On 14 August 2021, a Bombay High Court division bench stayed Rules 9(1) and 9(3) of the IT Rules 2021 pan-India — holding that the Code of Ethics for digital news media travels beyond the rule-making power conferred by the IT Act and chills Article 19(1)(a) speech.
The May-June 2026 cycle in Indian cyber and data-protection practice is dominated by the DPDP Rules 2025 first-year operationalisation, the transitional jurisprudence under Section 43A of the IT Act 2000 in its final operative phase, and the continuing post-Kunal Kamra recalibration of the intermediary-liability framework. A focused round-up of what changed in policy, what changed in the courts, and what practitioners are tracking.
A practitioner's primer on the structural design of India's first comprehensive data-protection statute — lawful basis, data-fiduciary obligations, the Significant Data Fiduciary tier, data-principal rights, cross-border transfers, exemptions, the Data Protection Board, the Schedule's ₹250 crore penalty cap, and the staged repeal of Section 43A IT Act and the SPDI Rules 2011. Written as the foundational reference for any DPDP question.
A 2016 Delhi High Court division bench refused to read constitutional restraints into a click-wrap consent transaction but moulded transitional relief — and the case has been pending before a five-judge Constitution Bench of the Supreme Court ever since.
A Bombay High Court division bench split 1-1 in January 2024 on the constitutional validity of the IT Rules 2023 Fact Check Unit. The tie-breaking opinion of Justice A.S. Chandurkar in September 2024 struck down Rule 3(1)(b)(v) — vague, overbroad, and structurally inviting the state to be judge in its own cause.
On 30 June 2023, a single bench of the Karnataka High Court dismissed Twitter's challenge to MeitY blocking orders covering 39 URLs and 1,474 accounts — and imposed exemplary costs of fifty lakh rupees. Section 69A, the court held, authorises account-level blocking; foreign intermediaries have only limited Article 19 standing; and selective compliance attracts deterrent costs.
Six months into the staged rollout of the Digital Personal Data Protection Act, 2023 — and the DPDP Rules notified by MeitY on 13 November 2025 — the practitioner architecture is now substantially visible. Phase I (the Data Protection Board's establishment) is live; Phase II (the consent-manager regime) takes effect on 14 November 2026; Phase III (the compliance obligations and the ₹250 crore penalty ceiling) takes effect on 14 May 2027. A practitioner read on where data fiduciaries should be at the six-month mark and what the remaining eighteen months require.
India's first comprehensive data-protection framework is now operational, but in a staged sequence: Consent Manager rules effective November 2026; substantive Significant Data Fiduciary obligations effective May 2027. A practitioner's read on the architecture, the timeline, and the compliance work that has just become urgent for law firms and for the entities they advise.