Union Government Notifies Digital Personal Data Protection Act, 2023

The Union Government has notified significant provisions of the Digital Personal Data Protection (DPDP) Act, 2023, effective from November 14, 2025. This development follows the Supreme Court’s 2017 K.S. Puttaswamy v. Union of India judgment, which affirmed the right to privacy.

Key Provisions and Compliance

• The Act mandates firms to protect the digital data of Indian citizens.
• Exemptions are provided for the “State and its instrumentalities”.
• Penalties are prescribed for firms breaching these obligations.

Impact on Right to Information Act, 2005

• The amendment weakens the Right to Information Act by removing the obligation of government bodies to provide personal information, even if the public interest outweighs privacy rights.

Compliance Timeline and Mechanisms

• Data fiduciaries have until November 2026 to comply with certain provisions, such as appointing a Data Protection Officer (DPO).
• The Consent Manager framework, empowering data principals, will be operational by November 2026.
• Full implementation for large tech firms is expected by May 2027.

Data Protection Board of India (DPBI)

• The DPBI will consist of four members and is responsible for inquiries and penalties related to data breaches.
• Members will be appointed by the Ministry of Electronics and Information Technology (MeitY).

Stakeholder Reactions

• Nasscom: Welcomes the Rules but highlights unresolved issues with parental consent and short disclosure deadlines.
• Internet Freedom Foundation (IFF): Criticizes the Rules for deferring core obligations and rights, and for enabling state control over personal data with limited oversight.

Historical Context

• The Act has undergone three major drafts since 2017, with significant changes from the initial 2018 draft that imposed data localization conditions.
• The latest version has been better received by tech firms.