India
Digital Personal Data Protection Act, 2023 (DPDPA)
Coverage: Comprehensive | Authority: Data Protection Board of India (DPBI) | Enforcement: Pending | Enacted: August 2023
Overview
India enacted the Digital Personal Data Protection Act, 2023 (DPDPA) on 11 August 2023, establishing a comprehensive framework for the processing of digital personal data. Draft DPDP Rules were published for consultation in January 2025, and the final DPDP Rules, 2025 were notified in November 2025 with a phased commencement under which the remaining substantive obligations take effect by May 2027. The Act applies to digital personal data processed within India (data collected in digital form, or collected in non-digital form and later digitised) and to processing outside India in connection with offering goods or services to data principals in India (Section 3).
14-Topic Coverage
Data Protection Authority
Status: Pending Enforcement
The Data Protection Board of India (DPBI) is established under Section 18 of the DPDPA as the adjudicatory body for data protection violations.
The DPBI has the power to inquire into personal data breaches and complaints, impose monetary penalties and issue directions. It functions as a digital office (Section 28), with proceedings conducted virtually. The Chairperson and members are appointed by the Central Government for a term of two years and are eligible for reappointment (Section 20). The Board is not a regulator in the traditional sense: rule-making sits with the Central Government (Section 40), while the Board adjudicates complaints, breach intimations and references. The Chairperson and members had yet to be formally appointed as of early 2026.
Consent Requirements
Status: Fully Addressed
Consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action. The Data Fiduciary must provide a notice in clear, plain language before or at the time of requesting consent.
Section 6 establishes consent as the primary ground for processing, with Section 7 ("certain legitimate uses") as the only other ground. The notice (Section 5) must specify the personal data being collected, the purpose of processing, how the data principal may exercise rights and withdraw consent, and how to complain to the Board. Consent must be limited to the data necessary for the specified purpose, and withdrawal must be as easy as giving consent (Section 6(4)). Section 7 lists the legitimate uses for which consent is not required, including: data voluntarily provided by the data principal for a specified purpose, State provision of subsidies, benefits and services and other State functions under law, compliance with court orders, medical emergencies, public health and disaster response, and employment-related purposes. The 2022 draft Bill called these "deemed consent"; the enacted Act does not use that term. Personal data made publicly available by the data principal is outside the Act altogether under Section 3(c)(ii) rather than being a Section 7 use. Consent Managers (Section 6(7) to 6(9)) are entities registered with the Board that allow data principals to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.
Data Subject Rights
Status: Fully Addressed
Data principals have rights to access, correction and erasure, grievance redressal, and nomination. The right to nominate another person to exercise these rights in the event of death or incapacity is unusual among data protection laws.
Section 11 provides the right to obtain a summary of the personal data being processed, the related processing activities, and the identities of the other Data Fiduciaries and Data Processors with whom the data has been shared. Section 12 grants the right to correction, completion, updating and erasure of personal data. Section 13 establishes the right to grievance redressal: every Data Fiduciary and Consent Manager must provide a readily available grievance mechanism, and the data principal must exhaust it before approaching the Board. Section 14 provides the right of nomination, allowing a data principal to nominate another individual to exercise these rights in the event of death or incapacity. Section 15 imposes duties on data principals, including not impersonating others, not suppressing material information, and not filing false or frivolous grievances or complaints.
Cross-Border Transfer
Status: Fully Addressed
Personal data may be transferred to any country or territory except those restricted by notification of the Central Government: a negative list (blacklist) approach rather than positive adequacy approval for each country.
Section 16(1) permits transfer of personal data to any country or territory outside India except those notified by the Central Government. This departs from the Personal Data Protection Bill, 2019, which required mirroring of sensitive personal data and local-only processing of critical personal data. Section 16(2) preserves any other law that imposes a stricter restriction on transfer, so sector-specific localisation requirements (for example, the RBI direction on storage of payment system data) continue to operate independently. The Central Government may restrict transfers to specific countries considering factors such as adequacy of data protection and strategic interests; as of early 2026, no country had been added to the restricted list. The DPDP Rules, 2025 additionally require Significant Data Fiduciaries to ensure that categories of personal data specified by the Central Government on the recommendation of a committee are not transferred outside India.
Breach Notification
Status: Fully Addressed
Mandatory notification to the Data Protection Board and to each affected data principal in the event of a personal data breach, with no materiality threshold. Timeline and form are prescribed in the DPDP Rules.
Section 8(6) requires every Data Fiduciary to intimate the Board and each affected data principal of any personal data breach; unlike GDPR, there is no risk-based threshold below which notification can be skipped. The DPDP Rules, 2025 prescribe the form and manner: the fiduciary must intimate the Board without delay on becoming aware of the breach, then furnish a detailed report within 72 hours (or such longer period as the Board allows on written request) covering the nature, extent, timing and location of the breach, its likely impact, the number of data principals affected, findings about the person who caused it, the remedial measures taken, and the intimations given to affected data principals. Affected data principals must be informed without delay of the nature of the breach, its likely consequences, the measures taken, and the steps they can take to protect themselves. The Act places the duty on the Data Fiduciary alone; a Data Fiduciary remains responsible for processing carried out by its Data Processors (Section 8(2)), so the processor-to-fiduciary reporting timeline must be fixed by contract if the 72-hour window is to be met.
DPO Requirements
Status: Partially Addressed
Significant Data Fiduciaries must appoint a Data Protection Officer (DPO) based in India. Not mandatory for other Data Fiduciaries.
Section 10(2)(a) requires Significant Data Fiduciaries (SDFs) to appoint a DPO who is based in India, represents the SDF under the Act, is responsible to its board of directors or similar governing body, and is the point of contact for the grievance redressal mechanism. Every Data Fiduciary, SDF or not, must publish the business contact information of its DPO (if any) or of a person able to answer data principals' questions about processing (Section 8(9)), and must operate an effective grievance redressal mechanism (Section 8(10)), so a named contact is in practice required even where a formal DPO is not. The criteria for designation as an SDF (Section 10(1)) include the volume and sensitivity of personal data processed, the risk to data principals' rights, and the potential impact on the sovereignty, integrity and security of India.
Children's Data
Status: Fully Addressed
Verifiable consent of a parent or lawful guardian is required before processing the personal data of a child (anyone under 18). Tracking, behavioural monitoring and targeted advertising directed at children are prohibited.
Section 9 establishes heightened protections for children's data. Before processing, the Data Fiduciary must obtain the verifiable consent of the parent or lawful guardian (Section 9(1)); the same applies to a person with disability who has a lawful guardian. Processing likely to cause a detrimental effect on the well-being of a child is prohibited (Section 9(2)), as are tracking, behavioural monitoring and targeted advertising directed at children (Section 9(3)). The Central Government may exempt classes of Data Fiduciaries or purposes from these requirements by notification (Section 9(4)), and may permit a Data Fiduciary whose processing is verifiably safe to apply the requirements only below a lower age (Section 9(5)). The age threshold of 18 is higher than in most jurisdictions (13 under COPPA in the US; 13 to 16 under GDPR), which pulls a large population of teenage users into the parental-consent regime.
Penalties & Enforcement
Status: Pending Enforcement
Schedule-based penalty structure with a maximum of ₹250 crore per instance of contravention. The DPBI adjudicates and imposes penalties; appeals lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
The Schedule to the DPDPA prescribes maximum penalties by contravention: failure to take reasonable security safeguards to prevent a breach (Section 8(5)), up to ₹250 crore; failure to notify the Board or affected data principals of a breach (Section 8(6)), up to ₹200 crore; breach of children's data obligations (Section 9), up to ₹200 crore; breach of additional SDF obligations (Section 10), up to ₹150 crore; breach of data principal duties (Section 15), up to ₹10,000; and any other contravention, up to ₹50 crore. The Board imposes penalties after an inquiry (Section 33), taking into account the nature, gravity and duration of the contravention, the type and nature of personal data affected, whether the contravention is repetitive, any gain made or loss avoided, mitigation steps taken, and proportionality. Appeals lie to TDSAT under Section 29. There are no imprisonment provisions, making this a purely civil penalty regime. Note that a notification failure carries four times the maximum of general non-compliance, so incident response playbooks should treat Board intimation as a hard deadline rather than a discretionary step.
Sector-Specific Rules
Status: Partially Addressed
The DPDPA operates alongside existing sector-specific regulation. RBI, SEBI, IRDAI and telecom rules on data continue to apply in their respective domains.
Section 38 provides that the DPDPA is in addition to and not in derogation of other laws, with the DPDPA prevailing only to the extent of an actual conflict, and Section 16(2) expressly preserves stricter transfer restrictions in other laws. Key sector-specific frameworks include: the RBI direction on Storage of Payment System Data (April 2018 circular) requiring payment data to be stored only in India; SEBI's cybersecurity and cyber resilience framework for regulated entities; IRDAI guidelines on information and cyber security; telecom licence conditions on data retention; and, until the relevant provisions of the DPDPA are brought into force, Section 43A of the IT Act, 2000 and the SPDI Rules, 2011 (Section 44(2) of the DPDPA omits Section 43A once in force). Healthcare data protection, through the Clinical Establishments Act and guidance for the digital health ecosystem, is still evolving.
Cookie/Tracking
Status: Partially Addressed
No specific cookie regulation. Online tracking falls under the general consent requirements: notice and consent are needed wherever cookies or similar identifiers process personal data relating to an identifiable individual.
The DPDPA contains no provisions specific to cookies or tracking technologies. However, where cookies, device fingerprints, advertising identifiers or similar mechanisms collect or process digital personal data, the general notice and consent requirements of Sections 5 to 7 apply in full: the notice must state what is collected and why, consent must be a clear affirmative action (pre-ticked boxes and continued browsing should not be treated as qualifying), and withdrawal must be as easy as giving consent. Strictly functional cookies and any analytics that genuinely do not process personal data fall outside the Act, but analytics tied to a persistent identifier usually do process personal data and so need consent. For users under 18, Section 9(3) prohibits tracking and behavioural monitoring outright, regardless of consent. Industry practice is still settling, with many Indian websites adopting GDPR-style cookie banners in anticipation of enforcement.
AI & Automated Decisions
Status: Not Addressed
No specific provisions on AI or automated decision-making in the DPDPA. The general framework applies to AI systems that process personal data.
The DPDPA contains no provisions specific to artificial intelligence, algorithmic decision-making or automated profiling, and there is no right to an explanation of, or to object to, an automated decision (contrast GDPR Article 22). The general provisions on notice, consent, purpose limitation, accuracy and consistency of data used to make decisions affecting the data principal (Section 8(3)), and data principal rights nonetheless apply to any personal data used to train, fine-tune or run an AI system, which in practice constrains training on personal data collected for another purpose. The Ministry of Electronics and Information Technology (MeitY) has published separate AI governance frameworks and NITI Aayog has issued Responsible AI principles, but these are non-binding. Sector regulators (RBI, SEBI) have begun addressing AI use in their domains.
Data Localisation
Status: Partially Addressed
No blanket data localisation under the DPDPA. Sector-specific localisation requirements remain (RBI payment data, telecom records, CERT-In logs). The negative-list approach to cross-border transfer may evolve.
The DPDPA moved away from the strict localisation of the Personal Data Protection Bill, 2019, which required a copy of sensitive personal data to be kept in India and critical personal data to be processed only in India. Under the current framework, data can flow freely except to countries on the negative list. Existing sector-specific localisation, however, continues and is preserved by Section 16(2): the RBI requires payment system data to be stored only in India (the foreign leg of a cross-border transaction may be stored abroad); telecom licence conditions require call detail records and related data to be retained in India; and the CERT-In directions of April 2022 require ICT system logs to be maintained for a rolling period of 180 days within Indian jurisdiction. The combination of the DPDPA's liberal transfer rule with sector regulators' strict localisation produces a layered compliance requirement that has to be mapped per data category rather than per organisation.
Significant Data Fiduciary
Status: Fully Addressed
The Central Government may notify Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on volume and sensitivity of data, risk to rights, and impact on sovereignty, electoral democracy, security of the State and public order. SDFs carry enhanced obligations.
Section 10(1) empowers the Central Government to designate any Data Fiduciary or class of Data Fiduciaries as an SDF based on: (a) the volume and sensitivity of personal data processed, (b) the risk to the rights of data principals, (c) the potential impact on the sovereignty and integrity of India, (d) the risk to electoral democracy, (e) the security of the State, and (f) public order. Under Section 10(2), SDFs must appoint a DPO based in India, appoint an independent data auditor to evaluate compliance, conduct periodic Data Protection Impact Assessments (DPIAs) and periodic audits, and take such other measures as may be prescribed. The DPDP Rules, 2025 set the DPIA and audit cycle and add SDF-specific duties, including verifying that algorithmic software deployed for processing is not likely to pose a risk to data principals' rights and observing Government-specified restrictions on transferring certain categories of personal data outside India. No SDFs had been formally notified as of early 2026, but major technology platforms, telecom operators and financial institutions are expected to be designated.
Government Data
Status: Partially Addressed
Broad exemptions for Government processing. The State may process personal data without consent for subsidies, benefits, services, licences, permits and other functions under Section 7(b) and (c), and may be exempted from the Act altogether under Section 17(2).
Section 17(2)(a) empowers the Central Government to exempt any instrumentality of the State from all or some provisions of the Act in the interests of sovereignty and integrity, security of the State, friendly relations with foreign States, maintenance of public order, or prevention of incitement to a cognisable offence; Section 17(2)(b) separately exempts processing for research, archiving or statistical purposes that is not used to take decisions specific to a data principal. Section 7 allows the State and its instrumentalities to process personal data without consent for subsidies, benefits, services, certificates, licences and permits (Section 7(b)) and for functions under law or in the interests of sovereignty, integrity and security (Section 7(c)); Section 17(1) adds further exemptions, including for the prevention, detection and investigation of offences. Section 17(4) also relieves the State and its instrumentalities of the retention-limitation and erasure duties that bind other Data Fiduciaries. These broad governmental carve-outs have been criticised for weakening protection of citizens against the State. Rule-making power rests with the Central Government under Section 40, subject only to the rules being laid before Parliament (Section 41). Finally, Section 44(3) amends Section 8(1)(j) of the Right to Information Act, 2005 so that any "information which relates to personal information" is exempt from disclosure, removing the earlier public-interest balancing test; this narrowing of RTI has been one of the most contested aspects of the Act.
Key Statistics
- Maximum Penalty: ₹250 crore (approx. USD 30 million)
- Sections in Law: 44
- Authority: Data Protection Board of India