# DPDP Act 2023 — implications for Indian legal practice in 2026
_Published 2026-04-25T09:00:00.000Z · Updated 2026-05-11T16:12:29.214Z · By Aniruddh Atrey_
Canonical: https://www.courtnetra.com/blog/dpdp-act-2023-legal-practice
Category: Compliance
Tags: DPDP Act, data protection, IT Rules 2021, privacy, compliance
---
> A 2026 practitioner's overview of the Digital Personal Data Protection Act 2023 — what changes for advocates, how matter records are treated, client-data obligations, and the breach-notification regime.
![A team reviewing privacy and compliance documents — DPDP-era data hygiene](https://images.unsplash.com/photo-1517048676732-d65bc937f952?w=1600&h=900&q=80&auto=format&fit=crop)

The Digital Personal Data Protection Act 2023 (DPDP Act) is now operational across most provisions, with the Data Protection Board of India (DPBI) constituted and notice-rules finalised. For Indian advocates, the Act changes both their own data-handling obligations and the legal landscape they advise clients in. This post covers both.

## What the DPDP Act covers

The DPDP Act regulates the processing of digital personal data — any data about an identified or identifiable individual that is processed digitally. Key actors:

- **Data Principal** — the individual the data relates to

- **Data Fiduciary** — the entity processing the data (this is most companies, including law firms)

- **Significant Data Fiduciary (SDF)** — entities designated by the central government based on volume, sensitivity, risk

- **Data Processor** — entity processing data on behalf of a Data Fiduciary

- **Consent Manager** — registered intermediaries facilitating consent management

A Data Fiduciary's principal obligations:

- Process personal data only for lawful purposes with consent (Sections 4-7)

- Provide notice to the Data Principal (Section 5)

- Implement reasonable security safeguards (Section 8(5))

- Notify breaches to the DPBI and to affected Data Principals (Section 8(6))

- Erase personal data when consent is withdrawn or purpose is fulfilled (Section 8(7))

- Appoint a Data Protection Officer where the entity is an SDF (Section 10(2)(a))

## What changes for the law firm itself

A law firm processes personal data of:

- Clients (matter records, communications, financial details)

- Counter-parties (in the firm's matter records)

- Witnesses, experts, and third parties

- Employees and contractors

- Service providers (AOR network, vendors)

Each of these involves obligations under the DPDP Act:

**Notice to clients.** When a firm onboards a new client, the engagement letter must include a privacy notice — purposes of processing, retention period, rights under the DPDP Act. Indian Bar Council Rules already require client engagement letters; the DPDP Act adds the privacy-notice element.

**Consent for processing.** Most matter-related processing is justifiable on contractual or legitimate-purpose grounds (Section 7). Where the firm uses client data for marketing — e.g., adding to a newsletter list — explicit consent is needed.

**Retention.** The DPDP Act requires erasure when the purpose is fulfilled. For litigation files, the "purpose" extends through the limitation period for professional-negligence claims (typically 3 years from end of representation). Permanent retention of all matter records without justification is a DPDP non-compliance.

**Security.** Reasonable security safeguards are mandatory. For most law firms, this means at minimum: access-controlled cloud storage, encrypted backups, role-based permissions, breach-detection capability.

**Breach notification.** A breach of personal data must be notified to the DPBI without undue delay and to affected Data Principals where there is significant impact. The threshold and timeline rules were finalised in the 2024-2025 rule-making rounds.

## What changes in advice to clients

For advocates whose clients are themselves Data Fiduciaries (most corporates, fintechs, healthcare entities, e-commerce):

**Cross-border data flow.** The DPDP Act allows transfer of personal data outside India except to countries notified by the central government as restricted. As of 2026, the restricted-country list is short. But for sensitive sectors (financial services, health), sectoral regulators (RBI, IRDAI, NHA) have additional data-localisation requirements that go beyond DPDP.

**Children's data.** Section 9 prohibits processing children's data except where verifiable parental consent is obtained. This is operationally hard for many digital products and has generated significant compliance work.

**SDF designation.** Significant Data Fiduciary designation triggers additional obligations — DPO appointment, data protection impact assessments, periodic audits. Designation criteria include volume of data, sensitivity, and risk to Data Principals; the DPBI publishes designations.

**Contractual flow-down.** Service-provider contracts must include DPDP-compliant data-processing terms. Standard MSA templates are being updated industry-wide; advocate review of these clauses has become a steady advisory line.

## Litigation under the DPDP Act

The DPDP Act creates new litigation patterns:

**DPBI proceedings.** The Data Protection Board of India hears complaints and imposes monetary penalties under Section 33. Penalties can reach significant levels — up to ₹250 crore for breach of obligations relating to security safeguards.

**Appeal forum.** Section 30 — appeals from DPBI orders go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). This is a notable forum choice — TDSAT was originally the telecom appellate body but has been re-purposed as the data-protection appellate forum.

**Class actions.** Section 38(1)(c) of the Consumer Protection Act 2019 allows class complaints; data-breach claims can be routed through the consumer forums alongside the DPDP regime.

## How CourtNetra handles DPDP compliance for itself

CourtNetra is a Data Fiduciary for client (advocate) and matter data. The platform's posture:

- **Indian data residency.** All customer data stored in Indian data centres.

- **Explicit consent in onboarding.** Privacy notice in the engagement flow at /register and /privacy-policy.

- **Role-based access.** Matter records visible only to assigned advocates. Audit logs track access.

- **Encryption.** At rest and in transit.

- **Breach notification.** Documented procedure for DPBI and affected Data Principal notification within timelines specified by rules.

- **Grievance officer.** Documented at /grievance under both IT Rules 2021 and DPDP Act Section 8.

For client-uploaded matter facts (sensitive personal data of the advocate's clients), CourtNetra acts as a Data Processor on behalf of the law firm (the Data Fiduciary). The contract with the firm includes the standard processor-flow-down clauses required by the DPDP Act.

## Practical posture for law firms in 2026

Working compliance steps for an Indian law firm:

- **Privacy notice** in engagement letters, consistent across the firm's intake flow.

- **Retention policy** in writing — typically 7 years from end of matter for case files, with cleared destruction processes after.

- **Security** — encrypted laptops, cloud-backed matter management, access-controlled file storage, password manager for the firm.

- **Breach response plan** — written, tested annually. Knowing whom to call within the first hour matters more than perfect documentation.

- **Vendor diligence** — review the data-processing terms of every cloud service the firm uses.

- **Training** — paralegal and junior associate training on data-handling. The DPDP Act's penalties affect the firm regardless of who caused the breach.

- **Engagement-letter update** — standard advocate-client engagement letters need a privacy notice section. Most firms updated by mid-2025.

## The bottom line

The DPDP Act is now part of working Indian legal practice — not a compliance afterthought. Law firms that built compliance in early have less catch-up to do; firms that haven't have a 6-12 month modernisation programme ahead. For client advisory work, DPDP-compliance reviews are now a standard line item alongside contract review, IT audits, and IPR matters.

CourtNetra is built for DPDP-compliant Indian legal practice — Indian data residency, role-based access, audit logs, breach-notification procedures. The platform's compliance posture is documented at /data-protection.