Data Privacy & Protection Law
With the exponential rise in digital interactions, businesses are collecting and processing more personal data than ever before. The legal framework governing data privacy in India has become a central concern for organizations of all sizes, especially with the recent enactment of the Digital Personal Data Protection Act, 2023 (DPDPA).
At Apar Law, we present key insights on India’s evolving data protection regime, relevant for entities handling user data across sectors such as technology, fintech, health-tech, and e-commerce.
Legal Landscape of Data Privacy in India
🔹 Information Technology Act, 2000
The foundational legislation governing data privacy is the Information Technology Act, 2000, supplemented by the IT Rules, 2011, which apply to any business or body corporate collecting sensitive personal data. Key requirements include obtaining user consent, implementing reasonable security practices, and notifying users of data use.
🔹 Digital Personal Data Protection Act, 2023 (DPDPA)
India’s new DPDP Act, 2023, introduces a comprehensive, rights-based data protection regime, aligning Indian privacy law with global standards like the EU General Data Protection Regulation (GDPR). It defines the obligations of Data Fiduciaries (entities processing data) and the rights of Data Principals (individuals whose data is collected).
Core Concepts in Indian Data Protection Law
- Consent-Based Data Processing: Under both the IT Rules and the DPDPA, personal data can only be collected and processed with clear, informed, and voluntary consent from the user. Purpose limitation and data minimization are key principles embedded in the law.
- Reasonable Security Measures: Entities are expected to adopt reasonable security practices and procedures, such as ISO/IEC 27001 compliance, robust encryption, and access control policies, to mitigate the risk of data breaches or unauthorized access.
- Cross-Border Data Transfers: The DPDPA provides a framework for international data transfers, under which personal data may only be transferred to countries notified by the Central Government. Businesses handling cross-border services must assess data localization and adequacy compliance.
- Rights of Data Principals: Indian data privacy laws grant individuals the right to:
  - Access their data
  - Correct or delete their data
  - Withdraw consent
  - File complaints with the Data Protection Board of India
- Data Breach Notification: Organizations are required to notify the Data Protection Board and possibly CERT-In, depending on the nature of the breach, in accordance with the CERT-In Directions of 2022.
Business Impact of Data Privacy Compliance
For tech companies, startups, and global enterprises operating in or serving the Indian market, ensuring data privacy compliance is essential. Non-compliance can lead to:
- Regulatory penalties
- Reputational damage
- Suspension of data processing rights
- Loss of user trust