Navigating India’s Data Privacy Landscape: Legal Framework as on June 2025

Posted On - 11 June, 2025 • By - Aurelia Menezes

Introduction  

The evolution of data privacy in India has witnessed a significant transformation over the past decade, marked by judicial activism, legislative reforms, and global pressure to align with international data protection standards.  

As of June 1, 2025, India’s data protection landscape is anchored by two primary legal frameworks: the Information Technology Act, 2000, along with the Sensitive Personal Data or Information (SPDI) Rules, 2011, and the newly enacted Digital Personal Data Protection Act, 2023 (“DPDP Act”). While the latter heralds a modern and principle-based regime, it is yet to come into force pending finalisation of subordinate legislation. 

Until the DPDP Act is operationalised, the Information Technology Act, 2000 (“IT Act”) read with the SPDI Rules, 2011 remains the primary legislation governing data privacy in India. Section 43A of the IT Act imposes civil liability on a body corporate that is negligent in implementing and maintaining reasonable security practices and procedures while handling sensitive personal data or information, where that negligence causes wrongful loss or wrongful gain to any person. Under the SPDI Rules, sensitive personal data or information includes passwords, financial information such as bank account and card details, biometric information, medical records and history, and information on physical, physiological and mental health condition and sexual orientation.

Key requirements under the SPDI Rules include: 

  • Obtaining consent before data collection and disclosure; 
  • Providing a privacy policy; 
  • Ensuring data retention only for lawful purposes; 
  • Implementing reasonable security practices and procedures, for which the IS/ISO/IEC 27001 standard is the benchmark recognised under Rule 8 (a documented and audited information security programme of equivalent standard is also acceptable). 

The SPDI Rules apply only to “body corporates” and confer only limited rights on the providers of information: the right to review and correct the information they have provided and the option to withdraw consent. There is no dedicated regulator; compensation claims under Section 43A are heard by adjudicating officers appointed under the IT Act, which has limited the effectiveness of the regime in practice. 

The Digital Personal Data Protection Act, 2023: Awaiting Enforcement  

The DPDP Act received Presidential assent on August 11, 2023. However, as of June 1, 2025, the Act is not in force: the Central Government has not notified a commencement date under Section 1(2), and the implementing rules to be made under Section 40 remain in draft form (the draft Digital Personal Data Protection Rules, 2025 were published for public consultation on January 3, 2025). 

The DPDP Act introduces a comprehensive and rights-based framework based on the following key principles: 

  • Lawful and fair processing of personal data; 
  • Purpose limitation and data minimisation; 
  • Notice and consent mechanisms; 
  • Rights of Data Principals to access information about their personal data, to correction and erasure, to grievance redressal, and to nominate another person to exercise these rights in the event of death or incapacity (the Act does not provide a right to data portability); 
  • Obligations on Data Fiduciaries and Data Processors;
  • Creation of the Data Protection Board of India as an adjudicatory authority. 

 The Act applies to: 

  • Processing of digital personal data within India; 
  • Processing of personal data outside India if connected to goods/services targeting Indian individuals. 

Core Definitions and Scope  

  • Personal Data: Any data about an individual who is identifiable by or in relation to such data. 
  • Data Principal: The individual to whom the personal data relates (includes parents or guardians for children and persons with disabilities). 
  • Data Fiduciary: Entity determining purpose and means of processing. 
  • Data Processor: Entity processing data on behalf of a fiduciary. 
  • Significant Data Fiduciary (SDF): Notified based on volume/sensitivity of data, potential harm, and risks to sovereignty or electoral democracy. 

Responsibilities of Stakeholders  

Data Fiduciaries must: 

  •  Obtain informed consent from data principals; 
  • Issue notices specifying purposes and grievance redressal mechanisms; 
  • Ensure data accuracy, security safeguards, and restricted retention; 
  • Notify breaches to the Data Protection Board and affected individuals; 
  • Implement additional compliance measures if designated as SDF (e.g., DPO appointment, data audits). 

Data Processors are required to: 

  • Adhere to contractual obligations with fiduciaries; 
  • Maintain data confidentiality and security; 
  • Assist in breach notifications and erasure requests. 

Consent Managers, a novel concept, are entities empowered to manage consent on behalf of data principals and must be registered with the Board. 

Data Breach Notification and the Role of CERT-In  

The DPDP Act (Section 8(6)) mandates that a Data Fiduciary notify the Data Protection Board and each affected Data Principal in the event of a personal data breach. The detailed timelines and format will be prescribed by the rules; the draft rules published in January 2025 require the Board and affected Data Principals to be intimated without delay, with a fuller report (nature, extent, timing, likely impact, remedial measures and the findings of the fiduciary’s inquiry) to be submitted to the Board within 72 hours of becoming aware of the breach, or such longer period as the Board may allow on request. 

Separately, Section 70B of the IT Act requires mandatory reporting of cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In). The CERT-In directions of April 28, 2022, issued under Section 70B(6), expanded the list of reportable incidents (for example data breaches and data leaks, ransomware attacks, and unauthorised access to systems or data) and require reporting within six hours of the incident being noticed or brought to the entity’s attention. Failure to furnish the information called for or to comply with the directions is punishable under Section 70B(7) with imprisonment up to one year or a fine up to INR 100,000, or both. 

Therefore, until the DPDP Act is in force, entities must continue to report applicable incidents to CERT-In within the six-hour window; once the Act commences, the same breach may trigger both a CERT-In incident report and a separate notification to the Data Protection Board and affected Data Principals, and incident response plans should be designed for this dual reporting now. 

Penalties and Enforcement  

Under the IT Act: 

  • Section 43A permits compensation to affected persons for negligent data handling; 
  • Section 72 prescribes imprisonment up to two years, or a fine up to INR 100,000, or both, for any person who, having secured access to records or information under powers conferred by the Act, discloses it without consent; 
  • Section 72A prescribes imprisonment up to three years, or a fine up to INR 500,000, or both, for service providers (and their employees) who disclose personal information obtained under a lawful contract without consent and in breach of that contract, with intent to cause or knowing they are likely to cause wrongful loss or gain. 

Under the DPDP Act:  

The Data Protection Board of India is empowered to impose civil monetary penalties of up to INR 250 crore per instance of contravention, having regard to factors listed in Section 33 such as the nature, gravity and duration of the breach, the type of personal data affected, whether the breach is repetitive, any gain realised or loss avoided, and the mitigation measures taken. 

Indicative maximum penalties under the Schedule to the DPDP Act: 

  Contravention                                                                 Maximum penalty 
  Failure to take reasonable security safeguards (Section 8(5))                INR 250 crore 
  Failure to notify a personal data breach to the Board or affected            INR 200 crore 
    Data Principals (Section 8(6)) 
  Non-fulfilment of additional obligations in relation to children             INR 200 crore 
    (Section 9) 
  Non-fulfilment of additional obligations of Significant Data Fiduciaries     INR 150 crore 
    (Section 10) 
  Breach of any other provision of the Act or the rules                        INR 50 crore 
  Breach of the duties of a Data Principal (Section 15)                        INR 10,000 

Unlike the IT Act, the DPDP Act does not create criminal offences but adopts a regulatory adjudication model. 

Transitional Considerations for Organisations 

  • Map personal data flows and conduct data protection impact assessments; 
  • Update privacy notices and consent frameworks; 
  • Review vendor and processor agreements; 
  • Nominate a Data Protection Officer (if likely to be classified as SDF); 
  • Implement breach readiness and CERT-In compliance mechanisms. 

Proactive compliance will not only mitigate legal risks but also signal responsible data stewardship to regulators, customers, and investors. 

Conclusion  

As India prepares to implement the Digital Personal Data Protection Act, 2023, the transitional period offers a critical opportunity for organisations to build or upgrade their privacy compliance infrastructure. Until the enforcement date is officially notified, the IT Act and SPDI Rules continue to govern data privacy. The future regime will bring India closer to global standards, balancing innovation and privacy in a digitally empowered society. 

Organisations must remain vigilant and agile in responding to both legislative developments and enforcement trends in this rapidly evolving space. 

Contributed by – Rohan Chinnappa