Plain-English answers on India's digital regulation.

Twenty of the most common questions I receive from in-house counsel, founders and business leaders navigating India's data privacy, fintech, online gaming, telecom and AI regulation. For deeper dives, each section links through to the relevant practice guide.

Data Privacy & DPDP

India's Digital Personal Data Protection Act, 2023 and Rules, 2025: scope, obligations, and the practical questions clients ask first.

01. What does India's Digital Personal Data Protection (DPDP) Act, 2023 require businesses to do?
The DPDP Act applies to any entity processing the digital personal data of individuals located in India, regardless of where the processor is based. At a minimum, businesses must provide a clear notice before collection, obtain free, specific, informed, unconditional and unambiguous consent (or rely on a prescribed legitimate use), limit processing to the stated purpose, implement reasonable security safeguards, and notify the Data Protection Board of India of any personal data breach. The Digital Personal Data Protection Rules, 2025 add operational detail on notice content, consent management, breach reporting timelines, the role of Consent Managers and the supervisory regime for Significant Data Fiduciaries. Read the full DPDP practice guide →
02. Does the DPDP Act apply to companies based outside India?
Yes. The DPDP Act has extraterritorial reach. It applies to the processing of digital personal data outside India where such processing is in connection with any activity relating to the offering of goods or services to Data Principals within India. A foreign company offering services to Indian users must comply, even with no local establishment, no Indian server and no Indian employee.
03. Who qualifies as a Significant Data Fiduciary under the DPDP Act?
The Central Government may notify any data fiduciary or class of data fiduciaries as a Significant Data Fiduciary based on factors such as the volume and sensitivity of personal data processed, the risk to data principals, the impact on India's sovereignty and integrity, electoral democracy, security of the state, and public order. Once notified, an SDF must appoint a resident Data Protection Officer, an independent data auditor, and undertake periodic Data Protection Impact Assessments. Banks, large consumer-internet platforms, healthcare aggregators and credit information companies are likely candidates.
04. What is a Consent Manager under the DPDP Act?
A Consent Manager is a registered entity that provides Data Principals with a single point of contact through which to give, manage, review and withdraw consent. The Consent Manager is registered with the Data Protection Board of India and is required to maintain interoperability standards prescribed under the DPDP Rules, 2025. The design draws on the architecture of the Reserve Bank of India's Account Aggregator framework. I have written about this in detail for the IBA →
05. How quickly must a personal data breach be reported under the DPDP Act?
The DPDP Rules, 2025 require Data Fiduciaries to notify the Data Protection Board of India and affected Data Principals of a personal data breach without delay. An initial intimation must be made to the Board, with a detailed report to follow within the timeline prescribed in the Rules. Failure to notify is a separately penalised contravention under Schedule I of the DPDP Act. The timeline runs from the moment you should reasonably have known, not from the moment you actually did, making detection the single most important investment.
06. What are the penalties for non-compliance with the DPDP Act?
The DPDP Act provides for graded monetary penalties of up to INR 250 crore (approximately USD 30 million) for failure to take reasonable security safeguards leading to a personal data breach. Lesser penalties apply to other categories of breach, including failure to notify the Data Protection Board, breach of children's data obligations, and breach of additional Significant Data Fiduciary obligations. The Data Protection Board adjudicates complaints and imposes penalties having regard to the nature, gravity, duration and impact of each breach.
07. Does the DPDP Act allow cross-border transfer of personal data from India?
Yes. The DPDP Act adopts a negative-list approach. Personal data may be transferred outside India to any country except those the Central Government specifically restricts by notification. This is a meaningful departure from the GDPR's adequacy-plus-safeguards architecture: by default, cross-border transfer is permitted, and a restriction must be affirmatively imposed. Sectoral regulators such as the RBI for payment system data and SEBI for certain regulated entities may, however, impose stricter localisation requirements that are not displaced by the DPDP Act.
08. What is the difference between a Data Fiduciary, Data Processor and Data Principal under the DPDP Act?
A Data Principal is the individual to whom personal data relates, including minors acting through a lawful guardian. A Data Fiduciary is any person who, alone or in conjunction with others, determines the purpose and means of processing, the closest analogue to a controller under the GDPR. A Data Processor is any person who processes personal data on behalf of a Data Fiduciary. The Data Fiduciary carries the bulk of the statutory burden; a Processor that strays outside the documented instructions of the Fiduciary may be treated as a Fiduciary for that excursion.

Fintech & Financial Services

Digital lending, payment aggregators, virtual digital assets, account aggregators and the RBI's evolving regulatory toolkit.

09. What does a fintech lawyer in India advise on?
A fintech lawyer in India counsels on the regulatory framework that governs financial technology, principally administered by the Reserve Bank of India, the Securities and Exchange Board of India and the International Financial Services Centres Authority. Typical engagements include digital lending compliance under the RBI's Digital Lending Guidelines, payment aggregator and payment gateway authorisation, prepaid payment instruments, account aggregator obligations, co-lending and First Loss Default Guarantee arrangements, cross-border remittance, virtual digital asset compliance, NBFC licensing, and product-structuring to align with the relevant master directions and circulars. Read the full fintech practice guide →
10. Are cryptocurrencies legal in India?
Cryptocurrencies and other virtual digital assets are not banned in India but are heavily regulated. The Finance Act, 2022 introduced a flat 30% tax on income from the transfer of virtual digital assets and a 1% TDS on transfers above prescribed thresholds. Virtual digital asset service providers are obligated entities under the Prevention of Money Laundering Act, 2002 and must register with the Financial Intelligence Unit. There is no dedicated statute, but the framework is consequential, and the Reserve Bank of India has consistently expressed reservations about private cryptocurrencies.
11. What does the RBI's Digital Lending framework require?
The RBI's Digital Lending Guidelines, issued in September 2022 and amended several times since, regulate lending through digital channels. Key obligations include direct disbursal of loan proceeds to the borrower's bank account, direct collection of repayments by the regulated entity, mandatory disclosure of the Annual Percentage Rate, a cooling-off period, restrictions on automatic credit limit increases, and clear disclosures around the role of Lending Service Providers. Loan Service Providers and Digital Lending Apps must operate within the framework set by the regulated lending entity.

Online Gaming

The 2025 ban on online money gaming, the surviving e-sports framework, and what the law now permits and prohibits.

12. Is online real-money gaming still legal in India after the 2025 ban?
The Promotion and Regulation of Online Gaming Act, 2025 prohibits the offering, facilitating, advertising and participation in online money gaming services within India. Online money gaming is broadly defined to include real-money games of both skill and chance played for a stake or wager with the prospect of winnings. E-sports and online social games remain permitted under the same legislation. Constitutional challenges to the statute are ongoing, and operators with existing real-money offerings should immediately review their products, payment flows, user-balance positions, advertising and overseas operations against the prohibition. Read the full gaming practice guide →
13. What is the difference between e-sports, online social gaming and online money gaming in India?
Under the Promotion and Regulation of Online Gaming Act, 2025, e-sports refers to competitive video gaming organised as a sport, and online social games are games played online for entertainment without any element of staking or wagering for winnings. Both are permitted and indeed promoted under the legislation. Online money gaming covers games where users stake or wager money or other consideration for the prospect of winnings, including both games of skill (such as rummy or fantasy sports for stakes) and games of chance. Online money gaming is now prohibited.
14. What is the position on advertising of online money gaming after the 2025 Act?
The Promotion and Regulation of Online Gaming Act, 2025 prohibits the advertisement and promotion of online money gaming services in India by any person, including celebrities and social-media influencers. Print, broadcast and digital media as well as platforms are within scope. Existing advertising contracts and influencer arrangements should be reviewed and unwound where they touch on online money gaming, and brand-safety policies updated accordingly.

Telecom & IT Compliance

The Telecommunications Act, 2023 transition, OTT regulation, and the CERT-In directions that catch most digital businesses.

15. How does the Telecommunications Act, 2023 change the regulatory landscape for telecom in India?
The Telecommunications Act, 2023 replaces the Indian Telegraph Act, 1885 and the Indian Wireless Telegraphy Act, 1933. It introduces an authorisation-based framework instead of the licence-and-permission architecture of the prior regime, restructures the spectrum-assignment process, modernises the interception and lawful-monitoring framework, recognises and regulates over-the-top communications services in specified respects, and provides for measures against unsolicited commercial communications. Transitional provisions preserve existing licences for defined periods.
16. Do CERT-In directions apply to my organisation?
The CERT-In directions issued under Section 70B(6) of the IT Act apply broadly to service providers, intermediaries, data centres, body corporates and Government organisations operating in India. Among other things, they require synchronisation of system clocks to NTP servers, reporting of specified cyber incidents within six hours, maintenance of logs for 180 days within India, and significant record-keeping obligations for VPN, virtual private server and cloud service providers and for virtual asset service providers. Most non-trivial digital businesses operating in India fall within scope.

AI & Emerging Technology

India has no AI statute yet, but the existing framework already governs most deployment decisions.

17. How does Indian law currently regulate the use of AI systems?
India does not yet have a dedicated artificial intelligence statute. AI deployments are governed by the existing legal framework, principally the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, the Copyright Act, 1957, and sectoral guidance from regulators such as the Reserve Bank of India for financial services. Organisations deploying AI systems in India should focus on consent and lawful basis for training data, intermediary liability under Section 79 of the IT Act, intellectual property allocation between developer and user, liability for model outputs, and emerging guardrail expectations from the Ministry of Electronics and Information Technology.
18. What intellectual property issues arise when training or deploying AI in India?
The principal IP issues are training-data risk (whether copyrighted works are used as training inputs and on what basis), authorship and ownership of AI-generated outputs (Indian copyright law requires human authorship for protection), trade-secret protection of model weights and prompts, contractual allocation of risk between the developer, the deployer and the end user, and the application of the existing intermediary-liability framework to generative outputs. India does not yet have a statutory text-and-data-mining exception, which is one of the more pressing open questions for the next round of reform.

Working With Me

The practical questions about engagement, scope and access.

19. What kind of work do you typically take on?
I advise Indian and global businesses on the regulatory architecture shaping India's digital economy: DPDP Act compliance programmes, fintech product structuring and licensing, online gaming and e-sports regulation, telecom and OTT, AI governance and deployment, intermediary liability, technology contracts and outsourcing, and the technology chapters of M&A due diligence. Clients range from early-stage Indian startups through to listed companies and global technology, financial-services and media businesses.
20. How can I get in touch?
Use the contact form on the homepage, or email naqeeb.ahmed@cms-induslaw.com directly. I respond to legitimate professional enquiries within two working days, typically faster. For LinkedIn, my profile is at linkedin.com/in/naqeebkazia. I am based at the Bengaluru office of CMS INDUSLAW and can take instructions from clients anywhere in India and globally.
