in the dark.

Example
If Paytm faces a cyberattack in which credit card details are leaked, the company must immediately notify all affected users, publish a disclosure, and report the incident to the Data Protection Board.

Significant Data Fiduciaries (SDFs)
Some businesses will be classified as Significant Data Fiduciaries (SDFs) based on factors such as volume and sensitivity of data handled, potential impact on user rights, and scale of operations. These businesses will be subject to enhanced obligations like data audits, privacy impact assessments, appointing Data Protection Officers, and publishing compliance reports.

Example
Jio, which manages sensitive call records and customer data, would likely be an SDF and must hire a full-time Data Protection Officer and regularly submit reports to the Data Protection Board.

Penalties and Enforcement
The DPDPA establishes a Data Protection Board that will monitor compliance, investigate complaints, and impose penalties. Financial penalties for non-compliance can go up to ₹250 crore for serious violations. The Board can also recommend remedial actions and initiate legal proceedings.

Example
If MakeMyTrip fails to provide a user with access to their personal data within the required time, or continues using deleted data, the company can be fined and investigated by the Board.

Impact on Specific Sectors
E-commerce platforms must be careful with recommendation engines and user profiling. They must collect only necessary data and obtain explicit consent for marketing. Healthcare organizations must follow data encryption and access control standards while allowing data corrections. Financial institutions will need robust security infrastructure and must implement customer-controlled consent flows. EdTech firms must ensure no behavioral tracking of minors. Startups will face compliance costs but can benefit from early adoption and user trust.

Opportunities for Businesses
While the DPDPA presents a strong compliance challenge, it also offers new business opportunities. Companies that proactively follow the law will earn customer trust, become eligible for international partnerships, and strengthen brand reputation. Businesses that prioritize data protection can turn compliance into a competitive advantage.

Conclusion
The DPDPA 2023/2025 is a transformative law that impacts every stage of data handling—from collection and storage to sharing and deletion. It requires Indian businesses to treat personal data with transparency, accountability, and respect. Although compliance will involve reworking policies, building consent mechanisms, training staff, and deploying secure technologies, the long-term benefits include increased user trust, reduced risk of data breaches, and enhanced global competitiveness. By embedding privacy-by-design and user rights into their systems, businesses can not only meet legal requirements but also lead the way in building a responsible digital economy in India.