At a glance
Law practices get the DPDP Act’s most unusual deal: processing necessary for enforcing a legal right or claim — the core of litigation work — is exempt from most of the Act (Section 17), and processing by courts sits outside it too. But the exemption is narrower than the profession assumes: security safeguards and the bar on indefinite storage survive it, and everything around the case work — client onboarding, marketing, staff data, the firm’s own operations — is fully in scope. The working model is two buckets, and knowing which bucket a file sits in.
Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to law firms and legal practices; it is not formal legal advice.
The situation
Lawyers hold other people’s worst moments in writing — disputes, investigations, matrimonial files, opposing parties’ finances — and the profession’s instinct is that privilege already governs all of it. The DPDP Act complicates that in both directions at once: it carves out the adversarial core of legal work more generously than almost any other profession gets, and it captures the ordinary business of running a firm exactly like any other business. Practices that read only the carve-out will miss where they’re exposed; practices that read only the duties will over-engineer their litigation files. The skill is the split.
Does DPDP apply to a law practice at all?
Yes — a firm or solo advocate deciding why and how personal data is used is a Data Fiduciary; the question is which processing falls inside the exemption. The Act exempts processing necessary for enforcing any legal right or claim (Section 17), and processing by courts and tribunals in their judicial functions — recognition that adversarial work can’t run on the other side’s consent. You don’t ask the opposing party’s permission to hold their documents for a recovery suit. But the exemption attaches to processing, not to lawyers: it covers what’s necessary for the claim, and the rest of the practice — engagement management, business development, HR, billing, the website’s enquiry form — is ordinary fiduciary territory with the full duties: notice, consent or another basis, security, breach reporting, retention limits.
The data a legal practice actually holds
Two buckets with very different rules — and the sensitive one is bigger than the client list.
- Bucket one — matter data (largely exempt): case files and evidence, opposing parties’ and witnesses’ personal data, financial records in disputes, matrimonial and criminal-matter material — processing necessary for the claim.
- Bucket two — practice data (fully in scope): client onboarding and KYC, engagement letters and billing, the contact database and marketing lists, website and enquiry-form data, staff and recruitment files, vendors’ and counsel-network details.
- The overlap — the same client’s data can sit in both: their identity details in your onboarding system (bucket two) and their affidavit in the matter file (bucket one). The file doesn’t inherit the exemption because the client is in litigation; the processing purpose decides.
And the matter files hold the most explosive content a professional can leak — allegations, evidence, strategy — which is why the duties that survive the exemption matter so much.
The obligation that actually bites: the exemption’s real edges
The legal-claims exemption removes consent and rights machinery from matter work — it does not remove security, and it does not cover the firm as a business. Three edges to hold:
- Security survives. Even exempt processing remains subject to the Act’s security-safeguard duty and the bar on holding data indefinitely — a leaked matter file is a statutory security failure (with penalties in the top band) regardless of the exemption, on top of everything it does to privilege and the client. “Exempt” never means “unprotected.”
- “Necessary for the claim” is the boundary. Holding the opposing party’s records for the suit is exempt; mining matter data for business development, or keeping every closed file forever “in case,” is not what the words cover. When the claim ends, the exemption’s purpose ends with it — closed files move to a retention schedule justified by professional norms and limitation periods, not by inertia.
- Bucket two gets no shelter. The enquiry form needs a notice; the newsletter list needs consent; staff data runs on the employment ground with its own limits; the firm’s vendors — e-discovery platforms, transcription, cloud practice-management — need contracts binding security, breach notice and deletion. A firm that answers every question with “privilege” has confused its two buckets.
Where DPDP sits alongside privilege and professional duty
Privilege and confidentiality protect the client from disclosure; the DPDP Act regulates the data operation — they stack, they don’t substitute. The statutory privilege for advocate–client communications and the Bar Council’s confidentiality norms are duties owed to the client, enforced through professional discipline and evidence law. The DPDP Act adds a different axis: duties about everyone’s data in your systems (including opposing parties and witnesses, via the surviving security duty), a regulator with penalty powers, and — for bucket two — enforceable rights held by clients, staff and enquirers as data principals. In practice the regimes point the same way: what privilege has always demanded culturally (guarded files, controlled disclosure), the Act now demands operationally (access controls, breach response, retention schedules). The firms with real information hygiene will find DPDP mostly names what they already do; the firms running matters over personal email will find both regimes offended at once.
Common mistakes law practices make
The failure pattern is the blanket answer — in either direction.
- “We’re lawyers, DPDP doesn’t apply” — the exemption read as immunity, leaving the firm’s entire business layer ungoverned.
- Matter files on personal channels — case documents over personal email and WhatsApp, on juniors’ laptops, in unsecured shared drives: the security duty survives the exemption, and this is where it fails.
- The immortal archive — every file since the firm’s founding, no schedule, no owner; closed matters are a retention question, not a museum.
- Marketing on matter contacts — client and counterparty details from cases flowing into newsletters and BD lists without consent.
- The enquiry form with no notice — the website collecting names, numbers and case descriptions (sensitive by nature) with nothing said about purpose.
- Vendors on trust — transcription, e-discovery and cloud tools holding privileged material with no data terms in the contract.
Collecting client documents compliantly
Onboarding is bucket two — run it like a professional intake, and let the engagement letter carry the notice work. A clear notice-and-consent step for client data at engagement (identity, contact, billing — plus the matter-file explanation that litigation processing runs on the legal-claims footing), one controlled channel for document intake instead of email-and-WhatsApp accretion, and an engagement letter that states what’s collected, why, who sees it and how long the file lives. The channel mechanics are common to every practice — see secure client document collection for professionals — and the CA sector guide’s retention-schedule pattern translates directly: statutory and limitation-driven holds named per record type, everything else deleted on schedule.
FAQ
Is a law firm exempt from the DPDP Act?
Not as a firm — specific processing is. Work necessary for enforcing a legal right or claim sits outside most of the Act, but the firm’s ordinary operations (onboarding, marketing, HR, the website) carry the full duties, and security obligations survive even on exempt processing.
Do we need the opposing party’s consent to hold their documents?
No — processing necessary for a legal claim is exactly what the exemption covers. What you still owe that data is security, and holding it beyond the claim’s needs isn’t covered by the words.
Does the exemption cover our client database and newsletters?
No. Business development, marketing and client-relationship data are the firm acting as an ordinary business — notice, consent and the rest apply in full. The exemption follows the claim, not the letterhead.
How long can we keep closed matter files?
On a written schedule justified by limitation periods and professional norms — not forever by default. When the claim and its realistic follow-on needs end, the exemption’s purpose ends; the archive becomes a retention decision like any other professional’s.
If a matter file leaks, does the exemption protect us?
No — the security-safeguard duty survives the exemption, and its breach sits in the Act’s highest penalty band. Add privilege consequences and professional-duty exposure, and a leaked matter file is the single worst data event a firm can have.