Paternity, Privacy & Penalties
King Stubb & Kasiva, Advocates and Attorneys KING STUBB & KASIVAAdvocates and Attorneys
Privacy & Data Protection
Research Series · No. 06
A KSK Research Report

Paternity, Privacy, and Penalties: The DPDP Trap for IVF Hospitals

Unpacking the legal friction between donor anonymity, paternity rights, and India’s new data privacy regime.

2026 First Edition
Strictly Private & Confidential
For institutional distribution
KSK Research Series · No. 06Executive Summary

Executive Summary

The compliance time bomb inside India’s fertility boom

India’s Assisted Reproductive Technology sector is projected to cross $3.5 billion by 2030. But alongside the boom in baby-making comes a boom in data. IVF clinics are no longer merely medical facilities — they are highly sensitive biological databases.

$3.5B
Projected Indian ART market by 2030
5GB+
Data generated per IVF cycle
3gen
Generations of genetic data per file
₹250Cr
Maximum penalty under the DPDP Act [≈ US$30M]

The enactment of the Digital Personal Data Protection (DPDP) Act, 2023, has thrown a wrench into the workings of fertility centres. The industry is caught in a legal paradox: the ART Act, 2021 mandates strict donor anonymity, while the DPDP Act grants individuals the right to access their personal data — including their genetic lineage.

Add the complexities of paternity disputes, the sensitivity of reproductive-health data, and penalties up to ₹250 Crore [≈ US$30M], and the conclusion is unavoidable.

IVF hospitals are sitting on a compliance time bomb.The DPDP Trap · KSK Privacy & Data Protection

This report dissects the “DPDP Trap,” maps the overlapping legislation, and provides a strategic blueprint for fertility centres to survive the new privacy regime.

KSK · Paternity, Privacy & Penalties · 202602
Part I · The MarketChapter 1
01

The IVF Boom & the Data Deluge

Why every fertility cycle is a multi-generational data event.

To understand the scale of the DPDP challenge, you must first understand the scale of data generation in modern fertility treatment. An average IVF cycle generates over 5 GB of data — from hormonal profiles and ultrasound imaging to embryonic time-lapse photography and genetic-sequencing reports.

Unlike a standard surgical procedure, IVF data is multi-generational. It involves the genetic data of the patient, the partner, and potentially a third-party donor — three Data Principals in a single file.

The ₹30,000 Cr [≈ US$3.6B] paradox: as the market grows, so does the riskGraphic 01
$0B$1B$2B$3B$4B0255075100 1.52.02.63.03.33.5This gap is yourDPDP exposure.202020222024202620282030 IVF MARKET ($B) ▮ BREACH RISK INDEX ―
Indicative: Indian ART market projection vs. a normalised healthcare data-breach risk index, 2020–2030. Converted at ≈ ₹83.3/US$1.
What an IVF clinic actually storesGraphic 02
IVF Data REPOSITORY !
35%  Genetic / Biological data
30%  Medical records
20%  Financial / Insurance
15%  Behavioural / Lifestyle

The 35% genetic slice is the single highest-risk category under the DPDP Act — it is immutable, multi-generational and, for donor-conceived children, contested.

Representative composition of a fertility clinic data repository.
KSK · Paternity, Privacy & Penalties · 202603
Part II · The TrapChapter 2
02

The “DNA Dilemma”

Paternity, privacy, and the law in direct collision.

This is the epicentre of the DPDP Trap. Friction arises when the rights of a child conceived via IVF clash with the contractual rights of the parents and the legal mandate of the State.

The paternity-test problem

A couple divorces. The husband disputes paternity of a child born via IVF and demands the clinic hand over embryonic records, genetic reports and donor profiles. Under the Code of Civil Procedure, courts can order production of documents. But under the DPDP Act the clinic is the Data Fiduciary — handing over sensitive reproductive data without the mother’s explicit consent could itself be a breach.

The anonymity-vs-access paradox

An 18-year-old, donor-conceived individual writes to your clinic demanding to know the identity of their donor:

  • A

    If the clinic provides the data

    It violates the ART Act, 2021 (s.30) and risks losing its registration.

  • B

    If the clinic denies the data

    It violates the DPDP Act (ss.6 & 11); the child files a grievance with the Data Protection Board, triggering penalties.

Where Indian law asks IVF clinics to be in two places at onceGraphic 03
ART ACT, 2021 Mandates donor anonymity (s.30) Protects clinic from reveal DPDP ACT, 2023 Right to access Right to know genetic source Right to erasure THE DPDP TRAP non-compliance zone
ART Act donor-anonymity duties overlaid on DPDP access rights. The overlap is the non-compliance zone.
The paternity-dispute workflowGraphic 04
Trigger
Husband disputes paternity
Court summons embryonic records, genetic reports & donor profiles
the clinic must choose
Branch A — submits records
DPDP violation
No consent from the mother (a second Data Principal)
→ up to ₹250 Cr [≈ US$30M] + civil suit
Branch B — denies records
Contempt of court
Potential obstruction of justice
→ judicial penalty + censure
Conclusion
Standard legal compliance fails in the digital age.
Both branches of a court-ordered disclosure expose the clinic to penalty.

Where standard legal compliance fails in the digital age.Chapter 2 · The DNA Dilemma

KSK · Paternity, Privacy & Penalties · 202604
Part III · The LawChapter 3
03

Navigating the Regulatory Spaghetti

The DPDP Act does not exist in a vacuum.

  • i

    The PCPNDT Act, 1994

    Regulates pre-natal diagnostic techniques. A leak of guarded ultrasound or genetic data is not just a privacy issue — it is a criminal offence.

  • ii

    The IT Act, 2000 (s.43A)

    Though the DPDP Act supersedes the SPDI Rules, the IT Act’s compensation provisions remain a grey area during the transition.

  • iii

    National ART & Surrogacy Registry (NARSH)

    Mandatory uploads turn clinics into data suppliers to the State — raising the question of who is liable when the government database is breached.

The compliance heatmapGraphic 05
Store embryo data
Share reports w/ patient
Upload to NARSH
Respond to court order
DPDP Act, 2023
Compliant
Compliant
Ambiguous
High risk
ART Act, 2021
Compliant
Compliant
Compliant
High risk
PCPNDT Act, 1994
Ambiguous
Compliant
Compliant
Ambiguous
IT Act, 2000
Compliant
Ambiguous
Ambiguous
Ambiguous
Clearly compliant
Ambiguous — caution
High risk of contradiction
Regulatory exposure by clinic action. “Respond to court order” and “Upload to NARSH” carry the most contradiction.
KSK · Paternity, Privacy & Penalties · 202605
Part IV · Consent & CostChapter 4
04

Consent under the Microscope

The death of the blanket consent form.

The DPDP Act effectively kills the “blanket consent” forms used in 95% of Indian hospitals — the ten-page document signed at admission. Under the Act, consent must be specific, granular and freely given.

A clinic cannot bundle consent for “performing IVF” with “storing genetic data on local servers” or “sharing data with the National ART Registry.” Patients must be able to say yes to the procedure but no to specific processing — without it affecting their care.

The death of the blanket consentGraphic 06
A single bundled signature gives way to layered, revocable, purpose-specific consent.
Practical consequence

Every consent journey must be re-papered: bloodwork, embryo transfer and registry upload each require their own, withdrawable, opt-in.

KSK · Paternity, Privacy & Penalties · 202606
Part IV · Consent & CostChapter 5
05

The Cost of Non-Compliance

From “put-in-place-security” to “pay-the-price.”

The DPDP Act shifted India from a security-obligation model to a penalty model. For mid-to-large IVF chains, the numbers are existential.

₹250Cr
[≈ US$30M]
The maximum penalty under the DPDP Act — the children’s-data band that frozen-embryo and donor-conceived files fall straight into.
The DPDP penalty escalatorGraphic 07
Stop-processing order
01
No DPO appointed / minor non-compliance
₹50 Cr [≈ US$6M]
02
Breach from negligent security (e.g. ransomware on EMRs)
₹200 Cr [≈ US$24M]
03
Failure to notify the Board & affected patients
₹250 Cr [≈ US$30M]
04
Breach involving a child / embryo’s genetic data
Why IVF data is among the most expensive data on earth.

Beyond the financial penalty, reputational damage in the fertility industry is fatal. Trust is the only currency IVF hospitals trade in; a breach implying mix-ups in embryos or donor identities destroys a clinic’s reputation overnight.

KSK · Paternity, Privacy & Penalties · 202607
Part V · The BlueprintChapter 6
06

Blueprint for “Fertile” Compliance

Do not panic — architect.

  1. Cryptographic separation of data Technical

    Technically segregate “medical data” from “genetic / lineage data,” so a court order for medical records cannot accidentally expose a donor’s identity.

  2. Layered digital consent Policy

    Adopt dynamic consent management — patients sign off at bloodwork, at embryo transfer, and before any registry upload.

  3. A Data-Fiduciary firewall for NARSH Contractual

    When uploading to the national registry, act strictly as a collector and transfer liability to the State by contract and by technical design.

  4. Drafting for the “unborn Data Principal” Governance

    State explicitly how data on frozen embryos or gametes is handled if prospective parents die, divorce, or abandon the cycle.

The IVF data trust pyramidGraphic 08
Ethical governancePaternity disputes · donor anonymityPolicy alignmentART consent forms · NARSH protocolsTechnical securityEncryption · access controls · ransomware shields

You cannot handle the ethical dilemmas at the apex without the technical security at the base.

Compliance is a pyramid — the ethical apex rests on the technical base.
KSK · Paternity, Privacy & Penalties · 202608
ClosingConclusion

Conclusion

Privacy is a clinical imperative, not an IT issue

The ART Act was a necessary step toward regulating a booming sector. But the subsequent DPDP Act created a legislative blind spot: the IVF industry must now balance the biological rights of parents and donors against the digital rights of children.

“Paternity, Privacy, and Penalties” is not a catchy phrase — it is the reality of modern reproductive healthcare. Hospitals that treat data privacy as an IT-department issue will find themselves trapped. Those that recognise it as a core clinical and ethical imperative will build the trust necessary to lead India’s fertility future.

Disclaimer

This report is for informational purposes and does not constitute legal advice. Clinics should consult qualified privacy counsel to implement specific compliance frameworks.

KSK · Paternity, Privacy & Penalties · 202609
The PracticeContact

Privacy & Data Protection at KSK

Speak to the practice

We help fertility centres translate the DPDP Act into operational reality — consent architecture, data segregation, NARSH contracting and breach-response readiness.

How we help

A DPDP readiness programme for IVF & ART providers

01
Gap & risk assessment

Map every data flow against the DPDP, ART, PCPNDT and IT Acts.

02
Consent & policy re-paper

Layered, revocable consent and a registry-upload firewall.

03
Breach-response readiness

Board-notification playbooks and the ₹250 Cr [≈ US$30M] exposure plan.

Request the companion checklist. A one-page “DPDP Consent Form Checklist for IVF Clinics” is available on request.

Contact the practice
King Stubb & Kasiva · Advocates and Attorneys10

King Stubb & Kasiva, Advocates and Attorneys · Privacy & Data Protection Research Series · No. 06 · 2026. For institutional distribution. privacy@ksandk.com