ACCURACY Shipping Limited

Digital Personal Data Protection Act notified after two years, RTI Act amended

India has formally moved closer to a stronger data governance framework as the Union Government notified major portions of the Digital Personal Data Protection (DPDP) Act, 2023 on November 14, 2025. While several provisions will become operational between late 2026 and mid-2027, an important and controversial amendment to the Right to Information (RTI) Act, 2005 has come into effect immediately.


A Long-Awaited Step Toward Data Privacy

The notification marks a significant milestone in India’s journey to implement a modern privacy regime, as mandated by the Supreme Court’s 2017 K.S. Puttaswamy judgment, which recognised privacy as a fundamental right.
The newly notified DPDP Rules, 2025 further enhance India’s compliance and lay down mechanisms for consent, data handling, data principal rights, and grievance redressal.

A draft of the Rules was circulated in January and underwent extended deliberations before finalisation.


Key Obligations for Firms and Exemptions for State

The DPDP Act requires organisations to safeguard the digital personal data of Indian citizens and enforce strong data processing standards, and it imposes penalties for violations.
However, the law provides broad exemptions for the State and its instrumentalities, a provision that continues to trigger criticism from digital rights groups.

Transparency advocates argue that the exemption, along with the RTI amendment, could create space for excessive discretion by government departments.


RTI Act Amendment Comes Into Force Immediately

A major point of contention is the amendment to the Right to Information Act, 2005, which removes the obligation of government bodies to disclose “personal information” even if the public interest outweighs an official’s right to privacy.
This amendment is effective from November 14, 2025, sparking concerns that it weakens transparency mechanisms and restricts citizen access to crucial information.


Compliance Timeline: 2026 to 2027

While the RTI amendment is immediate, data fiduciaries have staggered compliance deadlines:

Key Dates to Watch

  • November 2026:

    • Mandatory disclosure of Data Protection Officer (DPO) details

    • Implementation of the Consent Manager Framework for data removal and amendment rights

  • May 2027:

    • Full enforcement of the Act for large technology companies

    • Operationalisation of the Data Protection Board of India (DPBI)

The government has notified that the DPBI will have four members, empowered to conduct inquiries and impose penalties for data breaches. Members will be appointed by the Ministry of Electronics and Information Technology (MeitY).


How the Act Evolved Over the Years

The DPDP Act has undergone three major drafts since 2017.
The first 2018 draft, which demanded strict data localisation, was sharply opposed by global tech firms.
The latest version, stripped of several stringent requirements, is more acceptable to both Indian and international technology companies, especially those classified as “significant data fiduciaries”.


Industry Response: Praise and Concerns

Nasscom & DSCI

Nasscom, through its Data Security Council of India (DSCI), welcomed the notification of the Rules but highlighted persistent gaps in the Act, including:

  • Tight timelines for breach disclosures

  • Complex parental consent mechanisms

  • Issues that cannot be resolved through subordinate legislation

Nasscom also emphasised the need for interoperable international data transfer frameworks to support India’s global trade relationships.

Digital Rights Concerns

The Internet Freedom Foundation (IFF) criticised the Rules for:

  • Failing to address structural privacy issues

  • Deferring core obligations by over a year

  • Granting statutory backing to extensive data collection by state agencies with minimal oversight

According to IFF, the Rules may strengthen state control over personal data instead of limiting it.


Conclusion: A New Era of Data Governance, With Caveats

The notification of the DPDP Act marks a historic shift in India’s regulatory landscape, finally bringing the country closer to a comprehensive privacy law.
However, the immediate weakening of certain RTI protections, coupled with extended compliance delays and broad state exemptions, continues to raise important questions about transparency and accountability.

As India prepares for full enforcement by 2027, the coming years will determine how effectively the law balances citizen privacy, corporate responsibility, and governmental power, a balance crucial for a digital democracy.
