India: Digital Personal Data Protection (Amendment) Bill, 2025 (No. 38 of 2025), including data protection regulation was introduced to Council of States

On 5 December 2025, the Digital Personal Data Protection (Amendment) Bill, 2025 (No. 38 of 2025) was introduced to the Council of States of the Parliament of India. The Bill amends the Digital Personal Data Protection Act, 2023, addressing gaps in privacy safeguards, strengthening the independence of the Data Protection Board, and enhancing consent, security standards, and children’s data protection. It applies to all entities processing the personal data of Indian residents, including foreign providers, and extends the Act’s scope to cover data processed outside India if it relates to offering goods or services to individuals within the country. The Bill defines harm to include unauthorised profiling and surveillance, and introduces a definition of profiling as any processing that predicts or analyses a person’s behaviour, attributes, or interests. It requires data fiduciaries to obtain specific, prior, informed, and explicit consent before sharing personal data, to disclose the purpose of processing, and to provide prior notice for data transfers abroad. Any unauthorised sharing of data is treated as a personal data breach, attracting penalties and compensation liability. The Bill also prohibits processing for profiling, behavioural monitoring, or targeted advertising without explicit consent, and introduces a right for data principals to transfer their personal data from one fiduciary to another where consent has been given. The Bill revises Section 17 on exemptions, removing the Central Government’s power to selectively exempt entities from key obligations such as consent, notice, and user rights. Any exemptions under Section 17 must now be reasonable, non-arbitrary, and subject to judicial review. Section 7 is amended to allow processing to comply with judgments or orders, including foreign ones, but only when enforced through competent Indian courts. The Bill introduces new rights for data principals, including the right to seek compensation for harm caused by a data fiduciary or processor (Section 6A) and the right to be forgotten (Section 8A). Under the right to be forgotten, data principals can request the erasure, deletion, or restriction of personal data held by public authorities if it is no longer needed, consent is withdrawn, or retention is not required by law or public interest. Public authorities must act on valid requests within thirty days, confirm erasure or anonymisation, provide explanations for refusals, and allow appeals to the Data Protection Board.