Digital Personal Data Protection Act notified after two years, RTI Act amended

Large parts of the Digital Personal Data Protection Act (DPDP), 2023 were notified on Friday (November 14, 2025), a significant step forward in the Union government’s compliance of the 2017 K.S. Puttaswamy v. Union of India judgement of the Supreme Court, affirming the right to privacy, and the need for a law to protect Indians’ data. The DPDP Rules, 2025, a draft of which was circulated in January, and mulled over for a significant period of time, were also notified.

The law, passed in August 2023 in Parliament, requires firms to safeguard Indians’ digital data, with exemptions for the “State and its instrumentalities,” and prescribes penalties for firms who breach these obligations. The law also weakens the Right to Information Act, 2005, transparency activists have said, by removing the obligation of government bodies to provide “personal information” if the public interest outweighs a public official’s right to privacy.

While that amendment is in force from Friday (November 14, 2025) onwards, the actual obligations of “data fiduciaries,” who collect and use personal data, will have until November 2026 to comply with some provisions, such as putting out the details of their designated Data Protection Officer (DPO). That month next year, the Consent Manager framework, which allows firms to exercise data removal and amendment rights on behalf of “data principals” (users), will also come into force. It will take until May 2027 for large tech firms to be subject to the full force of the Act.