November 14, 2025 :  After nearly two years of consultations, debates, committee reviews, and multiple draft iterations, the Digital Personal Data Protection (DPDP) Act has finally been officially notified by the Government of India, marking a historic shift in the country’s digital governance and privacy landscape. Alongside the notification, the government has also amended the Right to Information (RTI) Act, sparking discussions on the balance between privacy rights and transparency obligations.

The DPDP Act is India’s first comprehensive data protection legislation, designed to regulate how personal data is collected, stored, processed, and shared in the digital ecosystem. With India being the world’s largest data market after China and the U.S., the law is expected to have far-reaching implications for citizens, companies, and government entities alike.

A Long Journey Toward a Privacy Framework

The efforts to create a data protection law began after the Supreme Court’s landmark 2017 judgment recognizing the Right to Privacy as a Fundamental Right. This triggered the formation of a committee led by Justice B.N. Srikrishna, which submitted the first draft in 2018. Since then, the bill underwent several revisions, with stakeholders from Big Tech companies, civil society, digital rights groups, and state bodies weighing in.

The final version — the Digital Personal Data Protection Act, 2025 — has now been formally notified, paving the way for its phased implementation.

What the DPDP Act Introduces

The Act gives Indian citizens greater control over how their personal data is used, while creating a clear compliance framework for organizations handling such data.

Key Features Include:

✔ Consent-Based Data Processing

Any personal data can be processed only with clear, informed, and affirmative consent from the user. Companies must present consent requests in easy-to-understand language.

✔ Right to Correction and Erasure

Individuals can request corrections to their data or have it deleted entirely, subject to certain safety or legal exceptions.

✔ Obligations for Data Fiduciaries

Companies handling large volumes of sensitive data — termed Significant Data Fiduciaries — must appoint data protection officers, conduct regular audits, and follow stricter compliance norms.

✔ Data Breach Reporting

Organizations must report data breaches to the government and affected users within a mandated time frame, ensuring transparency during cyber incidents.

✔ Penalties for Non-Compliance

The law allows penalties of up to ₹250 crore for major violations, making it one of the toughest digital compliance regimes in Asia.

✔ Protection of Children’s Data

The Act restricts targeted advertising toward children and requires parental consent for minors’ data processing.

RTI Act Amendment Sparks Debate

In conjunction with the DPDP Act’s notification, the government has also amended Section 8 of the RTI Act, modifying the exemption related to personal information.

The amendment states that any personal data protected under the DPDP Act will be exempt from RTI disclosure, unless public interest clearly outweighs privacy concerns.

Concerns Raised:

• Transparency advocates argue that this could weaken the RTI Act, which has been one of India’s strongest accountability tools for nearly two decades.
• They fear that public officials may now refuse information more frequently by citing “personal data” exemptions.
• Legal experts, however, note that exemptions already existed earlier and the amendment only formalizes the privacy framework in the context of the DPDP Act.

The balance between privacy and public transparency is expected to remain a key area of debate as the Act takes effect.

What Happens Next? Implementation Timeline

The government is expected to introduce rules, guidelines, and timelines in phases. The Act’s implementation is likely to roll out over the next 6–12 months.

Expected next steps:

• Formation of the Data Protection Board of India
• Issuance of subordinate rules
• Gradual enforcement of compliance norms
• Dedicated grievance redressal framework for citizens

Tech companies, financial institutions, e-commerce players, and digital service providers are already preparing for compliance transitions.

Industry Reaction: Mixed but Prepared

Tech Industry Response:

Major IT and digital-first companies have welcomed the regulatory clarity, noting that a formal privacy law will help India better integrate with global data compliance frameworks like GDPR.

Concerns from Startups:

Smaller firms fear compliance costs may rise sharply due to requirements like audit trails, storage norms, and consent records. Startups are requesting a longer transition period.

Civil Society Response:

Digital rights organizations appreciate the emphasis on user consent but remain concerned about broad exemptions granted to government bodies under “national security” or “public order”.

Why This Matters for Citizens

For everyday users, the DPDP Act brings significant changes:

• More say over how apps and websites use your personal data
• Easier tools to withdraw consent or delete accounts
• Mandatory breach notifications when your data is leaked
• Penalties for companies mishandling your information

In effect, the Act aims to make India’s digital environment safer, more transparent, and more accountable.

Summary

India has officially notified the DPDP Act after two years, strengthening digital privacy rights. The government also amended the RTI Act, sparking debate on transparency