On 29 May 2026, Justice Sachin Datta of the Delhi High Court delivered a 144-page judgment recognising the Right to be Forgotten as an integral facet of informational privacy under Article 21 and laying down a workable framework for de-indexing judicial records.
The May-June 2026 cycle in Indian cyber and data-protection practice is dominated by the DPDP Rules 2025 first-year operationalisation, the transitional jurisprudence under Section 43A of the IT Act 2000 in its final operative phase, and the continuing post-Kunal Kamra recalibration of the intermediary-liability framework. A focused round-up of what changed in policy, what changed in the courts, and what practitioners are tracking.
A practitioner's primer on the structural design of India's first comprehensive data-protection statute — lawful basis, data-fiduciary obligations, the Significant Data Fiduciary tier, data-principal rights, cross-border transfers, exemptions, the Data Protection Board, the Schedule's ₹250 crore penalty cap, and the staged repeal of Section 43A IT Act and the SPDI Rules 2011. Written as the foundational reference for any DPDP question.
Six months into the staged rollout of the Digital Personal Data Protection Act, 2023 — and the DPDP Rules notified by MeitY on 13 November 2025 — the practitioner architecture is now substantially visible. Phase I (the Data Protection Board's establishment) is live; Phase II (the consent-manager regime) takes effect on 14 November 2026; Phase III (the compliance obligations and the ₹250 crore penalty ceiling) takes effect on 14 May 2027. A practitioner read on where data fiduciaries should be at the six-month mark and what the remaining eighteen months require.
On 24 August 2017, a nine-judge Bench of the Supreme Court held — without dissent, in 547 pages across six opinions — that the right to privacy is protected as a fundamental right under Articles 14, 19 and 21 of the Constitution. The judgment overruled M.P. Sharma (1954) and Kharak Singh (1962) in significant part, and supplied the three-prong proportionality test for state action affecting privacy. A close digest.
India's first comprehensive data-protection framework is now operational, but in a staged sequence: Consent Manager rules effective November 2026; substantive Significant Data Fiduciary obligations effective May 2027. A practitioner's read on the architecture, the timeline, and the compliance work that has just become urgent for law firms and for the entities they advise.