As inter-ministerial consultations on the draft rules for the Digital Personal Data Protection (DPDP) Act reportedly concluded on December 31′ 2024, the rules are now being sent for translation, Storyboard18 has learned.
The draft rules recently received approval from the Ministry of Home Affairs.
According to a highly placed source close to the development, DPDP Act draft rules will likely be released soon.
Once out, there will be a 45-day consultation period for stakeholders.
IT minister Ashwini Vaishnaw, in August last year, publicly announced that the government would release the draft rules for implementing the Digital Personal Data Protection Act (DPDPA) within 30 days. “The framework is ready and a draft of the DPDP rules will be published for public consultation within thirty days,” he said.
Read more: BREAKING: DPDP rules will soon be released for public feedback, says Ashwini Vaishnaw
The release of these draft rules aims to operationalise the DPDP Act, providing a clear framework for data protection and privacy in India.
Storyboard18 earlier reported that the compliance or transition period under the draft rules will likely be kept between six to eight months only, with provisions for up to Rs 250 crore penalty for any data breach.
It is to be noted that data privacy laws including the General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA)- from where the DPDP Act has taken inspiration, gave companies around two years to make the transition, change business practices and then were levied with the penalty violation.
Read more: DPDP Act draft rules expected soon; transition period likely to be restricted to 6 months
However, early-stage startups are likely to be given 3-6 months as the grace period to test their products during which they will be exempt from certain stringent provisions
Under the draft rules, the government can demand data on grounds of National Security, it has been learned. Also, cross-border information to other governments, if shared, must be notified to the Central Govt.
Additionally, significant conditions are being added to data fiduciaries.
Prasanth Sugathan, legal director, Software Freedom Law Centre India, points out that such a long delay in implementing the legal framework for data protection is unacceptable. “Citizens are forced to share a lot of personal information with Government agencies and corporates and any further delay will affect citizens and businesses.
Although there is a lot of room for improvement in the parent Act, the enforcement of the Act and the Rules would give at least some protection to users, who have to encounter data breaches on a regular basis.”
The DPDPA rules, which have been delayed for several months, will reinforce the existing data privacy law, while amendment to the IT rules will address crucial issues like artificial intelligence-driven misinformation and deepfakes until a comprehensive Digital India Act is formulated.
The DPDP Act was passed by Parliament on August 9, 2023 — about six years after the Supreme Court upheld privacy as a fundamental right. Despite being announced last year, the Act has not yet taken effect since its rules and regulations are still have not been released or finalised.