The Ministry of Electronics and IT has unveiled draft regulations aimed at implementing the government’s groundbreaking digital privacy law.
The Ministry mentioned that the draft rules are open for public feedback until February 18, 2025, and submissions can be made through the MyGov portal.
The Ministry stated that the DPDP Act which received the assent of the President of India, establishes a framework for processing digital personal data. It balances the individual’s right to protect personal data with the need to process such personal data for lawful purposes.
The DPDP Act and its draft rules are designed to keep pace with the swift evolution of digital technologies. The Data Protection Board, envisioned as a fully digital platform, aims to streamline processes by allowing citizens to file complaints and resolve disputes entirely online, eliminating the need for physical appearances. Additionally, citizens will be informed about their rights and equipped to manage their personal data through user-friendly, multilingual digital platforms.
As per the Ministry, the draft Rules details about the various implementation aspects such as the notice by the Data Fiduciary to the individuals, registration and obligations of Consent Manager, processing of personal data for issuance of subsidy, benefit, service etc. by State, applicability of reasonable security safeguards, intimation of personal data breach, providing details about availing of their rights by the individuals, processing of personal data of child or of person with disability, setting up the Data Protection Board, appointment and service conditions of the Chairperson and other members of the Board, functioning of Board as digital office, procedure to appeal to Appellate Tribunal among others.
The Ministry intends to conduct structured consultations with civil society, industry leaders, and government stakeholders, alongside gathering online feedback, to refine the proposed rules. Once finalised, the rules will be presented to Parliament for approval.
The draft rules focus on safeguarding individual rights while ensuring minimal disruption to current digital practices. Organisations will be granted sufficient time to align with the new regulations, which aim to keep compliance requirements manageable. Data processing based on prior consent will remain permissible, provided individuals receive notices that uphold their legal rights.
Additionally, to protect children’s personal data, Data Fiduciaries are required to establish mechanisms for obtaining verifiable parental consent. While startups will enjoy eased compliance requirements, significant Data Fiduciaries will face more stringent obligations.
The DPDP Act establishes a system of graded financial penalties, determined by the severity and duration of violations. To ensure enforcement remains fair and proportional, businesses have the option to voluntarily submit undertakings to the Data Protection Board during proceedings, potentially avoiding penalties.
The draft rules do not mandate storing all personal data exclusively within India. However, certain categories of personal data may face restrictions on cross-border transfers, subject to recommendations from a designated committee.
