The draft rules are designed to protect citizens’ rights while supporting technological advancements
The Ministry of Electronics and Information Technology (MeitY) on Friday, January 3, released the draft rules for the Digital Personal Data Protection (DPDP) Act. The legislation, enacted in 2023, aims to safeguard personal data while fostering a balance between regulation and innovation in India’s burgeoning digital economy. Citizens and stakeholders have until February 18, 2025, to provide feedback through the MyGov portal.
Safeguarding Digital Rights With Innovation
The draft rules are designed to protect citizens’ rights while supporting technological advancements. MeitY underscored the intent to promote a secure digital environment without hampering ongoing digital practices. The rules and the Data Protection Board are envisioned to operate entirely through digital platforms, allowing individuals to submit complaints and seek resolutions without requiring physical appearances.
Public Consultation Process
To finalise the rules, the government will engage with civil society, industry representatives, and other stakeholders in structured feedback sessions. “All feedback will be taken into consideration while finalising the rules, and the final version will be presented before Parliament,” MeitY stated.
Adaptation Period For Businesses
The government has assured that businesses will be given sufficient time to comply with the rules, with minimal disruption to existing practices. Entities that processed personal data based on prior consent can continue doing so, provided they inform users of their rights under the new law.
Empowering Citizens
Citizens will be empowered to exercise their rights over personal data, such as withdrawing consent, accessing information, updating or erasing data, and lodging grievances. Digital platforms will need to offer information and consent options in English or any of the 22 Indian languages listed in the Constitution.
Parental Consent For Children’s Data
The draft rules place the responsibility on Data Fiduciaries to ensure verifiable parental consent before processing the personal data of children.
Fair Penalties For Non-Compliance
Financial penalties for non-compliance will be graded based on factors such as the nature, gravity, and duration of violations. “The penalty would be fair and proportionate, with higher obligations for Significant Data Fiduciaries and reduced compliance for startups,” the Ministry said. Fiduciaries can voluntarily offer undertakings to the Data Protection Board, which may result in the dismissal of proceedings.
Data Storage & Transfers
The rules do not mandate that personal data be stored exclusively in India. However, a committee may recommend restrictions on data transfers for certain categories by Significant Data Fiduciaries.
The draft rules are seen as a critical step towards strengthening data protection in India while maintaining a conducive environment for digital innovation. The government’s move to seek public input underscores its commitment to a transparent and inclusive legislative process.
