India’s Digital Personal Data Protection Act, 2023 (DPDPA)
What U.S. Businesses Need to Know
Introduction
India is one of the world’s largest and fastest-growing digital markets, and its first comprehensive data protection law creates significant new compliance obligations for U.S. businesses that handle the personal data of individuals in India.
The Digital Personal Data Protection Act, 2023 (DPDPA) received Presidential assent on August 11, 2023, making it India’s first standalone data protection statute applicable to the private sector. The DPDPA replaces the patchwork of data protection obligations that previously existed under Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, providing a consolidated and significantly more rigorous framework for the processing of personal data in and relating to India.
The DPDPA is notable for several reasons. It adopts a broadly consent-centric approach to lawful processing, imposes explicit obligations in respect of children’s data, establishes a new adjudicatory body called the Data Protection Board of India, and provides for substantial financial penalties for non-compliance. Perhaps most significant for U.S. businesses is its express extraterritorial reach: the DPDPA applies not only to the processing of personal data within India, but also to the processing of personal data outside India where that processing is connected with offering goods or services to individuals in India.
As of the time of writing, the DPDPA is not yet fully in force. While the Act itself was enacted in 2023, the Central Government must notify the date of commencement for its various provisions, and the Rules required to operationalise significant portions of the Act have not yet been finalised. Draft Rules were published for public consultation in January 2025. Businesses should therefore treat compliance as an immediate planning priority, not a distant concern: the framework is established in law and the Rules, when finalized, are expected to introduce additional operational requirements on a relatively short implementation timeline.
Legislative Background and Implementation Status
India’s journey toward a standalone data protection law spans more than a decade. Following a landmark ruling by the Supreme Court of India in 2017 recognizing privacy as a fundamental right under the Indian Constitution, a series of drafts were produced, debated, and ultimately withdrawn or revised. The Personal Data Protection Bill, 2019 and its successor, the Data Protection Bill, 2021, were both ultimately withdrawn before enactment. The DPDPA 2023 represents the version that finally crossed the legislative finish line, and its passage through Parliament was notably swift, reflecting the Government’s determination to establish a workable framework without further delay.
The DPDPA is a considerably leaner statute than many of its global counterparts. It delegates a significant volume of detail to Rules to be made by the Central Government, and grants the Central Government broad powers to exempt categories of data fiduciaries, modify obligations, and specify additional requirements by notification. This means that the full compliance picture will only become clear as the Rules and subsequent notifications are published. Businesses that wait until the Rules are finalized before beginning their compliance work will find themselves with insufficient time to build the necessary processes and technical measures.
The Data Protection Board of India, which is the Act’s central enforcement and adjudicatory mechanism, has not yet been constituted. Until the Board is in place, individuals cannot file complaints and penalties cannot be levied under the DPDPA. However, the structural requirements of the Act, including the obligation to implement security safeguards, respect individual rights, and maintain lawful processing practices, will apply from the date of commencement. U.S. businesses should begin building compliance programmes now, treating the Rules consultation as an indicator of the likely shape of final requirements rather than a reason to delay.
Territorial Scope: Does the DPDPA Apply to Your Business?
The DPDPA applies to the processing of digital personal data in two circumstances: first, where the data is collected within the territory of India, whether collected in digital form or collected in non-digital form and digitised subsequently (the processing itself may occur within or outside India); and second, where the processing takes place outside India but is in connection with any activity related to offering goods or services to data principals within India. This dual-limb formulation closely mirrors the extraterritorial approach of the European Union’s General Data Protection Regulation and has significant implications for U.S. businesses that operate digital services accessible to Indian users.
In practical terms, if your U.S. business operates a website or application that is directed at or accessible to users in India, processes data in connection with delivering services to Indian customers, maintains accounts or profiles relating to individuals located in India, or processes the personal data of Indian employees or contractors, there is a strong basis for concluding that the DPDPA applies to your operations. The test is functional and purposive: what matters is whether your activity involves offering goods or services to persons in India, not whether your business has a legal entity, office, or server in India.
The DPDPA does, however, carve out certain categories of processing from its scope. Processing for personal or domestic purposes by an individual falls outside the Act. Personal data that has been made publicly available by the data principal, or that has been made publicly available pursuant to a legal obligation, is also excluded. Further exemptions apply to processing by state instrumentalities in connection with national security, public order, and law enforcement. These exemptions are broadly framed and the Rules are expected to elaborate on their scope.
Key Definitions Under the DPDPA
The DPDPA uses a purposive definitional structure that will be familiar in broad outline to practitioners experienced with other data protection frameworks, though the specific terminology and scope of each definition differs from those used in, for example, the GDPR or Japan’s APPI.
Personal Data
Personal data is defined as any data about an individual who is identifiable by or in relation to such data. The definition is intentionally broad and technology-neutral: it encompasses not only direct identifiers such as name, national identity number, and contact details, but also any information that, alone or in combination with other available data, makes a living individual identifiable. Unlike some other frameworks, the DPDPA does not separately enumerate categories of sensitive personal data in the body of the Act itself, leaving the designation of categories attracting heightened protection to Rules made by the Central Government.
Data Principal and Data Fiduciary
A data principal is the individual to whom personal data relates. Where the individual is a child (defined as a person under eighteen years of age) or a person with a disability, their parent or lawful guardian is treated as the data principal for the purposes of exercising rights and giving consent. A data fiduciary is any person, company, or state entity that, alone or in conjunction with others, determines the purpose and means of processing personal data. The concept is functionally equivalent to the ‘controller’ concept used in GDPR-influenced frameworks and places the primary compliance obligations on the data fiduciary. A data processor is a separate person who processes personal data on behalf of a data fiduciary; the DPDPA imposes obligations on data processors primarily through the contracts they enter into with data fiduciaries rather than directly through the Act.
Significant Data Fiduciary
The Central Government has the power to designate a data fiduciary as a Significant Data Fiduciary (SDF), having regard to factors including the volume and sensitivity of the personal data processed, the risk to the rights of data principals, the potential impact on national sovereignty and security, the risk to electoral democracy, the security of the state, and public order. SDFs are subject to a set of additional obligations beyond those applicable to ordinary data fiduciaries. The criteria for SDF designation are broadly drawn, and U.S. businesses processing large volumes of Indian user data, or whose services are likely to be treated as critical to the Indian market, should assess whether they may be at risk of designation.
Lawful Bases for Processing Personal Data
The DPDPA takes a notably streamlined approach to lawful processing, offering two primary bases: consent and what the Act calls ‘legitimate uses.’ This binary structure is simpler than the six-basis framework of the GDPR but conceals important complexity in the details of each basis, particularly in the context of consent.
Consent
Consent is the primary lawful basis under the DPDPA. To be valid, consent must be free, specific, informed, unconditional, and unambiguous, and must be signified by a clear affirmative act. Before or at the time of seeking consent, data fiduciaries must give the data principal a notice, in clear and plain language, setting out the personal data to be collected, the purpose of processing, the manner in which the data principal may exercise her rights and withdraw consent, and the manner of making a complaint to the Board. The request for consent and the accompanying notice must give the data principal the option to access their contents in English or in any of the twenty-two languages specified in the Eighth Schedule to the Constitution. Consent must also be limited to the personal data necessary for the specified purpose: where a data principal is asked to consent to more than the purpose requires, the consent is treated as limited to what is necessary, so a bundle of undifferentiated uses will not suffice.
Data principals have the right to withdraw consent at any time, with ease comparable to that with which consent was given; the consequences of withdrawal are borne by the data principal. Upon withdrawal, the data fiduciary must, within a reasonable time, cease processing the relevant data and cause its processors to do so, unless processing is required or authorised under another law. Because consent must be ‘unconditional’, data fiduciaries should not make the provision of goods or services contingent upon consent to the processing of personal data that is not strictly necessary for those goods or services. The DPDPA also introduces the concept of a consent manager, an entity registered with the Data Protection Board of India (subject to technical, operational, financial and other conditions to be prescribed) through which data principals can give, manage, review, and withdraw consent across multiple data fiduciaries via an accessible, transparent and interoperable platform. This innovation reflects India’s existing digital public infrastructure ecosystem, including the account aggregator framework.
Legitimate Uses
The second lawful basis, legitimate uses, encompasses a closed set of defined circumstances in which personal data may be processed without consent. These include: processing for a specified purpose for which the data principal has voluntarily provided her personal data to the data fiduciary and has not indicated that she does not consent to its use (the Act’s illustration is a customer who gives her contact details to a shop to receive a receipt); processing by the state or its instrumentalities for providing subsidies, benefits, services, certificates, licences or permits, or for performing functions under law or in the interests of sovereignty, integrity or security of the state; fulfilling a legal obligation to disclose information to the state; compliance with a judgment, decree or order under Indian law; responding to a medical emergency involving a threat to life or an immediate threat to health; providing medical treatment or health services during an epidemic, outbreak or other threat to public health; ensuring safety during a disaster or breakdown of public order; and processing for the purposes of employment or for safeguarding the employer from loss or liability.
It is important to note that the DPDPA’s legitimate uses do not include a general ‘legitimate interests’ basis of the kind found in Article 6(1)(f) of the GDPR, nor a standalone ‘performance of a contract’ basis of the kind in Article 6(1)(b). This means that U.S. businesses which routinely rely on legitimate interests to justify data processing activities such as fraud prevention, direct marketing, internal analytics, or group data sharing cannot straightforwardly replicate that approach under the DPDPA. Processing for these purposes will typically require either valid consent or one of the enumerated legitimate uses; the ‘voluntarily provided’ ground is the one most commercial businesses will look to, but it is limited to the purpose for which the data principal handed over the data and is defeated if the data principal indicates that she does not consent. Businesses that have mapped their GDPR lawful bases will need to reassess their DPDPA lawful basis mapping accordingly.
Core Obligations of Data Fiduciaries
The DPDPA establishes a set of baseline obligations applicable to all data fiduciaries, drawing on internationally recognised principles of data protection law while adapting them to the Indian context.
Data fiduciaries must process personal data only for lawful, specified purposes and only to the extent necessary for those purposes, and must ensure that the data they hold is accurate and complete where accuracy is necessary for the intended purpose. Personal data may not be retained beyond the period necessary for the specified purpose; data fiduciaries must either erase the data or ensure its erasure once the purpose is served or upon withdrawal of consent, whichever is earlier, unless retention is required under another law. Data fiduciaries must implement reasonable technical and organisational security safeguards to protect personal data from breaches, with the specific standards for ‘reasonable’ measures to be elaborated in the Rules.
When a data fiduciary engages a data processor to process personal data on its behalf, it must do so pursuant to a valid contract. The data fiduciary remains accountable for the processor’s handling of the data, and the processor may only process data in accordance with the fiduciary’s instructions. This structure is familiar to practitioners of GDPR compliance, but U.S. businesses should note that the DPDPA does not contain the same detailed prescriptions for processor contracts that appear in Article 28 of the GDPR. The minimum requirements for such contracts are expected to be specified in the Rules, and businesses should monitor these developments closely.
Every data fiduciary must establish a grievance redressal mechanism through which data principals can raise concerns about the handling of their personal data, and must respond to grievances within the period to be prescribed by the Rules. Data fiduciaries must also publish the contact details of the person responsible for addressing data principal queries, which may be a Data Protection Officer (discussed further below in the context of Significant Data Fiduciaries) or, for ordinary data fiduciaries, another designated contact point.
Children’s Data: A Strict Regime
The DPDPA imposes a particularly rigorous framework for the processing of personal data relating to children, defined as individuals under eighteen years of age. Before processing the personal data of a child, a data fiduciary must obtain verifiable consent from the child’s parent or lawful guardian. The Act prohibits data fiduciaries from processing personal data in a manner that is likely to be detrimental to the wellbeing of a child, and expressly prohibits tracking or behavioural monitoring of children and targeted advertising directed at children.
The parental consent requirement and the prohibition on tracking and targeting are likely to have significant practical implications for U.S. technology companies, social media platforms, gaming operators, streaming services, and any other business that offers digital services which are accessible to minors in India. Unlike some other data protection frameworks, the DPDPA does not currently establish a lower age of digital consent or carve out older teenagers from the category of ‘child.’ All individuals under eighteen are treated as children for these purposes, absent a specific exemption granted by the Central Government.
The Central Government has the power to exempt classes of data fiduciaries from the parental consent obligation, or to modify the requirements applicable to the processing of children’s data, by notification. It may also, where satisfied that a data fiduciary’s processing of children’s data is verifiably safe, notify a lower age than eighteen above which the parental consent and tracking provisions will not apply to that data fiduciary. The draft Rules consulted upon in early 2025 contain additional details on the parental consent verification mechanism, but the specifics remain subject to finalisation. U.S. businesses that currently process data about Indian users without age-gating their services should treat the children’s data provisions as requiring urgent attention in their compliance planning.
Rights of Data Principals
The DPDPA establishes a set of rights exercisable by data principals against data fiduciaries processing their personal data. While the framework is broadly analogous to the individual rights provisions found in GDPR-influenced laws, the specific rights and their scope differ in ways that are material to compliance planning.
The right to information and access entitles a data principal to obtain from the data fiduciary a summary of the personal data being processed, the processing activities being carried out, and the identities of any other data fiduciaries and data processors to whom the data has been disclosed. This right is narrower in scope than the right of access under the GDPR, which requires disclosure of a broader range of information including retention periods, safeguards for cross-border transfers, and the existence of automated decision-making. U.S. businesses should calibrate their access request response procedures to meet the DPDPA’s specific requirements rather than simply applying their GDPR access procedures.
The right to correction and erasure allows a data principal to request the correction of inaccurate or misleading personal data, the completion of incomplete data, and the erasure of personal data that is no longer necessary for the purpose for which it was collected, or in respect of which consent has been withdrawn. Data fiduciaries may decline erasure where retention is required by applicable law. The DPDPA does not currently provide an express equivalent of the GDPR’s right to data portability or the right to object to processing, and it does not include a right to restrict processing as a standalone right. These gaps are significant for businesses accustomed to managing a full suite of GDPR-style rights requests.
The DPDPA introduces a distinctively Indian innovation in the right to nominate: a data principal may nominate another individual to exercise their rights under the Act in the event of the data principal’s death or incapacity. Data fiduciaries must establish procedures to facilitate nominations and to give effect to nominations that are communicated to them. Additionally, every data fiduciary must provide a meaningful grievance redressal mechanism, and data principals whose grievances are not resolved to their satisfaction may escalate to the Data Protection Board of India.
Cross-Border Data Transfers
The DPDPA’s approach to cross-border data transfers represents a significant departure from the adequacy and Standard Contractual Clauses framework familiar to practitioners of GDPR compliance, and is one of the areas of greatest uncertainty for U.S. businesses pending the finalisation of the Rules.
Section 16 of the DPDPA provides that the Central Government may, by notification, restrict the transfer of personal data by a data fiduciary for processing to such countries or territories outside India as it may notify. The Act therefore proceeds by restriction rather than permission: transfers are permitted to all destinations unless and until the Central Government adds a specific country or territory to a restricted list. This is sometimes described as a ‘blacklist’ model, as contrasted with the ‘whitelist’ or adequacy model used by Japan and the European Union. Section 16 also expressly preserves any other Indian law that imposes a higher degree of protection or restriction on transfer, so sectoral localisation requirements (for example those applying to payment system data under Reserve Bank of India directions) continue to operate alongside the DPDPA.
The blacklist model has significant practical implications for U.S. businesses. There is no formal adequacy determination process under the DPDPA. There is no provision for Standard Contractual Clauses or Binding Corporate Rules as independent transfer mechanisms that businesses can deploy to legitimise flows to restricted destinations. If the Central Government adds the United States to its restricted list, it is not clear from the current text of the Act what compliance mechanism would remain available to businesses that need to transfer data to the United States. The Rules are expected to provide greater clarity on this point, and some commentators have suggested that the Central Government may specify conditions or safeguards under which transfers to restricted countries may nonetheless proceed. Businesses should monitor developments closely.
In the meantime, it is worth noting that the earlier drafts of India’s data protection legislation included far more prescriptive data localisation requirements: the Personal Data Protection Bill, 2019 would have required sensitive personal data to continue to be stored in India even where transferred abroad, and critical personal data to be processed only in India. These requirements did not survive into the DPDPA as enacted, and the Act as it stands does not contain explicit data localisation mandates. This is a materially more permissive baseline than earlier drafts had suggested, and many U.S. businesses that were preparing for localisation requirements may find that their current architectures remain compliant, at least pending further notification by the Central Government and subject to the sectoral rules preserved by Section 16.
Significant Data Fiduciaries: Enhanced Obligations
Data fiduciaries that are designated by the Central Government as Significant Data Fiduciaries face a set of additional obligations that go beyond the baseline requirements applicable to all data fiduciaries. For U.S. businesses with large-scale operations in the Indian market, the risk of SDF designation is a compliance issue that deserves specific assessment.
Significant Data Fiduciaries are required to appoint a Data Protection Officer. Critically, the DPO must be an individual based in India, must be responsible to the Board of Directors or similar governing body of the SDF, and must be the point of contact for grievance redressal and regulatory engagement. This requirement is likely to impose a meaningful operational and cost burden on U.S. businesses that do not already have a significant presence in India, particularly those that currently manage their global privacy compliance centrally from the United States or from a European hub. The DPO requirement is also notably different from the GDPR in that it is not triggered by the nature of the processing (public authority, large-scale systematic monitoring, or large-scale special category data) but applies to all SDFs without qualification.
Significant Data Fiduciaries must also appoint an independent data auditor to carry out periodic audits of compliance with the DPDPA and the Rules. The standards and frequency of such audits, and the qualifications required of data auditors, are expected to be specified in the Rules. SDFs must conduct periodic Data Protection Impact Assessments in relation to their processing activities, the procedure and scope of which will also be prescribed. The DPO, auditor, and DPIA requirements collectively create a governance infrastructure that will require advance planning and resource allocation by affected businesses.
The Data Protection Board of India
The Data Protection Board of India is the institutional mechanism through which the DPDPA is enforced. The Board’s structure and character differ meaningfully from the independent supervisory authorities established under GDPR-influenced frameworks in the European Union, Japan, and elsewhere. The Board is constituted and controlled by the Central Government: its Chairperson and members are appointed by the Central Government, and the Government has broad powers to give the Board directions on questions of policy.
The Board operates primarily as an adjudicatory body rather than a proactive regulator. Enforcement proceedings are largely complaint-driven: a data principal who believes that a data fiduciary has breached the Act may file a complaint with the Board, which then has the power to conduct an inquiry and, if a breach is established, impose a financial penalty. The Board may also open an inquiry on receipt of a breach intimation from a data fiduciary, on a reference from the Central Government or a State Government, or on the directions of a court; it may additionally direct urgent remedial or mitigation measures in the event of a personal data breach. The Act envisions that the Board will operate as a digital office by default, with proceedings conducted online and documents served electronically.
The Board’s decisions are subject to appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), with a further appeal from the TDSAT lying to the Supreme Court of India. This appellate structure, combining a specialist tribunal with judicial review, is broadly familiar to practitioners working in Indian regulatory contexts. U.S. businesses that receive a Board complaint or inquiry should seek qualified Indian legal counsel promptly, as the procedural requirements and timelines for responding to Board proceedings are expected to be stringent once the Board is constituted and operationally active.
Penalties and Enforcement
The DPDPA’s penalty regime is set out in a Schedule to the Act and establishes maximum financial penalties for specific categories of breach. The penalties are substantial by Indian regulatory standards and are broadly comparable in magnitude to significant enforcement actions under GDPR when expressed in U.S. dollar terms, though the scale differs from the GDPR’s percentage-of-global-turnover model.
The most significant penalty, of up to two hundred and fifty crore Indian rupees (approximately thirty million U.S. dollars at current exchange rates), applies to failures to take reasonable security safeguards that result in a personal data breach. Failure to notify the Data Protection Board and affected data principals of a breach carries a maximum penalty of two hundred crore rupees. Non-compliance with obligations concerning the processing of children’s data also attracts a maximum penalty of two hundred crore rupees. Violations of the additional obligations applicable to Significant Data Fiduciaries carry a maximum penalty of one hundred and fifty crore rupees. A general penalty of up to fifty crore rupees applies to other violations of the Act or Rules.
An important feature of the DPDPA’s penalty regime is that penalties are imposed per breach and may accumulate across multiple separate breaches arising from the same course of conduct. The Board is required to take into account specified factors when determining the quantum of any penalty, including the nature, gravity and duration of the breach, the type and nature of the personal data affected, the repetitive nature of any breach, whether the data fiduciary realised a gain or avoided a loss as a result of the breach, the mitigating action taken and its timeliness, and the proportionality and likely impact of the penalty. The DPDPA does not create criminal liability for violations: the regime is purely civil and financial. This may be relevant to the risk calculus of U.S. businesses accustomed to regimes in which privacy violations can carry criminal exposure.
Data Breach Notification
The DPDPA imposes a mandatory obligation on data fiduciaries to notify the Data Protection Board and each affected data principal in the event of a personal data breach. The Act defines a personal data breach as an unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of that data.
The content of breach notifications and the timelines within which they must be made are to be prescribed by the Rules. The draft Rules published in early 2025 proposed that affected data principals be notified without delay, and that the Board be notified without delay and then furnished with a fuller report within seventy-two hours (extendable on application); the proposed content requirements included the nature, extent, timing and location of the breach, the categories and approximate number of data principals affected, the likely consequences, and the measures taken or proposed to address the breach. Given that India’s breach notification regime will coexist with notification obligations under U.S. state breach notification laws, U.S. businesses should design their incident response frameworks to accommodate multiple parallel notification tracks, each with its own trigger, content and clock. The absence of a harmonised federal breach notification law in the United States makes multi-jurisdictional breach response planning particularly complex.
Practical Steps for U.S. Businesses
The DPDPA’s arrival creates a clear imperative for U.S. businesses with exposure to the Indian market to assess, plan, and begin building compliance programmes. The following steps provide a framework for that effort.
- Map your Indian personal data footprint. Identify all categories of personal data you hold relating to individuals in India, including how it was collected, on what basis, for what purpose, and where it is currently stored and processed. Pay particular attention to data about children, which will attract the most stringent obligations.
- Assess your scope of application. Determine whether your business activities amount to the offering of goods or services to data principals in India for the purposes of the DPDPA’s extraterritorial provisions. If in doubt, seek legal advice: the cost of a scoping analysis is far lower than the cost of a penalty for non-compliance.
- Reassess your lawful basis mapping. If your business currently relies on GDPR legitimate interests (or contractual necessity) as a catch-all basis for processing, you will need to identify alternative lawful bases under the DPDPA, which has no equivalent provisions. Most commercial processing will need to rest either on consent or on the narrow ‘voluntarily provided’ legitimate use, making the quality and granularity of your consent mechanisms critical.
- Overhaul consent and notice mechanisms. Review all consent and notice workflows to ensure they will meet DPDPA standards: clear and plain language notices, purpose-limited consent, ease of withdrawal comparable to ease of giving, and the option to access the notice and consent request in English or any Eighth Schedule language. For digital platforms, this will likely require product and engineering changes.
- Address children’s data urgently. If your services are accessible to users in India who may be under eighteen, assess whether you have age verification and parental consent mechanisms in place. The prohibition on tracking and behavioural monitoring of children is absolute.
- Review cross-border transfer arrangements. Until the Central Government notifies restricted countries under Section 16, transfers to the United States are not restricted by the DPDPA itself, although sectoral localisation rules preserved by Section 16 still apply. Monitor government notifications closely and prepare contingency arrangements for transfer mechanisms if the United States is added to a restricted list.
- Prepare for Significant Data Fiduciary designation. If your business processes large volumes of Indian personal data or operates services critical to the Indian market, assess your risk of SDF designation and begin planning for the additional obligations that designation would bring, including a locally-based DPO, data audits, and DPIAs.
- Build breach response procedures. Establish notification procedures capable of meeting the DPDPA’s breach notification requirements, integrated with your existing multi-jurisdiction incident response plan. Identify responsible personnel and decision-making escalation chains.
- Establish a grievance redressal mechanism. Implement a clear, accessible process through which data principals in India can raise concerns about your handling of their personal data, and designate a contact point. Ensure your teams can respond within the timeframes prescribed by the Rules when finalised.
- Monitor the Rules and further government notifications. The DPDPA delegates substantial detail to delegated legislation, and the compliance landscape will evolve materially as the Rules are finalized and the Central Government makes designations and notifications. Establish a process for monitoring and responding to these developments on an ongoing basis.
Conclusion
India’s DPDPA represents a transformative development in the country’s data protection landscape and signals that India intends to be taken seriously as a jurisdiction with rigorous privacy standards. For U.S. businesses with exposure to the Indian market, the Act creates a compliance obligation that is both immediate in its legal effect and still evolving in its practical detail.
The DPDPA shares DNA with other major global frameworks, most notably the GDPR, but it departs from them in important ways that make a like-for-like mapping of existing compliance programmes insufficient. The absence of a legitimate interests basis, the strict children’s data regime, the blacklist approach to cross-border transfers, the role of the Central Government in designating SDFs and making key notifications, and the distinctive institutional structure of the Data Protection Board all require careful and India-specific analysis.
The period between now and full entry into force represents a genuine opportunity for businesses to build compliance programmes that are robust, proportionate to their risk profile, and capable of adaptation as the Rules and further guidance emerge. Engaging specialist data protection counsel with expertise in Indian law will be essential for businesses seeking to navigate the DPDPA’s requirements with confidence and to position themselves appropriately for the enforcement environment that will follow Board constitution.
