The Union government has notified key sections of the Digital Personal Data Protection (DPDP) Act, 2023, aiming to protect the data privacy of Indian citizens.
The DPDP Rules, 2025 align with the Supreme Court’s 2017 K.S. Puttaswamy judgment that recognizes the right to privacy.
The law mandates firms to protect digital data, exempting the “State and its instrumentalities,” and includes penalties for violations.
Amendments to the Right to Information Act, 2005 remove the obligation to provide “personal information”.
Data fiduciaries have until November 2026 to comply with certain provisions, including appointing a Data Protection Officer.
The Data Protection Board of India (DPBI) will be constituted with four members appointed by MeitY.
Detailed Insights:
The DPDP Act, 2023 requires firms to safeguard the digital data of Indian citizens but has exemptions for the “State and its instrumentalities”.
The Consent Manager framework, enabling data removal and amendment rights for users, will be effective from November 2026.
Large tech firms are expected to be fully compliant by May 2027, pending the constitution of the Data Protection Board of India (DPBI).
The DPBI can investigate complaints and impose penalties for data breaches, with members appointed by the Ministry of Electronics and Information Technology (MeitY).
The Act has evolved through three drafts since 2017, with the latest version being better received by tech firms due to relaxed data localization requirements.
Nasscom has expressed concerns over strict parental consent rules and short breach disclosure deadlines, despite welcoming the Rules.
The Internet Freedom Foundation criticizes the Rules for deferring core obligations and enabling excessive state control over personal data.
Key Concepts Involved:
Data Fiduciary: An entity that processes personal data.
Data Principal: The individual to whom the personal data relates.
Data Protection Officer: A person responsible for overseeing data protection strategy and implementation.