CategoriesInsights

India’s New Data Protection Framework

India’s new data protection law ( “Framework”) came into force on November 13, 2025, with full compliance required by May 13, 2027. While several writ petitions challenging provisions around transparency and regulatory independence are pending before the Supreme Court, no stay has been granted and the petitions do not appear to challenge compliance obligations.

What Data is Protected

The Framework protects any data – stored or processed digitally – that identifies or can identify an individual; e.g. name, contact details, government identification numbers, financial and transaction data, behavioural and location data, device identifiers, biometrics, health information, employment and compensation records, etc. Genuinely anonymised data and data that an individual has voluntarily placed in the public domain fall outside the Framework’s scope.

What has changed, and Why it matters

India’s prior data protection regime was narrow in scope, operationally vague, and not effectively enforced. The DPDP Framework replaces it with a comprehensive and more specific set of obligations.

*Unless otherwise indicated, organizations will need to comply with the obligations highlighted below by May 13, 2027.

Standard of Consent: Under the Framework the consent of an individual whose data is collected, processed or stored must be free, specific, informed, unconditional, and affirmative – obtained separately for each distinct processing purpose and not bundled into terms of service or implied from continued use of a platform. This means separate, independently withdrawable consent for behavioural profiling, cross-session tracking, personalised recommendations, targeted notifications, and sharing data with third parties. Generic “improve your experience” consent no longer suffices. Consent requests must stand alone – separate from terms of service, written in plain language, and available in English and any of the 22 official languages.

The Framework provides a limited exemption for legitimate use of data, i.e., processing that is reasonably incidental to a transaction the user has voluntarily initiated. For instance, a user making a purchase implicitly consents to the processing necessary to fulfil that purchase. However, using transaction data to build a behavioural profile for future targeting is a separate purpose and requires fresh consent.

Consent management infrastructure: A new class of regulated intermediary – the Consent Manager – which will give users a single interface to grant, review, and withdraw consent across multiple platforms. The registration window for Consent Managers opens in November 2026. Every business relying on consent as a Data Fiduciary must have systems that can receive and act on consent signals from registered Consent Managers in real time, and must retain consent records for a minimum of one year.

Users’ rights as data owners: The Framework gives users the right to access the data held about them, correct inaccuracies, to have their data erased, to have grievances addressed within 90 days, and to nominate a representative to exercise these rights in the event of death or incapacity. These rights would be effective from May 13, 2027.

Data Fiduciaries’ obligations; consequences of getting it wrong: Any business that collects a user’s personal data for offering its products or services is a ‘Data Fiduciary’ and is required to implement security safeguards (encryption, access controls, system logging, etc.); notify affected users and the Data Protection Board immediately upon a data breach and submit a detailed report to the Board within 72 hours; erase data once the relevant purpose is achieved; and ensure that all vendors, cloud providers, and downstream processors handling that data on the business’s behalf are bound by equivalent security and breach notification obligations through contracts. It is important to note that if a processor suffers a breach, the Data Fiduciary is liable. Penalties range from ₹50 crore for consent and notice failures to ₹250 crore for security failures and ₹200 crore for breach notification failures. Members of the Data Protection Board are yet to be appointed.

The central government has the power to prescribe thresholds and conditions based on which data fiduciaries would become categorized as significant data fiduciaries. The basis for such thresholds and conditions would include data volume, sensitivity, and systemic risk (no thresholds or conditions have been prescribed yet). An SDF should appoint an India-resident Data Protection Officer, and conduct annual Data Protection Impact Assessments, independent audits, and algorithmic integrity reviews. It would be prudent for scaling digital platforms to build readiness for these obligations.

Children’s data – a prohibition regime, not merely a consent regime: Processing data of any person under 18 requires verifiable parental consent obtained through an identity verification platform such as DigiLocker – a checkbox or declaration does not suffice. Behavioural tracking and profiling of minors, and targeted advertising directed at minors are prohibited. Exemptions exist only for healthcare providers, educational institutions, and crèches in narrowly defined safety contexts. The penalty for violations is ₹200 crore. Given India’s substantial adolescent population, this is a significant obligation for customer facing digital platforms.

Legacy Data | An immediate call to action

Organisations that have been collecting personal data in the past must issue a notice to every affected individual disclosing what is held and why as soon as reasonably practicable. For children’s data, the notice goes to the parent or guardian. The data of users who withdraw consent after receiving that notice must be erased.

A Few Final Thoughts

A. New due diligence dimension in funding and M&A deals: We expect DPDP compliance status to form an important aspect of due diligence in Indian M&A and funding deals. It would be interesting to see how the buy side prices any associated diligence red flags.

B. Employee data: Every employer running a digital HR, payroll, attendance, or performance management system is a Data Fiduciary in respect of its employees (an employer may use its employees’ data for legitimate purposes incidental to the employment). Thus non-digital businesses which have digitized HR data will also need to comply with the requirements of the Framework. Also, when HR data is disclosed for due diligence, background verification, investor reporting, etc., a breach in the recipient’s hands is likely to expose the disclosing employer.

C. Emergence of tech solutions: We expect the emergence of technology solutions to enable Data Fiduciaries to comply with their obligations under the Framework, much as GDPR produced a generation of consent management platforms in European markets.

Our DPDP Compliance Workbook for data fiduciaries covering operational workflows, consent architecture, audit parameters, and penalty mapping is available here. Please share with your legal, product, and compliance teams.

This note is prepared by JoyceLaw for informational purposes only and does not constitute legal advice. For transaction-specific or compliance-specific advice, please contact us at counsel@joycelaw.in.

Disclaimer

Current rules of the Bar Council of India impose restrictions on maintaining a web page and do not permit lawyers to provide information concerning their areas of practice. JoyceLaw is, therefore, constrained from providing any further information on this web page except as stated below.

The rules of the Bar Council of India prohibit law firms from soliciting work or advertising in any manner. By clicking on ‘I AGREE’, the user acknowledges that:

The user wishes to gain more information about JoyceLaw, its practice areas and the firm’s lawyers, for his/her own information and use;

The information is made available/provided to the user only on his/her specific request and any information obtained or material downloaded from this website is completely at the user’s volition and any transmission, receipt or use of this site is not intended to, and will not, create any lawyer-client relationship; and

None of the information contained on the website is in the nature of a legal opinion or otherwise amounts to any legal advice.

JoyceLaw, is not liable for any consequence of any action taken by the user relying on material/information provided under this website. In cases where the user has any legal issues, he/she in all cases must seek independent legal advice.