The DPDP Act for Advocates and Law Firms
A law practice is a concentration of other people's personal data: Aadhaar and PAN copies in vakalatnamas, addresses and phone numbers in petitions, medical records in MACT claims, bank statements in matrimonial and insolvency matters. Under the DPDP Act, the firm holding that data is a Data Fiduciary — and the obligations attach to the firm, not the client.
Where DPDP meets daily legal practice
| Daily activity | DPDP consideration |
|---|---|
| Collecting client KYC and case documents | Notice and lawful basis — usually voluntary provision for a specified purpose (Section 7(a)) or consent |
| Filing documents containing third-party PII | Compliance with law / court procedure is a legitimate use — but over-disclosure beyond what the filing requires is not |
| Emailing briefs and annexures | Reasonable security safeguards: encrypt or password-protect attachments containing personal data |
| Using cloud PDF tools to merge/compress filings | Each tool is a Data Processor — contract, safeguards and retention visibility required |
| Storing closed-matter files indefinitely | Retention must map to a purpose or statutory requirement; indefinite ad-hoc storage is exposure |
| Sharing case papers with counsel/experts | Disclose the minimum necessary; redact identifiers that the recipient does not need |
Redaction becomes a duty, not a courtesy
Data minimisation means filings and shared documents should carry only the personal data the purpose requires. Masking Aadhaar numbers, PAN, bank account numbers and minors' identities before circulation is the practical expression of that duty. Two cautions: drawing a black rectangle over text in a PDF does not remove the text underneath, and uploading a client document to a free cloud redaction tool defeats the purpose — you have disclosed the entire unredacted document to an unknown processor in order to redact it.
Privilege does not exempt you
Professional privilege protects communications from compelled disclosure; it does not exempt the firm from data protection obligations toward the personal data it holds. The two regimes coexist: privilege governs who can demand your files, DPDP governs how you must protect them.
A five-point plan for a law office
- Inventory client-document storage (server, drives, email, clerks' laptops) and apply access controls and encryption.
- Replace cloud PDF utilities with client-side tools for merging, compressing, redacting and converting case files.
- Adopt a redaction SOP: pattern-based detection of Aadhaar/PAN/phone numbers, true text-layer removal, and a verification pass.
- Password-protect (AES) documents sent by email; share passwords over a separate channel.
- Define retention: how long closed-matter files are kept, and a yearly purge with a log entry.
Redact filings without uploading them
EverydayPDF's Auto-Redact detects Aadhaar, PAN, phone numbers and other Indian identifiers and removes them permanently — entirely in your browser, with a compliance certificate generated for your records.
Auto-redact a filingFrequently asked questions
Is a law firm a Data Fiduciary under the DPDP Act?+
Yes. The firm determines the purpose and means of processing the personal data in its matters, which is the statutory definition of a Data Fiduciary. Individual advocates practising solo are fiduciaries in the same way.
Do I need client consent to file documents containing their personal data?+
Filing pursuant to law or court procedure falls within legitimate uses, and clients typically provide documents voluntarily for the purpose of the engagement. The obligation that bites is minimisation and safeguards: disclose only what the proceeding requires and protect what you hold.
Can I keep using free online PDF tools for case documents?+
Every upload transfers client personal data to a third-party processor — one you likely have no contract with, whose servers may be outside India, and whose retention you cannot verify. Under DPDP's safeguard obligations that is difficult to defend. Client-side tools that process files in the browser avoid the transfer entirely.
What happens if my firm suffers a data breach?+
You must notify affected individuals and the Data Protection Board within the prescribed timelines, regardless of breach size — there is no materiality threshold. Failure to notify carries penalties up to ₹200 crore; failure of the underlying safeguards, up to ₹250 crore.
Continue reading
Compliance checklist
Twelve concrete steps — from data mapping to breach drills — sized for firms without a compliance department.
Is your PDF tool compliant?
The five questions to ask any document tool before sending client files to it — and the architecture that makes them moot.
Penalties under DPDP
The full fine schedule — from ₹10,000 for individuals to ₹250 crore for security-safeguard failures.
For CAs & tax professionals
PAN, 26AS, bank statements, Form 16 — obligations for the practice that holds a city's financial data.
This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.
