
Navigating India’s Digital Privacy Laws: What Every Citizen Should Know.

Updated: Dec 17, 2025



Have you ever stopped to think about what really happens to the photos or personal details you upload on the internet? In today’s world, almost everyone is on social media—sharing moments, posting pictures, joining trends, and creating a digital identity without even realising how much they’re putting out there. What’s even more worrying is that children’s photos and personal moments are being uploaded regularly, often without understanding the long-term consequences.

Once something goes online, it becomes incredibly difficult to control who sees it, how it’s used, or where it might end up. And with artificial intelligence advancing faster than ever, our digital footprints are more vulnerable to misuse, manipulation, or unwanted tracking. Anyone—from big tech companies to unknown third parties—can collect, analyse, or repurpose your data in ways you may never know.

This raises a crucial question: how protected is your personal information in the digital world, and what laws are in place to safeguard your privacy?


At The Kanoon Angle, we break it down in simple language, explaining the laws that govern digital privacy in India and exploring how safe your data really is.

DIGITAL PRIVACY

For many years, India did not have a single, comprehensive law dedicated solely to data protection. Instead, personal data was mainly regulated under the Information Technology (IT) Act, 2000 and the rules framed under it.

In 2017, a nine-judge constitutional bench of the Supreme Court, in Justice K. S. Puttaswamy (Retd.) v. Union of India, held that privacy is a fundamental right under Article 21, which guarantees the right to life and personal liberty. This landmark judgment laid the foundation for India’s modern data protection framework.

To address privacy concerns in the digital age, the government set up a Committee of Experts on Data Protection in 2017, chaired by Justice B. N. Srikrishna. The Committee submitted its report in July 2018, which guided the creation of India’s data protection laws. The Digital Personal Data Protection Bill, 2023 was later introduced, passed by the Lok Sabha on 7 August 2023 and by the Rajya Sabha on 9 August 2023, marking India’s first dedicated digital privacy law.


On 11 August 2023, the Government of India officially published the Digital Personal Data Protection Act, 2023, which will form the backbone of India’s personal data protection and regulatory framework. The Act lays down clear rules for how digital personal data can be collected, processed, stored, and transferred, ensuring better protection of individuals’ information in the digital space.


The Digital Personal Data Protection Rules, 2025 were initially published as a draft on 3 January 2025 in the Gazette of India, inviting public comments, objections, and suggestions within 45 days. After carefully considering the feedback received, the Central Government finalised the rules, which were officially notified on 13 November 2025. These rules now provide a detailed framework to regulate the collection, processing, storage, and sharing of personal data in India.

Not all rules come into effect at the same time. Some rules are effective immediately from the date of publication, while Rule 4, which deals with the Consent Manager, will come into effect one year after publication. Several other rules will become applicable eighteen months after publication. This phased approach gives organisations and individuals sufficient time to adjust and comply with the new requirements for collecting, storing, and handling personal data in India.


Application of the Act

This act applies to any personal data that is handled in India, whether it was collected directly in digital form or written on paper first and later converted into digital form. It also applies to companies or platforms outside India if they use your data while offering goods or services to people in India.

So basically, if your data belongs to you and you are in India, this law protects it—no matter where the company handling it is located.


When Is Your Data Not Protected Under the Act?

The Act also clearly explains the situations where the law does not apply. They are:

  • Personal or household use: The Act does not apply when someone uses personal data only for private purposes—like saving contacts, storing family photos, or noting birthdays.
  • Data already made public: If personal data has already been made public—either by the person themselves or because the law requires it—then the Act does not cover that data.

In simpler terms, if someone shares her own personal information on social media for blogging purposes, it becomes public—and the Act will not protect it.


How Can Your Data Be Legally Used?

You can only use someone’s personal data in ways that are allowed by law and for a valid reason. This can happen in two ways: either the person whose data is being used (also called the Data Principal) gives their consent, or the data is used for certain legitimate purposes allowed under the law.


If the person is a child—anyone under 18 years of age—their parents or legal guardian can make decisions on their behalf. The same applies to a person with a disability, whose guardian can manage their data for them. The consent should clearly show that the person agrees to their data being used for a specific purpose and should cover only the data necessary for that purpose. Before asking for consent to use your personal data, the Data Fiduciary (the organisation collecting your data) must give the person a clear notice. This notice has to tell you three things:

  1. What data they want and why: They must clearly explain which personal data they want to collect and for what purpose.
  2. How you can use your rights: They must tell you how you can withdraw your consent, ask for correction or deletion of your data, or use other rights available under Section 6(4) and Section 13.
  3. How to complain: They must inform you how to file a complaint with the Data Protection Board if you feel your data is being misused or your rights are violated.

If the consent was given before the commencement of the Act, then the Data Fiduciary must give a notice to the Data Principal as soon as reasonably possible.


The Data Fiduciary may continue to process the data until the person withdraws their consent, ensuring that individuals remain in control of their personal information at all times.


What Amounts to Consent?

Valid consent under the Act must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. Any part of a consent agreement that violates the provisions of this Act, its rules, or any other existing law will be invalid to the extent of that violation.

  • Every consent request must be provided in simple, plain language, with the option for the Data Principal to read it in English or any language listed in the Eighth Schedule, and it must include contact details of the Data Protection Officer or another authorised person for exercising rights under the Act.

  • If personal data is being processed on the basis of consent, the Data Principal can withdraw that consent at any time, and the process of withdrawing it must be just as easy as giving it. However, the Data Principal will bear the consequences of such withdrawal, and the withdrawal will not affect the legality of data processing already done before the consent was withdrawn.

  • If a Data Principal withdraws her consent, the Data Fiduciary must stop processing her personal data within a reasonable time and ensure that all its Data Processors also stop doing so. The only exception is when the processing is legally required or permitted under this Act, its rules, or any other law currently in force in India.

  • A Data Principal can give, manage, review, or withdraw her consent through a registered Consent Manager, who is accountable to her and must act on her behalf as per the prescribed obligations. Every Consent Manager must be registered with the Board and meet the required technical, operational, financial, and other standards.

  • If the processing of personal data is based on consent and any dispute arises, the Data Fiduciary must prove that proper notice was given and that valid consent was obtained in accordance with the Act and its rules.


Legitimate Use of Data

A Data Fiduciary may process personal data of a Data Principal for any of the following uses:

  1. Personal data may be processed for the specific purpose for which the Data Principal has voluntarily shared it, provided she has not indicated that she does not consent;
  2. The State or its instrumentalities may process personal data to provide any subsidy, benefit, service, certificate, licence, or permit if the Data Principal has consented or if the data exists in a government database. All processing must follow standards set by the Central Government or applicable law;
  3. Personal data may be processed for the State to perform legal functions or protect India’s sovereignty, integrity, or security.
  4. To comply with a legal obligation that requires any person to disclose information to the State or its instrumentalities, as long as such processing follows the disclosure rules of that specific law;
  5. To comply with any judgment, decree, or order issued under Indian law, or foreign orders related to contractual or civil claims;
  6. To respond to a medical emergency involving a threat to the life or immediate health of the Data Principal or any other individual;
  7. To provide medical treatment or health services during an epidemic, disease outbreak, or any public health threat;
  8. To ensure safety, assistance, or services during a disaster or a breakdown of public order. The term “disaster” shall have the same meaning as defined in clause (d) of section 2 of the Disaster Management Act, 2005;
  9. Personal data may be processed for employment purposes or to protect the employer from loss or liability. This includes activities such as preventing corporate espionage, maintaining confidentiality of trade secrets, intellectual property, or classified information, or providing any service or benefit requested by a Data Principal who is an employee.

Responsibilities of Data Fiduciary (the person or organisation with whom you have shared your Data)

  1. Overall Responsibility: A Data Fiduciary is responsible for complying with the law in all personal data processing, even if the Data Principal fails to act or there is an agreement to the contrary.
  2. Use of Data Processors: A Data Fiduciary may engage a Data Processor to handle personal data on its behalf only under a valid contract and strictly for activities related to offering goods or services.
  3. Accuracy and Consistency: If personal data is used to make decisions affecting the Data Principal or shared with another Data Fiduciary, the Data Fiduciary must ensure it is complete, accurate, and consistent.
  4. Technical and Organisational Measures: The Data Fiduciary must implement appropriate measures to comply effectively with the law and its rules.
  5. Data Security: Personal data, whether processed directly or through a Data Processor, must be protected with reasonable security safeguards to prevent breaches.
  6. Data Breach Notification: In case of a breach, the Data Fiduciary must inform the Board and affected Data Principals in the prescribed manner.
  7. Erasure of Personal Data: Personal data must be erased:
    1. When the Data Principal withdraws consent, or
    2. When the specified purpose is no longer being served.
      A purpose is considered no longer served if the Data Principal does not approach the Data Fiduciary for its performance or exercise her rights over that data for a prescribed period. The Data Fiduciary must also ensure its Data Processor erases any shared personal data.
  8. Contact Information: The Data Fiduciary must publish the contact details of the Data Protection Officer (or a responsible person) to address queries from Data Principals.
  9. Grievance Redressal: The Data Fiduciary must establish an effective mechanism to handle complaints and grievances of Data Principals.
  10. Clarification on Approach by Data Principal: A Data Principal is considered not to have approached the Data Fiduciary if she has not initiated contact in person, electronically, or physically for the performance of the specified purpose.

Processing Personal Data of Children and Persons with Disabilities

A Data Fiduciary must obtain verifiable consent from the parent or lawful guardian before processing personal data of a child or a person with a disability. The processing must not harm the child’s well-being, and tracking, behavioural monitoring, or targeted advertising directed at children is prohibited. Certain exceptions may apply as prescribed, and the Central Government may notify an age above which some obligations do not apply if processing is verifiably safe.


Significant Data Fiduciary

The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary (SDF) based on factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential impact on India’s sovereignty and integrity, risks to electoral democracy, the security of the State, and public order. The obligations of a Significant Data Fiduciary are:

  1. Appoint a Data Protection Officer (DPO) who represents the SDF under the Act, is based in India, reports to the Board of Directors or a similar governing body, and acts as the point of contact for grievance redressal.
  2. Appoint an independent data auditor to evaluate compliance with the Act.
  3. Implement additional measures such as periodic Data Protection Impact Assessments, audits, and any other prescribed safeguards consistent with the law.

Your Rights Over Your Personal Data

Today, almost everyone has shared their personal information digitally in some way, but we often have no idea how organisations are using it. Under the new law, if your personal data is being used, you now have certain rights and protections to know, control, and safeguard it.


  1. Right to Access Your Personal Data
    If you’ve given consent to a Data Fiduciary to process your personal data, you have the right to request:
      • A summary of your personal data being processed and how it’s being used.
      • The names of other Data Fiduciaries or Data Processors your data has been shared with, along with details of the shared data.
      • Any other information about your data and its processing, as allowed by law.
    Note: This doesn’t apply if your data was shared with another Data Fiduciary legally authorised to access it, for example, for investigating offences, cyber incidents, or for prosecution purposes.
  2. Right to Correction and Erasure of Personal Data
    As a Data Principal, you have the right to correct, complete, update, or erase any personal data you’ve previously consented to share. The Data Fiduciary must correct inaccurate or misleading data, complete incomplete information, and update outdated details. You can also request the erasure of your data, which must be carried out unless retaining it is necessary for the specified purpose or required by law.
  3. Right of Grievance Redressal
    As a Data Principal, you have the right to raise complaints or grievances if a Data Fiduciary or Consent Manager mishandles your personal data or fails to respect your rights under the law. The Data Fiduciary or Consent Manager must respond to your grievance within a specified time. You are expected to use this grievance mechanism first before approaching the Data Protection Board.
  4. Right to Nominate Someone
    As a Data Principal, you have the right to nominate another person to exercise your data rights in case of your death or incapacity. Incapacity here means being unable to exercise your rights due to unsoundness of mind or physical infirmity. This ensures that someone you trust can manage your personal data on your behalf when you cannot.

Your Duties When Sharing Personal Data

If you’ve shared your personal data digitally, you also have some responsibilities under the law. They are:

  1. Follow all applicable laws while exercising your rights under this Act.
  2. Do not impersonate anyone else when providing your personal data.
  3. Do not hide or suppress important information when giving data for documents, IDs, or proofs issued by the State.
  4. Avoid filing false or frivolous complaints or grievances with a Data Fiduciary or the Board.
  5. Provide only authentic and verifiable information when requesting corrections or erasure of your data.

Data Protection Board of India

The Data Protection Board of India will function as an independent legal body with its own identity. It will have a separate name, perpetual existence, and a common seal. This means the Board can own property, enter into contracts, and take legal action—or face legal action—in its own name, subject to the provisions of the law. The head office of the Board will be located in the National Capital Region (NCR).

The Board will consist of one Chairperson and four Members, whose appointments will be notified by the Central Government.

To ensure competence and credibility, every Member—including the Chairperson—must be a person of high integrity and proven ability. They should have practical experience or expertise in areas such as data governance, public administration, consumer or social protection laws, dispute resolution, information technology, the digital economy, or regulatory frameworks. Importantly, at least one Member of the Board must be a legal expert, ensuring proper legal oversight in data protection matters.

The Chairperson and Members will hold office for a term of two years and may be reappointed for one more term. To safeguard their independence, no Chairperson or Member can be removed from office without being given a fair opportunity to be heard.

In case the Chairperson is unable to perform her duties due to illness, absence, or any other reason, the senior-most Member will temporarily take charge until the Chairperson resumes office.

For the smooth functioning of its work, the Board may also appoint officers and employees, with the prior approval of the Central Government, on terms and conditions as prescribed under the law.


Legal Remedy If There Is a Breach of Personal Data

The Data Protection Board has the authority to inquire into breaches and impose penalties in the following situations:

  • If a personal data breach is reported by a Data Fiduciary, the Board can direct urgent remedial measures and investigate the breach.
  • If a Data Principal complains about a personal data breach or a Data Fiduciary not following its obligations, the Board can investigate and impose penalties.
  • If a Consent Manager fails to comply with obligations related to a Data Principal’s data, the Board can look into it and take action.
  • If there’s a breach of registration conditions by a Consent Manager, the Board can investigate and penalize.
  • If the Central Government reports a breach by an intermediary under the law, the Board can inquire and impose penalties.

Powers of the Board to Issue Directions

To ensure effective implementation of the law, the Data Protection Board has the authority to issue directions to any person. However, this power is not arbitrary. Before issuing any direction, the Board must give the concerned person a fair opportunity to be heard and must clearly record the reasons for its decision in writing.

Once a direction is issued, the person to whom it is addressed is legally bound to comply with it.

The law also provides flexibility and safeguards. If a person is affected by a direction issued by the Board, or if the Central Government makes a reference, the Board has the power to modify, suspend, withdraw, or cancel that direction. While making such changes, the Board may impose specific conditions that must be complied with for the modification or withdrawal to take effect.


How the Board Functions and Conducts Inquiries

The Data Protection Board functions as an independent body and, as far as possible, follows a digital-first approach. This means that complaints can be filed online, hearings may be conducted virtually, and orders or decisions are communicated electronically.

When the Board receives a complaint, an intimation, a reference, or a direction from the Government, it first examines whether there are sufficient grounds to proceed. If the Board finds that the matter does not require further action, it may close the case, but only after recording its reasons in writing.

However, if the Board is satisfied that there are valid grounds, it will initiate an inquiry to examine whether the concerned person or organisation has complied with the provisions of the law.

During an inquiry, the Board follows the principles of natural justice and records reasons for all its actions. It has powers similar to a civil court, such as:

  • Summoning and questioning individuals under oath
  • Collecting evidence, documents, and affidavits
  • Inspecting books, records, or data
  • Seeking assistance from police or government officers, who must comply

The Board cannot disrupt daily business operations or seize equipment unnecessarily. It may also issue interim orders if needed, after giving the person a chance to be heard. After the inquiry, the Board may either close the case or proceed to impose penalties, always giving the concerned person an opportunity to be heard. If a complaint is found to be false or frivolous, the Board can warn the complainant or impose costs. This ensures that inquiries are fair, transparent, and efficient while protecting both the rights of Data Principals and the operational needs of organisations.


Exclusive Authority of the Board

No civil court can hear any case or suit regarding matters that the Board is empowered to handle under this Act. Also, courts or other authorities cannot issue injunctions against any action taken by the Board under its powers. This makes the Board the final authority for enforcing and overseeing personal data protection under the law.


Appeal Against Orders of the Data Protection Board

Any person aggrieved by an order or direction issued by the Data Protection Board has the right to file an appeal before the Appellate Tribunal constituted under the Telecom Regulatory Authority of India Act, 1997. All appeals are required to be filed in digital form, in the manner prescribed by the Appellate Tribunal.


  • Time limit for filing an appeal: An appeal must ordinarily be filed within 60 days from the date of receipt of the Board’s order, along with the prescribed form and fee. However, the Appellate Tribunal may allow a delayed appeal if the appellant is able to show a sufficient cause for not filing it within the stipulated period.
  • Appeal fee and mode of payment: The appeal must be accompanied by a fee equivalent to that applicable under the Telecom Regulatory Authority of India Act, 1997. The Chairperson of the Appellate Tribunal has the discretion to reduce or waive the fee. All payments are to be made digitally, through UPI or any other payment system authorised by the Reserve Bank of India.
  • Procedure and powers of the Tribunal: The Appellate Tribunal is not bound by the technical procedures of the Civil Procedure Code, 1908. Instead, it follows the principles of natural justice and has the freedom to regulate its own procedure, subject to the provisions of the Act. After giving all parties a fair opportunity to be heard, the Tribunal may confirm, modify, or set aside the order or direction of the Data Protection Board. Copies of its decision are sent to both the Board and the parties concerned.
  • Speedy and digital adjudication: Appeals are to be dealt with as expeditiously as possible, with an endeavour to dispose of them within six months. If this timeframe cannot be met, the Tribunal must record its reasons in writing. The Tribunal functions as a digital office, using techno-legal measures to receive appeals, conduct hearings, and deliver decisions—without requiring the physical presence of individuals, while retaining the power to summon and examine persons on oath where necessary.

Execution of Orders and Mediation

Orders passed by the Appellate Tribunal carry the same legal force as a decree of a civil court. The Tribunal itself has all the powers of a civil court to ensure that its orders are properly implemented and complied with. Alternatively, it may transmit its order to a local civil court for execution, which will then enforce it as if it were its own decree.

In addition to adjudication, the law also encourages amicable resolution of disputes. If the Data Protection Board believes that a complaint can be effectively resolved through mediation, it may direct the concerned parties to attempt a mutually agreed mediation process or follow mediation procedures prescribed under any applicable law. This approach promotes faster, cooperative, and less adversarial settlement of disputes wherever possible.


Monetary Penalties for Breach of the Law

If, after an inquiry, the Board finds that a person has significantly violated the provisions of this Act, it can impose a monetary penalty as specified in the Schedule, after giving the person a chance to be heard.

While deciding the penalty, the Board considers factors such as:

  • The nature, seriousness, and duration of the breach
  • The type of personal data affected
  • Whether the breach is repetitive
  • If the person gained or avoided a loss because of the breach
  • Any steps taken to mitigate the damage and how effective they were
  • Whether the penalty is proportionate and effective to prevent future breaches
  • The likely impact of the penalty on the person

All penalties collected by the Board are credited to the Consolidated Fund of India, ensuring that fines serve the public interest.


Appeal to the Supreme Court

If a person is aggrieved by a final order of the Appellate Tribunal, a further appeal lies to the Supreme Court of India. Such an appeal is governed by section 18 of the Telecom Regulatory Authority of India Act, 1997, and it overrides the normal procedures of the Civil Procedure Code or any other law. Importantly, an appeal to the Supreme Court is not available against interlocutory (interim) orders, and it can be filed only on substantial questions of law, similar to a second appeal under section 100 of the Civil Procedure Code. No appeal is permitted where the Tribunal’s decision has been passed with the consent of the parties. The appeal must be filed within 90 days from the date of the Tribunal’s order, although the Supreme Court may allow a delayed appeal if sufficient cause for the delay is shown.


Relationship with Other Laws

The provisions of this Act add to existing laws and do not replace them. However, if there is ever a conflict between this Act and any other law, the provisions of this Act will take priority to the extent of the conflict. This ensures that personal data protection rules are always upheld.


CONCLUSION

Digital privacy laws are essential in our increasingly connected world. They protect personal information, promote transparency, and empower individuals to take control of their data. As technology continues to evolve, understanding these laws is no longer optional—it is critical. Recognising this need, India has now introduced a comprehensive legal framework for digital privacy, making data protection more structured, enforceable, and effective. With clear obligations on organisations and well-defined rights for individuals, people now have greater control over the security and use of their personal data.

But rights always come with responsibilities. While individuals are empowered to exercise their data rights, they are also expected to act responsibly in the digital space—staying informed, exercising rights in good faith, and avoiding misuse. Similarly, organisations must ensure lawful, transparent, and secure processing of data. Digital privacy is therefore not just a legal entitlement—it is a shared responsibility, and only when both individuals and institutions act responsibly can we build a safer and more trustworthy digital ecosystem.

In this modern age, where data is often seen as a currency, understanding digital privacy laws is not just beneficial, it is essential. By embracing these laws and advocating for our rights, we can help shape a future where privacy is respected and protected.


Disclaimer: All information in this blog is for educational purposes only and is directly referred from the Act. This is not professional legal advice. The law language has been simplified to help readers understand their rights and responsibilities.

Stay informed. Stay empowered. Follow The Kanoon Angle for your daily dose of law made simple.
