What it is:
- A law to protect the personal data of Indian citizens in digital form.
- Passed in: August 2023 by Parliament.
- Recent Update: Large parts of the Act notified by the Union government in 2025, along with the DPDP Rules, 2025.
- Aim: Ensure data privacy, accountability of data-collecting entities, and compliance with Supreme Court’s 2017 K.S. Puttaswamy v. Union of India judgment affirming the right to privacy.
Key Provisions of the DPDP Act
- Scope and Coverage:
- Applies to “data fiduciaries” (entities that collect or process personal data).
- Exemptions: State and its instrumentalities.
- Rights of Individuals (Data Principals):
- Right to access, correct, erase, or port personal data.
- Enforcement of consent-based data processing.
- Obligations for Data Fiduciaries:
- Implement safeguards to protect personal data.
- Appoint a Data Protection Officer (DPO).
- Ensure transparent data handling practices.
- Penalties:
- Firms can face fines or penalties for non-compliance or breach of data protection obligations.
- Consent Manager Framework (from Nov 2026):
- Enables authorized intermediaries to exercise data removal, correction, or other rights on behalf of users.
- Impact on Right to Information (RTI):
- Limits the obligation of government bodies to provide personal information if public interest conflicts with privacy rights.
Implementation Timeline
- 2025 Notification: Most parts of the Act and DPDP Rules come into effect immediately.
- November 2026: Key provisions like DPO disclosure and the Consent Manager framework will become enforceable for firms.
