Understanding the India Privacy Act: Consent, Compliance, and Consequences by Dr. Pavan Duggal, Dr. Prashant Mali, Puneet Bhasin & Bikash Barai

The India Privacy Act represents a significant advancement in the country's data protection landscape, aiming to safeguard digital personal information. This blog examines key aspects of the Act, its implications for various organizations, and the steps necessary to ensure compliance. Insights from a recent panel discussion on the CISO Platform, featuring top cyber law experts, provide a comprehensive understanding of this legislation.



Here is the verbatim discussion:

...and then an organization cannot say, "I do not have the bandwidth or the monetary requirements for it." So I'll give you a simple example: nowhere is the Act specifying a percentage of turnover like the GDPR. So when they're giving a blanket figure of up to 150 crores, up to 250 crores, up to 100 crores, you need to understand the magnitude of the offense. Let's say if it's hospital data: there have been actual cases (I will not quote the cases, but abroad there have been cases) where HNIs have been targeted; their medical information, when they were hospitalized, was manipulated to, you know, obviously create a risk to their life. And in India this could be happening so many times. As a matter of fact, many people who are actively involved in data protection would be aware that in the years '21 and '22 in India, majorly, most of the hospitals faced cyber breaches. Even right now, medical data is the second highest targeted data after financial data, that of banks and insurance, etc. So considering the sensitivity of such data, whether you may say "I'm a small clinic", that does not mean that you cannot risk your patient's life. End of the day you need to understand the repercussion. You may say "I don't have 100 crores", but then in that situation, if you even read the CPC, in the event there is a compensation, in the event there is any kind of money, that's a civil clear.

It talks of a personal breach. This law is only applicable if there is a breach of digital personal information. So the moment I give non-digital personal information, which is maybe a printout, then technically, from an interpretation standpoint, it can be argued that this is not coming within the ambit of the law. But if I give a printout of a PAN card or an Aadhaar which subsequently gets digitized, I still come within the ambit of this law. So in each particular case, look at whether the ultimate digitization of the personal data took place or not. If it has taken place and subsequent thereto there's been a data breach, then of course this law is going to be applicable. But if I was to just give my Aadhaar or a PAN card number photocopy to my cellular service provider who does not digitize it but just monetizes it by selling it, then to that extent it would not really qualify as a breach under the digital personal data protection legal framework. But these are very, very great complications; we'll have to still await more clarifications in the rules and regulations that the government may come up with very shortly. So for all practical purposes, people are going to digitize; very few are going to sell it as, like, a Xerox copy, right? So for all practical.



Explicit Consent Requirement

  • Consent must be obtained through an explicit notice detailing data collection, processing, and the involved data processors.
  • Notices must be provided in all Indian languages as per the 8th schedule of the Constitution.
  • Consent is required regardless of the organization's size or sector, including startups, MNCs, hospitals, and housing societies.

Broad Definition of Personal Data

  • Includes any information that can identify an individual, such as names, health data, email IDs, and IP addresses.
  • Merges previous categories of sensitive personal data and personally identifiable information.

Significant Penalties for Non-Compliance

  • Penalties for non-compliance can reach up to ₹250 crore per violation.
  • The severity of fines depends on the scale and impact of the data breach.
  • Unlike GDPR, the Act does not specify penalties as a percentage of turnover but rather imposes blanket fines.

Breach Notification and Remedial Actions

  • Mandatory notifications to the Data Protection Board and affected individuals in case of a data breach.
  • Organizations must take demonstrable steps to secure data and notify victims post-breach.

Applicability to Digital Data

  • The Act applies to breaches of digital personal information.
  • Non-digital data that is subsequently digitized falls within the Act's purview.


The India Privacy Act imposes significant responsibilities on organizations, demanding a proactive approach to data protection and privacy. By understanding and adhering to its key provisions, businesses can navigate this regulatory landscape effectively. The CISO Platform is dedicated to supporting its community in staying informed and compliant, fostering a secure and resilient data environment.



Dr. Pavan Duggal is the Founder & Chairman of the International Commission on Cyber Security Law and President of Cyberlaws.Net. He heads the Artificial Intelligence Law Hub and Blockchain Law Epicentre, and is the Founder of Cyberlaw University. Dr. Duggal is the Chief Evangelist of Metaverse Law Nucleus and has directed numerous international conferences on cyber law. He has spoken at over 3000 events and authored 194 books on various legal topics.


Prashant Mali is an acclaimed international cybersecurity and cyber law expert, practicing as a lawyer at the Bombay High Court with 25 years of experience. He holds advanced degrees in computer science and law, and has authored 8 books and 16 research papers on cyber law and data protection. Mali frequently appears on TV and at international conferences, offering expert legal opinions on a wide range of technology-related issues. His landmark legal work includes numerous acquittals and influential policy contributions.


Advocate Puneet Bhasin is a pioneer in cyber laws in India and was awarded Best Cyber Lawyer in India. She is an advisor to the Rajya Sabha Committees on Internet laws and a recipient of 13 national awards for contributions in cyber laws, one of them being "Best Cyber Lawyer in India".



Bikash Barai is credited for several innovations in the domain of Network Security and Anti-Spam Technologies and has multiple patents in the USPTO. Fortune recognized Bikash among India's Top 40 Business Leaders under the age of 40 (Fortune 40-under-40). Bikash is also an active speaker and has spoken at various forums like TiE, RSA Conference USA, TEDx, etc. Earlier he founded iViZ, an IDG Ventures-backed company that was later acquired by Cigital and now Synopsys. iViZ was the first company in the world to take Ethical Hacking (or Penetration Testing) to the cloud.

