
Cybercrime and data protection are among the fastest-evolving areas of Indian law. The Digital Personal Data Protection Rules, 2025, notified on November 13, 2025, have operationalised India’s data protection framework. Full compliance obligations will take effect in phases through May 2027. Cybercrime, including UPI fraud, account freezing, online harassment, and data breaches, affects individuals and organisations at all levels.
This page offers general legal information on cyber law and data protection in India, including the IT Act, 2000, the DPDP Act, 2023, and the DPDP Rules, 2025.
Why Cyber Law Requires Technical Understanding
Most legal disputes involving technology have a technical aspect that influences the legal outcome. A data breach is not only a compliance issue; understanding what data was stored, how it was processed, and which systems were involved directly affects the legal obligations under the DPDP Act. Similarly, a cybercrime complaint is not solely a police matter; the technical method of fraud determines the applicable statutory provisions and available remedies.
Fifteen years of professional experience in technology infrastructure, before enrolling as an advocate, inform this practice. Legal analysis here is not limited to the statute. It includes the technical context in which the incident occurred.
Cybercrime & Digital Fraud: Legal Position Under Indian Law
Cybercrime in India is governed primarily by the Information Technology Act, 2000, and the Bharatiya Nyaya Sanhita, 2023. Common digital offences under these laws fall into the following categories:
UPI Fraud & Online Financial Fraud
UPI fraud is now among the most frequently reported cybercrimes in India. Victims often face two issues: recovering funds that were defrauded and, in some cases, the wrongful freezing of their bank accounts during investigations. Each situation has specific legal remedies under Indian law.
UPI and online fraud cases typically require analysis of bank liability, the payment platform’s role, and evidentiary requirements for cybercrime complaints under the IT Act and BNS.
Bank Account Freeze in Cyber Fraud Cases
Law enforcement agencies routinely freeze bank accounts during cybercrime investigations, often without sufficient prior notice to account holders. Courts across India, including the Rajasthan High Court, have issued rulings on procedural requirements for such orders and the legal remedies available to affected individuals.
Legal advisory in these cases includes assessing the lawfulness of the freeze, applicable procedural safeguards, and the appropriate steps for restoration.
Online Harassment, Defamation & Identity Misuse
Digital platforms have enabled new forms of harassment, defamation, and identity misuse, such as morphed images, fake profiles, and doxxing. These offences are addressed under the IT Act, 2000, and the BNS, 2023, and require careful examination of digital evidence and relevant statutory provisions.
Data Protection Under the DPDP Act, 2023 and DPDP Rules, 2025
The Digital Personal Data Protection Act, 2023, is India’s primary data protection law. The DPDP Rules, 2025, notified on November 13, 2025, have operationalised the Act by setting detailed, mandatory requirements for consent, data security, breach notification, and data principal rights. The Data Protection Board of India has been formally established. Full compliance obligations are being implemented in phases, with substantive requirements effective by May 13, 2027.
Non-compliance carries significant financial penalties. The DPDP Act imposes fines of up to ₹250 crore for failing to maintain reasonable security safeguards and up to ₹200 crore for failing to notify a data breach to the Board or affected individuals.
Who Does the DPDP Act Apply To?
The DPDP Act applies to any entity processing digital personal data within India and, in some cases, to entities outside India that process data of Indian individuals. This includes startups, established companies, e-commerce platforms, fintech applications, healthcare providers, and any business collecting user data through apps, websites, or digital forms.
Many businesses today, especially startups, collect personal data without a documented consent framework, a defined privacy notice, or a data breach response procedure. Each of these gaps creates legal exposure under the DPDP Act and DPDP Rules, 2025, and the compliance window is now open.
Key Obligations Under the DPDP Act and DPDP Rules, 2025
The DPDP Rules, 2025, translate the Act’s broad principles into specific, mandatory operational requirements. Key obligations include:
- Consent Notice: Data Fiduciaries must provide a separate, clear, and understandable notice before collecting personal data. This notice must specify the personal data to be processed and the specific purpose for which it will be processed. A generic privacy policy does not meet this requirement.
- Purpose Limitation: Data collected for one purpose cannot be used for an unrelated purpose without fresh consent.
- Reasonable Security Safeguards: The Rules set minimum security measures, including encryption or tokenisation of personal data, access controls, monitoring and logging of data access, data backups, and contractual obligations for data processors to implement equivalent safeguards.
- Data Breach Notification: Upon becoming aware of a data breach, a Data Fiduciary must promptly notify affected individuals and submit a detailed report to the Data Protection Board of India within 72 hours.
- Rights of Data Principals: Individuals have the right to access their data, request corrections, withdraw consent, and seek erasure. Data Fiduciaries must resolve all such grievances within 90 days.
- Children’s Data: When processing children’s personal data, verifiable parental or guardian consent is required, with limited exceptions for healthcare and education services.
- Data Retention: Large digital platforms, such as e-commerce, gaming, and social media, must erase personal data after three years of inactivity, providing 48 hours’ prior notice to the data principal.
DPDP Act Compliance: The Three-Phase Timeline
The DPDP Rules implement a phased compliance approach:
- Phase 1: November 13, 2025: DPDP Rules notified. Data Protection Board of India formally established.
- Phase 2: November 2026 (approx.): Consent Manager registration begins. Data Fiduciaries must be technically ready to integrate with the Consent Manager framework.
- Phase 3: May 13, 2027: Full compliance obligations in effect — including consent notices, security safeguards, breach notification, data principal rights, and data retention requirements.
The 18-month compliance window is already underway. Businesses that begin compliance assessments now, rather than waiting until the May 2027 deadline, will be in a much stronger legal and operational position.
Significant Data Fiduciaries: Enhanced Obligations
Entities designated as Significant Data Fiduciaries (SDFs) have additional obligations under the DPDP Rules, including annual Data Protection Impact Assessments (DPIAs), independent data audits, and the appointment of a Data Protection Officer. DPIA obligations apply from the date of notification of the DPDP Rules (November 13, 2025) or from the date an entity is designated as an SDF.
Matters Covered Under This Practice Area
Legal advisory, drafting, and consultation in this practice area include the following categories:
- Legal advisory on cybercrime complaints — including UPI fraud, account freeze, and online offences
- Assessment of data breach incidents and legal obligations under the DPDP Act and DPDP Rules, 2025
- Review and drafting of privacy notices, consent frameworks, and data processing agreements in accordance with DPDP Rules, 2025 requirements
- DPDP Act compliance advisory for businesses and startups — gap assessment, notice drafting, and security obligations
- Legal analysis of electronic records and digital evidence
- Advisory on data principal rights and obligations of data fiduciaries under the DPDP Rules
- Legal framework analysis relating to cybersecurity incidents and breach response procedures
Applicable Laws
- Information Technology Act, 2000
- Digital Personal Data Protection Act, 2023
- Digital Personal Data Protection Rules, 2025 (notified November 13, 2025)
- Bharatiya Nyaya Sanhita, 2023 (applicable provisions)
- IT (Amendment) Act, 2008
- Relevant rules, judicial precedents, and regulatory guidance issued by the Data Protection Board of India
