Top 10 operational impacts of India’s DPDPA – Scope, key definitions and lawful data processing
This article provides insight on scope, key definitions and lawful data processing in relation to India's DPDPA.
Published: 21 Sept. 2023
Last updated: 20 Jan. 2026
This article is part of a series that explores the most important components of the DPDPA, as clarified by the DPDP Rules, 2025. The full series can be accessed here.
Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. This note is repeated at the top of each article in the series so that the status of the rules is stated consistently, as each author otherwise addressed it slightly differently.
Since the Supreme Court of India declared the right to privacy a fundamental right in a landmark 2017 judgement and urged the national government to establish a data protection regime, policymakers have worked toward passing central legislation to protect privacy. India achieved its goal with the enactment of the Digital Personal Data Protection Act on 11 Aug. 2023, followed by the notification of the Digital Personal Data Protection Rules, 2025 on 13 Nov. 2025 to enforce and operationalize the law.
The DPDPA replaces the rules made under Section 43A of the Information Technology Act, 2000, which superficially resembled a data protection law but had a non-functioning enforcement system and produced no reported cases.
In crafting the DPDPA, India’s government reviewed established privacy frameworks in other countries including the EU General Data Protection Regulation, whose influence is evident through some of the legal concepts in the act. That said, while individual data privacy and consumer rights lie at the heart of the GDPR and other data protection laws, the DPDPA appears to have also been driven by India’s concerns around national security and other political issues. This may explain the unique and distinct features of the act that depart from the GDPR and similar data privacy regimes.
Scope
The DPDPA covers any entity that processes digital personal data within the territory of India. Data that remains in non-digital form is excluded, but personal data collected offline and digitized later is covered. The act also has extraterritorial reach: it covers processing outside India where this is connected with offering goods or services to individuals within India.
However, the act differs from the GDPR by not extending to the profiling of individuals in India from outside the country where that profiling is unconnected with offering them goods or services. For instance, profiling individuals located in India from abroad for purely statistical purposes may not trigger any obligations under the DPDPA.
Key definitions
A data fiduciary is defined as any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. This concept is directly borrowed from the GDPR.
A data principal is an individual to whom personal data relates. Where such an individual is a child, the term includes their parent or lawful guardian. Where the individual is disabled, it includes the lawful guardian acting on their behalf.
A data processor is defined as any person who processes personal data on behalf of a data fiduciary. Notably, unlike the GDPR, the DPDPA imposes no obligations directly on data processors. The data fiduciary remains responsible for compliance with the act whether the processing is carried out by it or by a processor on its behalf, and is expected to bind the processors it engages through data processing agreements.
Special category of data and the significant data fiduciary
In a clear departure from the GDPR and the previous rules, which both categorize data based on sensitivity, the DPDPA uniformly applies to all types of personal data — defined as “any data about an individual who is identifiable by or in relation to such data.”
In what might come as good news to covered entities, the DPDPA does not impose additional obligations on entities that process sensitive personal data, as the previous rules identified it, or critical personal data, as an earlier draft of the law proposed. Neither does it refer to any special category of data of the kind expressly listed in the GDPR, such as racial or ethnic origin, political opinions or sexual orientation, which require heightened protection under the European regulation.
However, companies do need to consider whether they are a significant data fiduciary, as these data processing entities have a higher compliance burden. Significant data fiduciaries are classified as such based on the volume and sensitivity of the personal data and other prescribed criteria. This means companies routinely dealing with sensitive or large volumes of personal data are likely to be classified as such, and so, should particularly focus on reviewing their data privacy practices to ensure compliance with the act.
Although the DPDP Rules do not identify which entities fall into the category of significant data fiduciary, Rule 13 prescribes additional obligations for them: conducting an annual data protection impact assessment and audit, reporting significant findings to the Data Protection Board of India (DPBI), verifying that algorithmic software does not put data principals’ rights at risk, and not transferring personal data, and traffic data relating to it, that the government specifies outside India.
Furthermore, Rule 8 requires the classes of data fiduciaries listed in the Third Schedule to the DPDP Rules, namely certain e-commerce entities, online gaming intermediaries and social media intermediaries, to meet prescribed timelines for deleting personal data once its purpose is no longer served. Although the DPDPA suggests a high volume of users as one criterion for classifying entities as significant data fiduciaries, the rules do not expressly classify these entities as such. Nevertheless, Rule 8 imposes an additional compliance burden on them: time-bound deletion requirements that do not apply to data fiduciaries in general. It is not clear whether this is a legislative or administrative oversight, with Rule 8 in fact intended for significant data fiduciaries, or whether it is intentional, with the government planning to notify significant data fiduciaries in the future.
Who and what is exempted?
Besides excluding the processing by an individual for personal or domestic purposes from its application, the DPDPA also specifically excludes most publicly available personal data, as long as it was made public by the data principal (for example, views made public by a social media user) or by someone else under a legal obligation to publish the data (such as the personal data of directors that regulated companies must publicly disclose by law). The first form of publicly available information appears to permit external companies to scrape data from social networks and process it.
The DPDPA, read with Rule 16, also exempts the processing of personal data necessary for research or statistical purposes, which is an extremely broad exception. But the act will still apply to such processing if research or statistical activity is used to make “any decision specific to the data principal.” Further, such data processing is only exempt if it complies with standards specified in the Second Schedule to the DPDP Rules. The schedule emphasizes compliance with standard data protection principles found in other frameworks, such as lawful processing, data accuracy, data retention for required purposes or legal compliance, security safeguards against data breaches, transparency to data principals, etc.
Moreover, the DPDPA provides broad exemptions for government entities. It also exempts processing by State instrumentalities for specified purposes, such as the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order and the prevention of incitement to commit offences, but only where the government notifies the instrumentality concerned. While the DPDP Rules likewise provide broad exemptions for government entities, they impose limited obligations in certain contexts, such as processing personal data for welfare schemes. Otherwise, the government is generally exempted from the purview of the act.
Finally, in a provision that appears intended to support new businesses, Section 17(3) of the DPDPA empowers the government to exempt notified data fiduciaries or classes of data fiduciaries, expressly including startups, from specified obligations under the act, having regard to the volume and nature of the personal data they process. Notably, contrary to the expectations of the startup industry, no such exemption has been notified in the rules.
Grounds for processing
The DPDPA hinges on consent as the primary ground for processing personal data, although additional narrowly defined, situation-based lawful grounds are also available. These are termed “certain legitimate uses” and listed under Section 7. The most relevant to the private sector include the specified purpose for which the data principal voluntarily provided their personal data without indicating an objection to its use for that purpose, compliance with legal or judicial obligations of a specified nature, medical emergencies and health services, situations involving a breakdown of public order, and employment-related purposes.
Notably, the act does not include contractual necessity or legitimate interests, which are legal grounds for processing under the GDPR and other mature data protection laws. These are probably the most common grounds relied on by organizations today, particularly global companies that treat the GDPR as the gold standard for processing personal data. Their absence as express grounds may pose a serious challenge to businesses, especially large organizations that already rely on them to process personal data for routine or necessary business operations.
Consent and notice
Like the GDPR, the DPDPA requires that consent for the processing of personal data be “free, specific, informed, unconditional and unambiguous with a clear affirmative action.” Further, the consent is limited to such personal data as is necessary for the specified purpose stated in the request for consent. In practice, this means data fiduciaries cannot rely on “bundled consent.”
The notice accompanying a request for consent must inform the data principal of the personal data to be processed and the purpose of its processing, how they can exercise their rights under the act, and the process for filing a complaint with the DPBI. Importantly from an operational perspective, where a data principal gave consent before the commencement of the act, the data fiduciary must provide a notice with the same details “as soon as it is reasonably practicable.”
To complement the requirement for specific and informed consent, Rule 3 sets out standards for the notice: it must be presented in clear and plain language, be understandable independently of any other information the data fiduciary provides, and include an itemised description of the personal data, the specified purpose of its processing, and the goods or services to be provided or uses to be enabled by that processing. The notice must also provide the communication link to the data fiduciary’s website or app through which the data principal can withdraw consent, exercise their rights under the DPDPA and file a complaint with the DPBI. However, the manner in which the notice is presented and delivered is otherwise largely left to the discretion of the data fiduciary.
In what is perhaps one of the most important rights from the perspective of data principals, and similar to the GDPR, data principals may withdraw their consent at any time, and data fiduciaries must ensure that withdrawing consent is as easy as giving it. Once consent is withdrawn, the data fiduciary must cease processing within a reasonable time, instruct its processors to do the same, and erase the personal data unless retention is required by law.
Conclusion
While a few provisions remain unclear and certain aspects are left to the discretion of the government, to be notified in future, the DPDPA together with the DPDP Rules aims to replace a confusing framework of existing rules while promoting innovation and regulatory certainty and protecting individual privacy, in ways that resemble the GDPR and earlier drafts of the law. It tries to do so, however, in a more practical way that is sensitive to the context of India’s business and cultural attitudes to data and emerging technologies. Companies may therefore find it necessary to localize their compliance programs while positioning themselves to do more with personal data within the framework of the act.
Full series overview
The overview page for the full series can be accessed here.
- Scope, key definitions and lawful data processing
- Individual rights
- Obligations of data processing entities
- Enforcement and the Data Protection Board
- Cross-border data transfers
- Comparative analysis with the GDPR and other major data privacy laws
- Consent management
- Data audits for significant fiduciaries
- Data protection impact assessments
- Data breaches

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Contributors:
Sandeep Sangwan
Director - Legal, CBRE South Asia Private Limited
CIPP/A, CIPP/E