India, Jan. 27 -- The Government of India has issued a release:
Data Protection Board of India: A key institutional feature of the Act is the establishment of the Data Protection Board of India, which is responsible for overseeing compliance, conducting inquiries into data breaches, and ensuring timely corrective action. The Board plays a central role in enforcing the provisions of the Act and in strengthening public trust by providing an effective, accountable mechanism for redressal and enforcement.
Rights and Protections for citizens under DPDP Act, 2023
Right to Give or Refuse Consent:
Right to Know How Data is Used:
Right to Access Personal Data:
Right to Correct Personal Data:
Right to Update Personal Data:
Right to Erase Personal Data:
Right to Nominate Another Person:
Mandatory Response within Ninety Days:
Protection During Personal Data Breaches:
Clear Contact for Queries and Complaints:
Special Protection for Children:
Special Protection for Persons with Disabilities:
Individual has a choice to allow or deny the use of their personal data.
Individuals can seek information on what personal data has been collected, why it has been collected and how it is being used.
Individuals can ask for a summary of their personal data processed that is done by a Data Fiduciary.
Individuals may request corrections to personal data that is inaccurate or incomplete.
Individuals can ask for changes when their details have altered, such as a new address or updated contact number.
Individuals may request the erasure of personal data in certain situations. The Data Fiduciary must consider and act on this request.
Every individual can appoint someone to exercise their data rights on their behalf in case of her death or incapacity.
Data Fiduciaries are required to address all requests related to access, correction, updating or erasure within a maximum of ninety days, ensuring timely action and accountability.
If a breach takes place, individuals must be informed at the earliest. The message must explain what happened and what steps individual can take.
Data Fiduciaries must provide a point of contact for questions relating to personal data. This may be a designated officer or a Data Protection Officer.
When a child's personal data is involved, verifiable consent from a parent or guardian is required. This consent is needed unless the processing relates to essential services such as healthcare, education or real-time safety.
If an individual with a disability cannot make legal decisions even with support, her lawful guardian is required to give consent. This guardian must be verified under the relevant laws.
Key Takeaways
Introduction
Data Privacy Day is internationally observed annually on 28 January. It aims to raise awareness about the importance of protecting personal data and privacy in the digital age. Also known as Data Protection Day, it was designated in 2006 by the Council of Europe to commemorate the signing of Convention 108- the world's first legally binding international treaty on data protection.
Data privacy is a foundational pillar of responsible digital governance. It protects and safeguards citizens' personal information across large-scale digital public platforms. Data privacy builds public trust by strengthening confidence in government-led digital services. Robust data privacy frameworks enable responsible digital use by promoting the safe, ethical, and secure adoption of digital technologies. They also help reduce data and cyber risks by preventing misuse, mitigating cyber threats, and identifying data-related frauds. Furthermore, strong data-protection regimes enhance governance and accountability by ensuring transparency, effective oversight, and clearly defined institutional responsibilities.
In an increasingly digital society, safeguarding personal data is essential to sustaining trust, security, and inclusion. As digital public platforms expand in scale and impact, a strong commitment to data privacy ensures that innovation remains citizen centric, ethical, and accountable. Observing Data Privacy Day reinforces the collective responsibility of governments, institutions, and citizens in protecting digital rights.
India's Expanding Digital Footprint and the Privacy Imperative
India's rapid digitalisation has transformed the way citizens interact with the State, access services, and participate in governance. Digital platforms now operate at population scale, making data a critical public resource that underpins service delivery, inclusion, and innovation. While this transformation has delivered efficiency and accessibility, it has also heightened the importance of safeguarding personal data. As India's digital footprint continues to expand, embedding privacy and security into digital systems has become a central governance priority.
The observance of International Data Privacy Day on 28 January reinforces India's commitment to responsible data practices, public awareness, and trust-based digital governance. As India's digital platforms continue to expand in scale and complexity, embedding privacy by design, robust oversight, and institutional accountability will remain central to ensuring that digital innovation remains secure, inclusive, and citizen centric.
National Data Privacy & Security Readiness
As digital technologies increasingly underpin governance, service delivery, and economic activity, ensuring robust data privacy and cybersecurity has become a national priority. India's expanding digital ecosystem requires a strong legal and institutional framework that protects personal data, secures digital transactions, and builds trust among citizens and businesses. In response, India has put in place a comprehensive and evolving regulatory architecture that balances privacy protection with innovation, accountability, and ease of compliance.
Information Technology (IT) Act, 2000
The IT Act, 2000 is India's core law for cyberspace, providing the legal basis for e-governance, digital commerce, and cybersecurity. In alignment with the National Data Protection and Cybersecurity objectives, the Act grants legal recognition to electronic records and digital signatures, enabling secure online transactions and digital delivery of public services. The Act also establishes key cybersecurity and regulatory mechanisms, including CERT-In as the national incident response agency, along with adjudicatory and appellate bodies for cyber disputes. Provisions such as Sections 3, 3A, 6, 46, 69A, and 70B collectively support authentication, e-governance, adjudication, content blocking for national security, and cyber incident management, forming a robust and secure digital framework for India.
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, notified under the Information Technology Act, have been formulated in line with India's evolving data security and cybersecurity requirements. The Rules lay down due diligence requirements for intermediaries to ensure a safe, trusted, and transparent online environment. Under the Rules, all intermediaries are mandated to establish a robust grievance redressal mechanism for addressing complaints from users or victims in a time-bound manner.
Digital Personal Data Protection (DPDP) Act, 2023
The DPDP Act, 2023, enacted on 11 August 2023, governs the processing of personal data collected through digital means, including data digitised from offline sources. The Act seeks to strike a careful balance between protecting individual privacy and enabling lawful data use to support innovation, service delivery, and economic growth. It follows a SARAL approach: Simple, Accessible, Rational, and Actionable, to ensure clarity, ease of understanding, and practical compliance for all stakeholders.
At its core, the DPDP Act empowers citizens as Data Principals, placing individuals at the centre of India's data protection framework by granting them clear rights, greater control over their personal data, and assurance that organisations handling such data remain responsible, transparent, and accountable.
Digital Personal Data Protection Rules, 2025
Notified on 13 November 2025, the Digital Personal Data Protection Rules, 2025 operationalise the DPDP Act, 2023, strengthening India's data protection framework. Altogether, they establish a clear, citizen centric regime that safeguards personal data while enabling innovation and responsible use.
The Rules place individuals at the centre by empowering citizens with enforceable rights, enhancing accountability of organisations, and curbing misuse and unauthorised exploitation of data.
Together, the DPDP Act and Rules provide regulatory clarity and balance privacy with innovation, supporting a secure, transparent, and future-ready digital economy.
Altogether, these frameworks constitute a coherent and forward-looking approach to data governance in India. By clearly defining rights, responsibilities, and enforcement mechanisms, these measures strengthen institutional accountability, empower citizens, and foster trust in digital systems. As India's digital economy continues to grow in scale and complexity, this robust legal and regulatory foundation ensures that data-driven innovation remains secure, transparent, and citizen centric, reinforcing India's readiness for a resilient and future-ready digital ecosystem.
Additional National Measures for Data Security
The Government of India has undertaken multiple initiatives to strengthen cybersecurity standards, reinforce digital infrastructure, and promote cyber awareness, with the objective of ensuring an open, safe, trusted, and accountable Internet ecosystem. In view of evolving cyber threats, the following measures have been implemented:
These initiatives reflect the Government of India's comprehensive and forward-looking approach to cybersecurity, combining standards, capacity building, citizen awareness, and crisis preparedness. By strengthening institutional mechanisms and aligning with global best practices, India continues to enhance trust, resilience, and security across its digital ecosystem in the face of evolving cyber threats.
Conclusion
Data Privacy Day serves as a timely reminder that trust is the cornerstone of India's rapidly expanding digital ecosystem. As digital public infrastructure increasingly shapes governance, service delivery, and everyday life across the country, protecting personal data is not merely a technical requirement but a democratic imperative. India's evolving legal frameworks, strong institutional mechanisms, and citizen centric initiatives reflect a firm commitment to ensuring that digital innovation remains safe, ethical, and accountable.
With the rollout of the Digital Personal Data Protection Framework, strengthened cybersecurity institutions, and sustained investments in capacity building and awareness, India is steadily advancing towards a secure and future-ready digital environment. Recognising the significance of data privacy reinforces the shared responsibility of the Government, digital platforms, and citizens to safeguard personal data, build trust, and ensure that India's digital transformation remains inclusive, resilient, and citizen centric.
References
Ministry of Communications
Ministry of Electronics & Information Technology
Ministry of Home Affairs
PIB Headquarters
Data Protection Day, EU
Data Protection Day, Council of Europe
Others
Click here to see pdf
Disclaimer: Curated by HT Syndication.
