Fintech
Travel Tech
Electric Vehicle
Health Tech
Edtech
IT
Logistics
Retail
Ecommerce
Startup Ecosystem
Enterprise Tech
Clean Tech
Consumer Internet
Agritech
The Ministry of Electronics and Information Technology has already completed perusing two-thirds of comments received during consultations on the draft DPDP Rules 2025
The remaining one-third of the comments will be completed soon and the rules are expected to be finalised by next month end
After much anticipation, MeitY released the draft rules for DPDP on January 3 and invited suggestions from the public till February 8. Later, the deadline was extended to March 5
The Centre is reportedly planning to finalise the Digital Personal Data Protection (DPDP) Act rules by April, a legislation aimed at safeguarding personal data in an increasingly digital world.
The Ministry of Electronics and Information Technology (MeitY) is currently in the process of reviewing feedback from industry stakeholders, privacy advocates and citizens. An ET report said that the ministry has already completed perusing two-thirds of comments received during consultations on the draft DPDP Rules 2025.
The remaining one-third of the comments will be completed soon and the rules are expected to be finalised by next month end, the report added, citing a government official.
This comes just a few days after the Centre closed the two-month consultation period to seek suggestions from industry leaders, digital rights advocates, startups and other stakeholders on the DPDP draft rules. Back then, the authorities said that there will be no major change in the draft and the deadline for public consultations will not be extended further.
DPDP Draft And What Followed: After much anticipation, MeitY released the draft rules for DPDP on January 3 and invited suggestions from the public till February 8. Later, the deadline was extended to March 5.
As per the DPDP draft rules, data fiduciaries will need to give necessary details and seek consent from users before processing their personal data.
Data fiduciaries are the entities which regulate how personal data is processed. With this, the users will have the power to revoke their consent and in case of any violation, they can file a complaint with the Data Protection Board of India.
The data fiduciaries are expected to adhere to the following measures to prevent personal data breaches:
- Implementation of data security like encryption of personal data, masking or using virtual tokens linked to the data set.
- Measures to control access to the computer resources used by a data fiduciary or a data processor.
- Ensuring visibility on who is accessing such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence.
- Reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised.
- Appropriate provision in the contract entered between data fiduciary and a data processor for taking reasonable security safeguards.
- Technical and organisational measures to ensure effective observance of security safeguards.
The draft bill also considered privacy of data associated with children and individuals with disabilities. The data controller will need to seek consent from parents or legal guardians before processing the personal data of the children or individuals with disabilities.
Besides, it also emphasises on cross-border data transfers, which can now only occur if the Centre permits and the receiving country meets mandatory data protection criteria.
However, the rules are not implied on entities in the healthcare sector, educational institutions as well as child day care centres.
In August 2023, the Lok Sabha passed the DPDP Bill, 2023. The aim was to replace the data protection rules that were largely enforced through Section 43A of the Information Technology Act, 2000.
The Broader Impact : With India’s rapid technological evolution, data privacy is at stake.
The government claims that this set of rules will provide lesser compliance burden for startups and MSMEs and more clarity about how to tackle users’ personal data.
However, the founders of startups, including MobiKwik, OYO, ixigo and Razorpay, among others, met the government officials and voiced their concerns regarding the draft rules in January. The closed-door meeting highlighted discussions around cross-border transfer of certain data sets, which is important for startups operating in sectors including ecommerce and travel.
A report published by PwC last year has been an eye-opener. In the survey of over 3,000 consumers across the country, it found that 56% were completely unaware of their rights related to personal data.
Meanwhile, the survey on 186 respondents representing organisations found that only 9% organisations have a comprehensive understanding of the DPDP Act.
