India Notifies Digital Personal Data Protection Act, 2023

New Delhi: The Government of India has formally brought the Digital Personal Data Protection Act (DPDP Act), 2023, into effect, marking the country’s first complete legal framework dedicated to the protection of digital personal data. The notification was issued on November 14, 2025. On the same day, the government also enforced an amendment to the Right to Information (RTI) Act, 2005, revising its personal-information disclosure clause to reflect privacy protections recognized under the Constitution.

DPDP Act Comes Into Effect After Long Gap Between Passage and Notification

The DPDP Act was passed by Parliament in August 2023. It has now been officially notified by the Ministry of Electronics and Information Technology (MeitY), more than two years after its passage. The law gives statutory backing to the Supreme Court’s 2017 judgment in K.S. Puttaswamy v. Union of India, which held that the right to privacy is a fundamental right under Article 21.

The Act regulates the processing of digital personal data, whether collected directly online or collected offline and later digitized. It places responsibility on “data fiduciaries”—the entities that decide the purpose and means of processing data. These entities must follow transparency and security obligations while handling personal information.

The law is built around consent-based processing. Organizations must obtain clear and specific consent before using personal data. This applies across sectors and covers a wide range of digital operations. For data relating to children, the DPDP Act introduces stricter standards: processing children’s data requires parental consent, and platforms likely to have child users must put additional safeguards in place.

The Act also lays down rules on data retention. Personal data must be deleted once it no longer serves the purpose for which it was collected. Certain categories of large digital platforms—such as major social-media or e-commerce intermediaries—will have to follow specific retention schedules detailed in the rules notified with the Act.

Penalties for violations range from ₹50 crore to ₹250 crore, depending on the nature and seriousness of the breach. MeitY has set up a four-member Data Protection Board of India to ensure compliance, investigate complaints, and impose penalties.

Under the timeline issued by the government, organizations will get 12 to 18 months to make the necessary changes. Consent managers must be in place by November 14, 2026, and the law’s full compliance framework is expected to take effect by mid-2027.

RTI Act Amended to Align With Privacy Requirements

The amendment to Section 8(1)(j) of the RTI Act, 2005, also came into effect on November 14, 2025. The revised clause restricts disclosure of personal information held by public authorities unless a larger public interest clearly justifies such disclosure. This change reflects constitutional standards relating to privacy and “reasonable restrictions,” as interpreted in earlier Supreme Court judgments.

According to the government’s statement in Parliament, the amendment aims to strike a balance between the right to information and the right to privacy. The updated wording ensures that personal information cannot be disclosed merely because it is held by a public authority; instead, disclosure will occur only when the public interest outweighs the privacy impact.

The amendment has caused concern among activists and groups that frequently use the RTI Act. They argue that restricting access to personal information could limit public scrutiny, especially in cases involving elected officials or public servants. The government, however, has stated that the change is consistent with the privacy protections recognized in Indian law and aligns with international data-protection standards.

The government has clarified that the amendment does not weaken the RTI Act. Official statements note that the Act continues to offer access to a wide range of public information. The change to Section 8(1)(j), officials have said, is meant only to align the RTI framework with the privacy structure created under the DPDP Act.

Implementation Framework, Consultation Process, and Next Steps

The DPDP Act and its rules were finalized after a wide consultation process. The draft Digital Personal Data Protection Bill, 2022, received more than 22,600 comments from the public, industry stakeholders, and various ministries before the final version was tabled in Parliament.

The rules notified with the Act specify procedures that data fiduciaries must follow. These include clear notice requirements for users: every user must be informed, in a simple and itemized format, about the data being collected, how it will be used, the purpose of the processing, and the rights available to the user.

The rules also specify grievance-redressal mechanisms. If individuals believe their data rights have been violated, they must first approach the concerned data fiduciary. If the issue is not resolved, it can then be escalated to the Data Protection Board.

The DPDP Act allows cross-border data transfers to countries notified by the central government, provided the transfers comply with safeguards specified in the rules. The Act also includes exemptions for certain state functions, such as law enforcement, national security, and specified government operations. These exemptions must still be lawful and proportionate.

Significant data fiduciaries will have additional responsibilities, which may include appointing a data protection officer, conducting periodic audits, and carrying out data-protection impact assessments. These requirements fall within the 12- to 18-month compliance window announced by the government.

The notification of the DPDP Act and the amendment to the RTI Act together create a unified framework for privacy and information access. With both measures now in force, organizations and public authorities will need to adjust their data-handling and disclosure processes over the coming months.