DPDP Act final rules expected by September 30
As per sources, the government will notify the final set of comprehensive rules for the Digital Personal Data Protection Act, this week.
ADVERTISEMENT
The government is preparing to notify the final rules for the Digital Personal Data Protection (DPDP) Act by September 30. To operationalize the law, the government has already received 6,915 responses from stakeholders and citizens, reflecting strong public engagement.
A highly placed source told Storyboard18, "...it is confirmed that DPDP with Consent Management goes to the President to become a law on 30th of September."
IT Minister Ashwini Vaishnaw had earlier set the September 28 deadline, while sharing that the rules under the law had been finalized and would be made public before the end of September.
He also had noted that the drafting process had been deliberate, involving extended consultations with industry groups, civil society, and sections of the press that had voiced concerns. Only after those issues were resolved, he said, did the government decide to move ahead.
S. Krishnan, secretary at the Ministry of Electronics and Information Technology, too, had recently said the final text was ready for publication, capping a long period of debate and drafting. Implementation, he added, would proceed in phases, consistent with earlier signals from the ministry.
Passed in 2023, the Digital Personal Data Protection Act sets rules for the collection and processing of digital personal data, aiming to balance individual privacy rights with the need for lawful data use. The law is intended to foster a more secure and accountable digital environment, and the government has emphasized that awareness and capacity-building will be key to its rollout.
As per sources, the government is unlikely to introduce amendments or detailed guidelines, and may instead issue a set of FAQs to address queries around the Act. This has alarmed media groups, who say their concerns remain unaddressed.
One of the most contentious provisions is Section 7, which requires consent from individuals before their information can be collected or published.
Intended as a safeguard, journalist bodies argue it could cripple investigative reporting. Further, provisions empowering the Data Protection Board to seek disclosure of information raise fears that reporters could be compelled to reveal confidential sources. Media groups also caution that the law may dilute the Right to Information (RTI) Act, restricting public access to critical data. The hefty penalties under the Act- running up to ₹200 crore-add to the unease.
Storyboard18 earlier reported that bodies including the Editors Guild had demanded amendments or explicit safeguards for the media, but with none in sight, journalists remain wary of how the law will reshape the practice of reporting in India.
In its letter to Vaishnaw last year, the body had urged the ministry that processing for journalistic purposes is excepted from the application of DPDPA.
Meanwhile, the National Association of Software and Service Companies (NASSCOM) had urged the government to reconsider the proposed restrictions on cross-border data transfers under the draft. In its submission, the trade body asserted that the proposal risks causing unintended uncertainty about international data transfers. Additionally, the proposal could impact global competitiveness, and increase compliance costs for companies operating across jurisdictions.
In its letter to MeitY, the Internet and Mobile Association of India (IAMAI) also pushed back against potential restrictions on cross-border data transfers, stating that such measures could isolate Indian companies from the global data economy and raise compliance costs. IAMAI also called for a 24-month implementation period to allow companies to adapt to the regulatory changes.
In addition, compliance is said to be simply unaffordable for the MSMEs.
Sanjay Goel, Former Joint Secretary, Ministry of Electronics and Information Technology recently told Storyboard18 that while there has been a lot of hue and cry in the industry and the academia, regarding curbing of free speech, freedom/ right for information, why should anyone has to have the right over user's personal data, whether it is through executive action or through courts?
"One’s data is one’s own. This act gives that right to the individual. If a third person wants it, the same is not a right of that entity. It can make a request and the data principle would now be well within his rights to allow or disallow such usage. Whether it is for research or any other purpose no one can claim right and get the data except as per the process or provisions laid down in DPDP," Goel highlighted.
