Context:
-
The Digital Personal Data Protection (DPDP) Rules, 2025 were notified in November 2025, operationalising provisions of the Digital Personal Data Protection Act, 2023.
-
The notification marks a key step in India’s transition towards a comprehensive digital data protection regime, while also triggering debate due to simultaneous amendments to the Right to Information (RTI) Act, 2005.
Key Highlights:
Government Initiative / Policy Details
-
The DPDP Act, 2023 provides a statutory framework for protection of personal data in digital form.
-
Companies and entities processing data are classified as Data Fiduciaries, while individuals whose data is processed are Data Principals.
-
The Data Protection Board of India (DPBI) is to be constituted as the adjudicatory authority to enforce compliance.
Rights and Obligations Under the Rules
-
Informed consent is mandatory before processing personal data.
-
Users are entitled to:
-
Access their data
-
Correct or erase data
-
Withdraw consent
-
-
Data must be deleted after a period of inactivity, as prescribed.
-
Penalties for non-compliance range from ₹10,000 to ₹250 crore, depending on the nature of the violation.
Compliance Timeline
-
Though the Act was passed in August 2023, firms are given:
-
Up to 18 months to fully comply
-
Certain obligations, such as appointing a Data Protection Officer (DPO), to kick in within one year
-
-
This staggered timeline aims to balance regulatory readiness and business feasibility.
Consent Management and Technology
-
Introduction of a Consent Manager, enabling users to:
-
View, manage, and revoke consent across multiple platforms
-
Exercise granular control, similar to smartphone permission settings
-
-
Baseline safeguards mandated:
-
Access control
-
Encryption
-
Periodic security audits
-
Institutional Structure
-
The DPBI, a subordinate office under the Ministry of Electronics and Information Technology (MeitY), will:
-
Adjudicate disputes
-
Impose penalties
-
Monitor compliance
-
-
Concerns persist regarding regulatory independence, as MeitY also promotes the digital economy.
RTI Act Amendment and Controversy
-
Amendment to Section 8(1)(j) of the RTI Act, 2005 has come into force.
-
The public interest override has been removed, allowing authorities to:
-
Withhold personal information even when disclosure may serve public interest
-
-
Critics argue this may:
-
Restrict access to public records
-
Weaken social audits and accountability mechanisms
-
Significance / Concerns
-
Positive aspects:
-
Aligns India with global standards like GDPR (EU) and Singapore’s PDPA
-
Enhances user control over personal data
-
-
Concerns:
-
Delayed implementation of citizen safeguards
-
Potential dilution of transparency due to RTI amendment
-
Limited independence of the DPBI
-
UPSC Relevance (GS-wise):
GS 2 – Governance
-
Digital governance and citizen rights
-
Regulatory institutions and accountability
-
Transparency vs privacy trade-offs
GS 3 – Science & Technology
-
Data governance and cyber security
-
Regulation of digital economy and Big Tech
-
Consent-based data processing frameworks
Prelims Focus:
-
DPDP Act, 2023
-
DPDP Rules, 2025
-
Data Fiduciary, Data Principal
-
Data Protection Board of India
-
RTI Act amendment
Mains Orientation:
-
Examine whether India’s data protection framework strikes a balance between privacy, transparency, and innovation.
-
Discuss the implications of weakening RTI safeguards in the era of digital governance.