Navigating India’s Digital Personal Data Protection Act

India’s Digital Personal Data Protection Act, 2023 (DPDP Act) establishes the country’s first comprehensive data protection framework, governing how businesses collect, process, store and transfer personal data of Indian residents. For foreign companies operating in India — whether through subsidiaries, GCCs, branch offices, e-commerce platforms or SaaS applications — the DPDP Act creates new compliance obligations covering consent management, data localisation, cross-border transfer, breach notification and children’s data protection. With implementation rules being progressively notified and the Data Protection Board becoming operational, companies must prepare now. T&A Consulting helps foreign businesses understand and comply with India’s evolving data protection landscape.

Introduction: India’s Data Protection Framework Takes Shape

India’s journey toward comprehensive data protection legislation spanned nearly a decade. The Supreme Court’s landmark Puttaswamy judgment of 2017 established the right to privacy as a fundamental right. The Justice B.N. Srikrishna Committee produced a draft bill in 2018. Several iterations followed before the Digital Personal Data Protection Act was enacted in August 2023. The Act applies to the processing of digital personal data within India and to the processing of personal data outside India if it involves offering goods or services to individuals in India.

The DPDP Act is deliberately principle-based rather than prescriptive, with detailed implementation rules being notified progressively by the Central Government. The Data Protection Board of India (DPB), the enforcement authority, has been established and is becoming operational. While the Act is not yet fully enforced pending completion of rule notification, companies are expected to be compliance-ready, as enforcement can begin relatively quickly once rules are finalised.

Key Concepts and Obligations

  • Data fiduciary and data principal. The DPDP Act uses the terms “data fiduciary” (the entity that, alone or with others, determines the purpose and means of processing personal data, equivalent to GDPR’s “controller”) and “data principal” (the individual whose data is being processed, equivalent to “data subject”). A foreign company that decides why and how personal data of individuals in India is processed is a data fiduciary under the Act; one that processes data only on a fiduciary’s instructions is a “data processor”, and the fiduciary remains responsible for that processing.
  • Consent. Personal data can be processed only with the free, specific, informed, unconditional and unambiguous consent of the data principal, given through a clear affirmative action. Consent must be sought for a specified purpose, preceded by a notice describing the data to be collected and the purpose, and can be withdrawn at any time. The notice and consent request must be in clear, plain language, and withdrawing consent must be as easy as giving it.
  • Legitimate uses. The Act lists specific “legitimate uses” for which processing is permitted without consent: where the data principal has voluntarily provided the data for a specified purpose and has not objected to its use, processing by the State to provide benefits or perform its functions, compliance with a legal obligation or a court order, responding to a medical emergency, epidemic or disaster, and processing for employment purposes. Notably, “performance of a contract” is not a stand-alone ground as it is under GDPR; processing tied to a contract generally rests on consent or on the voluntary-provision ground.
  • Data principal rights. Individuals have the right to access their data, request correction and erasure, nominate a representative, and seek grievance redressal. Data fiduciaries must establish accessible grievance redressal mechanisms.
  • Cross-border data transfer. The Act permits cross-border transfer of personal data by default, except to countries specifically restricted by the Central Government through notification. This is a significant departure from earlier drafts that had proposed strict data localisation. However, the government retains the power to restrict transfers to specific jurisdictions, and sectoral regulators (RBI, SEBI, IRDAI) maintain their own data localisation requirements.
  • Significant data fiduciaries. The Central Government may designate certain data fiduciaries as “significant” based on factors such as the volume and sensitivity of data they process, the risk to data principals’ rights, and potential impact on the sovereignty, security and public order of India. Significant data fiduciaries face additional obligations, including appointing a Data Protection Officer based in India who serves as the point of contact for grievance redressal, appointing an independent data auditor, and conducting periodic Data Protection Impact Assessments and audits.
  • Children’s data. Processing personal data of children (under 18) requires verifiable consent of a parent or lawful guardian. Tracking, behavioural monitoring and targeted advertising directed at children are prohibited. Although the Act does not itself prescribe an age-verification method, a company offering digital services used by children needs a reliable way to establish a user’s age in order to know when parental consent is required; the implementation rules are expected to set out acceptable approaches.
  • Breach notification. Data fiduciaries must notify the Data Protection Board and each affected data principal of any personal data breach. The Act itself fixes no deadline and leaves the form, manner and timing of notification to the implementation rules, so companies should plan for a short, fixed window rather than an open-ended one.

Penalties and Enforcement

The DPDP Act provides for significant financial penalties. The maximum penalty for a single violation is Rs 250 crore (approximately $30 million). The Schedule to the Act sets out the ranges: up to Rs 250 crore for failure to implement reasonable security safeguards to prevent a personal data breach, up to Rs 200 crore for failure to notify the Board and affected data principals of a breach, up to Rs 200 crore for violations of the children’s data provisions, up to Rs 150 crore for a significant data fiduciary’s failure to meet its additional obligations, up to Rs 50 crore for any other violation, and up to Rs 10,000 for a data principal who provides false information or files a frivolous complaint.

The Data Protection Board of India is the adjudicatory body. Unlike the EU’s supervisory authorities, the DPB functions primarily as a tribunal that hears complaints and determines penalties, rather than as a proactive regulator conducting audits and issuing guidance. The Board can nonetheless inquire into breaches on its own motion or on a complaint, direct data fiduciaries to take remedial measures, accept voluntary undertakings in lieu of proceedings, and impose the penalties above. Orders of the Board can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Comparison with GDPR: Key Differences

Foreign companies familiar with GDPR should note several important differences:

  • Cross-border transfers. The DPDP Act takes a “blacklist” approach (transfers permitted unless the destination is specifically restricted), unlike GDPR’s “whitelist” approach (transfers restricted unless the destination has an adequacy decision or appropriate safeguards are in place). This makes cross-border data flows from India potentially easier than from the EU, though the government’s power to restrict transfers introduces uncertainty.
  • No DPO mandate for all. Only “significant data fiduciaries” must appoint a Data Protection Officer. Standard data fiduciaries have no DPO requirement, though they must establish grievance redressal mechanisms.
  • No right to data portability. Unlike GDPR, the DPDP Act does not include a right to data portability, though data principals can access and correct their data.
  • Government exemptions. The Act provides broad exemptions for government data processing, including national security, law enforcement and public order, which are wider than GDPR’s equivalent provisions.
  • Consent-centric. The Act relies more heavily on consent as the primary legal basis for processing, with fewer alternative legal grounds compared to GDPR’s six lawful bases.

Practical Implications for Foreign Companies

  • Companies with India customers. Any foreign company offering goods or services to individuals in India must comply with the DPDP Act, regardless of whether it has a physical presence in India. This includes e-commerce platforms, SaaS providers, digital content services and any business that collects personal data from Indian users.
  • Companies with India operations. Foreign companies with subsidiaries, GCCs or branch offices must comply with employee data processing requirements, including consent management, access rights and breach notification. The interaction with the Labour Codes (which require digital payroll and compliance systems) creates additional data processing obligations.
  • Sectoral overlaps. Companies in financial services, insurance, healthcare and telecommunications must comply with both the DPDP Act and sector-specific data requirements from RBI, SEBI, IRDAI and TRAI. RBI’s data localisation requirement for payment data, for example, operates independently of the DPDP Act’s cross-border transfer provisions.
  • Data processors and vendors. The Act places its obligations on the data fiduciary, which may engage a processor only under a valid contract and remains accountable for the processor’s handling of the data. Foreign companies that process data on behalf of Indian data fiduciaries (cloud service providers, BPO operators, analytics companies) therefore inherit their obligations through those contracts, which should cover security measures, breach notification to the fiduciary, and deletion of data once the purpose is served or consent is withdrawn.

How T&A Consulting Supports Data Protection Compliance

T&A Consulting provides comprehensive advisory for foreign companies navigating India’s data protection landscape:

  • DPDP Act readiness assessment. We evaluate your current data processing practices against the DPDP Act’s requirements, identify gaps and design a compliance roadmap.
  • Consent management framework. We design consent collection, management and withdrawal mechanisms that comply with the Act’s requirements while maintaining user experience.
  • Cross-border transfer assessment. We evaluate your data transfer arrangements, identify applicable sectoral localisation requirements and design compliant data flow architectures.
  • Breach response planning. We develop breach detection, assessment, notification and remediation protocols aligned with the DPDP Act and sectoral requirements.
  • Ongoing compliance support. We monitor regulatory developments, rule notifications and DPB enforcement actions, providing timely updates and compliance adjustments.

India’s DPDP Act establishes the data protection framework for a digital economy serving 1.45 billion people. For foreign companies, compliance is not optional — it is a prerequisite for operating in one of the world’s largest and fastest-growing digital markets. The companies that build robust data protection capabilities now will have a competitive advantage as enforcement intensifies.

Contact us at: pnijhawan@taglobalgroup.com to discuss DPDP Act compliance for your India operations.