The legislative start of Data Protection in India
In a technologically developing world, perhaps no legal topic is as variously covered as data protection. Traditionally the European Union is seen as being the strictest legislator on data protection, together with Germany, which enforced further stricter provisions on a national level. Most major economies, including the USA, Canada, Brazil, China, and the Philippines have enacted data protection laws on how companies and governments are allowed to process personal data of their respective citizens and foreign citizens alike.
In its efforts to modernise legislation, India passed the Digital Personal Data Protection Act (DPDP Act) in August 2023, whose provisions are entering gradually into force from November 2025 until May 2027. It’s the first standalone legislation of its kind in India and aims to build a common framework for the protection of personal data. It replaces and expands the provisions outline in the Information Technology Act (IT Act) of 2000. The DPDP is also the first piece of legislation that uses the generic feminine, referring to individuals with “she/her” pronouns.
The principles in the DPDP Act attempt to establish principles of data processing and data ownership, as well as enforce punishments for misuse of data. India falls under the countries globally with moderate enforcement of data protection, and the legislation has been criticised for giving more power to government bodies accessing citizens’ data.
The Act envisions consent principles that require explicit consent from users, along with detailed information on how the data will be used. This consent must be renewed if the data is to be used in a different way than outlined in the information given to the user. Furthermore, data principal rights outlined in the act include a user’s rights to access, correct, delete, and port personal data.
However, the act does not have a fix data localisation requirement, meaning that the data need not be stored on Indian territory. It also allows for cross-border data transfer if such a transfer isn’t prohibited by another government Act or Order. This usually includes cross-border transfers with countries that do not collaborate on data sharing with India.
To monitor compliance the DPDP Act set up the Data Protection Board of India, formed in November 2025, and still without a website. Its role is to enforce the Act and deal with all reported irregularities when its provisions aren’t being met. The Board issues recommendations on compliance, as well as penalties for non-compliance, and is to act as a mediator in out-of-court disputes.
In short, India is now expanding its data protection provisions and compliance is going to be more layered than it was before. Yet the Act presents itself as an update to Indian legislation in its regulation of data affairs. While not free of criticism on a political level, businesses are mostly exempt from any worries, apart from the usual due-diligence when handling user data in foreign markets.
Stefan Radaković