AS LAW OFFICES

Privacy and AI

Privacy Compliance in India – Legal Position and Requirements

Introduction

Privacy in India has evolved from a constitutional aspiration to a legally enforceable right, gaining statutory recognition under the Digital Personal Data Protection Act, 2023 (DPDPA). For decades, India lacked a comprehensive data protection law, relying instead on constitutional interpretations, sectoral regulations, and information technology rules. The Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) established privacy as a fundamental right under Article 21 of the Constitution, setting the stage for legislative reform.

The DPDPA now represents India’s first dedicated data protection statute, seeking to balance individual privacy, corporate innovation, and state interests in security and governance. For businesses, especially digital enterprises and startups, privacy compliance is no longer optional but a legal requirement with financial and reputational consequences.

This article examines the legal position on privacy in India, the core requirements of compliance, and the practical steps organisations must adopt.

Evolution of Privacy in India

1. Constitutional Recognition

  • Puttaswamy (2017) – The nine-judge bench held privacy to be intrinsic to the right to life and liberty. It underlined informational privacy as central to individual autonomy.
  • Privacy is therefore enforceable against both state and private actors, requiring legislation for operationalisation.

2. Pre-DPDPA Regime

  • Information Technology Act, 2000 (IT Act) and IT Rules, 2011 (SPDI Rules) were the only privacy-related laws. They regulated sensitive personal data, requiring consent for collection and mandating reasonable security practices.
  • Sectoral regulators – RBI, SEBI, IRDAI, and TRAI issued privacy obligations in financial, securities, insurance, and telecom sectors.

3. Legislative Reform Journey

  • Justice B.N. Srikrishna Committee Report (2018) recommended a data protection law.
  • Personal Data Protection Bill, 2019 was introduced but later withdrawn due to criticism.
  • Digital Personal Data Protection Act, 2023 was enacted, simplifying provisions while retaining core privacy protections.

The Digital Personal Data Protection Act, 2023 – Key Features

The DPDPA applies to processing of digital personal data in India and extraterritorially where processing is linked to Indian users.

1. Applicability

  • Covers all entities (“data fiduciaries”) processing digital personal data.
  • Applies to foreign entities if they offer goods or services in India.

2. Rights of Individuals (“Data Principals”)

  • Right to Access Information – To know what personal data is collected and how it is used.
  • Right to Correction and Erasure – To correct or erase inaccurate data.
  • Right to Nominate – Nomination for exercise of rights in case of incapacity or death.
  • Right to Grievance Redress – Through a data fiduciary’s grievance officer.

3. Duties of Data Principals

Unlike GDPR, individuals also have duties:

  • Not to impersonate, suppress material information, or file frivolous complaints.

4. Obligations of Data Fiduciaries

  • Consent-based processing – Explicit, informed consent required, with notice in plain language.
  • Purpose limitation – Data must only be processed for stated purposes.
  • Storage limitation – Data must be erased once the purpose is fulfilled.
  • Security safeguards – Implementation of technical and organisational measures.
  • Breach notification – Mandatory reporting of personal data breaches to the Data Protection Board of India.

5. Significant Data Fiduciaries (SDFs)

The government may classify certain entities as SDFs based on volume and sensitivity of data. Additional obligations include:

  • Appointing a Data Protection Officer (DPO) based in India.
  • Conducting Data Protection Impact Assessments (DPIAs).
  • Regular audits.

6. Cross-Border Data Transfers

Unlike earlier drafts, the DPDPA allows free cross-border transfers unless restricted by government notification.

7. Penalties

  • Heavy financial penalties up to ₹250 crore per breach for non-compliance.
  • Data Protection Board empowered to adjudicate.

Comparative Note – GDPR vs DPDPA

While inspired by the EU’s General Data Protection Regulation (GDPR), the DPDPA simplifies compliance:

AspectGDPRDPDPA (India)
BasisRights-based, detailed obligationsSimpler, consent-driven
RightsAccess, rectification, erasure, portability, objectionAccess, correction, erasure, grievance redress
DutiesNo duties for individualsExplicit duties for Data Principals
Supervisory AuthorityIndependent Data Protection AuthoritiesCentral government-appointed Data Protection Board
PenaltiesUp to 4% of global turnoverUp to ₹250 crore per breach

This comparative simplicity is meant to ease compliance for Indian businesses while ensuring accountability.

Compliance Requirements for Organisations

To comply with DPDPA, organisations must implement structured privacy programs:

1. Governance and Accountability

  • Designate a Data Protection Officer (DPO) (mandatory for SDFs).
  • Establish a privacy compliance framework covering collection, processing, storage, and disposal.

2. Consent Management

  • Develop clear consent notices in local languages.
  • Implement easy withdrawal mechanisms.

3. Data Mapping and Classification

  • Maintain a record of data flows – what personal data is collected, why, where stored, and for how long.
  • Classify sensitive data (health, biometric, financial) for additional safeguards.

4. Security Measures

  • Encryption, pseudonymisation, and access control.
  • Periodic vulnerability testing and cybersecurity audits.

5. Vendor and Third-Party Management

  • Contracts with processors should mandate compliance with DPDPA.
  • Vendors must implement equivalent security controls.

6. Grievance Redress and User Rights Management

  • Appoint grievance officers.
  • Establish timelines for responding to rights requests.

7. Training and Awareness

  • Train employees handling personal data.
  • Build a culture of privacy compliance.

8. Data Breach Response

  • Develop incident response plans.
  • Mandatory reporting to the Data Protection Board and affected individuals.

Sector-Specific Privacy Compliance

1. Healthcare

  • Sensitive health data requires higher safeguards.
  • Must comply with Telemedicine Practice Guidelines (2020) and Medical Council regulations.

2. Financial Services

  • Regulated by RBI and SEBI.
  • Obligations include KYC privacy, secure authentication, and data localisation in some cases.

3. Telecom and Technology

  • TRAI imposes additional safeguards on telecom operators.
  • Startups must ensure alignment with DPDPA and IT Act obligations.

Challenges in Privacy Compliance

  • Awareness gap – Many SMEs lack knowledge of DPDPA requirements.
  • Operational costs – Implementing DPIAs, audits, and security safeguards require investment.
  • Cross-border complexities – Multinational firms must align DPDPA with GDPR and other global frameworks.
  • Regulatory uncertainty – Rules and notifications under DPDPA still awaited.

Practical Roadmap for Compliance

  1. Gap Assessment – Audit current data practices.
  2. Policy Framework – Draft privacy policies, consent notices, retention schedules.
  3. Technology Deployment – Consent management tools, encryption, access controls.
  4. Stakeholder Engagement – Train staff and inform users.
  5. Audit and Monitor – Conduct regular audits and update governance models.

Conclusion

Privacy compliance in India has transitioned from being a corporate “good-to-have” to a legal and constitutional imperative. The DPDPA, 2023 institutionalises privacy as a statutory obligation, requiring organisations to design systems around consent, accountability, and security. For businesses, especially in digital and data-driven sectors, compliance ensures not just avoidance of penalties but also consumer trust, investor confidence, and competitive advantage.

As India integrates deeper into the global digital economy, alignment with international frameworks like GDPR will be essential. Ultimately, compliance with privacy law is not a burden but an opportunity to embed ethics and resilience into business models.

References (OSCOLA)

  • Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1.
  • Digital Personal Data Protection Act, 2023 (India).
  • Information Technology Act, 2000 (India).
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
  • RBI, Guidelines on Digital Lending (2022).
  • SEBI, Cybersecurity and Cyber Resilience Framework (2019).
  • OECD, Digital Security Risk Management for Economic and Social Prosperity (2015).
  • Graham Greenleaf, ‘India’s 2023 Data Protection Act: Third Time Lucky’ (2023) 190 Privacy Laws & Business International Report 1.

This website is not an attempt to advertise or solicit clients, and does not seek to create or invite any lawyer-client relationship and is only intended to share information purposes and to inform about the initiatives undertaken by the AS Law Offices. The content herein or on such links should not be construed as a legal reference or legal advice.

Readers are advised not to act on any information contained herein or on the links and should refer to legal counsels and experts in their respective jurisdictions for further information and to determine its impact.

This website has been made solely for the providing information about AS Law Offices. While it has been carefully prepared to ensure that the information provided herein is accurate and up-to-date but AS Law Offices is not responsible for any reliance that a reader places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof. Reader is advised to confirm the veracity of the same from independent and expert sources.

We advise against the use of the communication platform provided on this website for exchange of any confidential, business or politically sensitive information. User is requested to use his or her judgment and exchange of any such information shall be solely at the user’s risk.

This website also uses cookies on its website to improve its usability. This helps us in providing a good user experience and to also help in improving our website. By continuing to use our website without changing your privacy settings, you agree to our use of the cookies.

I Agree I Disagree