The Hindu: Delhi: Saturday, 15 November 2025.
Much of the Act goes into force in late 2026 mid-2027; a much-resisted Right to Information Act, 2005 amendment is in force immediately
The Union Government
notified large parts of the Digital Personal Data Protection (DPDP) Act, 2023,
on Friday (November 14, 2025), addressing the need for a law to protect the
data privacy of Indian citizens. The DPDP Rules, 2025, are also a significant step
forward in compliance with the Supreme Court’s 2017 K.S. Puttaswamy v. Union of
India judgment affirming the right to privacy.
A draft of the Rules was circulated in January and mulled over for a significant period of time.
The law, passed in August 2023 in Parliament, requires firms to safeguard digital data of Indian citizens, with exemptions for the “State and its instrumentalities”, and prescribes penalties for firms that breach these obligations.
Meanwhile, transparency activists have said the law weakens the Right to Information Act, 2005, by removing the obligation of government bodies to provide “personal information” if the public interest outweighs a public official’s right to privacy.
That amendment is in force from Friday (November 14, 2025). However, “data fiduciaries,” who collect and use personal data, will have until November 2026 to comply with some provisions, such as putting out the details of their designated Data Protection Officer (DPO). That same month, the Consent Manager framework, which allows firms to exercise data removal and amendment rights on behalf of “data principals” (users), will also come into force.
It may take until May 2027 for large tech firms to be subject to the full force of the Act, which also provides for the constitution of the Data Protection Board of India (DPBI) by the Centre. Another notification there were a total of four on Friday (November 14, 2025) sets the number of members in the DPBI at four. The board can hold inquiries in response to complaints and impose penalties in case of data breaches. The board’s members, who have not yet been chosen, will be appointed by the Ministry of Electronics and Information Technology (MeitY).
The DPDP Act, 2023 has gone through three major drafts since 2017, with the first draft in 2018 imposing conditions like data localisation that were furiously resisted by technology firms. The latest version of the Act, which strips out many of the requirements of the original draft, has been relatively better received among large Indian and global tech firms, which as “significant data fiduciaries,” would face additional compliance requirements.
Nasscom, which represents the main IT and technology firms, said in a statement issued through its Data Security Council of India (DSCI) initiative that it welcomed the Rules, but had problems with the Act that could not be solved by “subordinate legislation”, such as tight rules around parental consent and short disclosure deadlines for breaches.
“On international data transfers, Nasscom-DSCI recognises the importance of developing mechanisms that support interoperability and facilitate co-operation with India’s key trading partners,” Nasscom said.
Delhi-based digital rights advocacy Internet Freedom Foundation said the notified Rules “do not address key structural concerns repeatedly raised by civil society” and rued the fact that they “[defer] most core obligations and rights” by a year and a half. The Rules “provides statutory backing for enabling personal data collection by state agencies with scant oversight, thereby entrenching state control over personal data,” the IFF said.
Much of the Act goes into force in late 2026 mid-2027; a much-resisted Right to Information Act, 2005 amendment is in force immediately
 |
| Image used for representation purpose only. Photo Credit: Getty Images/iStockphoto |
A draft of the Rules was circulated in January and mulled over for a significant period of time.
The law, passed in August 2023 in Parliament, requires firms to safeguard digital data of Indian citizens, with exemptions for the “State and its instrumentalities”, and prescribes penalties for firms that breach these obligations.
Meanwhile, transparency activists have said the law weakens the Right to Information Act, 2005, by removing the obligation of government bodies to provide “personal information” if the public interest outweighs a public official’s right to privacy.
That amendment is in force from Friday (November 14, 2025). However, “data fiduciaries,” who collect and use personal data, will have until November 2026 to comply with some provisions, such as putting out the details of their designated Data Protection Officer (DPO). That same month, the Consent Manager framework, which allows firms to exercise data removal and amendment rights on behalf of “data principals” (users), will also come into force.
It may take until May 2027 for large tech firms to be subject to the full force of the Act, which also provides for the constitution of the Data Protection Board of India (DPBI) by the Centre. Another notification there were a total of four on Friday (November 14, 2025) sets the number of members in the DPBI at four. The board can hold inquiries in response to complaints and impose penalties in case of data breaches. The board’s members, who have not yet been chosen, will be appointed by the Ministry of Electronics and Information Technology (MeitY).
The DPDP Act, 2023 has gone through three major drafts since 2017, with the first draft in 2018 imposing conditions like data localisation that were furiously resisted by technology firms. The latest version of the Act, which strips out many of the requirements of the original draft, has been relatively better received among large Indian and global tech firms, which as “significant data fiduciaries,” would face additional compliance requirements.
Nasscom, which represents the main IT and technology firms, said in a statement issued through its Data Security Council of India (DSCI) initiative that it welcomed the Rules, but had problems with the Act that could not be solved by “subordinate legislation”, such as tight rules around parental consent and short disclosure deadlines for breaches.
“On international data transfers, Nasscom-DSCI recognises the importance of developing mechanisms that support interoperability and facilitate co-operation with India’s key trading partners,” Nasscom said.
Delhi-based digital rights advocacy Internet Freedom Foundation said the notified Rules “do not address key structural concerns repeatedly raised by civil society” and rued the fact that they “[defer] most core obligations and rights” by a year and a half. The Rules “provides statutory backing for enabling personal data collection by state agencies with scant oversight, thereby entrenching state control over personal data,” the IFF said.
.JPG)
.JPG)
