Digital Personal Data Protection Act notified after two years, RTI Act amended

Large parts of the Digital Personal Data Protection Act (DPDP), 2023 were notified on Friday (November 14, 2025), a significant step forward in the Union government’s compliance of the 2017 K.S. Puttaswamy v. Union of India judgement of the Supreme Court, affirming the right to privacy, and the need for a law to protect Indians’ data. The DPDP Rules, 2025, a draft of which was circulated in January, and mulled over for a significant period of time, were also notified. 

The law, passed in August 2023 in Parliament, requires firms to safeguard Indians’ digital data, with exemptions for the “State and its instrumentalities,” and prescribes penalties for firms who breach these obligations. The law also weakens the Right to Information Act, 2005, transparency activists have said, by removing the obligation of government bodies to provide “personal information” if the public interest outweighs a public official’s right to privacy. 

While that amendment is in force from Friday (November 14, 2025) onwards, the actual obligations of “data fiduciaries,” who collect and use personal data, will have until November 2026 to comply with some provisions, such as putting out the details of their designated Data Protection Officer (DPO). That month next year, the Consent Manager framework, which allows firms to exercise data removal and amendment rights on behalf of “data principals” (users), will also come into force. It will take until May 2027 for large tech firms to be subject to the full force of the Act.

That includes the Data Protection Board of India (DPBI). Another notification (there were a total of four on Friday) sets the number of members at the DPBI at four. The board can hold inquiries in response to complaints and impose penalties in case of data breaches. The board’s members, who have not yet been chosen, will be appointed by the Ministry of Electronics and Information Technology (MeitY). 

The DPDP Act, 2023 has gone through three major drafts since 2017, with the first one in 2018 imposing conditions like data localisation that were furiously resisted by technology firms. The 2023 Act, which strips out many of the requirements of that original draft, has been relatively more welcome among large Indian and global tech firms, who as “significant data fiduciaries,” would face additional compliance requirements.