Feb 27, 2026

A screenshot of a computer AI-generated content may be incorrect.

The Supreme Court of India notified the Union Government about petitions that question the constitutionality of the Digital Personal Data Protection (DPDP) Act, 2023, and the DPDP Rules, 2025.

On February 16, 2026, the Supreme Court of India notified the Union Government about petitions that question the constitutionality of the Digital Personal Data Protection (DPDP) Act, 2023, and the DPDP Rules, 2025. Chief Justice Surya Kant and his Bench noted that the issues are complex. The case was sent to a larger five-judge Constitution Bench for closer review. The case was sent to a larger five-judge Constitution Bench for closer review.

The petitions claim that the DPDP framework weakens transparency and accountability, especially because of the amendment introduced by Section 44(3) of the DPDP Act to Section 8(1)(j) of the Right to Information (RTI) Act, 2005. Advocates and civil society groups argue that the law puts privacy ahead of public-interest disclosures.

The main issue:

Petitioners say Section 44(3) of the Act essentially "guts" the Right to Information (RTI) Act by banning the release of personal information about public officials and limiting when information can be shared in the public interest.
Critics warn that the DPDP Act does not meet the proportionality test set out in the Puttaswamy judgment. They argue it lacks safeguards against abuse and places broad limits on fundamental rights.

The Court decided not to pause the law’s implementation, so businesses must keep working to comply even as the legal challenge continues. The Bench admitted there are still issues to resolve but said the law will not be stopped for now. The case is expected to be heard again in March 2026.

The case now goes to a larger Constitution Bench for a closer look at how the Right to Privacy and the Right to Information should be balanced. This move shows the Supreme Court wants to give clear guidance on how privacy laws and transparency requirements fit together.

MINI HEADLINES

MeitY Proposes Six-Month Cut in DPDP Compliance Deadline for Significant Data Fiduciaries

The Ministry of Electronics and Information Technology (MeitY) is reportedly considering a proposal to shorten the compliance window for Significant Data Fiduciaries (SDFs). The deadline for full compliance may shift from May 13, 2027, to November 13, 2026, reducing the window by six months. This change targets large platforms and financial institutions handling vast personal data, while startups may still have longer timelines

Intersecting Regulation: IT Rules Amendment 2026

Effective February 20, 2026, amendments to the IT Rules will require prominent labelling of all AI-generated or synthetic media, including deepfakes, with embedded metadata for traceability. These mandates align with data fiduciary responsibilities. Illegal content must be removed within 3 hours, reduced from the previous 36-hour window. For non-consensual intimate imagery, removal is required within 2 hours. Platforms must obtain user declarations and conduct technical verification for SGI before publishing. These changes are intended to combat misinformation, and penalties will apply for non-compliance.

India Tightens Domain Registrar KYC Norms to Combat Online Fraud and Anonymity

The Delhi High Court has directed domain name registrars (DNRs) operating in India to implement stringent Know-Your-Customer (KYC) verification for registrants, ending default masking of personal details and making privacy protection an opt-in paid service. The ruling, in a case involving major brands like Colgate and Bajaj Finance, holds DNRs accountable for online fraud facilitation and revokes safe harbour immunity for non-compliance. This aligns with broader data protection trends under the DPDP framework by reducing anonymity that enables the misuse of personal data in cybercrimes.

Online Fraud
Read More → https://law.asia/india-domain-kyc-mandate