India's data protection regime has entered an active enforcement phase. The Digital Personal Data Protection Act (India's principal data protection legislation, referred to below as the DPDP Act) received presidential assent in 2023. Implementing rules and enforcement guidance are now being finalised and progressively notified. Businesses that process personal data of Indian residents – whether from within India or from abroad – face real and immediate compliance obligations. Organisations that have treated the DPDP Act as a future concern are now in a position of genuine legal exposure.
India's data protection legislation introduces obligations for every entity that acts as a data fiduciary – the Indian legislative equivalent of a data controller – when processing personal data of individuals located in India. Significant data fiduciaries, a designated sub-category, face additional requirements including the appointment of a local Data Protection Officer and mandatory data localisation for certain categories. The Data Protection Board of India (DPB), the statutory body established to adjudicate complaints and enforce the legislation. Is in the process of becoming operational, with enforcement capacity expected to be exercised within the current financial year.
This alert summarises the regulatory developments now in effect, identifies which business categories are affected, and sets out the immediate actions international companies must take.
What has changed and when it takes effect
The DPDP Act establishes a consent-based regime for personal data processing. Every data fiduciary must obtain free, specific, informed, and unambiguous consent before processing personal data. This consent mechanism must be granular: a single omnibus consent is not sufficient. Consent notices must be presented in plain language and, where practicable, in languages listed in the Indian constitution.
The legislation also governs cross-border data transfer. The central government retains the power to restrict transfers to specified countries. Until a positive list of permitted destinations is notified, international companies must assess transfer risk on a case-by-case basis. Organisations accustomed to GDPR compliance frameworks will note both similarities and material differences: India's regime does not replicate the adequacy decision model and places heavier reliance on consent rather than legitimate interest as a lawful basis.
Penalties under the legislation are substantial. Financial sanctions for a personal data breach resulting from a failure to implement reasonable security safeguards can reach several hundred crore rupees. Repeated non-compliance attracts escalating penalties. The DPB – functioning as the designated enforcement authority, the Indian equivalent of a Data Protection Authority (DPA) – is empowered to conduct inquiries, direct remediation, and impose financial penalties without requiring a court order.
India's sectoral regulators are also active in this space. The Securities and Exchange Board of India (SEBI) has issued guidance on data governance for market intermediaries. The Reserve Bank of India (RBI) continues to enforce payment data localisation requirements for regulated entities. Companies operating in financial services, fintech, or capital markets must therefore manage obligations under the DPDP Act alongside existing sectoral requirements – these regimes do not replace one another.
Which businesses are affected and the compliance threshold
The DPDP Act applies to any entity that processes digital personal data of individuals located in India – regardless of where the data processor or data fiduciary is incorporated. A European holding company that receives employee or customer data from an Indian subsidiary is a data fiduciary subject to this legislation. There is no de minimis exemption based on company size for basic compliance obligations.
The significant data fiduciary designation triggers the most demanding requirements. The central government designates entities as significant data fiduciaries based on the volume of data processed, sensitivity of data, national security implications, and the risk to individual rights. Once designated, a significant data fiduciary must appoint a Data Protection Officer based in India, conduct periodic data protection impact assessments, and retain a third-party auditor. International companies with large Indian user bases or processing sensitive personal data – including health data, financial data, and biometric data – should assume a meaningful risk of designation.
Companies incorporated under the Companies Act 2013 that collect personal data in the course of business – whether from customers, employees, or third parties – are subject to the full scope of the legislation. The Arbitration and Conciliation Act framework is relevant where cross-border data disputes give rise to contractual claims: data processing agreements with Indian counterparties should now include arbitration clauses and data breach notification obligations that align with the DPDP Act's timelines.
For a detailed review of your compliance position under India's data protection legislation, contact us at ferrazwhitmore.com/services/data-protection/india/ or email info@ferrazwhitmore.com.
Immediate actions for international companies
The window for voluntary remediation is narrowing. The DPB's operational capacity is increasing. Acting now reduces both the financial exposure and the reputational risk of an enforcement notice. International companies should take the following steps without delay.
- Map your data flows. Identify every category of personal data collected from Indian residents. Confirm where it is stored, who processes it, and whether any cross-border data transfer takes place. This mapping exercise is the foundation of every other compliance action.
- Audit your consent mechanisms. Review all consent notices and opt-in flows directed at Indian users or employees. Consent must be granular, revocable, and presented in accessible language. Existing cookie banners and privacy notices designed for GDPR compliance are unlikely to meet India's requirements without amendment.
- Assess significant data fiduciary risk. Evaluate whether the volume or sensitivity of data you process creates a material risk of designation. If designation is likely, begin the process of identifying a resident Data Protection Officer and planning for mandatory audits.
- Update data processing agreements. All contracts with Indian data processors must be revised to reflect the obligations introduced by the DPDP Act. Breach notification timelines, sub-processor controls, and audit rights are now mandatory contractual elements.
- Engage sectoral compliance counsel. If your Indian operations involve financial services, healthcare, or telecom, your DPDP Act obligations layer onto existing RBI, SEBI, and sectoral regulatory requirements. These need to be managed as a unified compliance programme, not as separate workstreams.
Companies operating across multiple regulatory environments – including those already managing data protection enforcement in the UAE – should treat India as a separate and materially distinct compliance obligation. The legal standards, enforcement posture, and penalty regimes differ significantly between jurisdictions.
For international companies developing AI-driven products that process Indian user data, additional considerations arise under India's emerging technology regulation. Our analysis of AI law obligations in India provides further context on where these two regulatory regimes intersect.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice covers regulatory compliance, enforcement response, and cross-border data transfer structuring in India, the EU, the UAE, and across Asia-Pacific markets. Engaging a lawyer in India with genuine cross-border experience matters when obligations span multiple legal regimes simultaneously. As an international law firm in India and across the Asia-Pacific region, we support technology companies, financial institutions, and multinational groups in building data protection programmes that are both locally compliant and internationally coherent. Our team includes practitioners with experience advising on regulatory matters before data protection authorities in civil law and common law systems alike. To discuss your India data protection exposure, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.