After nearly two years of deliberation, consultations, and phased drafting, the Indian government has officially notified the Digital Personal Data Protection (DPDP) Act, marking a landmark moment in the evolution of India’s digital privacy framework. The law, first introduced in 2023, aims to establish clear rules for the collection, storage, and processing of personal data by public and private entities.

➡ A New Era of User Consent and Data Responsibility

The notified provisions place strong emphasis on explicit user consent, transparency in data usage, and the principle of data minimisation. Organisations, termed “data fiduciaries,” must now clearly disclose why they collect data and how long they intend to retain it. The Act also mandates that only essential data be collected, significantly tightening India’s baseline privacy requirements.

➡ Stringent Penalties for Enterprises

With the law’s notification, companies will now be liable for steep penalties—running up to hundreds of crores—for violations such as data breaches, misuse of personal information, or failure to implement adequate cybersecurity measures. The government has also laid out obligations for children’s data, requiring enhanced safeguards and filtering mechanisms for platforms catering to minors.

➡ Data Protection Board to Oversee Compliance

The law also formalises the establishment of the Data Protection Board of India, an independent body tasked with investigating breaches, enforcing penalties, and issuing guidelines. The Board will act as the central adjudicatory authority for grievances and compliance-related disputes.

➡ RTI Act Sees Crucial Amendment

Alongside the DPDP notification, the government has amended the Right to Information (RTI) Act, restricting the disclosure of personal information that lacks a clear public interest justification. Section 8(1)(j)—which deals with personal information—has been updated to align with the privacy protections outlined in the DPDP Act.

Officials argue the amendment is necessary to maintain consistency between the two laws, but transparency advocates fear it may reduce the scope of public access to government records.

➡ Transparency vs Privacy Debate Intensifies

The simultaneous rollout has intensified debate surrounding the balance between public accountability and individual privacy. Critics warn that the amendment could be used to shield public officials from scrutiny. Supporters counter that privacy protections were long overdue, especially with increasing digitalisation of government services.

➡ What Comes Next?

Implementation rules will be released in phases, with companies expected to undergo significant compliance adjustments in the coming months. The government is also likely to issue sector-specific guidelines for finance, healthcare, telecom, and digital platforms.