The Ministry of Electronics and Information Technology (MeitY) has extended the public feedback period on draft rules for the Digital Personal Data Protection Act (DPDPA) by 15 days. A source close to the development told Storyboard18 that the feedback is now accepted until March 5, 2025.
Earlier, the feedback was accepted until February 18. However, industry stakeholders expressed concerns about the limited consultation period and sought more clarifications.
In a notice for extension, the Ministry said, “Feedback/comments from the stakeholders on the draft Rules were invited until February 18, 2025. In response to the representations received from several stakeholders, the
Ministry has decided to extend the last date for receipt of feedback/comments till March 5, 2025.”
Read more: DPOs in demand: DPDP draft rules push Meta, Kotak, GMR to seek Data Protection Officers
The Ministry released draft regulations to implement the government’s landmark digital privacy law on January 3.
On January 14, Ashwini Vaishnaw, India’s Minister for Electronics and Information Technology, led a key industry consultation in New Delhi on the draft rules, where he emphasised the government’s commitment to engaging with a broad spectrum of stakeholders, stating that they will continue to conduct a series of exhaustive consultations to ensure that all viewpoints are heard.
In the same meeting, Vaishnaw had suggested that the ongoing consultations could extend beyond the initially planned timeline, potentially by up to 15 days.
In addition to concerns about the consultation process, the Internet Freedom Foundation (IFF) raised preliminary issues regarding five key areas in the draft rules: vagueness, excessive reliance on discretionary powers, weak oversight and accountability mechanisms, broad exemptions for state processing, and a move toward universal and mandatory registrations.
Vinay Butani, Partner at Economic Laws Practice, told Storyboard18 that the limited public consultation period was a concern among stakeholders. The short timeframe for feedback could hinder comprehensive stakeholder engagement and the inclusion of diverse perspectives in the final rules.
Read more: DPDP Rules: Govt may give extension on consultation period
Butani also noted ambiguities in the DPDPA rules, particularly regarding breach notification procedures and specifics of security safeguards. These gaps, he said, could pose challenges to implementation and lead to inconsistencies in compliance, including difficulties with verifiable consent mechanisms.
The DPDP Act, passed by Parliament on August 9, 2023, followed the Supreme Court’s recognition of privacy as a fundamental right. However, the Act has yet to come into effect as its rules and regulations are still being finalised.
Jaspreet Singh, Partner at Grant Thornton Bharat, noted, “The draft rules leave certain areas open to interpretation and require further refinement. For example, the designation of organisations as Significant Data Fiduciaries (SDF) by an officer appointed by the MeitY Secretary raises important questions about compliance and operations.”
The limited consultation period, coupled with ambiguities in critical provisions, has raised concerns among stakeholders. Experts emphasise the need for detailed guidelines and a more inclusive approach to ensure effective implementation.