The Union government has notified major portions of the Digital Personal Data Protection (DPDP) Act, 2023 on Friday, marking a significant step towards complying with the Supreme Court’s 2017 K.S. Puttaswamy vs Union of India judgment that affirmed the right to privacy and the need for a data protection law. The DPDP Rules, 2025, whose draft was circulated in January and deliberated upon for an extended period, have also been notified.
The law, passed in Parliament in August 2023, has required firms to safeguard Indians’ digital data, with exemptions for “the State and its instrumentalities,” and has prescribed penalties for entities that violate these obligations. Transparency activists have said that the Act has weakened the Right to Information Act, 2005, by removing the requirement for government bodies to disclose “personal information” even when public interest outweighs a public official’s privacy. This amendment has come into force immediately from Friday.
Data fiduciaries, entities that collect and use personal data, have been given time until November 2026 to comply with several provisions, including publishing details of their designated Data Protection Officer (DPO). The Consent Manager framework, enabling firms to act on data removal and amendment rights on behalf of users (“data principals”), has also been scheduled to come into force in the same month next year. Full compliance obligations for large technology firms have been pushed to May 2027.
Another notification issued on Friday has set the number of members on the Data Protection Board of India (DPBI) at four. The board, which can conduct inquiries following complaints and impose penalties in case of data breaches, has been placed under the appointment purview of the Ministry of Electronics and Information Technology (MeitY). The members have not yet been appointed.
The DPDP Act has undergone three major drafts since 2017. The first draft in 2018, which included data localisation mandates, had been resisted strongly by technology companies. The present version, the 2023 Act, which has removed several of those earlier obligations, has been received more favourably by large Indian and global technology firms, who, as “significant data fiduciaries,” would otherwise face additional compliance burdens.
