The Ministry of Electronics and Technology (MeitY) recently released draft rules for the Digital Personal Data Protection Act (DPDPA) to solicit public feedback. Stakeholders have expressed concerns about the limited consultation period and are requesting an extension. Feedback is currently being accepted until February 18. Experts state that though the implementation timeline is of two years, be it MSME’s or major companies, they are now a data fiduciary.
The draft rules mandate the localization of personal data within India, except in cases where exemptions are granted by the central government. Additionally, the rules require parents and guardians to verify their identity before individuals under 18 can register on online platforms or social media.
Minister of Electronics and IT Ashwini Vaishnaw has expressed his intent to avoid overly complex regulations akin to Europe’s General Data Protection Regulation (GDPR). Instead, India seeks a simpler framework that encourages innovation while upholding user privacy.
S. Krishnan, Secretary of the IT Ministry, who assumed office at MeitY shortly after the passage of the DPDP Act, highlighted the extensive consultations involved in drafting the rules. He emphasized the effort to balance data privacy with business needs.
Vinay Butani, Partner at Economic Laws Practice, remarked, “The limited public consultation period is a concern. The short timeframe for feedback could hinder comprehensive stakeholder engagement and the inclusion of diverse perspectives in the final rules.”
Butani also noted ambiguities in the DPDPA rules, particularly regarding breach notification procedures and specifics of security safeguards. These gaps, he said, could pose challenges to implementation and lead to inconsistencies in compliance, including difficulties with verifiable consent mechanisms.
The DPDP Act, passed by Parliament on August 9, 2023, followed the Supreme Court’s recognition of privacy as a fundamental right six years earlier. However, the Act has yet to come into effect as its rules and regulations are still being finalized.
Akshayy Nanda, Partner at Saraf and Partners, urged organizations to begin compliance efforts without delay. “Compliance is a complex, time-consuming process that often requires a thorough overhaul of business practices,” Nanda said. “Organizations that delay risk falling behind, facing legal penalties, and damaging their reputations. The time to act is now.”
In addition to concerns about the consultation process, the Internet Freedom Foundation (IFF) raised preliminary issues regarding five key areas in the draft rules: vagueness, excessive reliance on discretionary powers, weak oversight and accountability mechanisms, broad exemptions for state processing, and a move toward universal and mandatory registrations.
The IFF highlighted problems with the requirement for Verifiable Parental Consent (VPC) for children’s data under Rule 10. It argued that without internet-wide age-gating, only users identified as children would need VPC, potentially paving the way for mandatory age verification for all users via government-issued credentials. This could lead to mass surveillance, violate data minimization principles, and result in over-collection and prolonged storage of personal data.
Siddharth Chandrashekhar, advocate & counsel, Bombay High Court pointed out, “Granting government agencies unfettered access to personal data in the name of national security is like giving a wolf the keys to the sheep pen. While national security is paramount, the absence of robust safeguards invites misuse and could erode public trust. When the gatekeepers themselves are unchecked, privacy becomes an illusion, and liberty is the silent casualty. Those wary of digital snooping, are will within their rights to question if this provision sacrifices privacy at the altar of surveillance.”
Jaspreet Singh, Partner at Grant Thornton Bharat, noted, “The draft rules leave certain areas open to interpretation and require further refinement. For example, the designation of organizations as Significant Data Fiduciaries (SDF) by an officer appointed by the MeitY Secretary raises important questions about compliance and operations.”
The limited consultation period, coupled with ambiguities in critical provisions, has raised concerns among stakeholders. Experts emphasize the need for detailed guidelines and a more inclusive approach to ensure effective implementation.