Navigating the India Privacy Act: Understanding Consent, Compliance, and Consequences by Dr. Pavan Duggal, Dr. Prashant Mali, Puneet Bhasin & Bikash Barai

The India Privacy Act introduces a new era of data protection and privacy regulations in India. This comprehensive law emphasizes the need for explicit consent, robust compliance measures, and significant penalties for non-compliance. Recently, a panel discussion on the CESO platform, featuring esteemed experts in cyber law, shed light on the critical aspects of this legislation. This blog delves into the key highlights of the India Privacy Act, its implications for various organizations, and the steps necessary to ensure compliance.



Here is the verbatim discussion:

the more the data that's flowing so by default the concept of consent will have to come in now just to get give you a brief about what is the concept of consent so it's primarily in the nature of an explicit notice an explicit notice as to what you are going to do with the data what are the data sets that you're collecting how are you going to utilize it what are the data processors involved what are they going to perform on it and not just in English or Hindi in every single Indian language as per the e8th schedule of the Constitution the notice has has to be provided if the data principle explicitly consens is when you can actually go ahead and process data so this is irrespective of the size of the organization startup MNC large organization medium scale organization manufacturing Hospital anything a Cooperative Housing Society a person who's a visitor coming into your Society also needs to give explicit consent you cannot just collect his data we are waiting the secondary legislation the minister has indicated that they are not going to wait for elections and that rules under the dpdp act are going to come very soon so I do hope that the rules will provide certain amount of clarity as to how this particular Quantum of fine has to be so-call calculated uh we need to be mindful of the fact that some broad parameters are given under the ACT but they are too broad in general so each case will have to be dependent on its own peculiar facts and circumstances it will also be dependent upon what subjective interpretation does the data protection board take in each case as it moves forward for the very simple reason that supposing if it's just as a data breach of say 1,000 records then obviously the Quantum of fine is going to be slightly lesser but if the records are say 10 million records then the Quantum of fine is going to be far more higher so this this nomenclature of up to 50 250 cror means it is left to the subjective discretion measures and they have a clean audit report what will happen still they will be F or not I guess this was discussed that they may have lesser F but still still they will be fined is that right uh yes it would be in the nature of uh demonstrating uh you know just having an audit on paper is not what works you will have to show demonstrable compliance that is actually the level of implementation of security measures data security measures cyber security measures that you can actually demonstrate uh that is something which would be important I'm quite certain for uh the nature of proceedings as in judicial proceedings just showing that you have an auditor sign off is not enough there you have to show evidence too so uh.



Explicit Consent Requirement

Consent must be obtained through an explicit notice detailing data collection, processing, and the involved data processors.

  • Notices must be provided in all Indian languages as per the 8th schedule of the Constitution.
  • Consent is required regardless of the organization's size or sector, including startups, MNCs, hospitals, and housing societies.

Broad Definition of Personal Data

  • Includes any information that can identify an individual, such as names, health data, email IDs, and IP addresses.
  • Merges previous categories of sensitive personal data and personally identifiable information.

Data Protection Board and Penalties

  • Establishes a Data Protection Board to oversee compliance and handle grievances.
  • Penalties for non-compliance can reach up to ₹250 crore per violation, with fines depending on the severity and scale of the data breach.

Breach Notification and Remedial Actions

  • Mandatory notifications to the Data Protection Board and affected individuals in case of a data breach.
  • Organizations must take demonstrable steps to secure data and notify victims post-breach.


The India Privacy Act imposes significant responsibilities on organizations, demanding a proactive approach to data protection and privacy. By understanding and adhering to its key provisions, businesses can navigate this regulatory landscape effectively. The CESO platform is dedicated to supporting its community in staying informed and compliant, fostering a secure and resilient data environment.



Dr. Pavan Duggal is the Founder & Chairman of the International Commission on Cyber Security Law and President of Cyberlaws.Net. He heads the Artificial Intelligence Law Hub and Blockchain Law Epicentre, and is the Founder of Cyberlaw University. Dr. Duggal is the Chief Evangelist of Metaverse Law Nucleus and has directed numerous international conferences on cyber law. He has spoken at over 3000 events and authored 194 books on various legal topics.


Prashant Mali is an acclaimed international cybersecurity and cyber law expert, practicing as a lawyer at the Bombay High Court with 25 years of experience. He holds advanced degrees in computer science and law, and has authored 8 books and 16 research papers on cyber law and data protection. Mali frequently appears on TV and at international conferences, offering expert legal opinions on a wide range of technology-related issues. His landmark legal work includes numerous acquittals and influential policy contributions.


Advocate Puneet Bhasin is a Pioneer in Cyber Laws in India and Awarded the Best Cyber Lawyer in India. She is an advisor to the Rajya Sabha Committees on Internet laws and Recipient of 13 National Awards for contribution in Cyber laws one of them being "Best Cyber Lawyer in India".


Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in USPTO. Fortune recognized Bikash among India’s Top 40 Business Leaders under the age of 40 (Fortune 40-under-40).Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx etc.Earlier he founded iViZ an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to
the cloud.

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa