The Ministry of Electronics and Information Technology (MeitY) unveiled draft rules for the Digital Personal Data Protection (DPDP) Act on Friday, January 3, marking a significant step towards implementing India’s long-awaited data protection framework.
Passed by Parliament in August 2023, the DPDP Act is designed to safeguard personal data and ensure responsible processing by organizations. The draft rules are now open for public feedback on the MyGov portal until February 18, 2025, offering stakeholders an opportunity to shape the final regulations.
The draft rules are expected to clarify critical aspects of the DPDP Act, including the structure and functions of the Data Protection Board (DPB). This independent body will oversee data-related grievances and enforce compliance. Users will be able to file complaints with the DPB and appeal its decisions, ensuring an accessible mechanism for redressal.
The rules will also specify procedures for users to exercise their rights, such as accessing personal data held by companies (referred to as Data Fiduciaries) and requesting its deletion when consent is withdrawn. Timelines for erasing such data and resolving user complaints will be outlined, providing clarity for both organizations and individuals.
Additional provisions in the draft include requirements for obtaining parental consent when processing minors’ data and mandatory notifications to users in the event of a data breach. These measures aim to strengthen user trust and accountability in data handling.
The rules will establish conditions for Consent Managers entities responsible for managing user consent. These conditions will address technical, operational, and financial requirements, ensuring a robust framework for consent handling.
The industry has been eagerly awaiting these rules to prepare for compliance and streamline systems. Experts anticipate that the final rules will provide much-needed clarity on operational responsibilities under the DPDP Act.
With public feedback open until mid-February, the next steps will involve refining the draft rules before formal adoption. This marks a critical phase in India’s journey toward comprehensive data protection and privacy in the digital age.