NEW DELHI: The long-awaited implementation of the Digital Personal Data Protection (DPDP) Act is one step closer to reality, as inter-ministerial consultations on the draft rules concluded on Tuesday with the home ministry’s approval.
The ministry of electronics and information technology (MeitY) is now set to release the draft rules for public consultation, setting the stage for their eventual notification and phased implementation.
The clearance marks a significant milestone, as the DPDP Act, passed over 16 months ago, has remained inoperative pending finalisation of its rules. The delay has left key provisions – ensuring data privacy, enforcing data minimisation and purpose limitations, and imposing penalties for violations – unrealised.
The final rules will address critical aspects of the Act, including user consent mechanisms, data handling procedures, and compliance timelines. According to officials, the transition period for companies to adapt to the new regulatory framework is expected to range from 18 to 24 months. This is more or less in line with global practices, which allow 12 to 30 months for similar overhauls.
“Given the sensitivity of personal data, it was essential to ensure all government departments and stakeholders were aligned with the draft rules,” said an official. Some ministries had earlier cited challenges in setting up mechanisms for seeking user consent and requested additional time to transition to the new system. Private entities, too, have sought an adequate adjustment period to comply with the rules.
Once implemented, the Act will empower consumers with greater control over their data. Companies handling user data will be required to disclose the information they possess, enabling users to request its deletion or specify usage preferences. Additionally, consumers will have the right to demand details on the purpose of data collection, permissible uses, and the timeline for its deletion.
The rules will also detail specific provisions, such as consent management for minors and exemptions for certain entities or contexts. Moreover, the government plans to establish the Data Protection Board, an adjudicatory body to address disputes between data principals (users) and fiduciaries (data handlers).
Entities found guilty of data breaches could face penalties of up to Rs 250 crore per incident, underscoring the government’s intent to enforce stringent compliance.
The draft rules are expected to be released for public consultation shortly, during which stakeholders will be able to provide feedback and suggestions. Following this, the rules will be notified and implemented in phases, marking the beginning of a robust framework to safeguard digital personal data.
Source: The Financial Express