6 months ago
1
The Digital Personal Data Protection Rules (DPDP), 2025 were notified this week, kicking disconnected the enactment of the Data Protection Board of India (DPBI), and the ineligible model for safeguarding the information of Indian radical online. The DPDP Act itself was passed successful Parliament successful August 2023, and a draught of the Rules that were notified connected Friday (November 14, 2025) were released for consultation successful January.
What bash the DPDP Act and Rules do?
The DPDP Act, 2023 is India’s mentation of information extortion laws specified arsenic Europe’s General Data Protection Regulation (GDPR) and akin regimes successful galore different countries, specified arsenic Singapore’s Personal Data Protection Act, 2012. Like these regimes, the Act sets retired immoderate baselines for however companies (“data fiduciaries”) grip information of their users successful India (“data principals”). For instance, determination indispensable beryllium entree power and encryption, on with information audits for ample firms (“significant information fiduciaries”).
Data principals are besides required to instrumentality “informed” consent from their users, and anyone whose information they collect, by giving a summary of what information they are collecting, and however they volition usage it. The Act besides gives users the close to erase oregon modify information they supply to firms, oregon to delete it. After a specified play of inactivity, firms are nether an work to delete the information they person connected users. A Data Protection Officer has to beryllium appointed by ample firms, who volition oversee compliance.
The Act besides restricts targeted advertizing and definite information postulation for children. The Rules carve retired an exemption present for parents tracking their children’s location.
To let users to workout rights crossed a assortment of fiduciaries (accounts implicit respective platforms), the Act and Rules acceptable retired the model for a “Consent Manager,” a work that volition let users to negociate their information crossed respective fiduciaries, akin to permissions manager settings connected a smartphone.
Data breaches indispensable beryllium reported arsenic soon arsenic possible, the Act says. Fines for non-compliance for antithetic parts of the instrumentality scope from ₹10,000 to ₹250 crore.
Are these requirements successful force?
No. While implicit 2 years person gone by since the Act was notified, the Ministry of Electronics and Information Technology (MeitY) has chosen to springiness firms up to 18 much months to comply. Some requirements, similar having a DPO beryllium appointed for ample firms, goes into effect 1 twelvemonth from now.
Some parts of the Act person been kicked into enactment — specified arsenic the DPBI’s formation. The DPBI volition oversee the Act’s implementation and volition beryllium a subordinate bureau of MeitY. The assemblage volition person 4 members.
Another portion of the Act that goes unrecorded is the amendment to the Right to Information Act, 2005, which has been furiously resisted by integer rights and transparency groups alike.
How is the RTI Act amended? Why is the amendment controversial?
The 2023 Act amended Section 8(1)(j) of the Right to Information Act, 2005, which allows citizens to petition nationalist accusation from authorities bodies. That conception allowed authorities bodies to garbage requests for “personal information,” but said that this exemption would not use if determination was a larger nationalist involvement successful disclosing the information.
The DPDP Act removed that carve-out, allowing authorities organisations much discretion successful what is and isn’t idiosyncratic information, and diminution it adjacent if doing truthful would beryllium successful the nationalist interest. The 2023 instrumentality was not going to beryllium successful unit — including this amendment — until the Union authorities notified it. Transparency activists, specified arsenic those belonging to the Mazdoor Kisan Shakti Sangathan (MKSS) and the National Campaign for the People’s Right to Information (NCPRI), spent years (since the DPDP Act’s 2022 draught was published) resisting this change.
But connected Friday, the authorities disregarded that pushback, and specifically invoked its powerfulness to propulsion the amendment done successful the signifier of a notification. Another amendment, to the Information Technology Act, 2000, is not yet successful force.
Organisations similar MKSS person worked with grassroots movements to get entree to ration “muster rolls” and enactment bid logbooks, allowing them to scrutinise nationalist records for signs of graft and misspending. With a wide explanation of “personal information,” they person argued, citizens whitethorn person nary country to behaviour specified societal audits. The amendment could besides beryllium utilized to shield almighty officials’ misconduct, they person said.
Nikhil Dey, an MKSS founding member, vowed that “‘[w]e the people’ volition combat back” aft the amendment went into force.
