ValkyaEditorial
Weekly Report

Cyber and data protection: May-June 2026 roundup

The May-June 2026 cycle in Indian cyber and data-protection practice is dominated by the DPDP Rules 2025 first-year operationalisation, the transitional jurisprudence under Section 43A of the IT Act 2000 in its final operative phase, and the continuing post-Kunal Kamra recalibration of the intermediary-liability framework. A focused round-up of what changed in policy, what changed in the courts, and what practitioners are tracking.

Valkya Editorial· Legal Intelligence··10 min read

The May-June 2026 cycle is a quieter one than the preceding twelve months. The substantive doctrinal architecture is set; the institutional machinery is being assembled; the operational compliance work is being staged. What has changed in the period is the operational density of the framework — first DPB inquiries, first Consent Manager registration consultations, the maturation of the post-Kunal Kamra intermediary-liability discipline, and the steady transitional jurisprudence under the soon-to-be-superseded Section 43A architecture.

The round-up below covers what changed in policy, what changed in the courts, and what practitioners are tracking. The discipline is to report only what is verifiable on the public record; items that cannot be substantiated have been dropped. The format prefers fewer, better-verified items to more, softer ones.

What changed in policy

The DPDP Rules 2025, notified on 13 November 2025, are in their first operational year. The tranche-1 institutional provisions came into force on notification. Through May-June 2026 the operational architecture of the Data Protection Board has been substantially built out. The Phase I rules establishing the Board's structure under Section 18 of the DPDP Act are in force; named appointments to the Board — Chairperson and members — have not been formally Gazette-notified through the May-June 2026 cycle. Work on the Board's secretariat, procedural rules and digital-proceedings infrastructure is in progress.

The Consent Manager registration regime under Rule 4 of the DPDP Rules 2025 takes effect on 13 November 2026. The Consent Manager registration framework is anticipated through MeitY consultation ahead of the 13 November 2026 effective date. The substantive architectural choices — the registration threshold, the conflict-of-interest discipline, the seven-year retention obligation, the no-content-access principle, the audit and reporting calendar — are being calibrated for the November 2026 cliff. Several technology platforms and sectoral consortia have publicly indicated their intention to seek Consent Manager registration when the regime opens.

The MeitY's draft amendments to the IT Rules 2021 addressing alignment with the DPDP Act and the DPDP Rules 2025 are in industry consultation. The substantive alignment work includes the grievance-redressal architecture, the breach-notification interface between IT Rules and DPDP Rules, the children's-data overlay, and the cross-border-transfer notification framework. The amendments are expected to issue ahead of the May 2027 commencement of the substantive DPDP obligations to permit operational integration.

The Section 43A transitional jurisprudence under the Information Technology Act 2000 and the SPDI Rules 2011 remains operationally relevant. Section 44(3) of the DPDP Act will repeal Section 43A and the SPDI Rules on full commencement of the substantive DPDP provisions on 13 May 2027; pre-commencement breaches remain governed by the substantive law in force at the time of the breach. Adjudicating-officer orders under Section 46 of the IT Act continue to be issued; the architecture is the Vinod Kaushik v. Madhvika Joshi (Adjudicating Officer, 2011) line and its accumulated successor jurisprudence. Practitioners advising on pre-commencement breach exposures continue to work through the Section 43A architecture in parallel with DPDP-readiness work.

What changed in the courts

The intermediary-liability framework remains in the post-Kunal Kamra v. Union of India recalibration. The Bombay High Court's final operative judgment of 26 September 2024 in Kunal Kamra v. Union of India (2024 SCC OnLine Bom 2853), striking down Rule 3(1)(b)(v) of the IT Rules 2021 as inserted by the 6 April 2023 amendment, remains operative law. The Supreme Court appeal — filed by the Union of India in October 2024 — continues to be listed for hearing without an interim stay. The PIB Fact Check Unit notification dated 20 March 2024 remains void. The Central Government has not notified a replacement mechanism through the May-June 2026 cycle; the architecture for online "fake news" content moderation remains the pre-March 2024 position, with the Shreya Singhal-disciplined regime under Section 79 and the Section 69A blocking architecture operating as the principal mechanisms.

The Shreya Singhal v. Union of India (2015) 5 SCC 1 reading of Section 79 of the IT Act 2000 continues to govern the intermediary safe-harbour analysis. The court-order-or-government-notification trigger for safe-harbour loss continues to be the operative standard. The Section 69A blocking architecture under the Information Technology (Procedure and Safeguards for Blocking for Access of Information by Public) Rules 2009 continues to operate; the Rule 16 confidentiality regime and the Section 69A judicial-review architecture remain as they were after the Karnataka High Court's 30 June 2023 judgment in X Corp v. Union of India (2023 SCC OnLine Kar 109), which dismissed Twitter's challenge to blocking directions and imposed Rs. 50 lakh costs.

The post-Subhranshu Rout v. State of Odisha (2020 SCC OnLine Ori 878) and post-Jorawer Singh Mundy v. Union of India (2021 SCC OnLine Del 2306) right-to-be-forgotten line continues to accumulate through the High Courts. The DPDP Act 2023 Section 12(2)(a) right to erasure operates as the statutory cousin of the constitutional right-to-be-forgotten doctrine but does not displace it; the constitutional architecture under Article 21 continues to govern cases that fall outside the DPDP framework or engage the Section 17 exemptions. The interface between the statutory and constitutional regimes will be the doctrinal frontier of the next eighteen months as the substantive DPDP provisions commence in May 2027.

The Reserve Bank of India v. Jayantilal N. Mistry (2016) 3 SCC 525 framework on regulator-transparency under the Right to Information Act 2005 continues to govern disclosure litigation against sectoral regulators. The interface with the post-K.S. Puttaswamy v. Union of India (2017) 10 SCC 1 privacy framework and the Central Public Information Officer, Supreme Court of India v. Subhash Chandra Agrawal (2020) 5 SCC 481 calibration of Section 8(1)(j) of the RTI Act remains the operative doctrinal architecture. The DPDP Act's preservation of statutory disclosure regimes under Section 17(1)(c) means the RTI architecture continues to operate alongside the DPDP framework without structural displacement.

What practitioners are tracking

The Consent Manager registration consultation is the principal operational item for the period ahead. The November 2026 cliff is twelve months out; the registration framework, the operational standards, the technical interoperability requirements and the audit architecture will all crystallise through 2026. Practitioners advising large data fiduciaries are working backwards from the November 2026 date to lock in the consent-architecture investment cycle. Practitioners advising prospective Consent Manager applicants are tracking the MeitY consultation closely.

The Significant Data Fiduciary classification framework is the second principal item. Section 10 of the DPDP Act leaves the classification criteria to Central Government notification; through May-June 2026 the substantive criteria have been the subject of industry consultation but have not been formally notified. The classification has substantial operational consequences — DPO appointment, independent data auditor, periodic DPIA, periodic audit, additional reporting — and the substantive cost-of-compliance differential between a data fiduciary and a Significant Data Fiduciary runs into multiples. Practitioners advising large-volume processors, processors of sensitive data and processors with cross-border architecture are tracking the SDF criteria with particular attention.

The cross-border transfer architecture under Section 16 of the DPDP Act is the third item. The negative-list framework leaves the Central Government free to issue restrictions on specific destinations; through May-June 2026 no negative-list notification has issued. Practitioners are tracking the trajectory of Central Government policy on cross-border data flows and the interface with the sectoral cross-border restrictions retained by RBI, IRDAI and SEBI. The architecture is more permissive than the GDPR by default; the trajectory of the negative-list framework will be the principal variable.

The Section 43A transitional jurisprudence is the fourth item. The final operative year of Section 43A runs through the May 2027 commencement of the substantive DPDP repeal. Adjudicating-officer orders, CIC orders under the residual SPDI Rules framework, and High Court appeals from such orders continue to issue. Practitioners advising on pre-commencement breach exposures must preserve the Section 43A doctrinal architecture as continuing precedent for the residual transitional period and for any pre-commencement events that surface for adjudication post-commencement. The Vinod Kaushik v. Madhvika Joshi line and its successor jurisprudence remain operationally relevant.

The intermediary-liability architecture is the fifth item. The post-Kunal Kamra doctrinal recalibration, the pending Supreme Court appeal in Union of India v. Kunal Kamra, the Delhi High Court's continuing engagement with the IT Rules 2021 Part III challenges, and the Karnataka High Court's evolving s.69A and s.79(3)(b) jurisprudence together form the framework that practitioners advising platforms, intermediaries and content publishers must track. The Section 79 safe-harbour architecture under the Shreya Singhal discipline remains the foundational reference; the operational details accumulate at the High Court level.

The DPB inquiry and voluntary undertaking architecture under Sections 27 and 32 of the DPDP Act is the sixth item. The first DPB orders are expected through the second half of 2026; the procedural template for DPB inquiry, voluntary undertaking, penalty calibration and appeal to TDSAT will be shaped by the first orders issued. The architecture of Section 33 penalty-calibration factors will be substantively articulated through the first inquiry rulings; the Schedule's Rs. 250 crore per-breach cap will be tested in practice through the first significant-breach adjudication.

The architecture, drawn together

Read together, the May-June 2026 cycle is the operational mid-point of the DPDP transition. The substantive doctrinal architecture is set by the DPDP Act 2023 and the DPDP Rules 2025; the institutional machinery is being built out by the Data Protection Board and the MeitY consultation lines; the operational compliance work is being staged by data fiduciaries advised by the firm's principal practices. The intermediary-liability framework continues to operate under the Shreya Singhal discipline and the post-Kunal Kamra recalibration; the right-to-be-forgotten doctrine continues to accumulate through the High Courts under the Subhranshu Rout and Jorawer Singh Mundy line; the Jayantilal Mistry framework continues to govern regulator-transparency litigation. The cycle's principal contribution is operational rather than doctrinal — what has been set in the preceding decade is being made to work in the eighteen months that remain before the May 2027 substantive cliff.

Sources

  1. MeitY — Digital Personal Data Protection Rules 2025, G.S.R. 833(E) dated 13 November 2025, and explanatory notes.
  2. MeitY — Consent Manager registration draft consultation materials and Significant Data Fiduciary criteria consultation.
  3. SCC OnLine — Kunal Kamra v. Union of India (2024 SCC OnLine Bom 2853) and Reserve Bank of India v. Jayantilal N. Mistry (2016) 3 SCC 525.
  4. LiveLaw — DPDP commentary archive and intermediary-liability coverage.
  5. BarandBench — DPDP Rules implementation coverage and post-Kunal Kamra litigation tracking.
  6. Internet Freedom Foundation — IT Rules 2021 case tracker and DPDP commentary.

Related reading

Service and employment law in May–June 2026: gig-worker rules, the labour codes operationalised, and the regularisation line refined

The May–June 2026 cycle in Indian service and employment law has produced the most operationally consequential clutch of developments since the four Labour Codes were notified on 21 November 2025. The *Social Security (Central) Rules 2026* — notified on 8 May 2026 — operationalise the Chapter IX gig-and-platform-worker framework with the first enforceable monetary obligation on aggregators. The *MoLE* additional FAQs on the Codes supply working compliance guidance — including a standardised 50%-of-CTC wages definition. *Bhola Nath v. State of Jharkhand* refines the *Umadevi* regularisation discipline through the model-employer doctrine. *Avinash Kumar v. UoI* polices deemed-abandonment clauses. *Virinder Pal Singh v. Punjab and Sind Bank* settles the continuing-post-retirement-disciplinary question. *Rupesh Kumar Meena v. UoI* preserves the finality of selection. *Balaji Madhukar Konkanwar* rejects estoppel on structural-inequality grounds. The Supreme Court strikes down the three-month adoption-age cap on maternity leave under the *Code on Social Security 2020*. The dismissal-versus-compulsory-retirement dichotomy under *Article 311(2)* is given operational content. Read together, the cycle resets the working architecture in which Indian service-and-employment practice now runs.

Valkya Editorial··15 min

Labour and employment law: May-June 2026 roundup

The May-June 2026 cycle in Indian labour and employment law has been dominated by the 8 May 2026 Industrial Relations (Central) Rules notification, the operationalisation of state-level gig-worker frameworks led by Karnataka, the continuing IFAT v. Union of India petition before the Supreme Court, and a clutch of apex-court rulings on workman classification and contract-labour referral jurisdiction.

Valkya Editorial··10 min

Insurance law in May-June 2026: collateral source, mental-health parity, IRDAI cyber-security, and the Sabka Bima reforms

The May-June 2026 cycle in Indian insurance law has produced three threads running in parallel — the Supreme Court's collateral-source recalibration in Dolly Satish Gandhi alongside the Santhosh anti-double-counting discipline and the Sayona Colors fraud-vitiates-all line; the operational implementation of the Sabka Bima Sabki Raksha (Amendment of Insurance Laws) Act 2025 with 100 per cent FDI and SEBI-style disgorgement powers for the IRDAI, alongside the Bima Sugam commercial launch and the continued delay of the Bima Vistaar composite product; and the IRDAI's substantive regulatory recalibration through the Information and Cyber Security Guidelines 2026, the KMP remuneration amendment tying half of the performance assessment to policyholder-outcome metrics, and the Karnataka HC and Supreme Court interventions on MACT jurisdiction over PA cover and on the personal liability of insurer top brass.

Valkya Editorial··15 min
Research this line of authority in Valkya

Trace how this proposition has been treated across Indian courts — citations, bench strength, and subsequent history — in one workspace built for litigators.

Open Valkya →