Decrypting India’s Data Protection Regime: Principles of Data Protection

  • Bulletin, 5 January 2026
  • Asia-Pacific
  • Technology and the evolution of AI

India’s data protection legislation is presently anchored in the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). The IT Act and SPDI Rules, despite the criticism they attracted, did incorporate core data protection principles such as purpose limitation, minimisation, storage limitation, security and accuracy.

However, unlike the SPDI Rules, which embedded these principles in a narrow and fragmented manner solely for “Sensitive Personal Data or Information” (“SPDI”), the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“Rules”) create a comprehensive, stand-alone framework that makes these principles explicit and enforceable.

This article is the third in a series examining India’s new digital privacy regime, and it focuses on the core data protection principles.

Treatment of Data

The DPDP Act has taken a fundamentally different approach from the SPDI Rules. It adopts a single, broad definition of “personal data” and does not create a separate statutory category of SPDI that attracts a distinct set of rights or duties. Once the DPDP Act is fully brought into force and section 43A of the IT Act is omitted pursuant to its consequential amendments, the SPDI Rules will effectively become redundant and cease to operate as a separate privacy framework.

The DPDP Act recognises that some personal data is more sensitive than others. When designating Significant Data Fiduciaries, the Central Government may consider the volume and sensitivity of the data they process. The Act also gives special protection to children’s data by requiring verifiable parental (or guardian) consent and prohibiting processing that is detrimental to a child’s well-being. In parallel, sectoral regulators (RBI, SEBI, IRDAI, UIDAI, health authorities, etc.) single out financial, health and other high-risk data for heightened protection within their own frameworks.

Data Protection Principles

Together, the DPDP Act and Rules set out a unified framework of core data protection principles. The general obligations of Data Fiduciaries are as follows:

  1. The Act and Rules prescribe clear, plain-language notice at the time of collection, specifying the purposes for which personal data will be processed;
  2. The Act permits the processing of only such personal data as is necessary for the specified purpose, and mandates erasure once that purpose is served;
  3. The Rules introduce a “deemed end-of-purpose” concept under which, after a period of complete inactivity, the purpose is treated as having ended;
  4. Data Fiduciaries must maintain the completeness, accuracy and consistency of personal data. This is reinforced by the Data Principal’s rights to seek correction and completion;
  5. Data Fiduciaries must implement technical and organisational measures and the “reasonable security safeguards” set out in the Rules;
  6. Data Fiduciaries remain responsible for compliance even when using data processors, and must provide accessible mechanisms for rights requests and grievances;
  7. Data Fiduciaries must notify the Data Protection Board and affected Data Principals of a personal data breach in the form and within the timeframes prescribed by the Rules.

Enforceable Rights of Data Principals

Under the DPDP regime, the rights of the Data Principal are the main way the core data protection principles “come alive” in practice. Data Principals have the following enforceable rights against Data Fiduciaries:

  1. The right to obtain a copy of their data, a description of the processing activities, and details of the Data Fiduciaries (or classes of them) with whom the data has been shared.
  2. The right to correction and completion of their data, as well as the right to seek erasure of data that is no longer necessary.
  3. The right to withdraw consent at any time (as easily as it was given).
  4. The right to grievance redressal and to escalate unresolved complaints to the Data Protection Board.
  5. The right to nominate another person to exercise these rights in the event of their death or incapacity.

Penalty

Failures relating to security safeguards and breach reporting attract the heaviest exposure: a personal data breach arising from a failure to implement reasonable security measures can invite a penalty of up to INR 250 crore (approx. USD 27.7 million).

Non-adherence to the obligations relating to children, or failure to notify the Board and affected Data Principals of a breach, can invite a penalty of up to INR 200 crore (approx. USD 22 million).

Failure to honour erasure and storage-limitation duties, non-compliance with Data Principal rights (including access, correction and withdrawal of consent), or processing in breach of the purpose-limitation, data-minimisation or lawful-basis requirements can attract substantial monetary penalties of up to INR 50 crore (approx. USD 5.5 million), or up to INR 150 crore (approx. USD 16.6 million) in the case of Significant Data Fiduciaries.

Conclusion

The current framework under the IT Act only gestures towards core data protection principles, whereas the DPDP regime extends these principles to all digital personal data and makes them enforceable through the Data Protection Board. For organisations, the task now is to build compliance programmes anchored in these DPDP principles and to operationalise Data Principal rights, deletion and inactivity rules, governance obligations and breach-notification duties.

Authored by CSL Chambers, New Delhi: Sumeet Lall (Partner – Sumeet.Lall@cslchambers.com), Nikhil Lal (Legal Director – nikhil.lal@cslchambers.com). The contents of this document are for informational purposes only and should not be treated as a legal opinion. Should you have any queries relating to the content of this insight piece or require further information, please don’t hesitate to contact us.