The Digital Personal Data Protection Rules, 2025 were notified on November 14, 2025, but delay key protections until 2027.
The rules immediately implement changes to the Right to Information (RTI) Act, 2005, limiting access to personal information.
The Data Protection Board of India (DPBI) will operate under the Ministry of Electronics and Information Technology.
Compliance timeline of 12-18 months is provided for technology companies to implement the new rules.
Detailed Insights:
The Supreme Court recognized privacy as a fundamental right over eight years ago, leading to multiple drafts of data protection laws.
The 2023 law simplified the 2018 draft but provided broad exemptions for government organizations in handling citizen data.
Amendments to the RTI Act authorize public information officers to withhold personal information beyond what is legally mandated for publication.
The DPBI's lack of independence, operating under the same ministry courting investments from data-heavy tech firms, raises concerns about impartiality.
Citizens will continue to experience limited privacy and accountability from both the state and major technology companies.
Key Concepts Involved:
Right to Privacy: The fundamental right to control one's personal information and freedom from intrusion.
Data Protection: The practice of safeguarding personal information from unauthorized access, use, or disclosure.
Right to Information Act: Legislation promoting transparency and accountability by granting citizens access to government-held information.