India Digital Personal Data Protection Act came into full force on Wednesday, establishing the country first comprehensive personal data protection law after years of deliberation. The Act mandates that all organisations collecting personal data must obtain explicit, purpose-specific consent from users, appoint a Data Protection Officer for entities processing large volumes of sensitive data, and notify users within 72 hours of a data breach. The law applies to both Indian companies and foreign entities processing data of Indian residents.
The Data Protection Board, the enforcement authority established under the Act, announced it will begin investigations from April 2026 following a six-month compliance window. Penalties for data breaches range from Rs 50 crore for minor violations to Rs 250 crore for significant breaches affecting large numbers of users. MeitY Secretary S. Krishnan said the law balances individual privacy rights with the practical needs of India digital economy. International compliance experts said the Indian law borrows elements from the GDPR and PDPA Singapore but is tailored to India unique data ecosystem and digital payment infrastructure.