As India continues to bolster its digital economy, safeguarding personal data has emerged as a critical priority. At the helm of this mission is the Digital Personal Data Protection (DPDP) Act, a landmark piece of legislation passed by Parliament in 2023.
On January 3, 2025, the government released the DPDP draft rules for public consultation, marking a significant step in efforts to regulate data privacy and protection. These rules, which have sweeping implications for both the public and private sectors, outline critical provisions related to data handling, its cross-border transfer, and the processing of children’s data, among other concerns.
IT ministry secretary S Krishnan, who took charge at MeitY shortly after the passage of the DPDP Act, reflected on the extensive consultations that went into drafting the rules, which he views as a balanced approach to data privacy and business needs. In an interview with Moneycontrol, he discussed the government’s approach to data regulation and the path forward for businesses and citizens alike.
One of the key goals of the DPDP Act and its accompanying rules is to strike a balance between data protection and India’s rapidly expanding digital economy. As Krishnan explained, the government has designed the rules to offer a flexible and non-prescriptive framework that can be adapted to a variety of contexts, from global corporations to nascent startups.
The draft rules are aligned with the principles of the DPDP Act and are designed to be simple, adaptable, and flexible, he said. “By granting companies, including startups, the freedom to innovate responsibly, the draft rules encourage innovation while minimising regulatory burden. This approach promotes both ease of living for citizens and ease of doing business for companies.”
The rules are structured to minimize red tape, which is particularly important as India aims to become a global digital hub. The government’s overarching goal is to ensure that India remains an attractive destination for both local startups and international businesses, offering them the tools to grow in a secure digital landscape.
Recognizing that compliance with the new rules may require adjustments, Krishnan highlighted that the government is committed to facilitating a smooth transition for businesses. He gave an assurance that companies would be granted sufficient time to adapt to the new regulations.
A particularly sensitive aspect of the DPDP rules is the handling of children’s data. Under the new provisions, companies will be tasked with verifying the age of users to ensure that data processing complies with the law. Krishnan clarified that companies would be given the autonomy to determine how best to comply with these requirements.
In addition to the rules, the establishment of the Data Protection Board is a crucial component of the DPDP framework. Krishnan revealed that the government is in the process of setting up a fully digital, “born-digital” platform for the Board. This platform will allow citizens to lodge complaints and have them adjudicated without the need for in-person visits.
The next step will be a period of consultation, followed by final implementation of the rules. In the coming years, as the Data Protection Board becomes operational, citizens and businesses alike will be watching closely to see how India’s new regulatory framework shapes the country’s digital future.