Parliamentary Committee raises concern with MeitY over DPDP Act implementation lag

The Parliamentary Standing Committee on Information and Communications Technology has raised concerns over the slow rollout of India’s Digital Personal Data Protection (DPDP) Act, 2023, urging the Ministry of Electronics and Information Technology (MeitY) against missing the mark on protecting citizens’ data privacy.

In its review of the government’s response to earlier recommendations, the committee, during the report presented in Lok Sabha on July 24, found that MeitY had only managed to conduct 20 awareness workshops and 9 consultations on the Draft DPDP Rules, 2025. Additionally, with respect to R&D scheme, four brainstorming sessions with academic experts were held to explore research and development needs, which the Ministry itself admits is a niche area in need of urgent industry participation.

Read more: Businesses gear up for DPDP Rules with privacy policy updates, appoint Data Officers

"...it has been found that it is niche area, which need industry participation for developing potential and promising applications which may further support to various stakeholders towards DPDP compliance in terms of security safeguards etc.," the Ministry said.

While the Ministry claims to have developed a beta version of the “Digital Office” envisioned under the Act, the committee remained unconvinced. It has now urged MeitY to implement DPDP-related projects “in right earnest” and ensure timely achievement of its objectives, especially in light of increasing privacy concerns, regulatory gaps, and data security threats.

Read more: IAMAI urges MeitY for 24-month implementation period of DPDPA Rules

“The Committee would like to impress upon the Ministry to implement these projects in right earnest and ensure that the intended objectives are achieved on time,” the panel wrote in its comments.

Read more: New consent API under DPDP Act set to redefine data use rules for digital platforms

The Committee also reviewed the National Cyber Coordination Centre (NCCC) project, an infrastructure aimed at generating nationwide situational awareness of cyber threats and enabling real-time coordination among stakeholders. While Phase I of NCCC was operationalized in 2017, Phase II, which includes the integration of 250 monitoring sites, was supposed to be completed by end of FY 2024-25. The Committee also asked MeitY for a status update on whether that target is still within reach.

Read more: DPDPA Rules may hinder MSMEs from leveraging digital tools for marketing and growth

The Ministry had released the draft DPDP Rules on January 3, 2025. These rules are intended to clarify and facilitate the implementation of the Digital Personal Data Protection Act, 2023. The draft rules were released for public consultation, with comments accepted until March, 2025.

Read more: DPDP Act: MeitY releases draft data protection rules for public consultation