New Delhi: In a decisive move that reshapes the digital privacy and transparency landscape in India, the government has notified the Digital Personal Data Protection Act, 2023 (DPDP Act) roughly two years after its enactment. At the same time, amendments to the Right to Information Act, 2005 (RTI Act) have been brought into immediate effect, reflecting the twin priorities of protecting personal data and preserving public access to information. According to the official notification, large parts of the DPDP Act will come into force in late 2026 to mid-2027, whilst the RTI amendments apply now.
Background of the Digital Personal Data Protection Act
Privacy as a fundamental right in India was affirmed by the Justice K. S. Puttaswamy (Retd.) v. Union of India judgment (2017) under Article 21 of the Constitution.
In response, the government introduced various policy drafts, culminating in the DPDP Act, which received the President’s assent on August 11, 2023. However, the key implementation rules were yet to be notified, hindering its operationalisation. The RTI Act, meanwhile, has been the bedrock of transparency and accountability since 2005.
What is the Digital Personal Data Protection Act
The DPDP Act establishes obligations for entities called “Data Fiduciaries” (those determining purpose and means of data processing) and grants rights to “Data Principals” (the individuals to whom data relates).
The Act also provides for the constitution of the Data Protection Board of India (DPBI) as the adjudicating authority for breaches and grievances.
Why this Matters: Importance
Citizen control over data: The Act empowers individuals with rights such as correction, erasure, and access to their digital personal data.
Business & tech compliance: Companies operating digital platforms will face new obligations to secure, manage and report personal data usage—especially those classified as “Significant Data Fiduciaries”.
Global alignment: With cross-border data flow regulations and heightened data governance, India signals its commitment to global data protection norms.
Transparency & public oversight: The RTI amendments mean immediate adjustments in how public authorities handle “personal information” requests, impacting access to official data.
Key Challenges & Implications
- While the Act is notified, full enforcement is slated for late 2026–mid-2027. Until then, some provisions remain dormant.
- The law grants broad exemptions for government processing of data in the interests of sovereignty, security and public order—raising concerns about oversight and safeguards.
- The amendment to the RTI Act (via the DPDP Act) alters Section 8(1)(j), removing the “larger public interest” test for withholding personal information—this could restrict access under RTI requests.
- Rules around consent-managers, audits, data localisation and cross-border transfers are still evolving, leading to ambiguity for firms.
- Implementing the rights and obligations effectively requires citizens and companies to understand their roles, a major undertaking in a diverse digital economy.
Way Forward
- The government must ensure the DPDP Rules covering Sections 3-15, 21 & 22 are notified without further delay—enabling clarity for stakeholders.
- Educating citizens about their new rights under the law—such as data erasure, correction and grievance mechanisms—is essential.
- Digital platforms and service providers should prepare early for obligations like appointing Data Protection Officers, conducting audits and managing breaches.
- The DPBI’s independence and capacity must be ensured so that enforcement and audits are credible and transparent.
- Authorities must ensure that RTI mechanisms remain robust, even as personal data protection rules evolve, maintaining accountability of public institutions.
- Given rapid technology change (AI, IoT, big data), the law and its rules should be reviewed periodically and aligned with global best practices.