Privacy in India: What Data Laws Actually Protect You (And What They Don't)
- Jun 1
India’s Digital Personal Data Protection Act promises stronger privacy rights, but important gaps and exemptions remain. This article explains what the law actually protects, where its limits lie, and the practical steps young Indians can take to safeguard their personal data online.

Know Your Digital Rights
India passed the Digital Personal Data Protection (DPDP) Act in August 2023, the first comprehensive data protection legislation in the country's history. For the crores of Indians who use digital services daily, from UPI apps to WhatsApp to healthcare portals, this law changes some things and leaves others unchanged.
Understanding what it actually says, and what it does not, is more useful than either the alarmist "all your data is at risk" framing or the naive "we are protected now" response.
What the DPDP Act Says
The law establishes that digital personal data, meaning any data about an individual who is identifiable by or in relation to it, may be processed only for a lawful purpose, either with your consent or for certain "legitimate uses" the Act lists, and must be erased once that purpose is served unless another law requires it to be retained.
Consent requirements: a company must give you a clear notice and obtain free, specific, informed and unambiguous consent before collecting your data. The notice must be in plain language (not buried in terms and conditions) and must state what personal data is being collected and for what purpose. You have the right to withdraw consent, after which the company must stop processing your data within a reasonable time and erase it unless it has another legal basis for holding it.
Your rights under the Act include: the right to access a summary of the personal data a company holds on you and of the processing it carries out, the right to correct, complete or update inaccurate data, the right to erasure of data that is no longer needed for the purpose it was collected for, the right to a grievance redressal mechanism, and the right to nominate someone to exercise these rights on your behalf in case of death or incapacity.
Data fiduciaries, the organisations that decide how and why your data is processed, must implement reasonable security safeguards, appoint a Data Protection Officer if they are notified as Significant Data Fiduciaries, and report personal data breaches to the Data Protection Board and to the affected individuals within the timeline prescribed by the rules.
What the Act Does Not Do
Several important limitations are worth understanding.
Exemptions are broad. The central government can, by notification, exempt its own instrumentalities, including government departments and agencies, from most of the Act's obligations. This means government data collection, which is extensive in India, from Aadhaar to tax systems to health data, need not be subject to the same consent and rights framework as private sector data collection.
Enforcement is untested. The Data Protection Board that adjudicates complaints and levies penalties was not yet fully operational as of mid-2025. The strength of the Act ultimately depends on the independence and resources of the Board and on the willingness to penalise large companies, including platforms with significant political influence, for violations. This remains to be seen.
Surveillance carve-outs exist. The Act allows processing of personal data without consent for national security, law enforcement, and certain public interest purposes. The scope of these exceptions is broad enough to potentially limit the Act's protections in contexts where government data collection is at issue.
Cross-border data flows are not fully resolved. The Act takes a negative-list approach: personal data may be transferred to any country except those the central government restricts by notification, and stricter sector-specific rules (such as RBI requirements for payment data) continue to apply. Which countries end up on that list has significant implications for Indian companies processing data on international cloud infrastructure.
Practical Steps You Can Take Now
Review app permissions. On both Android and iOS, the settings app lists which apps have access to your camera, microphone, location, contacts, and health data, and on recent versions shows when each permission was last used. Revoke permissions for apps that do not have a clear need for them, and prefer "only while using the app" over "always" for location.
Use UPI with awareness. UPI transactions are processed by your bank and NPCI under an established regulatory framework with meaningful data protections. The third-party apps you use to initiate them (PhonePe, Google Pay, Paytm) have their own data handling practices on top of that. Review their privacy policies, specifically what data they share with parent companies and third-party marketers.
Be careful with health apps and platforms. Health data is among the most sensitive categories of personal data. Applications collecting symptom data, menstrual cycle information, mental health assessments, or fitness data hold deeply personal information about you. Check who owns the app, where the data is stored, whether it is shared with advertisers, and what the company's breach history looks like.
Know the complaint mechanism. The Act requires you to raise a grievance with the company first, through the contact it is obliged to publish. If that fails, and once the Data Protection Board is operational, you can file a complaint with the Board for DPDP Act violations. The mechanism is new, and its effectiveness will develop over time, but the right to complain exists.
The Honest Assessment
The DPDP Act is a real step forward from no data protection legislation, which is what India had before 2023. Whether it meaningfully changes how your data is handled depends on implementation, enforcement, and the government's willingness to apply it to itself as rigorously as to private companies.
Informed, cautious engagement with digital services remains the most reliable self-protection strategy — not because the law has failed, but because no law can fully substitute for individual awareness of the data you share and with whom.