Practice Area
Data Protection
Overview
India’s Digital Personal Data Protection Act, 2023 establishes a comprehensive framework for the processing of digital personal data — imposing obligations on Data Fiduciaries regarding consent, purpose limitation, data accuracy, security safeguards, and data principal rights. With penalties reaching INR 250 crore per instance for specified violations, compliance is no longer a back-office function but a board-level risk management priority. Corpus Lawyers advises businesses on DPDP Act compliance, privacy programme design, and data-related regulatory and contractual matters.
DPDP Act Compliance Programme
Advisory across the lifecycle on compliance with the Digital Personal Data Protection Act, 2023 — covering data mapping and classification, consent management framework design, privacy notice drafting, data principal rights mechanisms, and Significant Data Fiduciary obligations.
Privacy Policy and Notice Drafting
Drafting of privacy notices, consent forms, and data processing disclosures that comply with the DPDP Act’s requirements for clear and accessible communication — covering purpose specification, data categories collected, retention periods, and rights of data principals.
Data Processing Agreements
Drafting and negotiation of data processing agreements and data protection addenda between Data Fiduciaries and Data Processors, covering scope of processing, sub-processor management, security obligations, breach notification procedures, and liability allocation.
Cross-Border Data Transfer Advisory
Advisory on cross-border transfer of personal data under the DPDP Act’s provisions and any notified transfer frameworks — covering structural requirements for international data transfers and assessment of data protection standards in receiving jurisdictions.
Data Breach Response
Advisory on data breach management and notification obligations under the DPDP Act — including breach assessment, notification to the Data Protection Board of India, communication to affected data principals, and documentation of breach response actions.
Data Protection in M&A Transactions
Data protection due diligence in M&A transactions, covering assessment of the target’s compliance posture, identification of data protection liabilities, and structuring of representations, warranties, and indemnities relating to data protection in acquisition documentation.
Landmark Authorities and Doctrinal Framework
Data-protection law in India consolidates around the Digital Personal Data Protection Act, 2023, read with the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (which the DPDP Act will progressively supersede on full implementation). The Supreme Court judgment in K.S. Puttaswamy v. Union of India (2017) 10 SCC 1 established privacy as a fundamental right under Article 21 and provided the constitutional foundation for the DPDP framework.
The DPDP Act, 2023 was notified on 11 August 2023; the rules and operational framework have been notified in stages since 2024, with further notifications ongoing. The Act applies to processing of digital personal data within India and to processing outside India in connection with offering goods or services to Data Principals in India. The extraterritorial reach brings offshore processors serving Indian consumers within the framework.
Consent is the primary ground for lawful processing, supplemented by the enumerated “legitimate uses” under Section 7. Consent must be free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action. Consent notices must be in plain language, in any of the scheduled languages, and must provide withdrawal mechanics that are as easy as the grant mechanics. Existing consent under the pre-DPDP framework remains valid only where the consent satisfies the new requirements.
The Data Protection Board of India, established under the Act, is the enforcement authority. Penalties scale up to INR 250 crore per instance for breaches, with calibration based on the nature of the breach, the type of personal data, the repetition, and the mitigation steps taken. The enforcement architecture moves Indian data-protection risk from a regulatory-nuisance posture to a material-enterprise-exposure posture.
Current Doctrinal Shifts and Live Questions
Significant Data Fiduciary designation. The central government may designate any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciaries based on the volume and sensitivity of personal data processed, risk to Data Principal rights, potential impact on sovereignty and integrity, risk to electoral democracy, security of the State, and public order. Designated SDFs must appoint a Data Protection Officer based in India and an independent data auditor, and must undertake periodic data-protection impact assessments. The designation criteria and early designations continue to shape compliance planning.
Cross-border data transfer framework. Section 16 of the DPDP Act permits cross-border transfer except to countries specifically restricted by the central government. Sectoral regulators (RBI for payment data, IRDAI for insurance data, SEBI for capital-markets data) continue to operate their own localisation frameworks. The layered framework — DPDP default permission, sectoral localisation requirements, contractual data-transfer obligations — requires coordinated mapping for any entity with international data operations.
Children’s data and age-verification architecture. Section 9 prohibits tracking, behavioural monitoring, and targeted advertising directed at children, and requires verifiable parental consent for processing children’s data. The practical architecture for age verification and parental consent — particularly for social media, gaming, and edtech platforms — is a live design challenge. The government has proposed exemptions for certain verified processing classes; the final framework is still in consultation.
Data Principal rights — access, correction, erasure, grievance. Sections 11-14 grant Data Principals rights to obtain a summary of the personal data being processed, to correct and update personal data, to erase personal data (subject to exceptions), and to grievance redressal. Operationalising these rights at scale — subject access request workflows, identity verification, response timelines — is the dominant 2026 compliance workstream for most enterprise data operations.
Data Protection Compliance Programme Architecture
A DPDP-compliant programme integrates seven elements. First, data inventory and data-flow mapping — identification of all personal data processed, processing purposes, retention periods, and cross-border flows. Second, consent infrastructure — consent notices, consent management platforms, consent withdrawal mechanisms, and consent record-keeping. Third, vendor and processor management — DPDP-compliant contractual clauses, processor due diligence, and processor-contract audit. Fourth, data-principal rights workflow — request intake, identity verification, response, and closure. Fifth, security architecture — reasonable security safeguards, encryption where appropriate, access controls, and breach-response playbook. Sixth, governance — DPO appointment where designated as SDF, cross-functional coordination, and board-level reporting. Seventh, documentation and evidence — DPIA records, audit trails, and demonstrable compliance.
The programme should be built in stages, not in a single implementation push. Stage one is data inventory and gap analysis; stage two is consent infrastructure and high-risk processing remediation; stage three is vendor remediation and rights-workflow operationalisation; stage four is continuous monitoring and periodic DPIA. Attempting all stages in parallel typically produces documentation without operational maturity.
For legal matters in this practice area, contact us at the details below. This page contains general information only and does not constitute legal advice.
This page is informational. It is not advertisement or solicitation. The firm does not offer free consultations or invite engagement through this page. Use of this site is subject to the Bar Council of India Rule 36 framework.