Aniket Ghosh, King Stubb & Kasiva 
Leading Questions

Data Privacy in India - Key Questions & Answers


In this 'Leading Questions' section, Aniket Ghosh provides a concise overview of India’s data protection framework under the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025, highlighting key rights, obligations, and enforcement aspects.


Question: What is the primary legal framework governing data privacy in India today?

Answer: India’s data privacy framework is governed by the Digital Personal Data Protection Act, 2023, read with the Digital Personal Data Protection Rules, 2025. Together, they establish a comprehensive regime regulating the processing of digital personal data. While the Act lays down substantive rights, obligations, and penalties, the Rules operationalise the framework by prescribing compliance mechanisms, timelines, consent standards, notice requirements, and breach reporting procedures. This marks India’s first dedicated, enforceable data protection law applicable across sectors.

Question: Is there a regulator under India’s data privacy regime?

Answer: Yes. The DPDP Act establishes the Data Protection Board of India, which is empowered to inquire into non-compliance; impose penalties; direct remedial measures; and enforce obligations under the Act and Rules. The Board serves as the primary enforcement authority for India’s data protection framework.

Question: How does the DPDP Act compare with global regimes such as the GDPR?

Answer: While the DPDP framework borrows core concepts from global standards, particularly consent, accountability, and individual rights, it adopts a principles-based, India-specific model, with fewer categorical data classifications and a penalty-only enforcement mechanism rather than criminal liability. This makes India's regime distinct from the GDPR's more prescriptive approach.

Question: What are the key obligations imposed on data fiduciaries?

Answer: Data fiduciaries are required to process personal data lawfully, transparently, and securely. Core obligations include limiting data collection to lawful and necessary purposes, providing clear privacy notices, implementing reasonable technical and organisational safeguards, enabling grievance redressal mechanisms, and responding to personal data breaches. The DPDP Rules further specify formats, timelines, and procedural requirements, making compliance a continuous and demonstrable exercise rather than a one-time checklist.

Question: What are the penalties for non-compliance under the DPDP framework?

Answer: The DPDP Act adopts a civil penalty regime, enforced by the Data Protection Board of India. Depending on the nature and severity of non-compliance, penalties may be imposed for failures such as inadequate security safeguards, breach notification lapses, or violation of consent requirements. The maximum penalty can extend up to ₹250 crore for a single contravention, with the Board considering factors such as harm caused, duration of non-compliance, and mitigating measures taken.

Closing Remarks

India’s data protection regime is now firmly anchored in the Digital Personal Data Protection Act, 2023, as operationalised by the Digital Personal Data Protection Rules, 2025. Together, they establish a comprehensive framework governing the lawful processing of digital personal data, impose significant compliance obligations on businesses, and expose organisations, Indian and foreign alike, to penalties of up to ₹250 crore for serious violations.

Aniket Ghosh is a Partner at King Stubb & Kasiva.
