Data Privacy & Digital Rights
Your rights under India's Digital Personal Data Protection Act 2023 + DPDP Rules 2025: access and correction, erasure, consent withdrawal, grievance redress, and the Data Protection Board. NCII takedown via IT Act s. 67/67A and the Sahyog portal.
Covered in this guide:
India's data-protection regime entered force in phases starting 13 November 2025, when the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 under the Digital Personal Data Protection Act, 2023 (DPDPA). The Data Protection Board of India (DPB) is now operational; the Consent Manager Framework goes live 13 November 2026; full operational compliance — notice, consent, breach reporting, rights handling — by 13 May 2027. Until then, the Information Technology Act, 2000 and the SPDI Rules 2011 continue to govern cybercrime and remain the active route for offences against personal data. CERT-In directions (28 April 2022) require incident reporting within 6 hours for specified categories of cyber-incident. Sahyog portal (sahyog.mha.gov.in) is the unified portal for content takedown intimations under IT Act s. 79(3)(b) and rule-based blocking. For NCII (non-consensual intimate imagery), the IT Act s. 67/67A, BNS s. 79, and POCSO Act (for minors) apply.
Key Laws
Digital Personal Data Protection Act, 2023
Act No. 22 of 2023; DPDP Rules, 2025 notified by MeitY on 13 November 2025
First standalone Indian data-protection law. Rights of data principals: access, correction, erasure, grievance, nominate; consent-based processing; cross-border-transfer notified-country regime; Data Protection Board of India enforces.
Information Technology Act, 2000
Act No. 21 of 2000
Cyber-crime and electronic record law. Continues to apply alongside DPDPA. ss. 43A (compensation for negligent data handling), 65 (tampering source code), 66 (computer-related offences), 66C (identity theft), 66E (privacy violation by capturing private images), 67 (obscene material), 67A (sexually explicit material).
SPDI Rules, 2011
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Govern handling of sensitive personal data (passwords, financial, health, sexual orientation, medical records, biometrics). Continue in force until DPDPA fully replaces them in 13 May 2027.
CERT-In Directions, 2022
Indian Computer Emergency Response Team Direction No. 20(3)/2022-CERT-In dated 28 April 2022
Mandatory cyber-incident reporting to CERT-In within 6 hours. Applies to body corporates, service providers, intermediaries, data centres. Maintain ICT logs for 180 days.
Bharatiya Nyaya Sanhita, 2023 — Offences against women and obscenity
Act No. 45 of 2023, ss. 75 (sexual harassment), 79 (insulting modesty), 294 (obscene acts), 296 (obscene songs)
Substantive criminal law. Covers offline and online conduct. NCII cases overlap with IT Act ss. 67 / 67A.
Your Rights as a Data Principal under DPDPA 2023
The DPDPA gives every Data Principal — that is, you, the individual whose personal data is being processed — five concrete enforceable rights against a Data Fiduciary (the company or person that deter...
Reporting a Data Breach to CERT-In and the Data Protection Board
India runs two parallel breach-reporting regimes.CERT-In (Indian Computer Emergency Response Team) under MeitY enforces the 28 April 2022 Directions. Specified cyber-incidents — including ransomware,...
Non-Consensual Intimate Image Takedown in India
If sexually explicit images or videos of you have been shared online without consent, India has a layered takedown system. The legal hammer is criminal; the practical takedown is administrative.IT Act...