The New Data Protection Act in India: Critical Implications for CCTV Installers & Users

Understanding India’s Digital Personal Data Protection Act (DPDPA) 2023: What CCTV Users Should Know

Updated: August 30, 2025 | Reflecting current implementation status as of late 2025

🛑 Critical Disclaimer

This article represents our operational perspective as a CCTV service provider based on publicly available government communications and industry analysis. It is NOT legal advice. Our interpretations:

  • Reflect our understanding of draft rules and government statements
  • May differ from future regulatory guidance or judicial interpretations
  • Do not constitute professional legal opinion

Always consult a qualified data protection lawyer for compliance decisions. The Ministry of Electronics & IT (MeitY) remains the sole authoritative source for DPDPA requirements.

Clarifying the Current Status of DPDPA 2023

India’s Digital Personal Data Protection Act (DPDPA), 2023 represents a significant milestone in data privacy legislation. However, it’s crucial to understand that the law has not yet come into full effect. Published in the Gazette of India on August 11, 2023, the Act is currently being implemented in phases, with most provisions expected to become operational by late 2025 or early 2026 following the establishment of the Data Protection Board of India (DPB) and finalization of rules.

Important context: The government is actively working on implementation frameworks, but no compliance deadlines currently exist. Businesses and residential societies should use this transition period for preparation, not panic.

What the DPDPA Will Mean for CCTV Surveillance (When Implemented)

Once fully operational, the DPDPA will impact CCTV usage in these key ways:

1. Personal Data Definition Applies to CCTV Footage

Footage capturing identifiable individuals (faces, license plates, etc.) will qualify as personal data under the law. This includes recordings from:

  • Corporate lobbies and common areas
  • Residential society gates and elevators
  • Commercial complexes and public spaces

Note: The exact boundaries of “identifiable” footage are still being clarified in draft rules.

2. Transparency Requirements (Not Always Consent)

While explicit consent isn’t required for security-related surveillance (per Section 9(1)(a) of the Act), mandatory disclosure will be required:

  • Clear signage at entry points stating:
    • Surveillance is active
    • Purpose of collection (e.g., “Security monitoring”)
    • Contact details for data queries
  • Privacy notices accessible to all stakeholders

3. Strict Purpose Limitation

Footage can only be used for declared purposes:

  • ✅ Security monitoring (theft, trespassing)
  • ❌ Employee productivity tracking (without additional consent)
  • ❌ Marketing or unrelated investigations

4. Data Minimization & Retention Rules

  • Collect only footage necessary for stated purposes
  • Retain recordings only as long as needed (typically 30-90 days for security footage, unless legal proceedings require longer retention)
  • Draft rules suggest automatic deletion protocols will be mandatory

5. Security Safeguards

Organizations must implement:

  • Encryption of stored footage
  • Access controls (role-based permissions)
  • Audit trails for footage access
  • Protection against breaches (with mandatory breach reporting)

6. Data Subject Rights

Individuals will have the right to:

  • Request access to footage containing them
  • Seek correction of inaccurate footage (limited applicability)
  • Demand deletion (subject to legal/security exceptions)

Organizations must respond within 30 days.

Preparing for Compliance: Practical Steps

Since enforcement isn’t immediate, use this transition period wisely:

For Businesses & Residential Societies

  • Signage Audit: Not yet required; 3-6 months before enforcement
  • Retention Policy Drafting: Voluntary best practice; 6-12 months before enforcement
  • Storage Security Upgrade: Recommended; 6-12 months before enforcement
  • Staff Training: Proactive measure; 3 months before enforcement

For CCTV Service Providers

Responsible vendors should:

  • Offer systems with configurable privacy zones (masking windows/washrooms)
  • Provide encrypted storage options with audit logs
  • Enable automated deletion schedules
  • Avoid making claims about “immediate compliance requirements”

Understanding Penalties (When Law Takes Effect)

The DPDPA specifies fines for violations:

  • Maximum penalty: ₹250 crores (for severe breaches like inadequate security)
  • No “4% of turnover” provision (this misstatement appears in many articles)
  • Penalties apply only after DPB establishment and enforcement begins

Critical note: The Data Protection Board of India (DPB) is still being constituted. Recent budget allocations (2025-26) show initial funding for its setup, confirming it does not yet exist as an operational body.

Responsible Implementation: A Balanced Approach

The DPDPA aims to balance security needs with privacy rights. For CCTV systems:

Do:

  • Place cameras to cover public areas while avoiding private zones
  • Document your “purpose limitation” policy
  • Train security staff on handling footage requests

Don’t:

  • Claim “immediate compliance is required” (it isn’t)
  • Suggest fines apply today (they don’t)
  • Overstate individual deletion rights (security footage has exemptions)

How Service Providers Can Help (Without Fear-Mongering)

As the law approaches implementation, reputable CCTV providers should:

  • Offer compliance readiness assessments (not “emergency fixes”)
  • Provide modular upgrades (e.g., adding encryption to existing systems)
  • Share government-approved resources (like MeitY’s draft guidelines)
  • Clarify that legal advice is needed for specific compliance questions

The Bottom Line

The DPDPA 2023 will transform data privacy in India, including CCTV surveillance practices. While compliance isn’t required today, the transition period offers a valuable opportunity to:

  1. Audit current CCTV practices
  2. Upgrade systems incrementally
  3. Educate stakeholders about upcoming changes

Important disclaimer: This article reflects our preparatory perspective as a technology service provider. The DPDPA is not yet in force. Always verify requirements through official channels:

  • Ministry of Electronics & IT (MeitY) DPDPA Portal
  • Official Gazette notifications

This is general guidance only. Consult a legal professional for organization-specific compliance planning.

    CCTV as a Service: Supporting your preparation for India’s data privacy future
    Mumbai | Navi Mumbai | Thane
    www.cctvasservice.com/dpdpa-prep

    We provide no-cost readiness assessments to help organizations understand upcoming requirements – without alarmist claims. Because true compliance starts with accurate information.

    © 2025 CCTV as a Service. All information verified against MeitY’s latest DPDPA implementation updates (August 2025).
