Research Series · No. 06
Paternity, Privacy, and Penalties: The DPDP Trap for IVF Hospitals
Unpacking the legal friction between donor anonymity, paternity rights, and India’s new data privacy regime.
Executive Summary
The compliance time bomb inside India’s fertility boom
India’s Assisted Reproductive Technology sector is projected to cross $3.5 billion by 2030. But alongside the boom in baby-making comes a boom in data. IVF clinics are no longer merely medical facilities — they are highly sensitive biological databases.
The enactment of the Digital Personal Data Protection (DPDP) Act, 2023, has thrown a wrench into the workings of fertility centres. The industry is caught in a legal paradox: the ART Act, 2021 mandates strict donor anonymity, while the DPDP Act grants individuals the right to access their personal data — including their genetic lineage.
Add the complexities of paternity disputes, the sensitivity of reproductive-health data, and penalties up to ₹250 Crore [≈ US$30M], and the conclusion is unavoidable.
IVF hospitals are sitting on a compliance time bomb.The DPDP Trap · KSK Privacy & Data Protection
This report dissects the “DPDP Trap,” maps the overlapping legislation, and provides a strategic blueprint for fertility centres to survive the new privacy regime.
The IVF Boom & the Data Deluge
Why every fertility cycle is a multi-generational data event.
To understand the scale of the DPDP challenge, you must first understand the scale of data generation in modern fertility treatment. An average IVF cycle generates over 5 GB of data — from hormonal profiles and ultrasound imaging to embryonic time-lapse photography and genetic-sequencing reports.
Unlike a standard surgical procedure, IVF data is multi-generational. It involves the genetic data of the patient, the partner, and potentially a third-party donor — three Data Principals in a single file.
The 35% genetic slice is the single highest-risk category under the DPDP Act — it is immutable, multi-generational and, for donor-conceived children, contested.
The “DNA Dilemma”
Paternity, privacy, and the law in direct collision.
This is the epicentre of the DPDP Trap. Friction arises when the rights of a child conceived via IVF clash with the contractual rights of the parents and the legal mandate of the State.
The paternity-test problem
A couple divorces. The husband disputes paternity of a child born via IVF and demands the clinic hand over embryonic records, genetic reports and donor profiles. Under the Code of Civil Procedure, courts can order production of documents. But under the DPDP Act the clinic is the Data Fiduciary — handing over sensitive reproductive data without the mother’s explicit consent could itself be a breach.
The anonymity-vs-access paradox
An 18-year-old, donor-conceived individual writes to your clinic demanding to know the identity of their donor:
- A
If the clinic provides the data
It violates the ART Act, 2021 (s.30) and risks losing its registration.
- B
If the clinic denies the data
It violates the DPDP Act (ss.6 & 11); the child files a grievance with the Data Protection Board, triggering penalties.
Where standard legal compliance fails in the digital age.Chapter 2 · The DNA Dilemma
Navigating the Regulatory Spaghetti
The DPDP Act does not exist in a vacuum.
- i
The PCPNDT Act, 1994
Regulates pre-natal diagnostic techniques. A leak of guarded ultrasound or genetic data is not just a privacy issue — it is a criminal offence.
- ii
The IT Act, 2000 (s.43A)
Though the DPDP Act supersedes the SPDI Rules, the IT Act’s compensation provisions remain a grey area during the transition.
- iii
National ART & Surrogacy Registry (NARSH)
Mandatory uploads turn clinics into data suppliers to the State — raising the question of who is liable when the government database is breached.
Consent under the Microscope
The death of the blanket consent form.
The DPDP Act effectively kills the “blanket consent” forms used in 95% of Indian hospitals — the ten-page document signed at admission. Under the Act, consent must be specific, granular and freely given.
A clinic cannot bundle consent for “performing IVF” with “storing genetic data on local servers” or “sharing data with the National ART Registry.” Patients must be able to say yes to the procedure but no to specific processing — without it affecting their care.
Every consent journey must be re-papered: bloodwork, embryo transfer and registry upload each require their own, withdrawable, opt-in.
The Cost of Non-Compliance
From “put-in-place-security” to “pay-the-price.”
The DPDP Act shifted India from a security-obligation model to a penalty model. For mid-to-large IVF chains, the numbers are existential.
Beyond the financial penalty, reputational damage in the fertility industry is fatal. Trust is the only currency IVF hospitals trade in; a breach implying mix-ups in embryos or donor identities destroys a clinic’s reputation overnight.
Blueprint for “Fertile” Compliance
Do not panic — architect.
Cryptographic separation of data Technical
Technically segregate “medical data” from “genetic / lineage data,” so a court order for medical records cannot accidentally expose a donor’s identity.
Layered digital consent Policy
Adopt dynamic consent management — patients sign off at bloodwork, at embryo transfer, and before any registry upload.
A Data-Fiduciary firewall for NARSH Contractual
When uploading to the national registry, act strictly as a collector and transfer liability to the State by contract and by technical design.
Drafting for the “unborn Data Principal” Governance
State explicitly how data on frozen embryos or gametes is handled if prospective parents die, divorce, or abandon the cycle.
You cannot handle the ethical dilemmas at the apex without the technical security at the base.
Conclusion
Privacy is a clinical imperative, not an IT issue
The ART Act was a necessary step toward regulating a booming sector. But the subsequent DPDP Act created a legislative blind spot: the IVF industry must now balance the biological rights of parents and donors against the digital rights of children.
“Paternity, Privacy, and Penalties” is not a catchy phrase — it is the reality of modern reproductive healthcare. Hospitals that treat data privacy as an IT-department issue will find themselves trapped. Those that recognise it as a core clinical and ethical imperative will build the trust necessary to lead India’s fertility future.
This report is for informational purposes and does not constitute legal advice. Clinics should consult qualified privacy counsel to implement specific compliance frameworks.
Privacy & Data Protection at KSK
Speak to the practice
We help fertility centres translate the DPDP Act into operational reality — consent architecture, data segregation, NARSH contracting and breach-response readiness.
A DPDP readiness programme for IVF & ART providers
Map every data flow against the DPDP, ART, PCPNDT and IT Acts.
Layered, revocable consent and a registry-upload firewall.
Board-notification playbooks and the ₹250 Cr [≈ US$30M] exposure plan.
Request the companion checklist. A one-page “DPDP Consent Form Checklist for IVF Clinics” is available on request.
Contact the practice