Data Privacy And The Indian IT Industry: Legal Framework, Compliance Obligations, And Emerging Risks

Introduction
In an era where data has become the backbone of the digital economy, data privacy is no longer a peripheral compliance issue; it is a core governance and business risk, particularly for India’s information technology industry. The constitutional recognition of privacy as a fundamental right in K.S. Puttaswamy v. Union of India [1] (2017) marked a watershed moment in Indian jurisprudence. The Supreme Court unequivocally held that informational privacy forms an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution, while simultaneously underscoring the need for a robust statutory framework to regulate the collection, processing, storage, and dissemination of personal data.
India’s data protection regime has since evolved from a fragmented, sector-specific approach under the Information Technology Act, 2000 (“IT Act”) to a comprehensive, standalone framework under the Digital Personal Data Protection Act, 2023 (“DPDP Act”). This transition has significant implications for IT companies, technology service providers, SaaS platforms, outsourcing firms, and multinational corporations operating in or servicing the Indian market.
The Information Technology Act, 2000: A Limited and Fragmented Privacy Regime
Prior to the enactment of the DPDP Act, data protection obligations in India were primarily derived from the IT Act and the rules framed thereunder. While the IT Act was never intended to function as a comprehensive data protection statute, certain provisions sought to address privacy concerns in a limited manner.
Civil and Criminal Liability for Data Breaches
- Section 43A imposes civil liability on body corporates that fail to implement “reasonable security practices and procedures” to protect sensitive personal data or information. Such failure exposes the organisation to compensation claims for losses suffered by affected individuals.
- Section 72A criminalises the disclosure of personal information in breach of a lawful contract, extending liability to companies and their employees acting in the course of employment.
Privacy-Related Offences and State Surveillance Powers
- Section 66E criminalises the violation of privacy through the capturing, publishing, or transmission of private images without consent.
- Section 69 empowers the government to intercept, monitor, or decrypt electronic communications in the interests of national security, public order, or sovereignty.
Despite these provisions, judicial interpretations under the IT Act failed to establish clear standards for lawful processing, consent, purpose limitation, or data subject rights. The absence of a dedicated regulator and uniform compliance obligations resulted in legal uncertainty, particularly for IT companies handling large volumes of personal data across borders. This lacuna ultimately necessitated comprehensive legislative reform.
The Digital Personal Data Protection Act, 2023: A Paradigm Shift
The DPDP Act represents India’s first consolidated data protection legislation, aligning domestic law with global privacy standards while retaining sovereign regulatory control.
Scope and Extraterritorial Application
The DPDP Act applies to:
- Processing of digital personal data within India; and
- Processing of personal data outside India where such processing is connected to offering goods or services to individuals in India.
This extraterritorial reach is particularly relevant for global IT and outsourcing companies servicing Indian users from offshore locations.
Key Definitions Under the DPDP Act
The Act introduces legally significant definitions that form the foundation of compliance obligations:
- Personal Data: Any data relating to an identifiable individual.
- Data Principal: The individual to whom the personal data relates.
- Data Fiduciary: The entity that determines the purpose and means of processing personal data.
- Data Processor: Any person processing personal data on behalf of a data fiduciary.
Certain categories of processing are excluded, including personal or domestic use by individuals and data made publicly available by the data principal or under law.
Consent-Centric Processing and Lawful Grounds
At the heart of the DPDP Act lies a consent-driven model of data processing. Personal data may be processed only for lawful purposes and upon obtaining free, informed, specific, and unambiguous consent from the data principal. Consent must be capable of being withdrawn at any time, and upon withdrawal, the data fiduciary is required to cease processing unless retention is mandated by law. The Act also recognises limited exemptions from consent and notice requirements, including:
- Enforcement of legal rights or claims;
- Processing by courts, tribunals, and regulatory authorities;
- Prevention, investigation, or prosecution of offences;
- Certain cross-border contractual processing arrangements; and
- Processing by the State in the interests of national security, public order, or sovereignty.
Rights of Data Principals
The DPDP Act significantly enhances individual control over personal data by conferring enforceable statutory rights, including:
- Right to Access and Confirmation: To ascertain whether personal data is being processed and to obtain a copy.
- Right to Correction and Erasure: To rectify inaccurate or incomplete data and seek erasure where data is no longer required.
- Right to Nomination: To designate a representative to exercise data rights in the event of death or incapacity.
These rights impose operational and technological obligations on IT companies to maintain responsive and transparent data management systems.
Obligations of Data Fiduciaries and Significant Data Fiduciaries
Data fiduciaries are required to implement reasonable security safeguards, maintain processing records, and establish effective grievance redressal mechanisms. Enhanced obligations apply to entities classified as Significant Data Fiduciaries, based on factors such as volume and sensitivity of data processed and potential risk to data principals. Such entities must:
- Appoint a Data Protection Officer based in India;
- Conduct periodic data protection impact assessments and audits; and
- Ensure heightened compliance and accountability standards.
The Act expressly prohibits contractual clauses that dilute data principal rights or exclude fiduciary liability, reinforcing consumer protection and accountability.
Regulatory Oversight: The Data Protection Board of India
The DPDP Act establishes the Data Protection Board of India, vested with investigative, adjudicatory, and enforcement powers. The Board may:
- Inquire into data breaches and non-compliance;
- Issue interim directions, including suspension of data processing activities;
- Impose monetary penalties; and
- Provide relief to affected data principals.
The Board’s functioning is expected to shape India’s evolving data protection jurisprudence and compliance culture.
Implications for the Indian IT Industry
For India’s IT sector, the DPDP Act signals a fundamental shift from reactive compliance to proactive data governance. Data protection now intersects with corporate risk management, contractual structuring, cybersecurity, and cross-border operations. Non-compliance carries not only financial penalties but also reputational and operational risks.
Conclusion
India’s data privacy regime has matured from fragmented statutory protections to a structured, rights-based framework anchored in constitutional values. The DPDP Act brings clarity, accountability, and regulatory oversight to personal data processing, significantly raising the compliance threshold for IT companies and digital businesses. As enforcement mechanisms take shape, data privacy will increasingly function as a strategic legal and commercial consideration rather than a mere regulatory formality.
For organisations operating in India’s data-driven economy, early alignment with the DPDP Act is not only prudent but essential.
[1] AIR 2017 SC 4161.