Davis Kanjamala, Vaishnavi Viswanathan, Viswanathan G 
The Viewpoint

Obligations under CERT-In and DPDP – Not a zero-sum game

The article examines areas of overlap between the CERT-In Directions and the DPDP Act, with a view to assessing whether such convergence leads to duplication, friction, or a more comprehensive regime of data governance.

India is on the brink of a pivotal moment in its data privacy landscape - one that will reshape not only regulatory practice but also the everyday interaction of individuals and businesses with digital ecosystems. With the Digital Personal Data Protection Act, 2023 (‘DPDP Act’) and its accompanying Rules (‘DPDP Rules’) poised for implementation, the task of integrating this new framework within the existing regulatory regime assumes critical importance.

The central issue is whether the DPDP regime will operate in harmony with parallel obligations or whether it risks creating conflicting compliance tracks. The DPDP Act has largely sought to avoid potential conflicts with the erstwhile regulatory framework governing data privacy through the repeal of relevant provisions and rules of the Information Technology Act. A significant exception, however, is the 2022 directions issued by the Indian Computer Emergency Response Team (‘CERT-In’) under Section 70-B(6) of the Information Technology Act, 2000 (‘CERT-In Directions’), which continue to survive.

This article aims to examine a few select areas of overlap between the CERT-In Directions and the DPDP Act, with a view to assessing whether such convergence leads to duplication, friction, or a more comprehensive regime of data governance.

Applicability

CERT-In: Security-centric

Section 70-B of the Information Technology Act establishes the CERT-In as a national agency with a security-centric mandate, expressly empowered to issue directions to defined categories of entities such as service providers, intermediaries, data centres, body corporates and any other person.

DPDP Act: Entity-agnostic and activity-centric

In contrast, the applicability of the DPDP Act is framed in activity-centric terms rather than being entity-specific. In other words, the Act regulates the processing of personal data irrespective of the nature or identity of the entity engaged in such processing. Section 3 of the Act, which sets out the scope of application, makes it evident that the sweep of the DPDP Act is expansive. The only carve-outs relate to personal data processed by an individual for purely personal or domestic purposes, personal data already made publicly available by the Data Principal or personal data made available pursuant to a legal obligation.

Convergence on stakeholders

Therefore, there exists a significant degree of overlap between the DPDP Act and the CERT-In framework. While the DPDP Act is privacy-driven and activity-centric, focusing on the rights of individuals in relation to their personal data, the CERT-In Directions are security-driven, aimed at building resilience and ensuring timely responses to cyber incidents. Yet both regimes converge upon many of the same actors - cloud service providers, data centres, intermediaries and other digital service entities, thereby creating parallel compliance obligations.

It is useful at this stage to consider two principal areas of overlap.

Data breach reporting regime

Indian entities face a complex legal landscape when it comes to reporting data breaches and cybersecurity incidents. A single event can trigger obligations under at least two distinct regulatory frameworks - the DPDP Act and the CERT-In Directions. Understanding the purpose and requirements of each regime is crucial for effective compliance.

The Security-Centric Mandate: CERT-In's 6-Hour Rule

CERT-In Directions impose a strict six-hour reporting window for a wide array of cybersecurity incidents. These incidents broadly include:

- Unauthorized access to IT systems.

- Ransomware, data leaks and denial-of-service attacks.

- Attacks on cloud services, IoT networks and critical infrastructure.

The CERT-In Incident Reporting Form requires detailed technical inputs, including information about the affected system (domain/URL, IP address, operating system, application details, location), along with a brief description of the incident. CERT-In’s compressed timeline prioritises immediate containment and cyber-resilience.

The Privacy-Centric Mandate: The DPDP Act's 72-Hour Rule

In contrast, the DPDP Act establishes a clear, privacy-focused framework for reporting personal data breaches. As outlined in Rule 7(2) of the (draft) DPDP Rules, a Data Fiduciary who becomes aware of a breach must:

- Notify the Data Protection Board of India (‘DPBI’) without delay, providing a description of the breach, including its nature, extent, timing, location, and likely impact.

- File a detailed report within 72 hours (or a longer period if granted an extension by the DPBI) covering the breach's causes, containment and mitigation measures, and notifications issued to affected Data Principals.

This framework is explicitly designed to protect the rights of individuals.

Reconciling Dual Obligations

The legal and operational challenge for organizations is that a single event, such as a ransomware attack, can trigger both reporting obligations. Organisations are therefore subject to multiple timelines and several regulators. In addition to these, sectoral regulators such as the RBI, IRDAI, and SEBI impose their own breach reporting requirements, each tailored to the specific needs of their regulated industries, further expanding the compliance landscape.

Right to erasure under DPDP vs. CERT-In's retention requirements

The CERT-In imposes broad data retention requirements aimed at strengthening cybersecurity resilience. On the other hand, the DPDP Act grants individuals the 'right to erasure,' demanding that organizations delete personal data once its purpose is served. Navigating these two seemingly contradictory regimes requires a detailed understanding of their respective scopes and key exceptions.

CERT-In's broad and mandatory retention requirements

CERT-In’s directives, issued under the Information Technology Act, 2000, are primarily security-driven. They impose a series of strict, long-term data retention and logging obligations on a wide range of entities.

1. Log Maintenance for 180 Days

CERT-In mandates that 'all service providers, intermediaries, data centres, body corporate and government organisations shall mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered/directed by CERT-In.' This is a baseline requirement for all covered entities, ensuring a minimum period for forensic analysis and incident response.

2. Extended retention for specific sectors

Beyond the general 180-day rule, CERT-In imposes even more stringent requirements on specific entities, recognizing their critical role in the digital economy. For instance:

- Data Centres, Virtual Private Server (VPS), Cloud Service, and VPN Service providers are required to 'maintain accurate information' about their customers for a 'period of 5 years or longer duration as mandated by the law.' This includes details such as 'validated names of subscribers/ customers,' 'IPs allotted,' 'purpose for hiring services,' and 'validated address and contact numbers.'

- Virtual Asset Service Providers, Virtual Asset Exchange Providers, and Custodian Wallet Providers are required to 'mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years.' These records must be detailed enough to allow individual transactions to be reconstructed, including 'information relating to the identification of the relevant parties, including IP addresses, along with timestamps and time zones.'

While CERT-In is often described as mandating log-keeping, the requirement to reconstruct incidents goes beyond passive storage. Reconstruction entails the retrieval, correlation, and analysis of logs to identify affected systems, assess impact, and coordinate mitigation actions; these activities could constitute active processing of personal data.

The obligation to maintain information for a minimum of five years applies broadly to Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, Virtual Asset Exchange providers, and Custodian Wallet providers (as defined by the Ministry of Finance from time to time). Within the construct of the DPDP Act, a Data Centre service provider would ostensibly fall within the definition of a Data Processor, whereas the customer engaging the Data Centre would be classified as a Data Fiduciary. The sweep of this requirement is therefore very wide, effectively covering most key intermediaries in the digital ecosystem.

Right to erasure under the DPDP regime

While Sections 8(7)(a) and 12 of the DPDP Act appear to confer a right to erasure, both provisions condition this right on compliance with applicable laws. Section 17 goes further, expressly permitting the continued processing of retained personal data where necessary for regulatory, judicial, or investigatory purposes. On a first reading, therefore, the right to erasure appears more notional than substantive.

However, the overarching principle of purpose limitation of the DPDP Act operates as a crucial safeguard. This principle is reinforced by Sections 8(7)(a) and 12, which clarify that retention is permitted only where it is necessary for the specified purpose or for compliance with prevailing laws. Thus, even though the exemptions to erasure appear broad, the statutory framework incorporates guardrails that confine retention and processing within defined limits.

For Data Principals, the implication is that even when they exercise their right to erasure, their personal data may still be retained to satisfy statutory obligations, including those under the CERT-In Directions. For Data Fiduciaries and Data Processors, the compliance challenge is therefore a delicate one. In practice, once the original purpose of data collection has been fulfilled and/or when a Data Principal requests erasure, the Data Fiduciary may need to expressly notify the individual that their data is being retained and potentially processed solely to meet CERT-In obligations, and not for any commercial exploitation. The real challenge for Data Fiduciaries will be building compliance systems that can retain and process data lawfully for regulatory or security reasons, without losing sight of the DPDP Act’s core principle of purpose limitation.

Towards harmonisation

This dual regulatory intersection highlights the practical challenges entities face in navigating overlapping compliance tracks. Addressing these challenges requires judicial interpretation and legislative refinement.

About the authors: Davis Kanjamala and Vaishnavi Viswanathan are Partners and Viswanathan G is a Director at Viswanathan & Associates.

Disclaimer: The opinions expressed in this article are those of the author. The opinions presented do not necessarily reflect the views of Bar & Bench.
