The Ministry of Home Affairs has approved the draft Digital Personal Data Protection (DPDP) rules after inter-ministerial consultations concluded on December 31, 2024. The Ministry of Electronics and Information Technology (MeitY) will now release the draft rules for public consultation, paving the way for their notification and phased implementation.
This approval marks a crucial milestone, as the DPDP Act, passed more than 16 months ago, has remained dormant awaiting the finalisation of its rules. Key provisions of the Act, including data privacy safeguards, data minimisation, purpose limitations, and penalties for violations, have yet to be enforced.
The finalised rules are expected to address essential aspects such as user consent mechanisms, data handling protocols, and compliance timelines. Officials have indicated that companies will have a transition period of 18 to 24 months to align with the new regulatory framework.
Once operational, the Act will grant consumers greater control over their personal data. Organisations managing user data will need to disclose the information they hold, allow users to request its deletion, and adhere to specified usage preferences. Consumers will also be entitled to inquire about the purpose of data collection, permissible uses, and the timelines for deletion. The rules will further specify provisions for managing consent for minors and outline exemptions for specific entities or situations. The government also plans to establish the Data Protection Board to adjudicate disputes between data principals (users) and fiduciaries (data handlers).
Additionally, entities found guilty of data breaches could face penalties of up to Rs 2,500 million per incident, emphasising the government’s resolve to ensure strict compliance.
