Legal Explainer “Data Privacy in India – Key Questions & Answers” by Aniket Ghosh, Partner, King Stubb and Kasiva
02 February 2026
– Mr. Aniket Ghosh, Partner (Competition Law and Data Privacy), King Stubb and Kasiva
- What is the primary legal framework governing data privacy in India today?
Answer:
India’s data privacy framework is governed by the Digital Personal Data Protection Act, 2023, read with
the Digital Personal Data Protection Rules, 2025. Together, they establish a comprehensive regime
regulating the processing of digital personal data. While the Act lays down substantive rights, obligations,
and penalties, the Rules operationalise the framework by prescribing compliance mechanisms, timelines,
consent standards, notice requirements, and breach reporting procedures. This marks India’s first
dedicated, enforceable data protection law applicable across sectors.
- Is there a regulator under India’s data privacy regime?
Answer:
Yes. The DPDP Act establishes the Data Protection Board of India, which is empowered to inquire into
non-compliance; impose penalties; direct remedial measures and enforce obligations under the Act and
Rules. The Board serves as the primary enforcement authority for India’s data protection framework.
- How does the DPDP Act compare with global regimes such as the GDPR?
Answer:
While the DPDP framework borrows core concepts from global standards, particularly consent,
accountability, and individual rights, it adopts a principles-based, India-specific model, with fewer
categorical data classifications and a penalty-only enforcement mechanism rather than criminal liability.
This makes India’s regime distinct from the GDPR’s more prescriptive approach.
- What are the key obligations imposed on data fiduciaries?
Answer:
Data fiduciaries are required to process personal data lawfully, transparently, and securely. Core
obligations include limiting data collection to lawful and necessary purposes, providing clear privacy
notices, implementing reasonable technical and organisational safeguards, enabling grievance redressal
mechanisms, and responding to personal data breaches. The DPDP Rules further specify formats,
timelines, and procedural requirements, making compliance a continuous and demonstrable exercise
rather than a one-time checklist.
- What are the penalties for non-compliance under the DPDP framework?
Answer:
The DPDP Act adopts a civil penalty regime, enforced by the Data Protection Board of India. Depending
on the nature and severity of non-compliance, penalties may be imposed for failures such as inadequate
security safeguards, breach notification lapses, or violation of consent requirements. The maximum
penalty can extend up to ₹250 crore for a single contravention, with the Board considering factors such as
harm caused, duration of non-compliance, and mitigating measures taken.
Closing Note
India’s data protection regime is now firmly anchored in the Digital Personal Data Protection Act, 2023,
as operationalised by the Digital Personal Data Protection Rules, 2025. Together, they establish a
comprehensive framework governing the lawful processing of digital personal data, impose significant
compliance obligations on businesses, and expose organisations—Indian and foreign alike—to penalties
of up to ₹250 crore for serious violations.
